Apple iOS 4.2 addresses multiple WebKit security issues

Apple's iOS 4.2 is now available and the release addresses a lot more than just AirPrint and other goodies. The updated iOS addresses numerous security issues including a bevy of items in WebKit.

You can find the security update about iOS 4.2 in this mailing list advisory. Among the key highlights:

• CVE-2010-3828: This one addresses iOS 2.0 through 4.1 for iPhone 3G and later as well as the iPod touch and iPad. In a nutshell, a URL issue allows a hacker to initiate a call from the iAd Content Display. Aaron Sigel of vtty.com reported the issue.
• CVE-2010-3929: This Mail flaw means that that WebKit will perform a prefetch if remote image loading is enabled when it runs into an HTML Link Element. "This may result in undesired requests to remote servers," said Apple.  Mike Cardwell of Cardwell IT Ltd. gets props for the find.
• CVE-2010-1843: A remote attacker can shutdown a system. " A null pointer dereference issue exists in the handling of Protocol Independent Multicast (PIM) packets. By sending a maliciously crafted PIM packet, a remote attacker may cause an unexpected system shutdown," said Apple. TippingPoint's Zero Day Initiative found this one.
• CVE-2010-3831: This one addresses photos. In certain situations a "send to MobileMe" may disclose your passwords. Sigel found this one.
• And multiple WebKit fixes to prevent code executions after visiting a "maliciously crafted Web site." This laundry list includes: CVE-2010-3824, CVE-2010-3816, CVE-2010-3809, CVE-2010-3810, CVE-2010-3805, CVE-2010-3823, CVE-2010-3116, CVE-2010-3812, CVE-2010-3808, CVE-2010-3259, CVE-2010-1822, CVE-2010-3811, CVE-2010-3817, CVE-2010-3818, CVE-2010-3819, CVE-2010-3820, CVE-2010-1789, CVE-2010-1806,  CVE-2010-3257, CVE-2010-3826, CVE-2010-1807, CVE-2010-3821,  CVE-2010-3804, CVE-2010-3813,  CVE-2010-3822 and multiple component fixes beyond those.