Apple Mitigates Multiple Security Vulnerabilities

By Author: eccuni
Total Articles: 211
Comment this article

Recently, Apple released four security updates to address multiple vulnerabilities in various products. One of the security updates by the company blacklists fraudulent SSL certificates issued by a registration authority affiliated to Comodo. The fraudulent certificates may lead to man-in-the-middle attack allowing an attacker to intercept sensitive information such as user credentials. The update is applicable to Mac OS X v10.5.8 and v10.6.7, and Mac OSX Server v10.5.8 and v10.6.7. The security update for Safari addresses security flaws in WebKit. The update mitigates integer overflow issue in the handling of nodesets and use after free issue in the handling of text nodes. Exploitation of these security flaws could cause execution of arbitrary code or lead to application termination, if a user visits a maliciously crafted website.

The developer has issued software update for iPhone. The update blacklists fraudulent certificates issued by a Comodo registration authority, which could have allowed interception of sensitive information. The software update mitigates integer overflow issue and use-after issue in WebKit. ...
... The update also fixes a memory corruption issue in QuickLook's handling of Microsoft Office files. Viewing a malicious crafted office file could lead to unexpected termination of an application or cause arbitrary code execution. The software update is applicable to iOS 4.2.5 to 4.2.6 for iPhone 4.

Apple has also issued software update for iOS 4.3.2. The update blacklists fraudulent certificates, and addresses memory corruption issue in QuickLook, integer overflow issue and use-after free issue in WebKit, and a flaw associated with libxslt. The implementation of generate-id() XPath function by libxslt discloses the addresses on the heap buffer on visiting a maliciously crafted website. The vulnerability helps the attackers in circumventing address space layout randomization protection. The software update resolves the issue by creating an ID based on the difference between addresses of two heap buffers. The software update is available for iOS 3.0 to 4.3.1 for iPhone 3GS and later versions, iOS 3.1 to 4.3.1 for iPod touch third generation and later versions and iOS 3.2 to 4.3.1 for iPad.

Usually, security professionals qualified in IT degree programs and security certifications such as penetration testing identify and mitigate weaknesses. In this case, the vulnerabilities were identified by security researchers affiliated to various organizations such as Vupen Security, Tipping Point and Google Chrome security team among others.

Users must adhere to the security updates to prevent exploitation of vulnerabilities by attackers. Online IT courses and tutorials may help users in understanding and preventing security threats. Adherence to security advisories, recommendations by researchers on security blogs and security guidelines could help users to safeguard devices from sophisticated attacks and avoid disclosure of sensitive information.

Developers face constant challenge of manufacturing products, which not only add to the convenience of the end-user, but also ensure security from sophisticated threats. Information security is crucial for retaining the trust of end-users and ensuring popularity of products. E-learning and online IT degree programs may help software professionals to improve their expertise, and deliver products with better security features and mechanisms.