Apple iPhone and iPad users are buzzing about the new features that come with the latest update to the company’s iOS mobile operating system. But the update also contains dozens of fixes for security holes that could have allowed attackers to compromise the popular devices using malicious PDF files, Web based attacks, and more.
Apple’s update, which was published on Monday, contains some 41 fixes for scores of separate vulnerabilities in a range of components for the iPhone, iPad and iPod. Among them are fixes for the ubiquitous Webkit rendering engine that is used by the mobile devices, as well as Apple’s Safari Web browser. The company issued a browser patch for the Webkit holes separately last week, fixing a wide range of holes that could have allowed malicious Web sites to crash vulnerable applications using the Webkit engine, or even place and run malicious code on those systems. The IOS 4.2 release fixes many of the same issues for the iPad, iPhone and iPod Touch.
Other holes patched this week include a flaw in the way that configuration files for some versions of the iPhone, iPod Touch and iPad are handled that could have allowed attackers to push malicious configuration files to those devices. Other holes patched with 4.2 include a vulnerability in the way iPad handled imported Microsoft Excel files that could allow malicious Excel files to place and run malicious code on a vulnerable iPad, as well as a flaw in the “Send to MobileMe” option for photo sharing that could have enabled a man in the middle-type attack that revealed a user’s account password, Apple disclosed in a knowledge base article.
The latest OS update – which is free – has been hotly anticipated, especially for owners of Apple’s iPad tablets. iOS 4.2 adds features that allow iPad owners to multi-task: running more than one program at the same time. It also adds a much sought-after wireless printing feature and a desktop folders option that makes it easier to organize similar applications into groups.
For iPhone and iPod Touch users, the update adds support for the Find My iPhone service – a free, Web based locator service for lost devices that was previously available only for users of Apple’s MobileMe service.
iOS is available for download through Apple’s iTunes application immediately. More information on the update is also available on Apple’s Web site.