Apple's iOS 4.1 and Safari for Mac OS X and Windows updates address security issues; the iPhone 4 also gets HDR photography functions and improved Bluetooth support.
iOS 4.1, released Sept. 8, is the version that Apple should have
shipped in the first place to showcase its mobile device hardware. It takes
full advantage of the camera built into the iPhone 4, allows full-function use
of Bluetooth headphones and brings a number of security-related fixes.
Perhaps the most useful features from a business perspective would be the
enhanced photo and video functions. These include the ability to upload
high-definition video to YouTube and Apple's MobileMe service directly from
iPhone 4, and a form of HDR (high dynamic
HDR photos on the iPhone use
exposure-based auto-bracketing and are actually derived from three images: The
iPhone takes the image its programming determines is best for the lighting, and
with the same press of the shutter records underexposed and overexposed
versions of the image. The goal with HDR is
to avoid images that are "blown out" due to too much light affecting
the image sensor or, conversely, a muddy image from a low-light environment.
iPhone 3G users can expect the iOS 4.1 update to rectify performance issues
that they experienced after installing iOS 4; this improvement was confirmed by
eWEEK Labs Technical Director Cameron Sturdevant, whose iPhone 3G had become pretty much
after it was updated to iOS 4 earlier this year. Other fixes
address Bluetooth connectivity and the iPhone 4's proximity sensor, which
blanks the screen when the device is close to one's face.
The iOS update also has a consumer focus, bringing features related to the
new iTunes 10 such as TV show rentals and the iTunes Ping social network, and
adding support for Apple's forthcoming social gaming site, Game Center. Game
Center will be available on the iPhone
3GS, iPhone 4 and second-generation or later versions of the iPod Touch.
This release expands support for the Bluetooth AVRCP (audio-video
remote-control profile); although volume and play/pause functions have been
enabled for some time, iOS 4.1 finally supports controls for selecting next
track and last track.
iOS 4.1 also contains security fixes relating to FaceTime, image handling
and the VoiceOver accessibility functions. Perhaps the most serious of the
problems addressed was that privileged attackers had been able to redirect
FaceTime video chats. This was addressed by improvements in certificate
handling, according to Apple's documentation. The VoiceOver flaw derived from
the location services setting panel in iOS; prior to this release, VoiceOver
would not notify users of applications that had requested the user's location
in the previous 24 hours. The image handling issues concerned the
interpretation of GIF and TIFF images by iOS; Apple improved the bounds
checking of GIFs and the way TIFFs are read.
A score of WebKit security flaws were also fixed in this release. The
simplest, an inadvertent information disclosure through redirected form
submissions, stemmed from WebKit's handling of HTTP redirects and could represent
a problem even for people who are careful about which sites they visit. The
overwhelming majority of the flaws fixed could be triggered by a visit to a
hostile Website and involve a range of vulnerabilities related to type checking
of text nodes, inline element rendering, keyboard focus and clipboard data,
among other things.
In other news from Apple, Safari 5.0.2 for Mac OS X and Windows debuted on
Sept. 7. On both platforms Version 5.0.2 fixes an issue that could prevent
users from submitting Web forms and establishes an encrypted, authenticated
connection to the Safari Extensions Gallery, which debuted in Safari 5.01.
Another problem fixed in this release occurred in Mac OS X systems only; it
could cause Web content to display incorrectly when the user views a Google
Image result with Flash 10.1 installed.
Other security issues addressed in the Safari update for Mac OS X and
Windows involved WebKit's handling of floating point data, which before this
release had not been validated, and run-in styling, which didn't handle object
pointers securely and was reworked for improved security, according to Apple.
Finally, a Windows-only vulnerability related to search paths was fixed by
using explicit search paths when invoking Windows Explorer.