Cupertino, California-based Apple released fixes for a bevy of security flaws in its iOS mobile operating system, including security flaws affecting the Siri personal assistant, the iOS passcode feature, and more than five dozen flaws in the WebKit Web rendering enging used by both iOS and Android devices.
The security update came with the release of iOS Version 5.1 on Wednesday and included fixes for a wide range of security holes, including 71 vulnerabilities in WebKit, the Web browser component that is used in both iOS and Android mobile devices. Also fixed was a passcode vulnerability that allows an unauthorized user to bypass an iPhone lock feature.
The passcode vulnerability (CVE-2012-0644) was credited to Roland Kohler of the German Federal Ministry of Economics and Technology. It is described by Apple as a “race condition” in iOS’s handling of the slide to dial gesture – the lateral swipe that users employ to unlock their iOS device. The patched flaw affects iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, and iPad 2.
In February, Safwan Saba revealed on the Web site iPhoneIslam that iOS’s passcode feature could be bypassed if, after a missed call, an attacker tried to return the call while quickly removing the SIM card as the phone tried to join the local GSM network.
A flaw in the Siri personal assistant program could have allowed an attacker with physical access to a locked phone to send an open e-mail message, Apple said. The problem was a design issue that meant that, for Phones that were able to use Siri on the lock screen, a voice command could be used to send an open mail message protected behind the lock screen to an arbitrary recipient. Apple said it is disabling forwarding of active messages from the Lock screen to circumvent the vulnerability.
More concerning is a flaw in the iOS kernel that could allow malicious program to break out of the iOS sandbox, which limits the ability of applications to access other programs running on an iOS device, or the underlying operating system itself. Apple has fixed a vulnerability in the logic used to handle debug system calls on iOS that could allow a malicious program to gain code execution in other programs with the same user privileges.
However the vast majority of security flaws fixed with 5.1 were in WebKit, the open-source HTML rendering engine that is used in a wide range of software, from Google’s Chrome and Apple’s Safari Web browsers, to Yahoo Messenger, iTunes and RealPlayer, as well as in mobile devices running iOS and the Android mobile operating systems. More than 70 of the 81 vulnerabilities fixed in iOS 5.1 were found in the WebKit component. They range from a wide range of memory corruption issues that could allow a malicious Website to crash an iOS application or run arbitrary code on the device, to so-called “cross-origin” vulnerabilities that could allow attackers to launch cross site scripting attacks, read the contents of protected cookies or allow content to be dragged and dropped across origins, Apple said.
WebKit has become a security headache for mobile software makers and for enterprises worried about the influx of employee-owned mobile devices in the workplace. Researchers from the company CrowdStrike demonstrated an end-to-end phishing attack on Google Android phones that used a previously unknown (zero-day) vulnerability in WebKit on Android phones.
