Monday, January 28, 2013

iOS 6.1: BIG Security Fixes


iOS 6.1 was posted today. It contains BIG security fixes which I consider to be critical. This update is available for iPhone 3GS through iPhone 5; iPod Touch 4 through iPod Touch 5; iPad 2 through iPad 4. (Sorry, iPad 1 users!)

If you check out the notes provided in iTunes, you'd never know about any security fixes unless you clicked the link at the end of Apple's brief notes:
For information on the security content of this update, please visit this website:
Which then provides a link to here:
About the security content of iOS 6.1 Software Update 
There are, according to my count, 28 security patches. MANY of them are critically dangerous.

Thankfully, Apple provide nice summaries of the CVE issues involved (as opposed to our pals at Oracle regarding Java :-P).

My quick list of problems fixed by iOS 6.1, with my comments in [brackets]:


Identity Services: Bypass of certificate authorization of an AppleID.

International Components for Unicode: Malicious website cross-site scripting attack.

Kernel: Faulty kernel memory access.

Security: Interception of user credentials and further information due to bad TURKTRUST-issued security certificates. [DC- Oh look, yet another BAD security certificate authority]

StoreKit: Smart App Banner automatic re-enablement of user-disabled JavaScript.

WebKit Memory Corruption: 20 memory corruption flaws allowing unexpected application termination or arbitrary code execution. [DC- IOW, potential PWNing of your WebKit browser]

WebKit Content Pasting Validation: Pasting of content onto malicious websites leading to a cross-site scripting attack.

WebKit Frame Elements: Faulty handling of frame elements leading to a cross-site scripting attack.

WiFi: Temporary disablement of WiFi by a remote attacker on the same WiFi network. Caused by Broadcom's BCM4325 and BCM4329 firmware reading out of bounds when handling 802.11i information elements.


No surprise, the majority of issues involve memory management flaws, the continuing plague of modern programming languages and methods.
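
An added example, not part of the original post and not Broadcom's or Apple's code: the WiFi item above attributes the flaw to firmware reading out of bounds while handling 802.11i information elements, and this C parser shows the length and count checks that handling such elements requires. The function names and the sample byte arrays are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define IE_RSN 48 /* element ID of the RSN element introduced by 802.11i */

/* Validate an RSN element body: 2-byte version, 4-byte group suite, then two
 * count-prefixed lists of 4-byte suite selectors (pairwise, AKM). Fields after
 * the version are optional, so ending early on a field boundary is accepted. */
static int check_rsn_body(const uint8_t *b, size_t len)
{
    size_t off = 6, count;
    if (len < 2 || b[0] != 1 || b[1] != 0) return -1; /* version must be 1 */
    if (len == 2) return 0;
    if (len < 6) return -1;                   /* truncated group suite */
    for (int list = 0; list < 2 && off < len; list++) {
        if (len - off < 2) return -1;         /* truncated count field */
        count = (size_t)b[off] | ((size_t)b[off + 1] << 8);
        off += 2;
        if (count * 4 > len - off) return -1; /* count claims more than is there */
        off += count * 4;
    }
    return 0;
}

/* Walk the ID/length/value elements of a frame body. Returns the number of
 * RSN elements that validated, or -1 if any length or count field points
 * past the end of the received buffer. */
int scan_elements(const uint8_t *buf, size_t len)
{
    int rsn_ok = 0;
    for (size_t off = 0; off < len; ) {
        if (len - off < 2) return -1;         /* truncated element header */
        size_t elen = buf[off + 1];
        if (elen > len - off - 2) return -1;  /* declared length overruns buffer */
        if (buf[off] == IE_RSN) {
            if (check_rsn_body(buf + off + 2, elen)) return -1;
            rsn_ok++;
        }
        off += 2 + elen;
    }
    return rsn_ok;
}

/* Constructed sample inputs (not captured traffic). */
const uint8_t ie_good[] = { 0, 1, 'a', 48, 20, 1, 0, 0x00, 0x0f, 0xac, 4,
    1, 0, 0x00, 0x0f, 0xac, 4, 1, 0, 0x00, 0x0f, 0xac, 2, 0, 0 };
const uint8_t ie_bad_count[] = { 48, 8, 1, 0, 0x00, 0x0f, 0xac, 4, 0x40, 0 };
const uint8_t ie_bad_len[] = { 48, 20, 1, 0 };
```

Every length is compared against the bytes that remain rather than added to an offset first, so a hostile length or count value cannot push a read past the buffer.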

I suggest updating ASAP. It's always a good idea to have some free space available on your iOS device, especially when updating iOS.

Today I thankfully have not run into any bogged-down access to the update. But my iPod Touch 4 booted five times before the update was complete. There is also a new setup process for iCloud required after the update. All went well.

Oh and BTW: The number of malware affecting iOS remains at zero.
(Unless of course you've cracked your iOS device. Then you're on your own. The number of malware affecting it is unknown.)

