At 1PM EST Apple Apple released iOS 10.3.3, watchOS 3.2.2, tvOS 10.2.2, and macOS 10.2.6. The release notes for all the above basically say some that the focus was performance and security improvements. But the the latter is why you should care. I’ve been browsing the documents that list the security improvements that have been made and these ones jump out at me. I’ll start with iOS 10.3.3:
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Notifications may appear on the lock screen when disabled
Description: A lock screen issue was addressed with improved state management.
CVE-2017-7058: an anonymous researcher
Lock screen issues are not new to iOS, but this one could have privacy implications.
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2017-2517: xisigr of Tencent’s Xuanwu Lab (tencent.com)
And:
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A state management issue was addressed with improved frame handling.
CVE-2017-7011: xisigr of Tencent’s Xuanwu Lab (tencent.com)
This is kind of dangerous as it could lead to you and your iDevice getting pwned by hackers through no fault of your own.
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing a maliciously crafted movie file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved bounds checking.
CVE-2017-7008: Yangkang (@dnpushme) of Qihoo 360 Qex Team
This is really dangerous. There have been examples of this in the past where it would crash an iOS device. It sounds like this attack vector has become a bit more sophisticated. I should also note that the same thing was fixed in tvOS.
iOS, tvOS, macOS and watchOS share one interesting security fix:
Available for: All Apple Watch models
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-9417: Nitay Artenstein of Exodus Intelligence
I should note that this fix is available for iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation. Not to mention macOS users running 10.12.5 and 4th Generation Apple TV users. Which is good as this is not the first time that Apple has fixed an issue where a device could be pwned via WiFi, and the fact that this can be done at all is very serious.
There’s a bunch of interesting tvOS security fixes that look like this:
Available for: Apple TV (4th generation)
Impact: A malicious website may exfiltrate data cross-origin
Description: Processing maliciously crafted web content may allow cross-origin data to be exfiltrated by using SVG filters to conduct a timing side-channel attack. This issue was addressed by not painting the cross-origin buffer into the frame that gets filtered.
CVE-2017-7006: David Kohlbrenner of UC San Diego, an anonymous researcher
There’s of course many other fixes, but none as serious as these. Thus consider updating to the latest version of whatever OS your iDevice runs so that you can protect yourself from the attacks that are sure to come.
Like this:
Like Loading...
Related
This entry was posted on July 19, 2017 at 2:54 pm and is filed under Commentary with tags Apple. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Apple has released updates to iOS, watchOS, tvOS, and macOS…. Here’s Why You Should Care
At 1PM EST Apple Apple released iOS 10.3.3, watchOS 3.2.2, tvOS 10.2.2, and macOS 10.2.6. The release notes for all the above basically say some that the focus was performance and security improvements. But the the latter is why you should care. I’ve been browsing the documents that list the security improvements that have been made and these ones jump out at me. I’ll start with iOS 10.3.3:
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Notifications may appear on the lock screen when disabled
Description: A lock screen issue was addressed with improved state management.
CVE-2017-7058: an anonymous researcher
Lock screen issues are not new to iOS, but this one could have privacy implications.
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2017-2517: xisigr of Tencent’s Xuanwu Lab (tencent.com)
And:
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A state management issue was addressed with improved frame handling.
CVE-2017-7011: xisigr of Tencent’s Xuanwu Lab (tencent.com)
This is kind of dangerous as it could lead to you and your iDevice getting pwned by hackers through no fault of your own.
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing a maliciously crafted movie file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved bounds checking.
CVE-2017-7008: Yangkang (@dnpushme) of Qihoo 360 Qex Team
This is really dangerous. There have been examples of this in the past where it would crash an iOS device. It sounds like this attack vector has become a bit more sophisticated. I should also note that the same thing was fixed in tvOS.
iOS, tvOS, macOS and watchOS share one interesting security fix:
Available for: All Apple Watch models
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-9417: Nitay Artenstein of Exodus Intelligence
I should note that this fix is available for iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation. Not to mention macOS users running 10.12.5 and 4th Generation Apple TV users. Which is good as this is not the first time that Apple has fixed an issue where a device could be pwned via WiFi, and the fact that this can be done at all is very serious.
There’s a bunch of interesting tvOS security fixes that look like this:
Available for: Apple TV (4th generation)
Impact: A malicious website may exfiltrate data cross-origin
Description: Processing maliciously crafted web content may allow cross-origin data to be exfiltrated by using SVG filters to conduct a timing side-channel attack. This issue was addressed by not painting the cross-origin buffer into the frame that gets filtered.
CVE-2017-7006: David Kohlbrenner of UC San Diego, an anonymous researcher
There’s of course many other fixes, but none as serious as these. Thus consider updating to the latest version of whatever OS your iDevice runs so that you can protect yourself from the attacks that are sure to come.
Share this:
Like this:
Related
This entry was posted on July 19, 2017 at 2:54 pm and is filed under Commentary with tags Apple. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.