Bugs and Fixes: Apple Patches Safari and iOS Holes, Skype Blocks XSS Hole
By James Mulroy, PCWorldAug 5, 2011 5:15 pm PDT
What’s new in the land of secuirty fixes? Over the last couple weeks, Apple released a fix to iOS, Google updated Chrome, and Skype patched a nasty server-side bug. Read on to get caught up on the latest patches.
iOS and Safari
If you own an Apple product, you’ll want to make sure you’re up to date. Apple recently released a number of updates that fix various security vulnerabilities affecting iOS and its Safari Web browser.
Safari 5.0.6 and Safari 5.1 both fix a flaw that could let an attacker to execute code on your system and may cause the browser to crash. The Safari 5.1 update includes the latest security fixes as well as a number of new features–visit apple.com/safari for additional information.
Apple also patched a PDF- and font-handling vulnerability in Safari for iOS that was used to jailbreak various Apple devices including the iPhone and iPad. Note that opening PDFs in other apps or software do not appear to allow for this type of exploitation. This flaw was also fixed in the CoreGraphics component of iOS 4.3.4 which also played a part in the way that PDFs were viewed.Apple also released a fix to iOS that fixes a problem with data security.
Apple fixed the PDF flaw in iOS 4.3.4, but to correct both of these issues, you should update to iOS 4.3.5 by plugging your iDevice into your computer, and opening iTunes.
Google recently released Chrome 13 (Beta Channel) for Chromebooks (Acer AC700, Samsung Series 5, and CR-48) and they also made a couple updates and fixes.
With the update of Chrome 13 there is currently one known issue: If the modem is disabled while it is trying to connect to 3G, then re-enabling the modem and trying to reconnect to 3G will show that it is connected, although it won’t be. This currently does not pose a security threat. To fix the problem restart the machine. To learn more about this visit Google Chrome Releases blog update.
Chrome version 14.0.835.8 fixes three bugs; one of which prevented users from opening PDF files in the Chrome PDF viewer, another vulnerability had incorrect gesturing commands which resulted in hand gesturing to go to one page (forward) going the opposite direction. Unfixed issues for Chromebooks include certain browser crashes and kernel crashes.
To learn more about these updates–and to download them–visit Google Chrome Releases. Be warned that Google often leaves information regarding these bugs and fixes locked from the public until a significant portion of the user base has updated.
Skype fixed a Cross Site Scripting (XSS) bug–a type of security vulnerability that allows attackers to put malicious content onto a web page that others could view later. If exploited, this flaw could take you to a malicious site or result in pop-up ads
In order for you to be affected, the attacker would have to be one of your accepted contacts.
Skype has since fixed the issue, and it requires you to perform no updates, since the bug is on their end. However, Skype encourages you to keep your Skype client up date since the company frequently releases updates that improve security and add features. Visit Skype Security to get the full details on this bug.