The Mac Security Blog

Security News

Apple’s iOS 7.1 Update Fixes 41 Security Bugs

Posted on by

iOS 7.1 update notice

Apple has released iOS 7.1 with fixes for 41 security bugs and updates to several root certificates. Additionally, iOS 7.1 contains speed enhancements and improvements to various iOS features, including CarPlay, Siri, iTunes Radio and Calendar. This update is available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later.

Updates to the iOS Certificate Trust Policy include the addition and removal of several certificates from the list of system roots. On feature improvements, talking to Siri just got more convenient. Now, as mentioned in the iOS update notice, you can “Manually control when Siri listens by holding down the home button while you speak and releasing it when you’re done as an alternative to letting Siri automatically notice when you stop talking.”

iOS 7.1 addresses the following vulnerabilities:

  • CVE-2013-5133 : A maliciously crafted backup can alter the filesystem. A symbolic link in a backup would be restored, allowing subsequent operations during the restore to write to the rest of the filesystem. This issue was addressed by checking for symbolic links during the restore process.
  • CVE-2014-1267 : Profile expiration dates were not honored. Expiration dates of mobile configuration profiles were not evaluated correctly. The issue was resolved through improved handling of configuration profiles.
  • CVE-2014-1271 : A malicious application can cause an unexpected system termination. A reachable assertion issue existed in CoreCapture’s handling of IOKit API calls. The issue was addressed through additional validation of input from IOKit.
  • CVE-2014-1272 : A local user may be able to change permissions on arbitrary files. CrashHouseKeeping followed symbolic links while changing permissions on files. This issue was addressed by not following symbolic links when changing permissions on files.
  • CVE-2014-1273 : Code signing requirements may be bypassed. Text relocation instructions in dynamic libraries may be loaded by dyld without code signature validation. This issue was addressed by ignoring text relocation instructions.
  • CVE-2014-1274 : A person with physical access to the device may be able to access FaceTime contacts from the lock screen. FaceTime contacts on a locked device could be exposed by making a failed FaceTime call from the lock screen. This issue was addressed through improved handling of FaceTime calls.
  • CVE-2014-1275 : Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in the handling of JPEG2000 images in PDF files. This issue was addressed through improved bounds checking.
  • CVE-2012-2088 : Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in libtiff’s handling of TIFF images. This issue was addressed through additional validation of TIFF images.
  • CVE-2013-6629 : Viewing a maliciously crafted JPEG file may lead to the disclosure of memory contents. An uninitialized memory access issue existed in libjpeg’s handling of JPEG markers, resulting in the disclosure of memory contents. This issue was addressed through additional validation of JPEG files.
  • CVE-2014-1276 : A malicious application may monitor on user actions in other apps. An interface in IOKit framework allowed malicious apps to monitor on user actions in other apps. This issue was addressed through improved access control policies in the framework.
  • CVE-2014-1277 : A man-in-the-middle attacker may entice a user into downloading a malicious app via Enterprise App Download. An attacker with a privileged network position could spoof network communications to entice a user into downloading a malicious app. This issue was mitigated by using SSL and prompting the user during URL redirects.
  • CVE-2014-1278 : A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel. An out of bounds memory access issue existed in the ARM ptmx_get_ioctl function. This issue was addressed through improved bounds checking.
  • CVE-2014-1252 : Opening a maliciously crafted Microsoft Word document may lead to an unexpected application termination or arbitrary code execution. A double free issue existed in the handling of Microsoft Word documents. This issue was addressed through improved memory management.
  • CVE-2014-1281 : Deleted images may still appear in the Photos app underneath transparent images. Deleting an image from the asset library did not delete cached versions of the image. This issue was addressed through improved cache management.
  • CVE-2014-1282 : A configuration profile may be hidden from the user. A configuration profile with a long name could be loaded onto the device but was not displayed in the profile UI. The issue was addressed through improved handling of profile names.
  • CVE-2013-5227 : User credentials may be disclosed to an unexpected site via autofill. Safari may have autofilled user names and passwords into a subframe from a different domain than the main frame. This issue was addressed through improved origin tracking.
  • CVE-2014-1284 : A person with physical access to the device may be able to disable Find My iPhone without entering an iCloud password. A state management issue existed in the handling of the Find My iPhone state. This issue was addressed through improved handling of Find My iPhone state.
  • CVE-2014-1285 : A person with physical access to the device may be able to see the home screen of the device even if the device has not been activated. An unexpected application termination during activation could cause the phone to show the home screen. The issue was addressed through improved error handling during activation.
  • CVE-2014-1286 : A remote attacker may be able to cause the lock screen to become unresponsive. A state management issue existed in the lock screen. This issue was addressed through improved state management.
  • CVE-2013-6835 : A webpage could trigger a FaceTime audio call without user interaction. Safari did not consult the user before launching facetime-audio:// URLs. This issue was addressed with the addition of a confirmation prompt.
  • CVE-2014-1287 : A person with physical access to the device may be able to cause arbitrary code execution in kernel mode. A memory corruption issue existed in the handling of USB messages. This issue was addressed through additional validation of USB messages.
  • CVE-2014-1280 : Playing a maliciously crafted video could lead to the device becoming unresponsive. A null dereference issue existed in the handling of MPEG-4 encoded files. This issue was addressed through improved memory handling.
  • CVE-2013-2909CVE-2013-2926CVE-2013-2928CVE-2013-5196CVE-2013-5197CVE-2013-5198CVE-2013-5199CVE-2013-5225CVE-2013-5228CVE-2013-6625CVE-2013-6635CVE-2014-1269CVE-2014-1270CVE-2014-1289CVE-2014-1290CVE-2014-1291CVE-2014-1292CVE-2014-1293CVE-2014-1294 : Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.

Apple iOS users can download and install the iOS 7.1 software update through iTunes or through your device Settings (select General > Software Update).