iOS 4 Addresses Over 60 Security Vulnerabilities
Apple has posted a new support document outlining the security content of iOS 4, released earlier today. The document covers well over 60 security vulnerabilities addressed with the new release for the operating system behind Apple's mobile devices. Fifty of the security issues addressed involve WebKit, the engine behind Apple's mobile Safari browser included on all iOS devices, while a handful of other issues affect the specific Safari implementation of WebKit in iOS.
One issue addressed in iOS 4 involves the ability of third-party applications to access a user's photo library, indirectly allowing the applications to infer a user's location without explicit authorization via the geolocation information. iOS 4 addresses the issue by modifying the Application Sandbox to prevent direct access to the photo library.
Four of the fixed vulnerabilities affect the operating system's ImageIO framework and could have allowed maliciously crafted BMP, TIFF or JPEG images to lead to security breaches. iOS 4 also addresses a pair of flaws in the Passcode Lock system in which remote locking via MobileMe could result in the password already being entered at the next unlock or unauthorized pairing of a locked device to a computer could occur soon after initial booting following a shutdown in an unlocked state.
iOS 4 also addresses an issue with the Settings application in which a device connected to a hidden Wi-Fi network could incorrectly indicate that is connected to a different network. Finally, an assortment of other issues primarily involving overflow conditions that could lead to crashes or arbitrary code execution have also been fixed in CFNetwork, LibSystem, and libxml.