Apple updates iOS fixing 27 vulnerabilities and TURKTRUST revocation

Filed Under: Apple, Apple Safari, Featured, iOS, Vulnerability

Apple has released version 6.1 of its iOS operating system that is the brains of millions of iPhones, iPads and iPod Touch devices.

I consider this to be a critical update, as many of the fixes can be used to remotely compromise your shiny iDevices.

iOS 6.1 is available for users of the iPhone 3GS and later, iPad 2 and later and iPod Touch 4th generation and later. Apparently Apple's advice to users of its older hardware is "buy a new one".

The vast majority of the flaws were in WebKit, the rendering engine used by Safari to display web content. This isn't surprising as it is a very complicated component.

It is also a very dangerous component to leave vulnerable as it can be attacked by any web page controlled by someone with malicious intent. I would make these updates a priority.

Some of these fixes have been known for some time. A bug in handling Japanese Unicode characters dates back to 2011 and could lead to a cross-site scripting attack.

You could even characterize this update as long-awaited as it finally addresses the bad certificates released by TURKTRUST and discovered this past Christmas.

A bit of too little, too late though. Although iOS devices will no longer trust the two intermediate certificates that were accidentally issued, those certificates have already been destroyed and determined to not have been used maliciously.

Apple has also released an update to the Apple TV bringing its release number to 5.2. Two responsibly disclosed vulnerabilities were fixed in this release, one of which appears to be intended to prevent jailbreaking.

As always update as soon as you can and you will enjoy a safer Apple experience.


8 Responses to Apple updates iOS fixing 27 vulnerabilities and TURKTRUST revocation

  1. Curious · 550 days ago

    If you feel that Apple's support for the 3 year old iPhone 3GS is not enough (the issue with iPad 1 and previous iPod touch is insufficient RAM as I understand it), what do you think of non-Nexus Android support/patches/updates?

    • Chester Wisniewski · 549 days ago

      Old devices should receive security fixes for whatever version they are running, for a minimum of 3 years. Forcing upgrades by not providing fixes is fiendish. Why not release the fixes for iOS 4 and 5? It costs money? Yes. It also costs money to provide fixes for Windows XP, but Microsoft have done so for 10 years.

      The Android situation is a nightmare. Non-Google branded devices are abandoned and haphazardly patched in a way far worse than Apple's behavior.

      Bad policies on Android don't justify bad practices by Apple. Be a star and lead by example, don't race to the bottom.

      • Sam · 549 days ago

        I quite agree Chester. I have an iPad 1 and strongly resent Apple's attitude. I won't be taking their advice - in fact I am very unlikely ever to buy another Apple product of any kind if that's all the service they give - and this from a company that makes over 30% clear profit from every product sold. I'd have thought there was plenty of scope there for looking after past customers a bit better than this.

        The stock market thinks they are on the way down. Policies like this only confirm that.

      • Larry M · 549 days ago

        Chester wrote "The Android situation is a nightmare."

        Updates for smartphones running Windows have never been readily available either. It's not the fault of the OS provider. In the US at least, the carriers would rather hook you into a subsidized new phone so they can lock you into a (highest cost in the world) overpriced new contract.

        Not much you could do about the Windows situation, but with Android, you can keep the phone updated with third party builds like CyanogenMod.

  2. Nigel · 549 days ago

    Apple's increasingly accelerating policy of forced obsolescence is scandalous. The suits and beancounters who evidently are driving it seem to have an insatiable need NOT just to keep the company profitable, but to show earnings and market share growth in the quarterly reports. Presumably, they think this will impress the shareholders. Maybe it will, in the short run, but...

    ...the problem with such a dismally short-term attitude is that it places shareholders' interests above the customer's interests. In the long run, that's a prescription for disaster. If there are no customers, there'll be no shareholders. Alas, Apple is showing a disturbing tendency to put the cart before the horse.

  3. Chester Wisniewski · 549 days ago

    Yes, I didn't say that correctly. Good catch. Please do install the patches, the flaws are the problem.

  4. Manuel · 548 days ago

    Hello Chester. Thank you very much for your information.
    We are very concerned about this issue. Our company has deployed 1700 iPads to internal users. 75% of them are iPad 1s. As you know, the latest iOS version that Apple has released for these devices is 5.1.1. Today we have tried to update to a new version via iTunes, but Apple says there is no new version.
    Do you have any information on whether Apple will release an update to resolve the 27 vulnerabilities and revoke TURKTRUST as you mention in your article?

    • I don't think Apple has announced any plans to release security updates for the iPad 1.

      But the people to ask definitively are the guys at Apple themselves.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.