Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Apple's iOS 7 patches 80 vulnerabilities

John P. Mello Jr. | Sept. 23, 2013
Old flaws get fixes even as a new one appears

Just as Apple patched some 80 vulnerabilities in its mobile operating system this week, a new vulnerability popped up in the latest version of the software, iOS 7. The vulnerabilities patched by iOS 7 cover a wide array of undesirable behaviors — some of them years old.

"The changes made in iOS 7 aren't significant from any other software upgrade Apple has introduced," Cigital Principal Consultant Scott Matsumoto said in an email. "They are doing their job as the platform provider," he continued. "Platforms inevitably get more secure over time in the field; it's a natural maturation process that every piece of software goes through.

"Are there still vulnerabilities in iOS?" he said. "Yes. I imagine that there will be a similar list with every release of iOS."

One apparent vulnerability not addressed in the first release of iOS 7 is a defect uncovered just hours after the software became available Wednesday for downloading by the public.

Ironically, the vulnerability attacks the new lockscreen feature in iOS that's been praised as a security improvement over past versions of the OS.

Even when an Apple mobile device running iOS 7 is locked, a new feature called the Control Center can be accessed by swiping upward on a device's screen. The center gives a user access to four often-used apps on the device: flashlight, timer, calculator and camera.

Two of those apps — the calculator and timer — can be used to gain access to full functionality on the camera app through a series of steps using the Home button. Once in control of the camera app, an unauthorized user could shoot photos, share them through email and SMS messaging, post them to a device owner's social media accounts and edit or delete pics.

To a limited extent, the app can be used to modify contacts on the device, as well as kill any running applications on it.

Until Apple fixes the vulnerability, some security experts recommend disabling Control Center, Notification Center and Siri on the lockscreen.

Another lockscreen issue was addressed in the scores of vulnerabilities tackled in iOS 7. That issue allowed the lockscreen to be bypassed by leveraging a race condition involving phone calls and injections of a SIM card. Apple said it addressed that problem by improving the operating system's lock state management.

Apple also patched a vulnerability allowing an app in the operating system's third-party sandbox to snatch the passcode to a device. Apple addressed the issue by requiring additional entitlement checks.

Another flaw involving multiple buffer overflows had allowed attackers to execute arbitrary code — even after a system reboot. That problem was fixed by improved bounds checking in the code.


1  2  Next Page 

Sign up for CIO Asia eNewsletters.