Apple patches Pwn2Own iPhone OS vulnerabilities

Apple patches Pwn2Own iPhone OS vulnerabilities

Summary: Apple has released a critical update for its flagship iOS mobile operating system to fix several gaping security holes, including a few that were used in successful exploits at this year's CanSecWest Pwn2Own contest.

SHARE:

Apple has released a critical update for its flagship iOS mobile operating system to fix several gaping security holes, including a few that were used in successful exploits at this year's CanSecWest Pwn2Own contest.

The new iOS 4.3.2 software update, which is available for download via iTunes, provides cover for five documented security problems, including vulnerabilities exploited by Charlie Miller (iPhone) and a team of researchers who broke into RIM's BlackBerry smartphone.

The raw details:

  • QuickLook: A memory corruption issue existed in QuickLook's handling of Microsoft Office files. Viewing a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution. Credit to Charlie Miller and Dion Blazakis working with TippingPoint's Zero Day Initiative.
  • WebKit: An integer overflow issue existed in the handling of nodesets. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Credit to Vincenzo Iozzo, Willem Pinckaers, Ralf-Philipp Weinmann, and an anonymous researcher working with TippingPoint's Zero Day Initiative.
  • WebKit: A use after free issue existed in the handling of text nodes. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Credit to Vupen Security working with TippingPoint's Zero Day Initiative, and Martin Barbella.

The iOS update also fixes the Comodo certificate trust policy problem that allowed an attacker with a privileged network position to intercept user credentials or other sensitive information.   This issue was also fixed in separate Safari and Mac OS X updates.

Topics: Security, Apple, Mobile OS, Operating Systems

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

9 comments
Log in or register to join the discussion
  • RE: Apple patches Pwn2Own iPhone OS vulnerabilities

    Apple pies not commenting?

    See? ANY Operating System could have flaws.
    czorrilla
    • RE: Apple patches Pwn2Own iPhone OS vulnerabilities

      @czorrilla Fully agree - but tell THAT to the Linux guys.
      athynz
      • RE: Apple patches Pwn2Own iPhone OS vulnerabilities

        @athynz
        Oh - we are acutely aware of that, thanks.

        My Ubuntu comes up almost <i>every single day</i> with requests to patch. And I have to enter an admin password every time. Grr.
        honeymonster
      • RE: Apple patches Pwn2Own iPhone OS vulnerabilities

        @honeymonster
        <i>My Ubuntu comes up almost every single day with requests to patch. And I have to enter an admin password every time. Grr.</i>

        System level patches <b>should</b> require an admin password to install. They should also provide details on what is being patched. Automatically patching in the background has the potential to install unwanted (and possibly dangerous) malware.
        Rick_K
      • I have to agree with Rick_K

        It's better to have to put your admin password in every time and -know- what you're upgrading.
        Michael Alan Goff
    • RE: Apple patches Pwn2Own iPhone OS vulnerabilities

      @czorrilla

      All operating systems have vulnerabilities...some have a bucketload more exploited vulnerabilities...the devil is in those details.
      Brich
      • RE: Apple patches Pwn2Own iPhone OS vulnerabilities

        Actually, I'm of the opinion that a vulnerability is a worthless metric. It's exploits that we need to concern ourselves with.
        Michael Alan Goff
  • RE: Apple patches Pwn2Own iPhone OS vulnerabilities

    http://www.52tube.com/
    http://www.wctube.com/
    http://www.cameporn.com/
    http://www.escortbayan9.com/
    tamam
    myclub
  • RE: Apple patches Pwn2Own iPhone OS vulnerabilities

    Well done! Thank you very much for professional templates and community edition
    <a href="http://www.yuregininsesi.com" title="seslichat">sesli chat</a> <a href="http://www.yuregininsesi.com" title="seslisohbet">sesli sohbet</a>
    talih