50 Shades of Security Fixes: iOS 9.2 Update Available
Posted on by Derek Erwin
Apple has released iOS 9.2 for iPhones and iPads, patching a wide range of security bugs while adding several new feature updates. iOS 9.2 includes fixes for a combined 50 vulnerabilities, found by researchers at Apple and other vendors, many of which relate to the remote execution of code and remote access to system privileges.
iOS 9.2 is available for the following Apple devices: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later.
One of the more notable security fixes addresses a flaw (CVE-2015-7080) that could allow people to use Siri on someone else’s iPhone or iPad to read notifications of content that is set to not be displayed at the lock screen. Another bug fix of particular note (CVE-2015-7094) impacts both iOS and OS X, whereas “an attacker with a privileged network position may be able to bypass HSTS,” Apple warned in its security bulletin.
As noted by Sean Michael Kerner at eWeek, an HSTS bypass comes with several risks.
HSTS is a security configuration that forces Web connections to occur over Secure Sockets Layer/Transport Layer Security (SSL/TLS) encrypted communications. The risk of an HSTS bypass is that a site that should only be available over SSL/TLS is accessible over a nonencrypted connection, where an attacker could easily view a user’s data traffic.
Altogether, the following describes the 50 vulnerabilities patched in iOS 9.2:
- CVE-2015-7055 : A malicious application may be able to execute arbitrary code with system privileges. An access control issue was addressed by preventing modification of access control structures.
- CVE-2015-7001 : A malicious application may maintain access to Contacts after having access revoked. An issue existed in the sandbox’s handling of hard links. This issue was addressed through improved hardening of the app sandbox.
- CVE-2015-7094 : An attacker with a privileged network position may be able to bypass HSTS. An input validation issue existed within URL processing. This issue was addressed through improved URL validation.
- CVE-2015-7054 : Visiting a maliciously crafted website may lead to arbitrary code execution. An uninitialized memory access issue existed in zlib. This issue was addressed through improved memory initialization and additional validation of zlib streams.
- CVE-2015-7105 : Processing a maliciously crafted font file may lead to arbitrary code execution. A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
- CVE-2015-7074, CVE-2015-7075 : Visiting a maliciously crafted website may lead to arbitrary code execution. Multiple memory corruption issues existed in the processing of malformed media files. These issues were addressed through improved memory handling.
- CVE-2015-7072, CVE-2015-7079 : A malicious application may be able to execute arbitrary code with system privileges. Multiple segment validation issues existed in dyld. These were addressed through improved environment sanitization.
- CVE-2015-7069, CVE-2015-7070 : A malicious application may be able to execute arbitrary code with system privileges. Multiple path validation issues existed in Mobile Replayer. These were addressed through improved environment sanitization.
- CVE-2015-7081 : Parsing a maliciously crafted iBooks file may lead to disclosure of user information. An XML external entity reference issue existed with iBook parsing. This issue was addressed through improved parsing.
- CVE-2015-7053 : Processing a maliciously crafted image may lead to arbitrary code execution. A memory corruption issue existed in ImageIO. This issue was addressed through improved memory handling.
- CVE-2015-7111, CVE-2015-7112 : A malicious application may be able to execute arbitrary code with system privileges. Multiple memory corruption issues existed in IOHIDFamily API. These issues were addressed through improved memory handling.
- CVE-2015-7068 : A malicious application may be able to execute arbitrary code with kernel privileges. A null pointer dereference existed in the handling of a certain userclient type. This issue was addressed through improved validation.
- CVE-2015-7040, CVE-2015-7041, CVE-2015-7042, CVE-2015-7043 : A local application may be able to cause a denial of service. Multiple denial of service issues were addressed through improved memory handling.
- CVE-2015-7083, CVE-2015-7084 : A local user may be able to execute arbitrary code with kernel privileges. Multiple memory corruption issues existed in the kernel. These issues were addressed through improved memory handling.
- CVE-2015-7047 : A local user may be able to execute arbitrary code with kernel privileges. An issue existed in the parsing of mach messages. This issue was addressed through improved validation of mach messages.
- CVE-2015-7113 : A malicious application may be able to execute arbitrary code with system privileges. A memory corruption issue existed in the processing of malformed plists. This issue was addressed through improved memory handling.
- CVE-2011-2895 : Visiting a maliciously crafted website may lead to arbitrary code execution. A memory corruption issue existed in the processing of archives. This issue was addressed through improved memory handling.
- CVE-2015-7038, CVE-2015-7039 : Processing a maliciously crafted package may lead to arbitrary code execution. Multiple buffer overflows existed in the C standard library. These issues were addressed through improved bounds checking.
- CVE-2015-3807 : Parsing a maliciously crafted XML document may lead to disclosure of user information. A memory corruption issue existed in the parsing of XML files. This issue was addressed through improved memory handling.
- CVE-2015-7051 : A malicious application may be able to execute arbitrary code with system privileges. A timing issue existed in loading of the trust cache. This issue was resolved by validating the system environment before loading the trust cache.
- CVE-2015-7064, CVE-2015-7065, CVE-2015-7066 : Visiting a maliciously crafted website may lead to arbitrary code execution. Multiple memory corruption issues existed in OpenGL. These issues were addressed through improved memory handling.
- CVE-2015-7037 : An attacker may be able to use the backup system to access restricted areas of the file system. A path validation issue existed in Mobile Backup. This was addressed through improved environment sanitization.
- CVE-2015-7107 : Opening a maliciously crafted iWork file may lead to arbitrary code execution. A memory corruption issue existed in the handling of iWork files. This issue was addressed through improved memory handling.
- CVE-2015-7093 : Visiting a malicious website may lead to user interface spoofing. An issue may have allowed a website to display content with a URL from a different website. This issue was addressed through improved URL handling.
- CVE-2015-7046 : A malicious application with root privileges may be able to bypass kernel address space layout randomization. An insufficient privilege separation issue existed in xnu. This issue was addressed by improved authorization checks.
- CVE-2015-7073 : A remote attacker may cause an unexpected application termination or arbitrary code execution. A memory corruption issue existed in handling SSL handshakes. This issue was addressed through improved memory handling.
- CVE-2015-7058 : A malicious application may gain access to a user’s Keychain items. An issue existed in the validation of access control lists for keychain items. This issue was addressed through improved access control list checks.
- CVE-2015-7080 : A person with physical access to an iOS device may be able to use Siri to read notifications of content that is set not to be displayed at the lock screen. When a request was made to Siri, client side restrictions were not being checked by the server. This issue was addressed through improved restriction checking.
- CVE-2015-7048, CVE-2015-7095, CVE-2015-7096, CVE-2015-7097, CVE-2015-7098, CVE-2015-7099, CVE-2015-7100, CVE-2015-7101, CVE-2015-7102, CVE-2015-7103 : Visiting a maliciously crafted website may lead to arbitrary code execution. Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
- CVE-2015-7050 : Visiting a maliciously crafted website may reveal a user’s browsing history. An insufficient input validation issue existed in content blocking. This issue was addressed through improved content extension parsing.
Apple iOS users can download and install the iOS 9 update through iTunes or through your device settings (select General > Software Update).