- 10 May 2012 14:04
Apple offers iOS 5.1.1 update, fixes some serious vulnerabilities
Apple's latest update to iOS just came out. Version 5.1.1 is more than just a cosmetic fix: it patches at least three security flaws, all of which should be considered serious.
Information about the update can be found in Apple's knowledgebase article DL1521.
Unfortunately, the security reasons for updating sooner rather than later are hard to find from DL1521.
The page leads with a list of five "improvements and bug fixes", none of which is a compelling reason on its own to update now.
As usual, Apple relegates the security content of the update to the well-known landing page HT1222. But when I visited, the most recent security updates in the list were still April's malware-related Flashback fixes.
Nevertheless, the page you need to consult for iOS 5.1.1 does exist - it's HT5278, and if you have an iDevice, I strongly suggest you read it.
Do you work for Apple? If so, please suggest - to the highest authority in the company you dare to email directly - that your employer tweaks its update publishing system. Make sure that HT1222 is updated at the same time as any security-related product update is published, not hours or days later. This will have a positive outcome: your users will apply security fixes more promptly.
To summarise here, iOS 5.1.1 addresses three main security problems:
* Address-bar spoofing. Site X could direct you to site Y, but make it look as though you'd gone to site Z.
Address-bar spoofing is very useful to scammers, phishers and peddlers of malware because it lets them pass off their bogus websites as the real deal.
* Cross-site scripting. When you visit site X, code sucked in from site Y could execute as though it had been served from site X.
XSS (short for cross-site scripting) is always a cause for concern. Web browsers are supposed to enforce a "same-origin" policy. Content from site Y should only be able to see cookies set for site Y, and scripts served from site Y should only be able to connect back to site Y to exchange or request further data.
If a script from site Y can view cookies set for site X, then a crook in control of site Y may be able to recover session authentication data (set by site X when you logged in), and thus to impersonate you online.
* Remote code execution. A maliciously crafted web page might crash your browser in such a way that it ends up running program code secretly embedded in the page.
Executable machine code served up in an untrusted web page should never be able to get near to the CPU without provoking one or more do-you-really-intend-to-do-this dialogs. This helps to protect you from installing malware by mistake.
Any time the Bad Guys get hold of an exploitable remote code execution (RCE) vulnerability, they're laughing. They can sneak malware onto your computer or mobile device without consent or warning. That's always a Very Bad Outcome. (Ask one of the hundreds of thousands of people whose Macs were recently infected with the Flashback Trojan!)
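The same-origin rule and the cookie-scope rule described under the cross-site scripting item above, as an added example that is not part of the original article: a small JavaScript model (runs under Node, which provides the global URL class) of which cookies a script can read, showing why code from site Y, once injected into site X's page, sees site X's session cookie. The hostnames and cookie names are constructed.

```javascript
// Added example, not code from the original article or from Apple: a small
// model of the two scope rules behind the article's same-origin paragraph.
// Real browsers implement these internally; this is a stand-alone sketch.

// A web origin is the (scheme, host, port) triple. Node's global URL drops
// default ports, so "https://x.example:443" and "https://x.example" agree.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname}${u.port ? ":" + u.port : ""}`;
}

// Any difference in scheme, host or port makes two URLs different origins.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Cookie scope is looser than origin scope (RFC 6265 section 5.1.3,
// "domain-match"): a cookie for "site-y.example" is visible to that host
// and its subdomains, but never to "site-x.example" or "notsite-y.example".
// A literal IP address only matches itself.
function cookieDomainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// What a browser checks when script reads document.cookie: each cookie's
// domain against the host of the document the script runs in, not against
// where the script file was fetched from. That is why the XSS case matters:
// Y's code, once injected into X's page, runs as X and sees X's cookies.
function cookiesVisibleTo(documentUrl, cookieJar) {
  const host = new URL(documentUrl).hostname;
  return cookieJar
    .filter((c) => cookieDomainMatches(host, c.domain))
    .map((c) => c.name);
}

// Constructed sample cookie jar (not real data).
const SAMPLE_JAR = [
  { name: "x_session", domain: "site-x.example" },
  { name: "y_prefs", domain: "site-y.example" },
];

// Y's own page sees only Y's cookie; a page on X sees X's session cookie.
// cookiesVisibleTo("https://site-y.example/", SAMPLE_JAR) -> ["y_prefs"]
// cookiesVisibleTo("https://site-x.example/", SAMPLE_JAR) -> ["x_session"]
```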
Bottom line: I'd recommend updating to iOS 5.1.1 as soon as you reasonably can.
PS. Note to jailbreakers. Yes, you can update too, at least if you have an iDevice with an A4 chip. (That excludes newer devices such as the iPhone 4S, the iPad 2 and the iPad which came after the iPad 2.) As with iOS 5.1, it's a tethered jailbreak. That means you need to connect your device to your computer and use the jailbreaking tool when you reboot.