MUST READ: Microsoft unleashes bug bounty program — for betas, too

Topic: Browser

Discover

Apple patches serious security holes in iOS devices

Summary: The iOS 5.1.1 update fixes four separate vulnerabilities, including one that could be used to take complete control of an affected device.

Ryan Naraine

By for Zero Day |

Apple has shipped a high-priority iOS update to fix multiple security holes affecting the browser used on iPhones, iPads and iPod Touch devices.

The iOS 5.1.1 update fixes four separate vulnerabilities, including one that could be used to take complete control of an affected device.

Here's the skinny of this batch of updates:

  • A URL spoofing issue existed in Safari. This could be used in a malicious web site to direct the user to a spoofed site that visually appeared to be a legitimate domain. This issue is addressed through improved URL handling. This issue does not affect OS X systems.
  • Multiple security holes in the open-source WebKit rendering engine.  These could lead to cross-site scripting attacks from maliciously crafted web sites. These vulnerabilities were used during Google's Pwnium contest at this year's CanSecWest conference.
    • follow Ryan Naraine on twitter
  • A memory corruption issue in WebKit. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.  This issue was discovered and reported by Google's security team.

This patch is only available via iTunes. To check that the iPhone, iPod touch, or iPad has been updated:

  • Navigate to Settings
  • Select General
  • Select About. The version after applying this update will be "5.1.1".

Topics: Browser, Apple, Security, Software Development

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

17 comments
Log in or register to join the discussion

  • "This patch is only available via iTunes"?

    I have updated without iTunes perfectly. Or what do you mean?
    DDERSSS
    Reply Vote

    • Only via iTunes or via a WiFi connection

      I believe WiFi or iTunes is required, because it is a ~40Mb update.
      dancoiv
      Reply Vote

      • iTunes not needed

        That is quite likely.

        iOS 5 onwards doesn't require a computer, so making this update iTunes only would have been a serious flaw in their strategy.

        I am updating from software update in Settings, like I should be. No computer involved.
        richardw66
        Reply Vote

  • I can't keep track of what the rule is for this week

    Are patches a good thing this week or a bad thing? While I can't be 100% sure of the pattern, it does seem to me that patches are a bad thing on the 2nd Tuesday of the month (indicating that the OS in question is garbage) but a good thing any other time (indicating that the company releasing the patch cares about security and their customers). I'll have to collect more data points though because that would be a really strange pattern.
    toddbottom3
    Reply Vote

    • Headlines rule - Apple is news if bad news

      I believe the serious security holes are normal life on 2nd Tuesdays and big news on other days.

      I don't think Ryan is an iOS fan if that is what you are hinting at.
      richardw66
      Reply Vote

    • You don't get to set the rules, toddytroll

      They do. If Apple ever reaches vulnerability critical mass the way your fellow shills over at Microsoft do, then they'll they'll set up their own schedule like anybody else. Or would you rather have them wait 6 months before acting on this.
      ScorpioBlack
      Reply Vote

      • oh wise one....

        I just love how the tables have turned. Apple is being "responsible" sending out patches to their stuff. Microsoft was being an idiot for having to patch their stuff. I am wondering who the "shill" really is.
        phess11
        Reply Vote

      • I am wise

        And you need to bend down and pay homage to me. lol...

        Nope, I'm glad Apple's patching their stuff. They're just gonna do it on their own terms, not toddytroll the shill's. That's all.

        Oh and btw, I don't own an Apple. If I did, I'd certainly have no problem saying so.

        And speaking of updates, I just got 20 more Microsoft ones tonight. Surprised? ;)
        ScorpioBlack
        Reply Vote

    • I found a pattern

      It's a very obvious pattern, you are an idiot every day.
      non-biased
      Reply Vote

  • iTunes announced what version 5.1.1 is for, but doesn't match this blog

    There was no mention of these important reasons listed here to downoad and install the update. Thank you, Ryan! It only listed ways it improves minor bugs, like unlocking the screen, downloading apps, etc.
    dancoiv
    Reply Vote

    • Actually, those are mentioned

      Apple did mention what Ryan stated. See: support.apple.com/kb/HT5278
      It is true they are not mentioned in the download page. When you do this via WiFi. But you still have to drill down two more knowledge base links to get there. I don't know what is stated in the download via iTunes.
      ManoaHI
      Reply Vote

  • Re: Update for iOS 5.1.1

    I just check my iPad 2 software update and it told me to hook to the power source to update. So, you may not need to hook it iTunes but there is that one chance that it can make your device inoperable. Thank you!
    mac.richterj19@...
    Reply Vote

    • Plug it in

      This is there as a warning, I did mine without connecting the power supply. Basically, Apple is not aware of your ISP (or work ISP) speeds. If it took a really long time, and your battery dies while it's updating, you could have problems. But I did both my iPhone 4S and my new iPad just now and I did that after doing a backup. Both were showing 100% battery life, and it took about 10 minutes to do both. I did the backup using iTunes (I could have chosen, iCloud, but I only do that once a week - which means I did it last night). At lunch, I just started the upgrading of both. Finished before I finished lunch. (I have my own WiFi hotspot and I have my Mac at work).
      ManoaHI
      Reply Vote

      • You couldn't leave it on the charger while updating?

        [i][eyes rolling][/i]
        ScorpioBlack
        Reply Vote

    • That's Universal

      Every device that can update OTA recommends you be hooked up to a power source during the update, this is just in case the battery should run down during the update, if the device loses power during the update it could be a huge problem.
      Doctor Demento
      Reply Vote

  • MakeCash25.com

    Learn how to make money using a billion dollar company like Google! Earning potential up to $5000 per week! More info find on the link above
    goo.gl/Ud3e1
    Reply Vote

  • Safari Only?

    Question: is Safari the only browser affected?
    cartman00000001
    Reply Vote
CNET Join | Log In | Privacy | Cookies Close