September 29, 2016

Apple Releases iOS 5.0.1 To Kill Code-signing Bug

Apple has released iOS 5.0.1 for the iPhone, iPad and iPod Touch to fix half a dozen security vulnerabilities, including the code-signing bug that Charlie Miller discovered recently and the iPad 2 Smart Cover lock-screen bug.

A few days ago Charlie exposed a flaw in Apple’s code-signing system, which is what ensures that only Apple-approved applications can run on an iPhone or iPad. Had Apple not fixed the issue, a developer could have uploaded an app to iTunes that, once on your phone, ran new code that Apple never had a chance to review. That in turn would let malware into Apple’s tightly controlled ecosystem.

According to Apple’s security note, Charlie’s flaw was a logic error in the mmap system call’s checking of valid flag combinations: a combination of mapping flags that the kernel should have refused was accepted, which could be used to bypass the code-signing checks. The issue does not affect devices running iOS versions prior to 4.3.
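To make the defect class concrete, here is an added illustration (not Apple’s code, and not the XNU check or the iOS 5.0.1 bug itself) of a hypothetical code-signing policy over mmap protection and flag combinations, written two ways: a blocklist that rejects the combinations someone thought of, and an allow-list that names the only routes to executable memory. The inputs `signed_file` and `jit_entitled`, the function names and the specific rules are assumptions for the example. Enumerating all 128 possible inputs shows exactly which combinations the blocklist wrongly permits, which is the kind of check a reviewer of flag-validation code wants in a unit test.

```c
/* Added illustration, not Apple's code: hypothetical mmap code-signing policy,
 * blocklist vs allow-list, with exhaustive enumeration of every input combination. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS            /* BSD spelling, or hidden in strict compile modes */
#  ifdef MAP_ANON
#    define MAP_ANONYMOUS MAP_ANON
#  else
#    define MAP_ANONYMOUS 0x20   /* used only as a flag bit; mmap() is never called here */
#  endif
#endif

struct map_req {
    int  prot;          /* PROT_READ | PROT_WRITE | PROT_EXEC */
    int  flags;         /* MAP_PRIVATE or MAP_SHARED, optionally | MAP_ANONYMOUS */
    bool signed_file;   /* hypothetical: file-backed mapping of a validly signed image */
    bool jit_entitled;  /* hypothetical: caller holds a dynamic-codesigning entitlement */
};

/* Policy A (hypothetical): reject the known-bad combinations, pass the rest. */
bool policy_blocklist(const struct map_req *r)
{
    bool anon  = (r->flags & MAP_ANONYMOUS) != 0;
    bool exec  = (r->prot & PROT_EXEC) != 0;
    bool write = (r->prot & PROT_WRITE) != 0;

    if (anon && exec && write && !r->jit_entitled)  /* RWX anonymous memory needs JIT entitlement */
        return false;
    if (!anon && exec && !r->signed_file)           /* executable file mappings must be signed */
        return false;
    return true;                                    /* anything not listed above slips through */
}

/* Policy B (hypothetical): name the only acceptable routes to executable memory. */
bool policy_allowlist(const struct map_req *r)
{
    bool anon  = (r->flags & MAP_ANONYMOUS) != 0;
    bool exec  = (r->prot & PROT_EXEC) != 0;
    bool write = (r->prot & PROT_WRITE) != 0;

    if (!exec)
        return true;                      /* non-executable memory is not a code-signing concern */
    if (anon)
        return r->jit_entitled;           /* anonymous executable memory only for an entitled JIT */
    return r->signed_file && !write;      /* file-backed executable memory: signed and read-only */
}

/* Build the i-th of the 128 possible requests: 3 prot bits + 4 booleans. */
struct map_req request_from_index(unsigned i)
{
    struct map_req r;
    r.prot  = (i & 1 ? PROT_READ : 0) | (i & 2 ? PROT_WRITE : 0) | (i & 4 ? PROT_EXEC : 0);
    r.flags = (i & 8 ? MAP_ANONYMOUS : 0) | (i & 16 ? MAP_SHARED : MAP_PRIVATE);
    r.signed_file  = (i & 32) != 0;
    r.jit_entitled = (i & 64) != 0;
    return r;
}

/* Requests the blocklist accepts but the allow-list refuses: the logic gaps. */
int count_blocklist_gaps(void)
{
    int gaps = 0;
    for (unsigned i = 0; i < 128; i++) {
        struct map_req r = request_from_index(i);
        if (policy_blocklist(&r) && !policy_allowlist(&r))
            gaps++;
    }
    return gaps;
}

/* Requests the allow-list accepts but the blocklist refuses (expected: none). */
int count_allowlist_extra(void)
{
    int extra = 0;
    for (unsigned i = 0; i < 128; i++) {
        struct map_req r = request_from_index(i);
        if (policy_allowlist(&r) && !policy_blocklist(&r))
            extra++;
    }
    return extra;
}

int main(void)
{
    for (unsigned i = 0; i < 128; i++) {
        struct map_req r = request_from_index(i);
        if (policy_blocklist(&r) && !policy_allowlist(&r))
            printf("gap: prot=%c%c%c %s %s signed=%d entitled=%d\n",
                   r.prot & PROT_READ ? 'r' : '-', r.prot & PROT_WRITE ? 'w' : '-',
                   r.prot & PROT_EXEC ? 'x' : '-',
                   r.flags & MAP_ANONYMOUS ? "anon" : "file",
                   r.flags & MAP_SHARED ? "shared" : "private",
                   (int)r.signed_file, (int)r.jit_entitled);
    }
    printf("%d combinations wrongly permitted by the blocklist\n", count_blocklist_gaps());
    return 0;
}
```

The enumeration finds two families the blocklist never considered: anonymous executable memory that is not writable at mmap time (zeroed pages now, but a later protection change is outside this check), and writable private mappings of a signed file, whose copy-on-write pages stop being the signed bytes on first write. Neither is the real iOS 5.0.1 defect; the point is that a flag validator written as "reject what I thought of" has to be checked against an explicit statement of what is allowed, over every combination, not just the cases the author had in mind.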

The other important fix in iOS 5.0.1 is for the iPad 2 Smart Cover bug: when a Smart Cover is opened while a locked iPad 2 is showing the power-off confirmation, the iPad does not request a passcode, so anyone holding the device can get past the lock screen.

Other things fixed in this release include:

  • Visiting a maliciously crafted website may lead to the disclosure of sensitive information. CFNetwork mishandled maliciously crafted HTTP or HTTPS URLs and, when accessing such a URL, could navigate to an incorrect server.
  • Viewing a document containing a maliciously crafted font may lead to arbitrary code execution. Multiple memory corruption issues existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font.
  • An attacker with a privileged network position may intercept user credentials or other sensitive information. Two certificate authorities in the list of trusted root certificates had independently issued intermediate certificates to DigiCert Malaysia, and DigiCert Malaysia had issued certificates with weak keys that it is unable to revoke. An attacker with a privileged network position could intercept user credentials or other sensitive information intended for a site with a certificate issued by DigiCert Malaysia. Because revocation was not available, Apple addressed the issue by configuring the default system trust settings so that DigiCert Malaysia’s certificates are not trusted. Apple credits Bruce Morton of Entrust, Inc. with reporting this issue.
  • Visiting a maliciously crafted website may lead to the disclosure of sensitive information. An issue existed in libinfo’s handling of DNS name lookups: when resolving a maliciously crafted hostname, libinfo could return an incorrect result.

Apple also fixed non-security bugs in iOS 5.0.1, including tweaks intended to extend the battery life of devices running the OS.