Apple iPhone security 2.2 update

Version 2.2 of the firmware addresses software flaws in both the iPhone and iPod touch.

Several fixes address problems with the way Safari handles HTML table and iframe elements. An attacker could exploit the flaws to cause memory corruption and execute arbitrary code, Apple said in its advisory.

One of the errors enables an attacker to spoof the user interface, Apple said.

TIFF Image Security Vulnerability

An attacker can exploit a TIFF image handling error by tricking the user into viewing a malicious TIFF image.

CoreGraphics contains memory corruption issues resulting in processing errors.

An attacker can exploit the issues to execute arbitrary code or conduct a denial-of-service (DoS) attack. Some TIFF imaging errors cause the device to reset, Apple said.

Vulnerability in PPTP for VPN authentication

A networking error was also corrected.

An error with the default setting reduced the encryption level for Point-to-Point Tunneling Protocol (PPTP) virtual private network (VPN) connections.

A flaw in Office Viewer could likewise be exploited by an attacker by tricking a user into viewing a malicious Microsoft Excel document.

"Seeing a vindictively created Microsoft Excel record may prompt a startling application end or discretionary code execution," Apple said.

 

Several passcode and SMS messaging errors were also addressed, Apple said.

The software maker also addressed a bug that allowed a user to dial non-emergency numbers when locked out of the iPhone.

 

Danish vulnerability clearinghouse Secunia gave the flaws a highly critical rating.

It said the flaws "can be exploited by malicious people to bypass certain security restrictions, disclose potential sensitive information, conduct spoofing attacks … or potentially compromise a user's system."

 

It is recommended to keep the system updated with the latest patch level.

When connecting your smartphone or laptop to public access points, it is always recommended to connect via a VPN to make sure all the traffic is encrypted and cannot be intercepted by third-party attackers.