Apple has released iOS 8, a massive update to its mobile operating system, that includes fixes for more than 40 security vulnerabilities.
Apple is touting iOS 8 as the biggest update to the software since it launched the App Store, and, aside from the security fixes, there are hundreds of new features and functions in the update.
Among the vulnerabilities patched in the new release are a series of kernel flaws, several WebKit bugs and a pair of vulnerabilities that allowed a user to install apps outside of the App Store. But perhaps the most interesting of the bugs killed in iOS 8 is a problem with the way that the OS implemented 802.1x. In some cases, the flaw could enable an attacker to steal a user’s WiFi credentials.
“An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by disabling LEAP by default,” the Apple advisory says.
LEAP (lightweight extensible authentication protocol) is an older authentication protocol developed by Cisco and used for authentication on wireless networks. The protocol has known weaknesses and is susceptible to offline password cracking.
The two app-installation vulnerabilities both were credited to the evad3rs crew, a group that releases jailbreaks for iPhones. One of the bugs is a race condition and the other is a path traversal issue, but both have the effect of allowing a local attacker to install unverified apps. In the Apple ecosystem, that means apps that didn’t come from the App Store.
“A path traversal issue existed in App Installation. A local attacker could have retargeted code signature validation to a bundle different from the one being installed and cause installation of an unverified app. This issue was addressed by detecting and preventing path traversal when determining which code signature to verify,” the Apple advisory says.
Among the other issues fixed is a longstanding problem that caused Bluetooth to be enabled by default whenever iOS was updated. Apple also patched an integer overflow flaw in CoreGraphics that could lead to remote code execution. There also is a fix for a vulnerability that enables a malicious app to bypass kernel ASLR, one of the key exploit mitigations in iOS.
“A malicious application may be able to read kernel pointers, which can be used to bypass kernel address space layout randomization,” Apple said. “An out-of-bounds read issue existed in the handling of an IOHIDFamily function. This issue was addressed through improved bounds checking.”
Two other issues in IOHIDFamily were patched as well, both of which could lead to code execution.
Apple also patched a host of vulnerabilities in both Safari and WebKit. Among the WebKit bugs fixed were 12 memory corruption problems. One of the Safari flaws enables an attacker with a privileged network position to intercept user credentials.
“Saved passwords were autofilled on http sites, on https sites with broken trust, and in iframes. This issue was addressed by restricting password autofill to the main frame of https sites with valid certificate chains,” Apple’s advisory says.