Numerous security issues fixed in iOS 4, according to a document posted online by the iPhone maker

Jun 22, 2010 07:55 GMT  ·  By

Apple’s Support area now features a new knowledge base document entitled “About the security content of iOS 4.” In what was an expected move, Cupertino’s electronics and software giant has made all the recently found iOS vulns public. Over 60 security issues have been addressed in the software, most of which are WebKit-bound (as it was the case with Safari 5.0 and iTunes 9.2).

Many of the addressed bugs affect iOS 2.0 through 3.1.3, although some issues are typical to one firmware version for one, or more specific device models (including the iPhone and iPod touch).

For example, according to Apple, “The Application Sandbox does not prevent applications from directly accessing the user's photo library. This may allow an application to determine visited locations without authorization.” Affecting iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later, the issue is addressed “by modifying the Application Sandbox to prevent direct access to the user's photo library,” Apple says. The company credits a person named Zac White for finding and reporting the bug.

A couple of passcode lock issues are mentioned, one of which is described as follows: “If the device is unlocked in response to an alert, such as receiving a text message or voicemail, and MobileMe is then used to Remote Lock the device, then the next unlock of the device will have the passcode already entered. A person with physical access to the device will not require the passcode in this situation. This issue is addressed by properly clearing the passcode.” Sidney San Martin of DeepTech, Inc. is responsible for pointing this out to Apple.

The iPhone’s Safari web browser seems to be pretty vulnerable in the face of third-party cookies, maliciously crafted URLs and websites, etc. Even a Settings issue is being addressed in iOS 4, with Apple changing the way users are shown the active wireless network. Previously, a user could be misled as to the actual operational wireless network because of a design issue that existed in the Settings application. “When connected a hidden wireless network, the Settings application may incorrectly indicate another wireless network,” Apple explains. Updating to iOS 4 will fix this.

Apple outlines that iOS 2.0 through 3.1.3 is also vulnerable to an issue where applications that convert untrusted data between binary floating point and text may experience an unexpected application termination or arbitrary code execution. Visit Apple here to see the complete list of security issues addressed in iOS 4 for iPhone and iPod touch.