We are one day in and Apple’s sleek new mobile operating system, iOS 7, has been dissected to death – the colors, the similarities to Android’s OS, the amount of time it took some users to download the update from Apple’s servers. Those talking points aside, the update also brought a slew of bug fixes, 80 in total, to devices that should appease Apple users with security concerns.

The update fixes a handful of issues, most of which could lead to a denial-of-service attack, unexpected application termination, or arbitrary code execution on devices like an iPad, iPod Touch or iPhone running an out-of-date OS.

Among the bigger flaws addressed are two passcode bypass bugs: one (CVE-2013-0957) that could have allowed an attacker to break an app in the third-party sandbox and determine the user’s passcode, and a second (CVE-2013-5147) that exploited the way the iPhone handled calls to bypass the screen lock in iOS 6.1.

Another similar data privacy bug could have allowed an attacker to intercept user credentials by compromising a TrustWave certificate (CVE-2012-5134). TrustWave issued and subsequently revoked the faulty sub-CA certificate.

Four Safari bugs were also addressed in yesterday’s update, including a problem where the browser’s history was still visible even after it was cleared, a memory corruption issue in the way the browser handled XML files, and a cross-site scripting flaw on sites that allow users to upload files.

The oldest bug in the batch appears to be a kernel issue from 2011, discovered by Marc Heuse, wherein an attacker could have sent specially crafted IPv6 packets to an iPhone 4 and caused a high CPU load. While the bug is known as CVE-2011-2391 in the Common Vulnerabilities and Exposures database, the CVE entry warns that the attached date does not necessarily reflect when the vulnerability was discovered.

Several vulnerabilities from 2012 are also addressed in the update, all of them arbitrary code execution bugs in the libxml and libxslt libraries.

While not discussed in the update notes, iOS 7 also fixes a previously disclosed “USB charger” bug, which surfaced in August and allowed hackers complete access to devices via a modded charger. Apple spokesman Tom Neumayr confirmed last month that iOS 7 would give users the choice of whether or not to trust the computer their device has been connected to.

Those interested in the full rundown of security fixes can head to Apple’s Mailing Lists email, posted yesterday.

Comments (7)

  1. Deborah

    What fixes the bug that silenced sound in iPhone 4S with last auto-update, forcing legions to wear headphones 24/7?

  2. Mike

    The “Trust this computer” pop-up comes up every time (never did before) I connect the iPhone to my computer – so fix that was!!

  3. Michael

    So by providing the apple email, did you *mean* to enable hackers? Because hackers now know what updates there are, they now know where to start their next attack.

    • Charles

      By disclosing vulnerability information one is not “enabling” hackers, rather alerting users and developers alike to speed the closing of a security hole. This is a time tested method of improving software through community involvement.

      Also if it is broke, I want to know so that I can protect myself.

  4. Bob junckre

    Wow. Why is the whole OS WHITE? I cannot see a thing, and it’s causing my vertigo to kick in. I had to go to the dr the other day which cost me 30 dollars. Also, why does nothing have depth, it’s extremely difficult to see things.

  5. Bob junckre

    It’s been 15 minutes since my last comment and the battery on my iPad 2 has gone from 28% to 20%. I’m not even using motion or parallax.
