iOS 5.1.1 includes fix for dangerous Safari URL spoofing vulnerability

Earlier today, Apple released a new version of its mobile software: iOS 5.1.1. The update includes a number of bug fixes, and also apparently contains a patch for the dangerous URL spoofing vulnerability in mobile Safari.

We told you about the exploit, discovered by the folks at Major Security, back in March of this year. It allows web pages to spoof URLs in Safari’s address bar, leading users to believe they’re on a different website…

Apple explains the fix on its iOS 5.1.1 security support page:


“Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2

Impact: A maliciously crafted website may be able to spoof the address in the location bar

Description: A URL spoofing issue existed in Safari. This could be used in a malicious web site to direct the user to a spoofed site that visually appeared to be a legitimate domain. This issue is addressed through improved URL handling. This issue does not affect OS X systems.”

Apple properly credits the discovery of the vulnerability to David Vieira-Kurz of Major Security. Vieira-Kurz was the first to bring up the issue, publishing an extensive blog post and even creating a working demo of the bug in action.

[Cult of Mac]