Monday's iOS 5.1.1 update may not have been the most exciting thing to come out of Cupertino, but it turns out the patch also includes some very welcome security updates for Mobile Safari and WebKit which didn't get outlined in the release notes.
Apple has posted a support document detailing the security content of Monday's iOS 5.1.1 software update for the iPhone, iPad and iPod touch. If the four bug fixes and stability improvements mentioned in the release notes didn't seem like much, the update also includes security patches that are far more important to users.
The support document details three security areas patched by iOS 5.1.1. The first is in Mobile Safari itself, where the update clamps down on a known issue in which "a maliciously crafted website may be able to spoof the address in the location bar." In response to the issue, Apple notes, "A URL spoofing issue existed in Safari. This could be used in a malicious web site to direct the user to a spoofed site that visually appeared to be a legitimate domain. This issue is addressed through improved URL handling. This issue does not affect OS X systems."
The last two security fixes in iOS 5.1.1 involve WebKit itself, the engine that drives Mobile Safari and a number of other browsers (notably Google Chrome, although these fixes only apply to Mobile Safari).
The two issues in question are "visiting a maliciously crafted website may lead to a cross-site scripting attack" and "visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution." The former patch aims to stomp out "multiple cross-site scripting issues [that] existed in WebKit," while the latter fixes "a memory corruption issue [that] existed in WebKit."
Users are encouraged to apply the iOS 5.1.1 update, either from the Software Update panel on the device itself or via iTunes. Jailbreakers, beware: The patch will wipe out your jailbroken freedom, although the hackers have already whipped up a tethered (for now) version to support iOS 5.1.1 for those who can't live without it.
Follow this article's author, J.R. Bookwalter on Twitter