The Mac Security Blog
Apple has just released iOS 5.0.1, for the iPhone, iPad and iPod touch. In addition to several bug fixes and improvements (notably concerning battery life for iOS devices), this update contains several security fixes. Some of these fixes involve network access, fonts, kernel issues and the passcode lock, but one is worth noting.
Impact: An application may execute unsigned code
Description: A logic error existed in the mmap system call’s checking of valid flag combinations. This issue may lead to a bypass of codesigning checks. This issue does not affect devices running iOS prior to version 4.3.
This is the bug that security researcher Charlie Miller unearthed just a few days ago, that we reported on here. While it may seem that Apple reacted quickly, patching this bug in just a couple of days, Miller had stated that he had informed Apple about the bug before they removed his program from the App Store. Full information about the security content of this update is available here.
This is the first iOS update available by “over the air,” or OTA, updating. You can get the update by connecting your device to iTunes, as in the past, or you can go to Settings > General > Software Update. Your device will show you information about the new update, and you can tap Download and Install to install it directly. One big advantage to this type of update is that the updates are incremental; instead of some 500 MB for a full iOS download, this update shows as around 40 MB, on our iPad and iPod touch, and 45 MB for iPhones.
Mac and iOS security researcher Charlie Miller discovered a flaw in Apple’s code signing system. Using this exploit, Miller said that, “you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check. With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”
The vulnerability is as follows:
To increase the speed of the phone’s browser [...] Apple allowed javascript code from the Web to run on a much deeper level in the device’s memory than it had in previous versions of the operating system. In fact, [Miller] realized, the browser’s speed increase had forced Apple to create an exception for the browser to run unapproved code in a region of the device’s memory, which until then had been impossible.
According to the Forbes article linked above, “The simple program appears to merely list stock tickers, but also communicates with a server in Miller’s house in St. Louis, pulling down and executing whatever new commands he wants.” Once this was made public, Apple removed the app, and has also revoked Miller’s membership in Apple’s iOS developer program.
Miller did break Apple’s rules, but he also highlighted what could be a very serious flaw in the way iOS applies code signing. In doing so, he has exposed a vulnerability that needs to be patched in order to protect iOS users. Miller will be presenting this vulnerability next week at the SyScan conference in Taiwan.
This happened very quickly, but when syncing an iOS device yesterday, we noticed that Google safe browsing data was being synced to the device. It’s fair to say that, for many, updating iOS devices to iOS 5 was fraught with much annoyance, and when it finally worked, it was easy to not pay close attention to the process. But in the iTunes LCD (the part at the top of the iTunes window that shows the playback timeline and other information), we spotted a message saying “Downloading Safari safe browsing data.” This database, provided by Google, is used by mobile Safari to check for known malicious web sites. To check if this is activated on your iOS device, go to Settings > Safari, then look for the Fraud Warning slider. If it’s not set to “On,” do so; it’s a good way to protect your device and yourself from known malicious websites.
We’re curious as to how often this database will update – whether it’s going to be regularly updated, such as daily or weekly, or whether updates will only come occasionally. If you spot a regularity to these updates, let us know in the comments.
Update: syncing our iOS devices over the past couple of days, it seems that this update occurs once a day, but we have no idea at what time the update is made available.
Apple today released updates for Mac OS X Lion, iOS, the Apple TV, as well as iWork applications, iPhoto and more. Many of these updates include security fixes, and the total number of bugs patched is certainly a record for Apple.
Security Update 2011-006 includes fixes for both Mac OS X 10.6.8 and Lion (as part of the Mac OS X 10.7.2 update), patching more than 60 bugs.
The iOS 5 Software Update fixes dozens of security issues.
The Safari 5.1.1 update, included with the Mac OS X Lion 10.7.2 update, and available separately for Snow Leopard, patches dozens of bugs.
The Apple TV Software Update 4.4 patches a half-dozen bugs, and updates to Pages and Numbers for iOS patch even more bugs.
And updates to Pages and Numbers for iOS fix even more bugs.
This is a bumper crop for Apple, requiring users to download a number of very large updates. But with all these security fixes, Mac and iOS users can certainly sleep better tonight.
More information about these updates will be posted to Apple’s security updates page.
Learn more about VirusBarrier iOS on the Intego web site.
Apple has released security updates for iOS to fix a problem with certificate validation:
A certificate chain validation issue existed in the handling of X.509 certificates. An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS. Other attacks involving X.509 certificate validation may also be possible. This issue is addressed through improved validation of X.509 certificate chains.
The updates, iOS 4.3.5 for the iPhone (GSM), iPod touch and iPad, and iOS 4.2.10 for the CDMA (Verizon) iPhone, are available via iTunes. More information about the update is available here for iOS 4.3.5 and here for iOS 4.2.10.