Apple Update Patches Critical Flaws For iPad, iPhone, iPod

Users anticipating an iPad or an iPodTouch for the holidays will also be getting a device less susceptible to hacker attacks.

In addition to enhancing a plethora of AirPrint and Gaming Center features for iPad, iPhone and iPod Touch, Apple's massive iOS 4.2 update, released Monday, repaired a multitude of pending security vulnerabilities for the company's mobile platforms.

Altogether, the comprehensive update repaired around 40 glitches, including serious flaws in WebKit, Coregraphics, ImageIO, FreeType, Photos, Safari, and Telephony among others.

The bulk of the security update was dedicated to Apple's WebKit with at least 27 fixes for vulnerabilities, the majority of which led to remote code execution attacks.

The update addressed major flaws in the way WebKit handled just about everything, including SVG documents, inline styling, CSS boxes, Web sockets, Text objects, editing commands, JavaScript and Geo-location features.

Almost all of the WebKit flaws opened the door for remote code execution. Attackers could launch a malicious attack by creating a specially crafted Website and then tricking users into visiting the site, typically through some kind of social engineering. Users would download malicious code onto their computers once they clicked on the malicious links, which enabled the remote attackers to either shut down or take control of users' machines.

Another WebKit fix included a Safari glitch that enabled Websites to track users' online behavior without using cookies, hidden form elements, IP addresses or other techniques.

In addition, the update included two fixes for Networking errors stemming from null and invalid pointer deference issues in the handling of Protocol Independent Multicast (PIM) packets and packet filter rules. Hackers who exploited the vulnerabilities could cause a user's computer to shut down in a denial of service attack, or use malicious code to gain unauthorized access to the user's system.

Meanwhile, Safari also received a patch for a bug that prevented passwords from being removed from memory when the users pressed the "Reset Safari" button, giving users who later accessed the device within a short timeframe the ability to acquire the stored credentials. The glitch would likely have the most significant impact for users sharing public computers in a library, Internet cafe or university, for example.

The massive update also prevented users from becoming victims of arbitrary code execution attacks when receiving attached documents. Apple repaired a FreeType heap buffer overflow error that enabled hackers to infect users by placing maliciously crafted fonts in a PDF document, and also repaired a critical memory corruption OfficeImport vulnerability that enabled hackers to take complete control of a user's computer via an infected Excel file.

Next: Experts Emphasize Need To Install Updates

Security experts underscored the necessity for users to apply the patches as soon as possible.

"It's critical that users of Apple's popular gadgets update their operating system as soon as possible. Fixes included in the iOS 4.2 update include patches for the web browser," said Graham Cluley, Sophos senior technology consultant, in a blog post. "Without these, users could be at risk when they visit booby-trapped websites - code embedded on the website could cause iOS applications to crash, or even plant and run malicious code on the device."

Just days after the Apple's iOS 4.2 became available, rumors circulated that the release of iOS version 4.3 is just around the corner, anticipated sometime in December. Apple, however, declined to confirm the rumors.