March 10, 2011

Apple issues security updates for Safari, iOS

Apple on Wednesday issued security updates for its Safari 5 web browser and iOS mobile operating system to address dozens of vulnerabilities.

An update affecting Safari 5 for Mac and Windows fixes more than 60 flaws and upgrades the web browser to version 5.0.4. The iOS update patches many of the same flaws and brings the mobile operating system, used for iPhones, iPads and the iPod touch devices, to version 4.3.

Unlike most other computing firms, including Microsoft and Adobe, Apple does not assign severity levels to the vulnerabilities discovered in its products.

Many of the flaws are critical, nonetheless, Graham Cluley, senior technology consultant at anti-virus firm Sophos, wrote in a blog post Thursday. As many as 57 of the bugs could be exploited via drive-by download if a user simply visits a malicious website using an unpatched version of Safari.

Most of the flaws in both Safari and iOS were described as memory corruption issues affecting WebKit, the framework used to render web pages, according to Apple's advisories.

Overall, the vulnerabilities could allow an attacker to execute arbitrary code, cause a denial-of-service, obtain sensitive information or conduct cross-site scripting attacks, US-CERT said in an advisory posted Thursday.

“These are, of course, the kind of vulnerabilities that have been exploited by malicious hackers and virus writers in the past and would present a way to deliver code to a non-jailbroken iPhone that did not involve entering via the official iPhone App Store,” Cluley wrote.

The iOS 4.3 update, however, is not available for the iPhone 3G and older versions of the iPod Touch, he warned. The update is only compatible with the iPhone 3GS and later, the third-generation iPod Touch and all versions of the iPad. As a result, earlier iPhone and iPod Touch devices are still vulnerable to attacks that exploit these flaws. 

“If you were looking for an excuse to upgrade your iPhone or iPod touch – maybe you've just been given a good one by Apple,” Cluley wrote.

Meanwhile, Apple on Wednesday also released a security update for Apple TV to address a number of flaws.

Related Articles
Related Topics

More in News

Operators again revive Pushdo botnet, use a popular tactic to stay hidden

Operators again revive Pushdo botnet, use a popular ...

Botnet operators are using a domain-generation algorithm to conceal their command-and-control center. And once they knew security researchers were on to their tricks, they got even slicker.

Mac spyware discovered on Angolan dissident's computer at Oslo Freedom Forum

Mac spyware discovered on Angolan dissident's computer at ...

Security researchers are studying an apparent new strain of Mac malware that turned up on the computer of a participant at the just-concluded Oslo Freedom Forum, an annual human rights ...

Judge in London sentences LulzSec members

Judge in London sentences LulzSec members

The sentences range from 20 to 32 months, with none of the defendants likely to serve the full time. There has been no formal request to extradite the U.K. men ...