This article was published on May 8, 2012

Apple’s iOS 5.1.1 update fixes serious URL-spoofing security flaw in Safari


We told you about Apple’s iOS update today and that it fixed some playback issues for AirPlay, but the big news here is that the company has fixed a pretty serious vulnerability that we told you about in March.

The affected devices were iPhone 4, 4S, iPad 2 and new iPad, and this is what was happening:

The flaw was discovered by David Vieira-Kurz of MajorSecurity, and the associated advisory details an error in how Safari handles the JavaScript window.open() method (which opens a new browser window). This could potentially be used to “trick users into supplying sensitive information to a malicious web site.”

The security issues that were fixed were outlined by Apple today along with its release of iOS 5.1.1:

Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2

Impact: A maliciously crafted website may be able to spoof the address in the location bar

Description: A URL spoofing issue existed in Safari. This could be used in a malicious web site to direct the user to a spoofed site that visually appeared to be a legitimate domain. This issue is addressed through improved URL handling. This issue does not affect OS X systems.

At that time we suggested that you be careful about tapping links from sources that you weren’t familiar with. It looks like Apple has fixed the problem, but always be cautious as you surf around the interwebs. Also, don’t skip updates.
