The WebKit open source web browser received the most fixes, with 27 separate vulnerabilities patched. There are numerous fixes to prevent code executions after visiting maliciously crafted websites.
Also, Apple fixed a WebKit vulnerability that allows a hacker to initiate a call from the iAd Content Display. As Apple describes it: “An iAd is requested by an application, either automatically or through explicit user action. By injecting the contents of a requested ad with a link containing a URL scheme used to initiate a call, an attacker in a privileged network position may be able to cause a call to occur. This issue is addressed by ensuring that the user is prompted before a call is initiated from a link.”
In addition, Apple warned that a networking vulnerability enables a remote attacker to cause an unexpected system shutdown. Apple explains: “A null pointer dereference issue exists in the handling of protocol independent multicast (PIM) packets. By sending a maliciously crafted PIM packet, a remote attacker may cause an unexpected system shutdown. This issue is addressed through improved validation of PIM packets.”
Commenting on the Apple iOS 4.2 release, Graham Cluley with Sophos said that it is “critical that users of Apple’s popular gadgets update their operating system as soon as possible.”
Cluley continued: “Fixes included in the iOS 4.2 update include patches for the web browser. Without these users could be at risk when they visit booby-trapped websites—code embedded on the website could cause iOS applications to crash, or even plant and run malicious code on the device. In addition, iOS 4.2 fixes a flaw which made it possible for hackers to push malicious configuration files onto iPhones, iPads and iPod Touches, and a problem with the way Excel files can be imported that could lead to malicious code being executed.”
The iOS 4.2 update can be downloaded to an iPhone, iPad or iPod Touch via iTunes “when syncing a compatible device”, Apple said. According to MacStories, iOS 4.3 will be available in mid-December.