Apple iOS 6.0.1 update fixes four security holes

The iOS platform gets an update to 6.0.1 to fix security and stability problems. WebKit holes and kernel faults are among the bugs Apple has patched.

This week Apple issued the iOS 6.0.1 update to fix security and stability flaws in its iOS platform. The update addresses four vulnerabilities and includes a range of stability patches.

These patches include a fix for a kernel data leakage issue (CVE-2012-3749) in API handling related to kernel extensions, which may lead to kernel address disclosure. Responses containing an ‘OSBundleMachOHeaders’ key can divulge the kernel addresses they include, which may result in subversion of iOS’ address space layout randomization (ASLR) feature. Apple fixes this issue by unsliding the addresses, that is, removing the randomized ASLR offset from them, before they are returned.
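The unsliding fix described above, sketched as an added example (not Apple's code and not part of the original article): walk the load commands in a private copy of a 32-bit Mach-O header block and subtract the ASLR slide from each segment and section address before the copy is handed back. The struct layouts follow the Mach-O format; the function names, the sample header and the slide value used with it are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LC_SEGMENT 0x1u /* Mach-O 32-bit segment load command */
/* 32-bit Mach-O layouts, declared locally so this builds off-device. */
struct mach_header { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags; };
struct segment_command { uint32_t cmd, cmdsize; char segname[16];
    uint32_t vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags; };
struct section { char sectname[16], segname[16];
    uint32_t addr, size, offset, align, reloff, nreloc, flags, reserved1, reserved2; };
enum { MH = sizeof(struct mach_header), SEG = sizeof(struct segment_command), SEC = sizeof(struct section) };

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void unslide32(uint8_t *p, uint32_t slide) { uint32_t v = rd32(p) - slide; memcpy(p, &v, 4); }

/* Unslide every segment and section address in buf, a private copy of the
   headers. Returns addresses rewritten, or -1 if malformed (discard buf). */
int unslide_headers(uint8_t *buf, size_t len, uint32_t slide) {
    if (len < MH) return -1;
    struct mach_header mh; memcpy(&mh, buf, MH);
    if (mh.sizeofcmds > len - MH) return -1;
    size_t off = MH, end = MH + mh.sizeofcmds;
    int fixed = 0;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        if (end - off < 8) return -1;                 /* room for cmd + cmdsize */
        uint32_t cmd = rd32(buf + off), cmdsize = rd32(buf + off + 4);
        if (cmdsize < 8 || cmdsize > end - off) return -1;
        if (cmd == LC_SEGMENT) {
            if (cmdsize < SEG) return -1;
            uint8_t *seg = buf + off, *sec = seg + SEG;
            uint32_t nsects = rd32(seg + offsetof(struct segment_command, nsects));
            if (nsects > (cmdsize - SEG) / SEC) return -1;
            unslide32(seg + offsetof(struct segment_command, vmaddr), slide); fixed++;
            for (uint32_t s = 0; s < nsects; s++, sec += SEC, fixed++)
                unslide32(sec + offsetof(struct section, addr), slide);
        }
        off += cmdsize;
    }
    return fixed;
}

/* Constructed sample: header, one __TEXT segment, one __text section. */
struct sample { struct mach_header mh; struct segment_command sg; struct section sc; };
struct sample make_sample(uint32_t slide) {
    return (struct sample){ { 0xfeedfaceu, 12, 9, 2, 1, SEG + SEC, 0 },
        { LC_SEGMENT, SEG + SEC, "__TEXT", 0x80001000u + slide, 0x1000, 0, 0, 5, 5, 1, 0 },
        { "__text", "__TEXT", 0x80001100u + slide, 0x100, 0, 0, 0, 0, 0, 0, 0 } };
}
```

The bounds checks matter as much as the subtraction: a header block whose command sizes or section counts do not add up is rejected rather than partially rewritten and returned.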

A flaw in the way Passbook passes were handled (CVE-2012-3750) has also been fixed. This could allow a person with physical access to the device to access Passbook without entering the device passcode. Passbook on iOS devices can store a wide range of sensitive personal information.

Two drive-by remote code execution flaws in iOS’ WebKit implementation have also received patches. One is a ‘time of check to time of use’ issue (CVE-2012-3748) in the handling of JavaScript arrays, which has been patched by additional validation of JavaScript arrays. The other WebKit flaw is a ‘use after free’ issue (CVE-2012-5112) in scalable vector graphics (SVG) image handling, which has been fixed through improved memory handling. According to Apple’s security advisory, both may lead to arbitrary application termination or code execution.

The update is expected to fix issues preventing iPhone 5 handsets from receiving over-the-air (OTA) updates. Patches are included for keyboard display issues, problems with encrypted connections, and wireless networking. iOS users can update to iOS 6.0.1 via iTunes or use OTA utilities on iOS devices.
