iOS 7.1.2 Software Update Contains Security Bug Fixes
Posted on by Derek Erwin
Apple’s iOS 7.1.2 software update is now available and contains bug fixes and security updates. It fixes 44 security bugs (CVEs), including 28 memory corruption issues in WebKit, as well as the latest iPhone lock screen bypass.
This iOS update is available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later.
In addition to its long list of security updates, iOS 7.1.2 includes the following bug fixes:
- Improves iBeacon connectivity and stability
- Fixes a bug with data transfer for some 3rd party accessories, including bar code scanners
- Corrects an issue with data protection class of Mail attachments
Among the more high-profile security flaws addressed in this update is the iPhone lock screen bypass found in iOS 7.1.1, the previous version of the operating system. The flaw (CVE-2014-1351) allowed someone to use Siri at the lock screen to view an iPhone’s complete Contacts list without entering the passcode. Apple addressed it by requiring the passcode before the list is shown.
Overall, the iOS 7.1.2 software update addresses the following vulnerabilities:
- CVE-2014-1354 : Viewing a maliciously crafted XBM file may lead to an unexpected application termination or arbitrary code execution. An unbounded stack allocation issue existed in the handling of XBM files. This issue was addressed through improved bounds checking.
- CVE-2014-1355 : An application could cause the device to unexpectedly restart. A null pointer dereference existed in the handling of IOKit API arguments. This issue was addressed through additional validation of IOKit API arguments.
- CVE-2014-1356 : A malicious application may be able to execute arbitrary code with system privileges. A heap buffer overflow existed in launchd’s handling of IPC messages. This issue was addressed through improved bounds checking.
- CVE-2014-1357 : A malicious application may be able to execute arbitrary code with system privileges. A heap buffer overflow existed in launchd’s handling of log messages. This issue was addressed through improved bounds checking.
- CVE-2014-1358 : A malicious application may be able to execute arbitrary code with system privileges. An integer overflow existed in launchd. This issue was addressed through improved bounds checking.
- CVE-2014-1359 : A malicious application may be able to execute arbitrary code with system privileges. An integer underflow existed in launchd. This issue was addressed through improved bounds checking.
- CVE-2014-1360 : An attacker possessing an iOS device could potentially bypass Activation Lock. Devices were performing incomplete checks during device activation, which made it possible for malicious individuals to partially bypass Activation Lock. This issue was addressed through additional client-side verification of data received from activation servers.
- CVE-2014-1352 : An attacker in possession of a device may exceed the maximum number of failed passcode attempts. In some circumstances, the failed passcode attempt limit was not enforced. This issue was addressed through additional enforcement of this limit.
- CVE-2014-1353 : A person with physical access to a locked device may be able to access the application that was in the foreground prior to locking. A state management issue existed in the handling of the telephony state while in Airplane Mode. This issue was addressed through improved state management while in Airplane Mode.
- CVE-2014-1348 : Mail attachments can be extracted from an iPhone 4. Data protection was not enabled for mail attachments, allowing them to be read by an attacker with physical access to the device. This issue was addressed by changing the encryption class of mail attachments.
- CVE-2014-1349 : Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. A use after free issue existed in Safari’s handling of invalid URLs. This issue was addressed through improved memory handling.
- CVE-2014-1350 : A person with physical access to the device may be able to disable Find My iPhone without entering an iCloud password. A state management issue existed in the handling of the Find My iPhone state. This issue was addressed through improved handling of Find My iPhone state.
- CVE-2014-1361 : Two bytes of uninitialized memory could be disclosed to a remote attacker. An uninitialized memory access issue existed in the handling of DTLS messages in a TLS connection. This issue was addressed by only accepting DTLS messages in a DTLS connection.
- CVE-2014-1351 : A person with physical access to the phone may be able to view all contacts. If a Siri request might refer to one of several contacts, Siri displays a list of possible choices and the option ‘More…’ for a complete contact list. When used at the lock screen, Siri did not require the passcode before viewing the complete contact list. This issue was addressed by requiring the passcode.
- CVE-2013-2875, CVE-2013-2927, CVE-2014-1323, CVE-2014-1325, CVE-2014-1326, CVE-2014-1327, CVE-2014-1329, CVE-2014-1330, CVE-2014-1331, CVE-2014-1333, CVE-2014-1334, CVE-2014-1335, CVE-2014-1336, CVE-2014-1337, CVE-2014-1338, CVE-2014-1339, CVE-2014-1341, CVE-2014-1342, CVE-2014-1343, CVE-2014-1362, CVE-2014-1363, CVE-2014-1364, CVE-2014-1365, CVE-2014-1366, CVE-2014-1367, CVE-2014-1368, CVE-2014-1382, CVE-2014-1731 : Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
- CVE-2014-1346 : A malicious site can send messages to a connected frame or window in a way that might circumvent the receiver’s origin check. An encoding issue existed in the handling of unicode characters in URLs. A maliciously crafted URL could have led to sending an incorrect postMessage origin. This issue was addressed through improved encoding/decoding.
- CVE-2014-1345 : A maliciously crafted website may be able to spoof its domain name in the address bar. A spoofing issue existed in the handling of URLs. This issue was addressed through improved encoding of URLs.
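The first entry in the list, CVE-2014-1354, describes a bug class rather than a single line of code: an image decoder sized a stack buffer from dimensions read out of the file, with no upper bound, so a crafted header could push the stack far past its guard page. The C program below is an added illustration of that pattern and of the "improved bounds checking" that fixes it; it is not Apple's code and is not derived from the iOS decoder. It assumes a minimal XBM reader (XBM headers really are `#define name_width W` / `#define name_height H` lines followed by a brace-delimited list of hex bytes, eight pixels per byte), an arbitrary `MAX_DIM` policy limit, and two constructed sample files. The multiplication check in `xbm_validate_dims` is the same kind of arithmetic guard that the launchd integer overflow and underflow entries (CVE-2014-1358, CVE-2014-1359) refer to, applied here to image size arithmetic.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy limit for either dimension; not a value from the advisory. */
#define MAX_DIM 16384

/* Constructed sample inputs (not real files from any report). */
static const char SAMPLE_XBM[] =
    "#define test_width 16\n"
    "#define test_height 2\n"
    "static unsigned char test_bits[] = {\n"
    "   0xff, 0x00, 0x0f, 0xf0 };\n";

static const char HOSTILE_XBM[] =
    "#define evil_width 2000000000\n"
    "#define evil_height 2000000000\n"
    "static unsigned char evil_bits[] = { 0x00 };\n";

/* Pull width and height out of the XBM header lines. 0 on success, -1 otherwise. */
static int xbm_parse_header(const char *text, long *width, long *height) {
    const char *w = strstr(text, "_width ");
    const char *h = strstr(text, "_height ");
    char *end;
    if (!w || !h) return -1;
    *width = strtol(w + 7, &end, 10);   /* strlen("_width ") == 7 */
    if (end == w + 7) return -1;
    *height = strtol(h + 8, &end, 10);  /* strlen("_height ") == 8 */
    if (end == h + 8) return -1;
    return 0;
}

/* XBM packs 8 pixels per byte; rows are padded up to a whole byte. */
static size_t xbm_row_bytes(long width) { return ((size_t)width + 7) / 8; }

/* VULNERABLE PATTERN: the row buffer is a stack array sized straight from the
 * header. A width of 2000000000 asks for ~250 MB on the stack; the frame jumps
 * past the guard page and the memset writes into whatever lies beyond.
 * Kept only to show the shape of the bug. Never call it on untrusted input. */
static int xbm_decode_unbounded(const char *text) {
    long w, h;
    if (xbm_parse_header(text, &w, &h)) return -1;
    unsigned char row[xbm_row_bytes(w)];   /* unbounded stack allocation */
    memset(row, 0, sizeof row);
    return (int)h;
}

/* HARDENED: reject non-positive or oversized dimensions, check that
 * stride * height cannot wrap, and report the exact byte count to allocate. */
static int xbm_validate_dims(long w, long h, size_t *out_bytes) {
    size_t stride;
    if (w <= 0 || h <= 0 || w > MAX_DIM || h > MAX_DIM) return -1;
    stride = xbm_row_bytes(w);
    if (stride > SIZE_MAX / (size_t)h) return -1;   /* product would overflow */
    *out_bytes = stride * (size_t)h;
    return 0;
}

/* Returns the number of bitmap bytes decoded, or -1 if the header or the data
 * section is rejected. The bitmap lives on the heap, so its size is bounded by
 * the validated dimensions rather than by whatever stack happens to be left. */
static long xbm_decode_bounded(const char *text) {
    long w, h, rc = -1;
    size_t n, i = 0;
    unsigned char *bitmap;
    const char *p;
    if (xbm_parse_header(text, &w, &h)) return -1;
    if (xbm_validate_dims(w, h, &n)) return -1;
    bitmap = calloc(n, 1);
    if (!bitmap) return -1;
    p = strchr(text, '{');
    if (p) {
        p++;
        while (i < n) {                     /* never write past the validated size */
            char *end;
            long v = strtol(p, &end, 16);   /* accepts the "0x.." literals */
            if (end == p || v < 0 || v > 0xff) break;
            bitmap[i++] = (unsigned char)v;
            p = end;
            while (*p == ',' || *p == ' ' || *p == '\n') p++;
        }
        if (i == n) rc = (long)n;           /* exactly what the header promised */
    }
    free(bitmap);
    return rc;
}

int main(void) {
    printf("bounded, sample file:   %ld\n", xbm_decode_bounded(SAMPLE_XBM));   /* 4 */
    printf("bounded, hostile file:  %ld\n", xbm_decode_bounded(HOSTILE_XBM));  /* -1 */
    printf("unbounded, sample file: %d\n", xbm_decode_unbounded(SAMPLE_XBM));  /* 2 */
    /* xbm_decode_unbounded(HOSTILE_XBM) is deliberately not called: it would try
     * to place a ~250 MB array on the stack and crash the process. */
    return 0;
}
```

The two checks that matter are the dimension cap and the overflow test before the multiplication; moving the buffer to the heap on its own would only turn a stack clash into a huge allocation or a heap overflow if the data loop were not also clamped to the validated size.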