Apple updated its mobile operating system iOS 10 on Monday to address a handful of security vulnerabilities, including two issues that could have led to arbitrary code execution.
The update, iOS 10.2, fixes 12 vulnerabilities in total. Topping the list was a flaw that could of allowed an attacker to execute arbitrary code by sending a specially crafted certificate file through Apple Mail or through Safari. That could allow the adversary to cause a memory corruption and in turn code execution.
Maksymilian Arciemowicz, a security researcher who oversees the vulnerability database cxsecurity.com and discovered the issue, told Threatpost last week that the bug hadn’t been patched, even after he disclosed details regarding it on November 6.
“Apple dictates conditions when they fix security flaws,” Arciemowicz said last week. He added, “I believe that Apple will fix these problems but it will take some time.”
Apple fixed the issue, which affected iOS, tvOS, and watchOS, through improved input validation.
A second vulnerability, a validation issue in the way USB image devices are handled, could have also led to arbitrary code execution. Andy Davis, a Transport Cybersecurity Practice Director at NCC Group, discovered the issue, which was also fixed through improved input validation. Davis, who uncovered a flaw earlier this year in Windows’ USB Mass Storage Class Driver has discussed USB attacks at past Black Hat conferences and previously identified an arbitrary code execution vulnerability in iOS 7’s kernel mode in 2014.
Until they were patched, many of the other bugs could have afforded an attacker with access to the device the ability to manipulate settings.
Miguel Alvarado, who runs iDeviceHelp, a YouTube channel that specializes in iPhone jailbreak news disclosed the bypass bug three weeks ago. That issue, perhaps the most publicized vulnerability fixed in 10.2, could have been exploited by tricking Siri and Apple’s accessibility feature, VoiceOver, into bypassing the lockscreen. According to Monday’s advisory, Apple fixed that by restricting options offered on a locked device.
Apple Credits Me For Helping out 😉 @Apple @iDeviceHelpus pic.twitter.com/F8sutYSIgh
— iDeviceHelp (@iDeviceHelpus) December 12, 2016
Two other vulnerabilities in SpringBoard, an application that manages the home screen on iOS devices, were also fixed. An attacker, assuming they had physical access to the device, could have exploited a “counter issue” that stemmed from the handling of attempts when resetting the passcode. An attacker could have used the bug to unlock a device and used another bug in SpringBoard to keep it unlocked.
A separate state management issue also existed that could have allowed an attacker with an unlocked device to disable the Find My iPhone setting. Apple claims it fixed that issue by improving how it stores account information.
Apple also released updates for watchOS (version 3.1.1) and tvOS (version 10.1) on Monday, incorporating some of the iOS fixes, notably Arciemowicz’s memory corruption issue.