Apple pushed out iOS 9 Wednesday, addressing a cornucopia of vulnerabilities, including bugs that could lead to arbitrary code execution, credential leakage, and interface spoofing among other issues.
But conspicuously absent from the update however is a fix for the vulnerability in AirDrop that surfaced this week.
The bug, discovered by Mark Dowd, technically exists in a library on both iOS and OS X and can be exploited via AirDrop, the feature that lets Apple users send files back and forth. The bug, via a directory traversal attack, could theoretically allow an attacker to overwrite arbitrary files on a target device.
Dowd told Threatpost Wednesday that Apple has released a mitigation for the bug, but hasn’t technically patched it yet.
Nine issues were fixed in CFNetwork, a framework in Apple’s Core Services framework, including bugs that could have let an attacker decrypt data protected by SSL, intercept SSL/TLS connections, create unintended cookies for a website, bypass HTTP Strict Transport Security, and more. Apple removed the fallback to SSL 3.0 – which only allows the unstable RC4 – in the framework to address some of these issues. The company also updated to the latest version of OpenSSL in iOS 9 to solve what it calls multiple vulnerabilities in older versions of the protocol.
Seven issues in kernel were also addressed, including memory corruption bugs, weaknesses, and a bug that could have let an attacker launch denial of service attacks on targeted TCP connections.
Elsewhere, six issues in Safari were fixed, including a problem that could have surfaced when a user visited a malicious website that would’ve led to user interface spoofing. Forensics expert Jonathan Zdziarski stumbled upon a vulnerability in the browser that was remedied as well. Safari bookmark data wasn’t being encrypted properly, so a local user could have read bookmarks on a locked iOS device without a passcode. Now that data is being encrypted with a key bolstered by the hardware unique identifier number and the user’s passcode.
An issue in Game Center was also fixed that could have been exploited as well. An attacker could potentially glean a player’s email address via a malicious app, according to Apple’s security notes.
Also on the slate was a fix for an issue with Apple Pay, a service in iPhone 6 and 6 Plus devices, that could have let a terminal access recent transaction information when a user was making a payment and in iTunes a problem with keychain deletion was sorted out that could have allowed an user’s AppleID credentials to linger after signing out.
Perhaps the most striking move by Apple with iOS 9, at least on the security front, is a pair of features that it first announced back in June. With the latest iteration of its mobile operating system the company moved to built-in two-factor authentication – meaning that any time users sign in from a new device or browser, they’ll be prompted for a verification code. The Cupertino company is also bumping the number of digits in its default passwords from four to six and is rationalizing that by having one million possible lockscreen combinations to solve, users’ devices will be tougher to crack.
Apple is already touting the features on its iOS 9 landing page, boasting that they “make it much harder for anyone else to access your personal information.”
