Apple has wasted no time fixing the code signing bypass vulnerability exposed by Charlie Miller in the recent disclosure flap that ended with Miller being kicked out of Apple's iOS developer program.
Despite the controversial decision to dismiss Miller from the iOS developer program, Apple publicly credited the Accuvant security researcher for finding and reporting the kernel security hole.
From the advisory:
A logic error existed in the mmap system call's checking of valid flag combinations. This issue may lead to a bypass of codesigning checks. This could be exploited to allow an application to execute unsigned code.
The iOS 5.0.2 update also fixes some additional security problems:
- CFNetwork: An issue existed in CFNetwork's handling of maliciously crafted URLs. When accessing a maliciously crafted HTTP or HTTPS URL, CFNetwork could navigate to an incorrect server. Visiting a maliciously crafted website may lead to the disclosure of sensitive information.
- CoreGraphics: Multiple memory corruption issues existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font. Viewing a document containing a maliciously crafted font may lead to arbitrary code execution.
- libinfo: An issue existed in libinfo's handling of DNS name lookups. When resolving a maliciously crafted hostname, libinfo could return an incorrect result. Visiting a maliciously crafted website may lead to the disclosure of sensitive information.
- Passcode Lock: When a Smart Cover is opened while iPad 2 is confirming power off in the locked state, the iPad does not request a passcode. This allows some access to the iPad, but data protected by Data Protection is inaccessible and apps cannot be launched. A person with physical access to a locked iPad 2 may be able to access some of the user's data.