Apple Issues Security Update to Mitigate Security Flaws

Recently, Apple released security updates to address multiple vulnerabilities in various products.
 
April 19, 2011 - PRLog -- Recently, Apple released four security updates to address multiple vulnerabilities in various products. One of the security updates by the company blacklists fraudulent SSL certificates issued by a registration authority affiliated to Comodo. The fraudulent certificates may lead to man-in-the-middle attack allowing an attacker to intercept sensitive information such as user credentials.  The update is applicable to Mac OS X v10.5.8 and v10.6.7, and Mac OSX Server v10.5.8 and v10.6.7. The security update for Safari addresses security flaws in WebKit. The update mitigates integer overflow issue in the handling of nodesets and use after free issue in the handling of text nodes. Exploitation of these security flaws could cause execution of arbitrary code or lead to application termination, if a user visits a maliciously crafted website.

The developer has issued software update for iPhone. The update blacklists fraudulent certificates issued by a Comodo registration authority, which could have allowed interception of sensitive information. The software update mitigates integer overflow issue and use-after issue in WebKit. The update also fixes a memory corruption issue in QuickLook's handling of Microsoft Office files. Viewing a malicious crafted office file could lead to unexpected termination of an application or cause arbitrary code execution. The software update is applicable to iOS 4.2.5 to 4.2.6 for iPhone 4.

Apple has also issued software update for iOS 4.3.2. The update blacklists fraudulent certificates, and addresses memory corruption issue in QuickLook, integer overflow issue and use-after free issue in WebKit, and a flaw associated with libxslt. The implementation of generate-id() XPath function by libxslt discloses the addresses on the heap buffer on visiting a maliciously crafted website. The vulnerability helps the attackers in circumventing address space layout randomization protection. The software update resolves the issue by creating an ID based on the difference between addresses of two heap buffers. The software update is available for iOS 3.0 to 4.3.1 for iPhone 3GS and later versions, iOS 3.1 to 4.3.1 for iPod touch third generation and later versions and iOS 3.2 to 4.3.1 for iPad.

Usually, security professionals qualified in IT degree programs and security certifications such as penetration testing identify and mitigate weaknesses. In this case, the vulnerabilities were identified by security researchers affiliated to various organizations such as Vupen Security, Tipping Point and Google Chrome security team among others.

Users must adhere to the security updates to prevent exploitation of vulnerabilities by attackers. Online IT courses and tutorials may help users in understanding and preventing security threats. Adherence to security advisories, recommendations by researchers on security blogs and security guidelines could help users to safeguard devices from sophisticated attacks and avoid disclosure of sensitive information.

Developers face constant challenge of manufacturing products, which not only add to the convenience of the end-user, but also ensure security from sophisticated threats. Information security is crucial for retaining the trust of end-users and ensuring popularity of products. E-learning and online IT degree programs may help software professionals to improve their expertise, and deliver products with better security features and mechanisms.

Contact Press
EC-Council
Website: http://www.eccuni.us
Email:  iclass@eccouncil.org
Tel:  505-341-3228

EC-Council University is based in Albuquerque, New Mexico and offers Master of Security Science (MSS) degree to students from various backgrounds such as graduates, IT Professionals, and military students amongst several others. The MSS is offered as a 100% online degree program and allows EC-Council University to reach students from not only the United States, but from all around the world.

EC-Council is a member-based organization that certifies individuals in cybersecurity and e-commerce skills. It is the owner and developer of 16 security certifications, including Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/License Penetration Tester (LPT). Its certificate programs are offered in over 60 countries around the world.

EC-Council has trained over 80,000 individuals and certified more than 30,000 members, through more than 450 training partners globally. These certifications are recognized worldwide and have received endorsements from various government agencies including the U.S. federal government via the Montgomery GI Bill, Department of Defense via DoD 8570.01-M, National Security Agency (NSA) and the Committee on National Security Systems (CNSS). EC-Council also operates the global series of Hacker Halted security conferences.

# # #

iClass is EC- Council's online training delivery platform. Students can attend live, or recorded training sessions for courses such as Certified Ethical Hacker (CEH), Certified Security Analyst (ECSA) or Computer Hacking Forensic Investigator (CHFI).
End
EC-Council News
Trending
Most Viewed
Daily News



Like PRLog?
9K2K1K
Click to Share