Apple Drops iOS 4.3 and Safari 5.0.4 Security Updates Ahead of Pwn2Own Contest
In awesome day-before-just-to-try-and-screw-with-your-exploits style, Apple has released significant security patches for iOS, Safari and Apple TV. Safari, which is one of the targets at CanSecWest’s Pwn2Own contest where hackers come to demonstrate 0day exploits, has received an update to 5.0.4, and fixes over 62 bugs including major vulnerabilities in WebKit (eg. Errorjacking) and the ImageIO and libxml libraries.
iOS 4.3 patches largely the same issues in MobileSafari, as well as a remote code execution vulnerability in CoreGraphics. iOS is expected to get a lot of attention at Pwn2Own, with at least four researchers having developed exploits. Charlie Miller and Dionysus Blazakis (@dionthegod) have one exploit which doesn’t work on update, although allegedly the vulnerability hasn’t been patched yet.
Whether or not these updates thwart some of the exploits developed for Pwn2Own remains to be seen. It’ll be cool if it prevents at least one. Either way, good job to Apple for trying.
Update: Just found out that target iPhones at Pwn2Own won’t be running the latest iOS 4.3 which does indeed prevent a number of exploits. Here’s a recap of the Pwn2Own action.
Lastly, Apple TV has been updated to 4.2 to patch a couple not-so-critical vulnerabilities in libfreetype and libtiff that could allow code execution if a malicious image were opened.
Hi the jump for the long list of issues fixed in iOS 4.3. Read more
iOS 4.1 New Bug Fixes and Boot ROM Hack
On Wednesday, Apple released iOS 4.1 to the public, bringing a good number of bug fixes including two in potential remote code issues in ImageIO, and many more in WebKit (full details after the jump).
In related news, pod2g – a member of the iPhone Dev Team – announced that an issue in iOS’s bootrom (a very low-level hardware bootloader) could be used to jailbreak future iOS updates (including 4.1) on current iOS devices. Due to the nature of the bootrom, it would be difficult for Apple to fix the flaw without somehow flashing a new bootrom to affected devices. Jailbreakers have been advised to forgo the 4.1 update until a stable bootrom-based jailbreak is developed – although this would leave those iPhone/iPod Touch users open to attack.
Loading ...
