iOS 4.2 includes massive security update for iPad and iPhone

All of the attention has been focused on the enhancements, while more than 80 security fixes flew in under the radar.

Apple has finally released the highly-anticipated iOS 4.2. While the attention around iOS 4.2 has been focused on the enhancements and new features -- particularly for the iPad, the update also fixes more than 80 vulnerabilities in the iPhone, iPod, and iPad.

It is common knowledge that iOS 4.2 introduces features like multitasking -- or at least Apple's pseudo version of multitasking -- a unified e-mail inbox, and the ability to organize apps by grouping them in folders to the iPad. It also includes a variety of enhancements aimed at IT admins that make it easier to manage and protect iPads connected to a corporate network. The massive barrage of security updates, however, flew in under the radar.

It's not that Apple is unwilling to admit that there are security issues, but Apple policy dictates that the vulnerabilities not be publicly disclosed until the patch is available. An Apple Web page detailing the security updates in iOS 4.2 explains, "For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."

So, now that iOS 4.2 is out and the "patches or releases are available" it is safe to let you know that your iPhone, iPod, and iPad have been virtually Swiss cheese from a security standpoint. The iPhone and iPad are both now protected against more than 80 vulnerabilities -- many with critical security implications -- that most users were not even aware existed two days ago.

For example, viewing a PDF file is a relatively common task for an iPhone or iPad. According to Apple, it is also a potentially risky task on pre-iOS 4.2 devices. "A heap buffer overflow exists in FreeType's handling of TrueType opcodes [CVE-2010-3814]. Viewing a PDF document with maliciously crafted embedded fonts may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking."

If you have surfed the Web on an iPhone or iPad, you might be interested to learn that a vast array of flaws exist that could allow an attacker to execute arbitrary malicious code on your device. There is also a vulnerability which reveals your surfing history. "A design issue exists in WebKit's handling of the CSS :visited pseudo-class. A maliciously crafted website may be able to determine which sites a user has visited. This update limits the ability of web pages to style pages based on whether links are visited."

These are just a few examples. Many of the more than 80 flaws addressed in iOS 4.2 have very serious security implications. While the general public wasn't aware of these flaws, attackers probably were. If they weren't they are now -- so the clock is ticking to get the iOS 4.2 update applied before malicious developers find ways to exploit these vulnerabilities.

Join the CSO newsletter!

Error: Please check your email address.

Tags Apple iOS 4.2patches & driversiphone 4tabletssoftwareoperating systemsAppleMac OSapple iphoneapple ipadiOS 4.2security

More about Appleetwork

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tony Bradley

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place