46 Vulnerabilities Fixed: The Security Side of iOS 4.2
Article by George Norman
On 25 Nov 2010
Earlier this week Cupertino-based software developer Apple rolled out iOS 4.2 for iPad, iPhone and iPod Touch, just like it promised back in September. There are two good reasons why users would want to get iOS 4.2.
1 – It brings a bunch of nice new features to the iPad (read more about this topic here).
2 – Find My iPhone is now free. You no longer need a MobileMe subscription to use this feature (read more about it here).

There’s a third reason to update to iOS 4.2: security. iOS 4.2 comes with patches for 46 vulnerabilities, including more than a dozen fixes to WebKit, the HTML rendering framework, and a number of fixes to CoreGraphics, FreeType, Mail and Telephony.

So if you want to stay safe and protected, you are well advised to update to the latest iOS version. To get iOS 4.2 all you have to do is sync your iPad, iPhone or iPod Touch with iTunes 10.1.

A detailed list of all the vulnerabilities iOS 4.2 fixes is available here. Out of them all I selected the following four because I thought they deserved mentioning:

iAd Content Display - CVE-2010-3828
Impact: An attacker in a privileged network position may be able to cause a call to be initiated
Description: A URL handling issue exists in iAd Content Display. An iAd is requested by an application, either automatically or through explicit user action. By injecting the contents of a requested ad with a link containing a URL scheme used to initiate a call, an attacker in a privileged network position may be able to cause a call to occur. This issue is addressed by ensuring that the user is prompted before a call is initiated from a link.
Credit: Aaron Sigel of vtty.com

Mail - CVE-2010-3829
Impact: Mail may resolve DNS names when remote image loading is disabled
Description: When WebKit encounters an HTML Link Element that requests DNS prefetching, it will perform the prefetch even if remote image loading is disabled. This may result in undesired requests to remote servers. The sender of an HTML-formatted email message could use this to determine whether the message was viewed. This issue is addressed by disabling DNS prefetching when remote image loading is disabled.
Credit: Mike Cardwell of Cardwell IT Ltd
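
The fix described for CVE-2010-3829 ties DNS prefetching to the same switch that blocks remote images. The sketch below is an added example, not code from the article or from Apple: it re-emits message HTML and drops `<link rel="dns-prefetch">` elements when remote loading is off. The class name, function name and sample hostname are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class MailSanitizer(HTMLParser):
    """Re-emit message HTML, dropping dns-prefetch links when remote loading is off.
    Comments and doctype declarations are dropped (their handlers are not overridden)."""

    def __init__(self, allow_remote):
        super().__init__(convert_charrefs=False)
        self.allow_remote = allow_remote
        self.out = []      # pieces of the sanitized document
        self.blocked = []  # hostnames that would have been resolved

    def handle_starttag(self, tag, attrs):
        if tag == "link" and not self.allow_remote:
            a = {k: (v or "") for k, v in attrs}
            if "dns-prefetch" in a.get("rel", "").lower().split():
                host = urlsplit(a.get("href", "").strip()).hostname
                self.blocked.append(host or "")
                return  # the element never reaches the renderer
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # covers the <link .../> form

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def sanitize(html, allow_remote):
    """Return (sanitized_html, blocked_hostnames)."""
    s = MailSanitizer(allow_remote)
    s.feed(html)
    s.close()
    return "".join(s.out), s.blocked

# Constructed sample: a per-recipient hostname makes the DNS lookup itself the signal.
SAMPLE = ('<html><head><link rel="dns-prefetch" href="//u-1234.tracker.example">'
          '</head><body><p>Hi &amp; bye</p></body></html>')
```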

Networking - CVE-2010-1843
Impact: A remote attacker may cause an unexpected system shutdown
Description: A null pointer dereference issue exists in the handling of Protocol Independent Multicast (PIM) packets. By sending a maliciously crafted PIM packet, a remote attacker may cause an unexpected system shutdown. This issue is addressed through improved validation of PIM packets. This issue does not affect devices running iOS versions prior to 3.2.
Credit: An anonymous researcher working with TippingPoint's Zero Day Initiative

Photos - CVE-2010-3831
Impact: "Send to MobileMe" may result in the disclosure of the MobileMe account password
Description: The Photos application allows users to share their pictures and movies through various means. One way is the "Send to MobileMe" button, which uploads the selected contents to the user's MobileMe Gallery. The Photos application will use HTTP Basic authentication if no other authentication mechanism is presented as available by the server. An attacker with a privileged network position may manipulate the response of the MobileMe Gallery to request basic authentication, resulting in the disclosure of the MobileMe account password. This issue is addressed by disabling support for Basic authentication.
Credit: Aaron Sigel of vtty.com
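
The Photos issue (CVE-2010-3831) is an authentication downgrade: the client accepts whatever scheme the response advertises. The sketch below is an added example, not code from the article or from Apple; it contrasts a client that falls back to Basic with one that refuses it, and shows why a Basic header discloses the password. Digest as the stronger scheme, the function names and the sample credentials are assumptions, since the advisory does not name the other mechanism.

```python
import base64

# Assumption: the advisory does not name the non-Basic mechanism; Digest stands in for it.
STRONG_SCHEMES = ("digest",)

def offered_schemes(www_authenticate):
    """Scheme names from WWW-Authenticate values, one challenge per value (simplification)."""
    return [v.split(None, 1)[0].lower() for v in www_authenticate if v.strip()]

def choose_scheme(www_authenticate, allow_basic):
    """Pick a scheme; allow_basic=True is the pre-fix behaviour, False the fixed one."""
    schemes = offered_schemes(www_authenticate)
    for strong in STRONG_SCHEMES:
        if strong in schemes:
            return strong
    if "basic" in schemes and allow_basic:
        return "basic"
    return None  # refuse to authenticate rather than downgrade

def basic_header(user, password):
    """Authorization header value a Basic client would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def recover_from_basic(header):
    """Basic is base64 encoding, not encryption: the header decodes to the password."""
    _, token = header.split(None, 1)
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

# Constructed challenges: what the genuine server offers vs. a tampered response.
GENUINE = ['Digest realm="gallery", nonce="abc123", qop="auth"']
TAMPERED = ['Basic realm="gallery"']
```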



Tags: Apple, iOS 4.2, Security
About the author: George Norman
George is a news editor.