Apple released several security updates this week, addressing a number of vulnerabilities across its products, ranging from Mac OS X to the Safari Web browser and the iOS that runs on iPhones, iPads and iPods.
Several of the updates addressed the incident surrounding the fraudulent SSL certificates recently issued by a Comodo affiliate registration authority, which could allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information.
A summary of the security updates released by Apple is below:
Security Update 2011-002: Addresses a vulnerability in the Certificate Trust Policy for Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.7 and Mac OS X Server v10.6.7. Impact: Exploitation of this vulnerability may allow an attacker to intercept user credentials or obtain sensitive information.
Safari 5.0.5: Addresses two vulnerabilities in WebKit, the rendering engine used by Safari. (1) An integer overflow issue existed in the handling of nodesets. (2) A use-after-free issue existed in the handling of text nodes. Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.5 or later, Mac OS X Server v10.6.5 or later, Windows 7, Vista, XP SP2.
iOS 4.3.2 Software Update: Addresses multiple vulnerabilities affecting the Certificate Trust Policy, libxslt, QuickLook, and WebKit. Impact: Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, intercept user credentials, obtain sensitive information, or bypass security restrictions.
iOS 4.2.7 Software Update for iPhone: Addresses multiple vulnerabilities affecting the Certificate Trust Policy, QuickLook, and WebKit. Impact: Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, intercept user credentials, or obtain sensitive information.
For Windows users, see Microsoft's Security Advisory on how fraudulent digital certificates could allow spoofing.