Apple released version 5 of its iOS mobile operating system, a major update that adds several new features and closes around 100 security holes.
The holes it closes include flaws that could be exploited to gain access to private data, cause a device reset, carry out a cross-site scripting (XSS) attack, or execute arbitrary code on a device.
The security update fixes issues with the mobile version of the Safari web browser, the Calendar app, the OfficeImport component for viewing Microsoft Office Word and Excel files, and the way that X.509 certificates are handled. Other problems addressed by the update include vulnerabilities in CoreMedia, CoreGraphics, CoreFoundation, the XML library (libxml), ImageIO and the kernel. CalDAV, used by iCal and the Calendar app in iOS to sync calendar data, now checks whether the SSL certificate presented by the server is trusted before syncing, in order to prevent user credentials or private data from being intercepted from a calendar server.
Support for TLS 1.2 was also added to prevent an attacker from decrypting an SSL connection via the recently disclosed potential information disclosure risk in SSL/TLS; a number of browser makers, including Google and Microsoft, have started to implement fixes for this issue.
Like Safari 5.1.1 and iTunes 10.5 on Windows, iOS 5 fixes a large number of memory corruption problems in the WebKit browser engine which could lead either to application termination or arbitrary code execution. The new version also removes trust from the certificate authorities (CAs) operated by DigiNotar after the CA was compromised.
Apple has also released Update 4.4 for Apple TV which, among other things, removes trust in DigiNotar, supports TLS 1.2, closes holes in TIFF viewing and blocks an attack where a remote user could cause the device to reset.
Updates to its Pages and Numbers apps for iOS fix various buffer overflows and memory corruption issues that an attacker could exploit to execute arbitrary code when opening a maliciously crafted Excel or Word file. Details about the app updates are in the Pages for iOS v1.5 and Numbers for iOS v1.5 mailing list announcements.
The iOS updates are compatible with iPhone 4 (GSM and CDMA models), iPhone 3GS, the original iPad and iPad 2, and the 3rd and 4th generation iPod Touch; the iPhone 4S ships with iOS 5. The original iPhone, iPhone 3G, and 1st and 2nd generation iPod Touch are no longer supported and, as such, no longer receive iOS updates. Users can update their iOS-based mobile devices using the current version of iTunes. Apple advised all users to upgrade as soon as possible.