Apple’s latest update to iOS just came out. Version 5.1.1 is more than just a cosmetic fix: it patches at least three security flaws, all of which should be considered serious.
Information about the update can be found in Apple’s knowledgebase article DL1521.
Unfortunately, the security reasons for updating sooner rather than later are hard to find from DL1521.
The page leads with a list of five “improvements and bug fixes”, none of which is a compelling reason on its own to update now.
As usual, Apple relegates the security content of the update to the well-known landing page HT1222. But when I visited, the most recent security updates in the list were still April’s malware-related Flashback fixes.
Nevertheless, the page you need to consult for iOS 5.1.1 does exist – it’s HT5278, and if you have an iDevice, I strongly suggest you read it.
Do you work for Apple? If so, please suggest – to the highest authority in the company you dare to email directly – that your employer tweaks its update publishing system. Make sure that HT1222 is updated at the same time as any security-related product update is published, not hours or days later. This will have a positive outcome: your users will apply security fixes more promptly.
To summarise here, iOS 5.1.1 addresses three main security problems:
* Address-bar spoofing. Site X could direct you to site Y, but make it look as though you'd gone to site Z.
This sounds like a minor issue, but it isn’t. The address bar is supposed to be accurate at all times, because it’s the primary indicator of whose site you’re actually visiting. Indeed, the browser is supposed to ensure that untrusted content – such as JavaScript – inside a web page can’t write into or affect the surrounding user interface (the so-called “chrome”) itself.
Address-bar spoofing is very useful to scammers, phishers and peddlers of malware because it lets them masquerade their bogus websites as the real deal.
* Cross-site scripting. When you visit site X, code sucked in from site Y could execute as though it had been served from site X.
XSS (short for cross-site scripting) is always a cause for concern. Web browsers are supposed to enforce a “same-origin” policy. Content from site Y should only be able to see cookies set for site Y, and scripts served from site Y should only be able to connect back to site Y to exchange or request further data.
If a script from site Y can view cookies set for site X, then a crook in control of site Y may be able to recover session authentication data (set by site X when you logged in), and thus to impersonate you online.
* Remote code execution. A maliciously crafted web page might crash your browser in such a way that it ends up running program code secretly embedded in the page.
Executable machine code served up in an untrusted web page should never be able to get near to the CPU without provoking one or more do-you-really-intend-to-do-this dialogs. This helps to protect you from installing malware by mistake.
Any time the Bad Guys get hold of an exploitable remote code execution (RCE) vulnerability, they’re laughing. They can sneak malware onto your computer or mobile device without consent or warning. That’s always a Very Bad Outcome. (Ask one of the hundreds of thousands of people whose Macs were recently infected with the Flashback Trojan!)
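The same-origin rule described under cross-site scripting above can be made concrete with a small model. This is an added sketch, not code from Apple, WebKit or this article. The host names and cookies are constructed samples, and it goes slightly beyond the text by also modelling the real `HttpOnly` cookie attribute, which keeps a session cookie out of reach of scripts even when an origin check fails.

```javascript
// Simplified model of same-origin checks and cookie visibility.
// Host names and cookies are constructed samples, not real sites.
const JAR = [
  { name: "x_session", domain: "site-x.example", hostOnly: true, secure: true, httpOnly: false },
  { name: "y_prefs", domain: "site-y.example", hostOnly: false, secure: false, httpOnly: false },
];

// An origin is the (scheme, host, port) triple of a URL.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPorts = { "http:": "80", "https:": "443" };
  // URL.port is "" when the scheme's default port is in use.
  return `${u.protocol}//${u.hostname}:${u.port || defaultPorts[u.protocol] || ""}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Host-only cookies match one exact host; Domain cookies also match
// subdomains. The leading dot stops "notsite-x.example" from matching.
function cookieVisibleTo(cookie, urlString) {
  const u = new URL(urlString);
  const hostMatches = cookie.hostOnly
    ? u.hostname === cookie.domain
    : u.hostname === cookie.domain || u.hostname.endsWith("." + cookie.domain);
  const schemeOk = !cookie.secure || u.protocol === "https:";
  return hostMatches && schemeOk;
}

// Cookies a script can read depend on the document it runs in, not on
// where the script file was fetched from. That is why an XSS bug hurts:
// site Y's code ends up running with site X's document URL.
function readableCookies(jar, documentUrl) {
  return jar
    .filter((c) => !c.httpOnly && cookieVisibleTo(c, documentUrl))
    .map((c) => c.name);
}

// Mitigation: flag a cookie HttpOnly so no script can read it at all.
function withHttpOnly(jar, name) {
  return jar.map((c) => (c.name === name ? { ...c, httpOnly: true } : c));
}

console.log(readableCookies(JAR, "https://site-y.example/page"));
console.log(readableCookies(JAR, "https://site-x.example/account"));
console.log(readableCookies(withHttpOnly(JAR, "x_session"), "https://site-x.example/account"));
```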
Bottom line: I’d recommend updating to iOS 5.1.1 as soon as you reasonably can.
–
PS. Note to jailbreakers. Yes, you can update too, at least if you have an iDevice with an A4 chip. (That excludes newer devices such as the iPhone 4S, the iPad 2 and the iPad which came after the iPad 2.) As with iOS 5.1, it's a tethered jailbreak. That means you need to connect your device to your computer and use the jailbreaking tool when you reboot.
Do these security fixes make it to devices that aren't able to update to iOS5 (like older gen Touches and iPhones?)
Unfortunately, as of iOS 4.3, support was dropped for 1st and 2nd generation devices. This includes the 1st generation iPhone and iPod Touch (iOS 3.1.3), and the 2nd generation iPhone and iPod Touch (iOS 4.2.1). The reasons were probably hardware limitations. So this means if you have one of the above devices I mentioned, you will be unable to update to the latest version.
Paul, I can’t speak for the iPhone 4S but my new iPad updated itself last night to 5.1.1. So it looks like Apple pushed a fix for their newer fleet as well.
Surely they will. A lot of their users are expecting on us to solve this conflict. Google really wants to compete with Apple. 🙂
Paul, are these new threats, or is it that the hated scammers et al haven't yet found ways to use them to compromise devices? I only say it because I've not heard of any attacks to date which have used these attack vectors.
Nor have I. It looks as though attacks abusing these vulnerabilities will have been headed off at the pass through responsible disclosure.
If you look at HT5278, the bugs appear to have been found, reported and fixed in a controlled fashion, rather than uncovered in the wild thanks to "zero day" attacks…
(For all we know, the crooks might already have found or bought any or all of these vulnerabilities. But if that's the case, they seem to have [a] failed to work out how to exploit them in time or [b] failed to use them in time or [c] used them, but no-one has yet noticed. All of those seem unlikely. My money is on the fact that the Good Guys found and fixed these particular holes first!)
I love how you pick on Apple for their security updates. And in this latest one, you again note that Apple leaves some products behind when they do new software updates.
All fair to point that out, but you fail to compare them to the Android market where many devices are left behind as OS and security updates are posted.
@sunbimr
You are an idiot. I am an iPhone user and am aware that Android has its security flaws. But precisely because I am an iPhone user I want to know about Apple security issues rather than feel upset because someone dares to criticize a device that I rather like.
Pray tell me how a comparison to Android is relevant wrt me deciding whether or not to install iOS 5.1.1 for its security contents.
Paul, keep up the good work.
Note to jailbreakers: your devices are more likely to be hacked.
Did SSL come out in this version?
Not sure what you mean by that.
iOS already includes SSL support (for example, the CFNetwork programming framework lets you create plain or SSL/TLS-encrypted socket connections). Neither DL1521 nor HT5278 mention any change or update to iOS's own SSL libraries.
iOS doesn't provide a lower-level interface to SSL/TLS. Notably, OpenSSL is not available under iOS. According to Apple's developer library, "OpenSSL does not provide a stable API from version to version. For this reason…OpenSSL has never been provided as part of iOS…If your application depends on OpenSSL, you should compile OpenSSL yourself and statically link a known version of OpenSSL into your application."
Apps which statically link their own SSL libraries are, ipso facto, not going to be updated as part of iOS.
This new update seems to have really messed up my email. Although I changed nothing, I now get an "incorrect password" error with all email accounts on my iPhone. Advice on a fix?
I'm having issues with the new update! I downloaded it no problem, but am unable to install it. Every time I try it says it is unable to install. I deleted many apps to make extra space (over 507MB) and trial and error. Nothing changes. I am unable to install the update. Any suggestions? Or is this normal? Does this happen often to users?
I'll update my phone's iOS to 5.1.1 using iTunes.
Will it be OK if I use iTunes?