Apple Patches Kernel, Passcode Lock and WebKit Flaws in iOS 6.0.1

A little more than a month out from the release of iOS 6, which in addition to new functionality addressed almost 200 security vulnerabilities, Apple pushed out iOS 6.0.1 yesterday that repaired four new critical security issues.The most serious seems to be a kernel flaw discovered by researcher Mark Dowd of Azimuth Security and Eric Monti of Square that affects iPhone 3GS and later, as well iPod Touch and iPad2 and later. An attacker exploiting the vulnerability could essentially bypass address space randomization layout (ASLR) protections using a malicious application, and could determine addresses in the kernel, Apple’s advisory said.

A little more than a month out from the release of iOS 6, which in additioiOS patchn to new functionality addressed almost 200 security vulnerabilities, Apple pushed out iOS 6.0.1 yesterday that repaired four new critical security issues.

The most serious seems to be a kernel flaw discovered by researcher Mark Dowd of Azimuth Security and Eric Monti of Square that affects iPhone 3GS and later, as well iPod Touch and iPad2 and later. An attacker exploiting the vulnerability could essentially bypass address space randomization layout (ASLR) protections using a malicious application, and could determine addresses in the kernel, Apple’s advisory said.

The researchers said the vulnerability, which could expose data to an attacker, occurs in the way iOS handles application programming interfaces in relation to kernel extensions.

“Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection,” Apple said. “This issue was addressed by unsliding the addresses before returning them.”

A vulnerability in iOS’ Passcode Lock was also addressed in the latest update that could allow someone with access to the iOS device to access Passbook passes without entering a passcode.

“A state management issue existed in the handling of Passbook passes at the lock screen. This issue was addressed through improved handling of Passbook passes,” Apple said.

Finally, a pair of WebKit vulnerabilities were patched.

The first involved how iOS handled JavaScript arrays, and could allow an attacker to remotely execute code if a user visited a malicious site and was infected. Apple said it addressed the matter through additional validation of JavaScript arrays.

The other WebKit flaw is a use-after-free issue in the handling of SVG images. Scalable vector graphics (SVG) are file formats for static or animated graphics. A user visiting a website hosting a malicious graphic could experience application crashes or worse, an attacker could remotely execute code.

Apple updates iOS throughout the year and at the Black Hat Briefings this summer, Dallas De Atley of Apple’s platform security team said that 80 percent of users run the most updated version of iOS, despite the lack of an automated update mechanism.

Suggested articles

intel graphics driver flaw

Bypassing ASLR in 60 Milliseconds

An academic paper demonstrates a new ASLR bypass executed through a side-channel attack against the branch target buffer in an Intel Haswell CPU.