-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0436
                         iOS 5.1.1 Software Update
                                8 May 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iOS
Publisher:         Apple
Operating System:  Apple iOS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0674 CVE-2012-0672 CVE-2011-3056
                   CVE-2011-3046  

Reference:         ASB-2012.0040
                   ASB-2012.0034

Original Bulletin: 
   http://support.apple.com/kb/HT5278

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2012-05-07-1 iOS 5.1.1 Software Update

iOS 5.1.1 Software Update is now available and addresses the
following:

Safari
Available for:  iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact:  A maliciously crafted website may be able to spoof the
address in the location bar
Description:  A URL spoofing issue existed in Safari. This could be
used in a malicious web site to direct the user to a spoofed site
that visually appeared to be a legitimate domain. This issue is
addressed through improved URL handling. This issue does not affect
OS X systems.
CVE-ID
CVE-2012-0674 : David Vieira-Kurz of MajorSecurity
(majorsecurity.net)

WebKit
Available for:  iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact:  Visiting a maliciously crafted website may lead to a
cross-site scripting attack
Description:  Multiple cross-site scripting issues existed in WebKit.
CVE-ID
CVE-2011-3046 : Sergey Glazunov working with Google's Pwnium contest
CVE-2011-3056 : Sergey Glazunov

WebKit
Available for:  iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in WebKit.
CVE-ID
CVE-2012-0672 : Adam Barth and Abhishek Arya of the Google Chrome
Security Team


Installation note:

This update is only available through iTunes, and will not appear
in your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an Internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/

iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone, iPod touch or iPad is docked, iTunes will present the
user with the option to install the update. We recommend applying
the update immediately if possible. Selecting Don't Install will
present the option the next time you connect your iPhone, iPod touch,
or iPad.

The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the Check for Updates button within iTunes. After doing
this, the update can be applied when your iPhone, iPod touch, or iPad
is docked to your computer.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "5.1.1".

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================