Apple and Adobe release updates
Apple has released iOS 5.0.1 to address several issues including battery life on its new operating system.
Mac security firm Intego said that in addition to several bug fixes and improvements, this update contains fixes for network access, fonts, kernel issues and the passcode lock. It also pointed to a fix for a logic error that existed in MMAP.
This issue was discovered and publicised by security researcher Charlie Miller, who claimed that he had informed Apple about the bug before they removed his program from the App Store.
Miller discovered a serious security flaw in iOS that allowed Apple devices to run unapproved code. He created a stock market monitoring app called 'InstaStock', which passed the review process because it contained nothing suspicious for the review to discover. Instead, the app downloaded the malicious code later, once it had been installed on a phone or tablet.
Paul Ducklin, head of technology for Sophos Asia Pacific, said: “Apple, which has been rather tardy in coming to the security party, wasn't best pleased. The company threw out Miller's proof-of-concept software, excommunicated him from the Apple developer program and banned him from the App Store for at least a year, according to reports.
“The video didn't have an entirely negative outcome for Miller. He's now getting plenty of advance publicity for his research, which he'll be presenting at SyScan '11 in Taiwan next week.”
Andrew Storms, director of security at nCircle, said: “It's obvious that Miller really got under Apple's skin. This must be some kind of record - Apple ousted him from the developer program and then patched his bug in record time.
“Now we know Apple can patch serious security flaws quickly, the turn-around on this bug was surprising. Charlie's critical flaw definitely has the potential to eat away at the trust Apple has carefully developed with users, partners and developers.”
Intego also pointed out that this is the first iOS update to be available via 'over the air' (OTA) updating.
Also patching this week was Adobe, which issued a security update to fix critical vulnerabilities in its Flash Player.
The update affects Flash Player 22.214.171.124 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 126.96.36.199 and earlier versions for Android. Adobe claimed that the vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.
Earlier this week, Adobe reconfirmed its commitment to 'aggressively contribute' to HTML5, with many media reports claiming that this spelt the end for Flash Player on mobile devices.
Engadget said HTML5 is a platform with broader support and capabilities than Flash can deliver, and while Adobe will be pushing developers to work in its AIR platform for a more native experience and continue to work on Flash Player for desktop operating systems, it doubted the long-term future of the software.
Storms said: “This week, IT operations hits the trifecta of security updates: Microsoft, Apple and Adobe. These security updates are sure to affect every single computer user in some way or another.
“Adobe security advisories continue to be the ‘bottom of the barrel’. They are patching a ton of serious bugs today and nearly all of them allow for remote code execution. In keeping with Adobe security update tradition, there's not a word of mitigation advice anywhere in the advisory. This is truly a ‘patch and pray release’. Download it and figure out your own solutions.”