Apple's new version of iOS for the iPhone, iPad and iPod Touch includes 100 well-documented new features, including wireless streaming (AirPlay), wireless printing (AirPrint) and a free app for recovering lost or stolen devices.
But, according to Apple, the update also addresses more than 40 security issues, 27 of which relate to the WebKit open source web browser engine. Furthermore, based simply on the iOS fixes, security experts recommend that existing iOS users get patched, and without delay.
"It's critical that users of Apple's popular gadgets update their operating system as soon as possible," said Graham Cluley, senior technology consultant at Sophos. "Fixes included in the iOS 4.2 update include patches for the web browser. Without these, users could be at risk when they visit booby-trapped websites -- code embedded on the website could cause iOS applications to crash, or even plant and run malicious code on the device."
He said that iOS 4.2 also fixes "a problem with the way Excel files can be imported that could lead to malicious code being executed."
Another vulnerability addressed by the iOS update is a heap buffer overflow, which is due to how the font-handling engine FreeType handles tricky TrueType opcodes. Because of the buffer overflow vulnerability, Apple said that "viewing a PDF document with maliciously crafted embedded fonts may lead to an unexpected application termination or arbitrary code execution." As a fix, Apple included "improved bounds checking."
On the privacy front, Apple patched the iOS Mail application to disable DNS prefetching, which continued to execute even when remote-image loading was disabled. Apple said that this could "result in undesired requests to remote servers" and that "the sender of an HTML-formatted email message could use this to determine whether the message was viewed."
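The gap between blocking remote images and blocking name lookups can be seen by auditing a message body, as in this added example (not Apple's code or part of the original article). It assumes the prefetch candidates are link targets and explicit `dns-prefetch` hints, as in browser engines; the sample message, its hostnames and the `TOKEN_LABEL` heuristic are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed heuristic: a long hex-like leftmost label suggests a per-message hostname.
TOKEN_LABEL = re.compile(r"^[0-9a-f]{16,}$")

class HostCollector(HTMLParser):
    """Sort hostnames in an HTML mail body by how the client would reach them."""
    def __init__(self):
        super().__init__()
        self.image_hosts = set()    # contacted only if remote images load
        self.lookup_hosts = set()   # DNS prefetch candidates (links, hints)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "img":
            self._add(self.image_hosts, a.get("src"))
        elif tag == "a" or (tag == "link" and "dns-prefetch" in rel):
            self._add(self.lookup_hosts, a.get("href"))

    @staticmethod
    def _add(bucket, url):
        try:
            host = urlsplit(url or "").hostname
        except ValueError:          # malformed URL: nothing to resolve
            host = None
        if host:
            bucket.add(host.lower())

def audit(html_body):
    """Report which hosts the image setting covers and which it does not."""
    c = HostCollector()
    c.feed(html_body)
    c.close()
    flagged = [h for h in c.lookup_hosts if TOKEN_LABEL.match(h.split(".")[0])]
    return {"covered_by_image_setting": sorted(c.image_hosts - c.lookup_hosts),
            "resolvable_with_images_off": sorted(c.lookup_hosts),
            "per_message_looking": sorted(flagged)}

# Constructed sample message body (hostnames are placeholders).
SAMPLE = """<html><head>
<link rel="dns-prefetch" href="//9f2c4a7be01d3358.t.example.net">
</head><body><p>Quarterly report attached.</p>
<a href="http://www.example.com/report">Read online</a>
<img src="http://img.example.org/pixel.gif" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for key, hosts in audit(SAMPLE).items():
        print(key, hosts)
```

Hosts listed under `resolvable_with_images_off` are the ones a mail gateway or client would need to strip or neutralize for the "do not load remote images" setting to give the privacy it implies.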
The iOS 4.2 update can be downloaded to an iPhone, iPad or iPod Touch via iTunes.