Apple released iOS 5.1.1 for iOS device owners today over-the-air and in iTunes. The update brings several bug fixes and improvements, including a fix for certain iPads that loose connectivity when switching between 2G and 3G networks.
An important security update has also been included in iOS 5.1.1 for a URL spoofing technique in Safari that made the news a couple weeks ago.
Originally outlined by MajorSecurity.net, a malicious website could exploit javascript in Safari on iOS to serve a fake webpage under a legitimate domain name. The example was given of visiting a fake website that displayed “apple.com” in the address bar. This malicious technique could be used to collect login and banking information on iOS devices running version 5.1 and older.
Apple has patched the vulnerability in the newly-released iOS 5.1.1:
Safari
Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A maliciously crafted website may be able to spoof the address in the location bar
Description: A URL spoofing issue existed in Safari. This could be used in a malicious web site to direct the user to a spoofed site that visually appeared to be a legitimate domain. This issue is addressed through improved URL handling. This issue does not affect OS X systems.
iOS device owners can install 5.1.1 now to receive this security patch alongside two WebKit vulnerability fixes.
Source: Apple