Apple has fixed a slew of vulnerabilities that could lead to code execution on the iPhone, along with a number of other security vulnerabilities in the latest version of its mobile operating system, iOS 7.1. The new release comes just a little more than two weeks after Apple released iOS 7.06 to fix the SSL certificate validation error.
Unlike that release, which fixed just the one vulnerability, significant though it was, iOS 7.1 is a major security release containing patches for a large number of vulnerabilities in a bunch of different components. WebKit, the framework underlying Safari, got a major security upgrade in iOS 7.1, with Apple fixing 19 separate memory corruption issues. Nearly half of those vulnerabilities were discovered by the Google Chrome security team, and many of the 19 bugs were identified last year.
Among the code-execution vulnerabilities patched in the new release are a pair of buffer overflows in ImageIO, a library that enables the reading and writing of multiple image formats. Apple also fixed a code-execution flaw in the kernel caused by an out-of-bounds memory access issue in the ARM ptmx_get_ioctl function. There is also a fix for a vulnerability in the way that Office Viewer handled certain Microsoft Word documents.
Along with the more serious code-execution bugs, Apple also pushed out a fix for a vulnerability in the iTunes Store that could allow an attacker to trick a user into downloading a malicious app from the store.
“An attacker with a privileged network position could spoof network communications to entice a user into downloading a malicious app. This issue was mitigated by using SSL and prompting the user during URL redirects,” Apple said in its advisory.
There were patches for several other less-serious vulnerabilities, as well. The full list of fixes is included in the Apple advisory.