One security flaw fixed in the update involved URL spoofing in Safari. “This could be used in a malicious web site to direct the user to a spoofed site that visually appeared to be a legitimate domain. This issue is addressed through improved URL handling. This issue does not affect OS X systems”, Apple said in its security advisory. Apple credited David Vieira-Kurz with MajorSecurity for uncovering the flaw.
A second flaw is a WebKit cross-site scripting issue in which “visiting a maliciously crafted website may lead to a cross-site scripting attack”, Apple explained. The company acknowledged Sergey Glazunov working with Google’s Pwnium contest for finding the flaw.
The third flaw involves a WebKit memory corruption issue in which “visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution”, the company added. Apple gave a nod to Adam Barth and Abhishek Arya of the Google Chrome Security Team for identifying the vulnerability.
Paul Ducklin, head of technology, Asia Pacific, at Sophos, warned that these flaws should be considered “serious” by Apple mobile device users. “I’d recommend updating iOS 5.1.1 as soon as you reasonably can”, he advised.