Apple Fixes 12 Vulnerabilities in iOS 10.2

Apple released iOS 10.2 on Monday, addressing a handful of security vulnerabilities, including two issues that could have led to arbitrary code execution.

Apple updated its mobile operating system iOS 10 on Monday to address a handful of security vulnerabilities, including two issues that could have led to arbitrary code execution.

The update, iOS 10.2, fixes 12 vulnerabilities in total. Topping the list was a flaw that could of allowed an attacker to execute arbitrary code by sending a specially crafted certificate file through Apple Mail or through Safari. That could allow the adversary to cause a memory corruption and in turn code execution.

Maksymilian Arciemowicz, a security researcher who oversees the vulnerability database cxsecurity.com and discovered the issue, told Threatpost last week that the bug hadn’t been patched, even after he disclosed details regarding it on November 6.

“Apple dictates conditions when they fix security flaws,” Arciemowicz said last week. He added, “I believe that Apple will fix these problems but it will take some time.”

Apple fixed the issue, which affected iOS, tvOS, and watchOS, through improved input validation.

A second vulnerability, a validation issue in the way USB image devices are handled, could have also led to arbitrary code execution. Andy Davis, a ‎Transport Cybersecurity Practice Director at NCC Group, discovered the issue, which was also fixed through improved input validation. Davis, who uncovered a flaw earlier this year in Windows’ USB Mass Storage Class Driver has discussed USB attacks at past Black Hat conferences and previously identified an arbitrary code execution vulnerability in iOS 7’s kernel mode in 2014.

Until they were patched, many of the other bugs could have afforded an attacker with access to the device the ability to manipulate settings.

Miguel Alvarado, who runs iDeviceHelp, a YouTube channel that specializes in iPhone jailbreak news disclosed the bypass bug three weeks ago. That issue, perhaps the most publicized vulnerability fixed in 10.2, could have been exploited by tricking Siri and Apple’s accessibility feature, VoiceOver, into bypassing the lockscreen. According to Monday’s advisory, Apple fixed that by restricting options offered on a locked device.

Two other vulnerabilities in SpringBoard, an application that manages the home screen on iOS devices, were also fixed. An attacker, assuming they had physical access to the device, could have exploited a “counter issue” that stemmed from the handling of attempts when resetting the passcode. An attacker could have used the bug to unlock a device and used another bug in SpringBoard to keep it unlocked.

A separate state management issue also existed that could have allowed an attacker with an unlocked device to disable the Find My iPhone setting. Apple claims it fixed that issue by improving how it stores account information.

Apple also released updates for watchOS (version 3.1.1) and tvOS (version 10.1) on Monday, incorporating some of the iOS fixes, notably Arciemowicz’s memory corruption issue.

Suggested articles

Discussion

  • John on

    Since updating to iOS 10.2 on my iPhone 5s last night, now whenever I rotate my phone to landscape mode for Gmail or Blood and Honor my iPhone starts to flicker between a black screen and the application. For some reason, it seems to do this more when I rotate the phone to where the volume controls are in the upper-right-hand corner. But it happens in either landscape orientation. I have not dropped my phone and it did not do this prior to the 10.2 upgrade.
  • bhupal panshikar on

    after upgrading to ios 10.2 my iphone 5s screen turned black and nothing happened since then...completely stuck
  • Oquinte on

    In response to Manoooooooo I am user of from iPhone 4, I am so glad to use this equipment even when my iPhone 5 needs to be replaced by power button problem, it speaks well of apple accountability But now I am worried, my new iPhone 7 works perfectly until I updated to iOS 10.2. From this is real nightmare . The home button stop to work currently, besides I reset and restore twice (more than 4 hours each one) using iTunes, works few hours and stop to work Some advice to solve this issue one time at all?
  • Alexander Akopian on

    Safari browser acts up on my iPhone 7+ and iPad Pro. While surfing on the web the pages automatically changes by itself. And if you're writing a long message, all that work is gone. Lots of and loads of shit going on with apple. I think my decision to switch to Samsung is strengthening every day. By the time galaxy S8 comes out my decision will be iron clad.
  • Alexander Akopian on

    I have the feeling my device getting hacked through email malwares.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.