iOS 11 is out today and along with a new look and feel on the iPad especially comes a handful of patches for the Apple mobile OS.
Two Webkit bugs, CVE-2017-7106 and CVE-2017-7089, were patched in iOS and Safari. CVE-2017-7089 is a universal cross-site scripting bug disclosed by Frans Rosen of Detectify and Anton Lopanitsyn of ONSEC. Apple said it addressed a logic issue in iOS’ handling of parent tabs.
CVE-2017-7106, meanwhile, could be abused by an attacker allowing them to spoof the address bar. A user would need to be tricked into visiting a site hosting an exploit, Apple said.
Apple also patched a similarly described bug in Safari for iOS and macOS, CVE-2017-7085, allowing an attacker to again spoof the address bar. Address bar spoofing allows an attacker to manipulate the browser and display a familiar URL to the user while they instead visit a site of the attacker’s choosing.
Apple also patched an issue in iOS’ implementation of Exchange ActivSync where an attacker already on the network could erase an iPhone or iPad during Exchange setup. Apple said it patched CVE-2017-7088 by requiring TLS during setup.
iOS’ MobileBackup was also patched, addressing a permissions issue that could allow the feature to perform an unencrypted backup despite established requirements mandating encrypted backups.
Apple also patched denial-of-service vulnerabilities in Messages, Mail MessageUI and iBooks. In Messages, a crafted message could cause an iPhone or iPad to crash; Apple patched CVE-2017-7118 with improved validation. In Mail MessageUI, Apple patched a memory corruption flaw that could also crash a device if a malicious image is processed.
Apple said that CVE-2017-7072 addresses multiple DoS issues in iBooks, each exploited through the parsing of maliciously crafted iBooks files.
The Xcode update included patches for single vulnerabilities in Git and subversion, and five in Id64, all of which lead to arbitrary code execution.
The Git and subversion bugs affect macOS Sierra 10.12.6 or later, and can be exploited through a maliciously crafted repository.
The Id64 issues also affect macOS Sierra 10.12.6. Apple said it the five CVEs were memory corruption issues that could allow an attacker to run code through the parsing of a crafted Mach-O file. macOS uses this file format for native executables, libraries and objects.