News

Apple iOS 6.0.1 update fixes four security holes

SearchSecurity.in Staff

This week Apple issued fixes for flaws in its iOS platform to address security and stability issues, with the iOS 6.0.1 update. The update addresses four vulnerabilities, as well as a range of stability patches.

These patches include a kernel data leakage issue (CVE-2012-3749) in API handling related to kernel extensions, which may lead to kernel address disclosure. Responses containing an ‘OSBundleMachOHeaders’ key can divulge included kernel addresses, which may result in subversion of iOS’ address space layout randomization (ASLR) feature. Apple fixes this issue by unsliding the addresses prior to their return.

A flaw in the way Passbook passes were handled (CVE-2012-3750) has got fixes. This could allow a person with physical access to the device to access Passbook without entering the device passcode. Passbooks on iOS devices can store a wide range of sensitive personal information.

Two drive-by remote code execution flaws in iOS’ WebKit implementation have also received patches. One addresses a ‘time of check to time of use’ issue (CVE-2012-3748) while handling JavaScript arrays. This has been patched by additional validation of JavaScript arrays. The other WebKit flaw concerns a ‘use after free’ issue (CVE-2012-5112) in scalable vector graphics (SVG) image handling, which has been fixed through improved memory handling. According to Apple’s

    Requires Free Membership to View

security advisory, both may lead to arbitrary application termination or code execution.

The update is expected to fix issues preventing iPhone 5 handsets from receiving over-the-air (OTA) updates. Patches are included for keyboard display issues, problems with encrypted connections, and wireless networking. iOS users can update to iOS 6.0.1 via iTunes or use OTA utilities on iOS devices.