Apple’s Colossal iOS 8.3 Update Kills 58 iOS Security Bugs
Posted on by Derek Erwin
Today Apple has updated its mobile operating system to iOS 8.3, which kills a whopping 58 iOS security bugs. This release includes “improved performance, bug fixes, and a redesigned Emoji keyboard,” said Apple’s iOS update notice.
iOS 8.3 is available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later.
iOS 8.3 offers a wide range of improvements, from Family Sharing fixes to new emoji (and a redesigned emoji picker). MacRumors released a video covering what’s new in iOS 8.3:
On the security front, according to Apple’s security notice, the following vulnerabilities are resolved in iOS 8.3:
- CVE-2015-1085 : A malicious application may be able to guess the user’s Passcode. iOS allowed access to an interface which allowed attempts to confirm the user’s passcode. This issue was addressed with improved entitlement checking.
- CVE-2015-1086 : A malicious application may be able to execute arbitrary code with system privileges. A validation issue existed in IOKit objects used by an audio driver. This issue was addressed through improved validation of metadata.
- CVE-2015-1087 : An attacker may be able to use the backup system to access restricted areas of the file system. An issue existed in the relative path evaluation logic of the backup system. This issue was addressed through improved path evaluation.
- CVE-2015-1089 : Cookies belonging to one origin may be sent to another origin. A cross-domain cookie issue existed in redirect handling. Cookies set in a redirect response could be passed on to a redirect target belonging to another origin. The issue was addressed through improved handling of redirects.
- CVE-2015-1090 : A user may be unable to fully delete browsing history. Clearing Safari’s history did not clear saved HTTP Strict Transport Security state. The issue was addressed through improved data deletion.
- CVE-2015-1091 : Authentication credentials may be sent to a server on another origin. A cross-domain HTTP request headers issue existed in redirect handling. HTTP request headers sent in a redirect response could be passed on to another origin. The issue was addressed through improved handling of redirects.
- CVE-2015-1088 : Visiting a maliciously crafted website may lead to arbitrary code execution. An input validation issue existed within URL processing. This issue was addressed through improved URL validation.
- CVE-2015-1092 : An application using NSXMLParser may be misused to disclose information. An XML External Entity issue existed in NSXMLParser’s handling of XML. This issue was addressed by not loading external entities across origins.
- CVE-2015-1093 : Processing a maliciously crafted font file may lead to arbitrary code execution. Multiple memory corruption issues existed in the processing of font files. These issues were addressed through improved bounds checking.
- CVE-2015-1094 : A malicious application may be able to determine kernel memory layout. An issue existed in IOAcceleratorFamily that led to the disclosure of kernel memory content. This issue was addressed by removing unneeded code.
- CVE-2015-1095 : A malicious HID device may be able to cause arbitrary code execution. A memory corruption issue existed in an IOHIDFamily API. This issue was addressed through improved memory handling.
- CVE-2015-1096 : A malicious application may be able to determine kernel memory layout. An issue existed in IOHIDFamily that led to the disclosure of kernel memory content. This issue was addressed through improved bounds checking.
- CVE-2015-1097 : A malicious application may be able to determine kernel memory layout. An issue existed in MobileFrameBuffer that led to the disclosure of kernel memory content. This issue was addressed through improved bounds checking.
- CVE-2015-1098 : Opening a maliciously crafted iWork file may lead to arbitrary code execution. A memory corruption issue existed in the handling of iWork files. This issue was addressed through improved memory handling.
- CVE-2015-1099 : A malicious application may be able to cause a system denial of service. A race condition existed in the kernel’s setreuid system call. This issue was addressed through improved state management.
- CVE-2015-1117 : A malicious application may escalate privileges using a compromised service intended to run with reduced privileges. setreuid and setregid system calls failed to drop privileges permanently. This issue was addressed by correctly dropping privileges.
- CVE-2015-1100 : A malicious application may be able to cause unexpected system termination or read kernel memory. An out-of-bounds memory access issue existed in the kernel. This issue was addressed through improved memory handling.
- CVE-2015-1101 : A malicious application may be able to execute arbitrary code with system privileges. A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.
- CVE-2015-1102 : An attacker with a privileged network position may be able to cause a denial of service. A state inconsistency existed in the processing of TCP headers. This issue was addressed through improved state handling.
- CVE-2015-1103 : An attacker with a privileged network position may be able to redirect user traffic to arbitrary hosts. ICMP redirects were enabled by default on iOS. This issue was addressed by disabling ICMP redirects.
- CVE-2015-1104 : A remote attacker may be able to bypass network filters. The system would treat some IPv6 packets from remote network interfaces as local packets. The issue was addressed by rejecting these packets.
- CVE-2015-1105 : A remote attacker may be able to cause a denial of service. A state inconsistency issue existed in the handling of TCP out of band data. This issue was addressed through improved state management.
- CVE-2015-1106 : QuickType could learn users’ passcodes. When using Bluetooth keyboards, QuickType could learn users’ passcodes. This issue was addressed by preventing QuickType from being displayed on the lockscreen.
- CVE-2015-1118 : Processing a maliciously crafted configuration profile may lead to unexpected application termination. A memory corruption issue existed in the handling of configuration profiles. This issue was addressed through improved bounds checking.
- CVE-2015-1107 : An attacker in possession of a device may prevent erasing the device after failed passcode attempts. In some circumstances, a device might not erase itself after failed passcode attempts. This issue was addressed through additional enforcement of erasure.
- CVE-2015-1108 : An attacker in possession of a device may exceed the maximum number of failed passcode attempts. In some circumstances, the failed passcode attempt limit was not enforced. This issue was addressed through additional enforcement of this limit.
- CVE-2015-1109 : An attacker in possession of a device may be able to recover VPN credentials. An issue existed in the handling of VPN configuration logs. This issue was addressed by removing logging of credentials.
- CVE-2015-1110 : Unnecessary information may be sent to external servers when downloading podcast assets. When downloading assets for a podcast a user was subscribed to, unique identifiers were sent to external servers. This issue was resolved by removing these identifiers.
- CVE-2015-1111 : A user may be unable to fully delete browsing history. Clearing Safari’s history did not clear “Recently closed tabs”. The issue was addressed through improved data deletion.
- CVE-2015-1112 : Users’ browsing history may not be completely purged. A state management issue existed in Safari that resulted in users’ browsing history not being purged from history.plist. This issue was addressed by improved state management.
- CVE-2015-1113 : A malicious application may be able to access phone numbers or email addresses of recent contacts. An information disclosure issue existed in the third-party app sandbox. This issue was addressed by improving the sandbox profile.
- CVE-2015-1114 : Hardware identifiers may be accessible by third-party apps. An information disclosure issue existed in the third-party app sandbox. This issue was addressed by improving the sandbox profile.
- CVE-2015-1115 : A malicious application may be able to access restricted telephony functions. An access control issue existed in the telephony subsystem. Sandboxed apps could access restricted telephony functions. This issue was addressed with improved entitlement checking.
- CVE-2015-1116 : Sensitive data may be exposed in application snapshots presented in the Task Switcher. An issue existed in UIKit, which did not blur application snapshots containing sensitive data in the Task Switcher. This issue was addressed by correctly blurring the snapshot.
- CVE-2015-1084 : The user interface in WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, does not display URLs consistently, which makes it easier for remote attackers to conduct phishing attacks via a crafted URL. This issue was addressed through improved user interface consistency checks.
- CVE-2015-1068, CVE-2015-1069, CVE-2015-1070, CVE-2015-1071, CVE-2015-1072, CVE-2015-1073, CVE-2015-1074, CVE-2015-1076, CVE-2015-1077, CVE-2015-1078, CVE-2015-1079, CVE-2015-1080, CVE-2015-1081, CVE-2015-1082, CVE-2015-1083, CVE-2015-1119, CVE-2015-1120, CVE-2015-1121, CVE-2015-1122, CVE-2015-1123, CVE-2015-1124 : WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2015-03-17-1. Visiting a maliciously crafted website may lead to arbitrary code execution. These issues were addressed through improved memory handling.
- CVE-2015-1125 : Visiting a maliciously crafted website may lead to a user invoking a click on another website. An issue existed when handling touch events. A tap could propagate to another website. The issue was addressed through improved event handling.
- CVE-2015-1126 : Visiting a maliciously crafted website may lead to resources of another origin being accessed. An issue existed in WebKit when handling credentials in FTP URLs. This issue was addressed through improved decoding.
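CVE-2015-1117 above is the classic privilege-drop mistake: setreuid/setregid changed the real and effective IDs but left a saved ID behind that a compromised service could switch back to. The following is an added example (not Apple's code and not from the advisory) of the defensive pattern on Linux: set all three IDs with setresuid/setresgid, then refuse to continue unless an attempt to regain uid 0 actually fails. It assumes glibc and that uid/gid 65534 is an unprivileged account on the host.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid irreversibly: clear supplementary groups, set the real,
 * effective AND saved IDs (the saved ID is what a bare setreuid/setregid can
 * leave behind), then prove the drop by trying to regain uid 0.
 * Returns 0 on success, -1 if any step fails or root can still be regained. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    /* Only a privileged process can (and needs to) clear supplementary groups. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Groups before user: after the uid drop, setresgid would be refused. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* All three IDs must now equal the target. */
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid)
        return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        return -1;
    /* The decisive check: regaining root must fail (EPERM) once dropped. */
    if (uid != 0 && setresuid((uid_t)-1, 0, (uid_t)-1) == 0)
        return -1;
    return 0;
}

/* Pick a target: if running as root, drop to 65534 (assumed to be the
 * host's "nobody"); otherwise re-assert the caller's own IDs, which still
 * exercises the verification path. */
int drop_to_unprivileged(void)
{
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();
    return drop_privileges_permanently(uid, gid);
}

int main(void)
{
    if (drop_to_unprivileged() != 0) { perror("drop_to_unprivileged"); return 1; }
    printf("now uid %u; privileges dropped permanently\n", (unsigned)getuid());
    return 0;
}
```

A service that relies on setreuid alone has no such self-check, which is exactly why a reversible drop like the one fixed in iOS 8.3 can go unnoticed.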
This update is available directly on iOS devices (Settings > General > Software Update), or it can be downloaded and installed in iTunes when a device is connected to a computer with an Internet connection.