Apple has released updates to iOS, watchOS, tvOS, and macOS…. Here’s Why You Should Care

At 1PM EST Apple Apple released iOS 10.3.3, watchOS 3.2.2, tvOS 10.2.2, and macOS 10.2.6. The release notes for all the above basically say some that the focus was performance and security improvements. But the the latter is why you should care. I’ve been browsing the documents that list the security improvements that have been made and these ones jump out at me. I’ll start with iOS 10.3.3:

Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation

Impact: Notifications may appear on the lock screen when disabled

Description: A lock screen issue was addressed with improved state management.

CVE-2017-7058: an anonymous researcher

Lock screen issues are not new to iOS, but this one could have privacy implications.

Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation

Impact: Visiting a malicious website may lead to address bar spoofing

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2017-2517: xisigr of Tencent’s Xuanwu Lab (tencent.com)

And:

Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation

Impact: Visiting a malicious website may lead to address bar spoofing

Description: A state management issue was addressed with improved frame handling.

CVE-2017-7011: xisigr of Tencent’s Xuanwu Lab (tencent.com)

This is kind of dangerous as it could lead to you and your iDevice getting pwned by hackers through no fault of your own.

Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation

Impact: Processing a maliciously crafted movie file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved bounds checking.

CVE-2017-7008: Yangkang (@dnpushme) of Qihoo 360 Qex Team

This is really dangerous. There have been examples of this in the past where it would crash an iOS device. It sounds like this attack vector has become a bit more sophisticated. I should also note that the same thing was fixed in tvOS.

iOS, tvOS, macOS and watchOS share one interesting security fix:

Available for: All Apple Watch models

Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-9417: Nitay Artenstein of Exodus Intelligence

I should note that this fix is available for iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation. Not to mention macOS users running 10.12.5 and 4th Generation Apple TV users. Which is good as this is not the first time that Apple has fixed an issue where a device could be pwned via WiFi, and the fact that this can be done at all is very serious.

There’s a bunch of interesting tvOS security fixes that look like this:

Available for: Apple TV (4th generation)

Impact: A malicious website may exfiltrate data cross-origin

Description: Processing maliciously crafted web content may allow cross-origin data to be exfiltrated by using SVG filters to conduct a timing side-channel attack. This issue was addressed by not painting the cross-origin buffer into the frame that gets filtered.

CVE-2017-7006: David Kohlbrenner of UC San Diego, an anonymous researcher

There’s of course many other fixes, but none as serious as these. Thus consider updating to the latest version of whatever OS your iDevice runs so that you can protect yourself from the attacks that are sure to come.

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: