Apple has released iOS 8.3, a major security upgrade for iPhone and iPad users that includes patches for more than three dozen vulnerabilities.
The new version of iOS has security fixes for several vulnerabilities in the mobile operating system’s kernel, a handful of code-execution bugs and a long list of WebKit vulnerabilities. Apple also patched a bug that could lead to a user’s credentials being sent to the wrong server in some cases. The issue with credentials results from a bug in the CFNetwork Session component of iOS.
“A cross-domain HTTP request headers issue existed in redirect handling. HTTP request headers sent in a redirect response could be passed on to another origin. The issue was addressed through improved handling of redirects,” Apple’s advisory says.
Among the code-execution vulnerabilities are a group of memory corruption bugs in the FontParser component of the operating system, along with a bug in CFURL that can lead to remote code execution if a user visits a malicious site.
There also are several serious vulnerabilities in the iOS kernel that Apple patched in version 8.3. One of the bugs could allow a malicious app to run arbitrary code with system-level privileges and another of the kernel issues could let an app cause a system termination or read kernel memory. There’s also a fix for a kernel flaw that allows an attacker with a privileged network position to redirect users to any host he chooses.
The new version of iOS also includes patches for a slew of bugs in WebKit, among them many memory corruption issues that could allow arbitrary code execution.
