Apple Updates iOS 4, Safari

Apple's iOS 4.1 and Safari for Mac OS X and Windows updates address security issues; the iPhone 4 also gets HDR photography functions and improved Bluetooth support.

iOS 4.1, released Sept. 8, is the version that Apple should have shipped in the first place to showcase its mobile device hardware. It takes full advantage of the camera built into the iPhone 4, allows full-function use of Bluetooth headphones and brings a number of security-related fixes.

Perhaps the most useful features from a business perspective would be the enhanced photo and video functions. These include the ability to upload high-definition video to YouTube and Apple's MobileMe service directly from iPhone 4, and a form of HDR (high dynamic range) photography.

HDR photos on the iPhone use exposure-based auto-bracketing and are actually derived from three images: The iPhone takes the image its programming determines is best for the lighting, and with the same press of the shutter records underexposed and overexposed versions of the image. The goal with HDR is to avoid images that are "blown out" due to too much light affecting the image sensor or, conversely, a muddy image from a low-light environment.

iPhone 3G users can expect the iOS 4.1 update to rectify performance issues that they experienced after installing iOS 4; this improvement was confirmed by eWEEK Labs Technical Director Cameron Sturdevant, whose iPhone 3G had become pretty much unusable after it was updated to iOS 4 earlier this year. Other fixes address Bluetooth connectivity and the iPhone 4's proximity sensor, which blanks the screen when the device is close to one's face.

The iOS update also has a consumer focus, bringing features related to the new iTunes 10 such as TV show rentals and the iTunes Ping social network, and adding support for Apple's forthcoming social gaming site, Game Center. Game Center will be available on the iPhone 3GS, iPhone 4 and second-generation or later versions of the iPod Touch.

This release expands support for the Bluetooth AVRCP (audio-video remote-control profile); although volume and play/pause functions have been enabled for some time, iOS 4.1 finally supports controls for selecting next track and last track.

iOS 4.1 also contains security fixes relating to FaceTime, image handling and the VoiceOver accessibility functions. Perhaps the most serious of the problems addressed was that privileged attackers had been able to redirect FaceTime video chats. This was addressed by improvements in certificate handling, according to Apple's documentation. The VoiceOver flaw derived from the location services setting panel in iOS; prior to this release, VoiceOver would not notify users of applications that had requested the user's location in the previous 24 hours. The image handling issues concerned the interpretation of GIF and TIFF images by iOS; Apple improved the bounds checking of GIFs and the way TIFFs are read.

A score of WebKit security flaws were also fixed in this release. The simplest, an inadvertent information disclosure through redirected form submissions, stemmed from WebKit's handling of HTTP redirects and could represent a problem even for people who are careful about which sites they visit. The overwhelming majority of the security fixes could be triggered by a visit to a hostile Website and involve a range of vulnerabilities related to type checking of text nodes, inline element rendering, keyboard focus and clipboard data, among other things.

In other news from Apple, Safari 5.0.2 for Mac OS X and Windows debuted on Sept. 7. On both platforms, Version 5.0.2 fixes an issue that could prevent users from submitting Web forms and establishes an encrypted, authenticated connection to the Safari Extensions Gallery, which debuted in Safari 5.0.1. Another problem fixed in this release occurred in Mac OS X systems only; it could cause Web content to display incorrectly when the user views a Google Image result with Flash 10.1 installed.

Other security issues addressed in the Safari update for Mac OS X and Windows involved WebKit's handling of floating point data, which had not been validated before this release, and run-in styling, which did not handle object pointers securely and was reworked for improved security, according to Apple. Finally, a Windows-only vulnerability related to search paths was fixed by using explicit search paths when invoking Windows Explorer.