Apple has released iOS 7.1, its second iOS security update in less than three weeks, this time fixing a host of code execution and other vulnerabilities that could compromise the devices of iPhone, iPad and iPod touch owners.
Some of the vulnerabilities are critical. One, in the iTunes Store, allowed man-in-the-middle (MITM) attacks against the Enterprise App Download feature: an attacker with a privileged network position could spoof network communications to entice a user into downloading a malicious app. Apple mitigated the issue by using SSL for the download and prompting the user during URL redirects.
Also, a set of ImageIO vulnerabilities would allow an attacker to use a maliciously crafted PDF, JPEG or TIFF file to cause unexpected application termination or arbitrary code execution. A similar flaw would allow attackers to do the same with a maliciously crafted Microsoft Word document.
Another flaw could disclose user credentials to an unexpected site via autofill: Safari may have autofilled user names and passwords into a subframe from a different domain than the main frame. This issue was addressed through improved origin tracking.
Then there are the patches for WebKit, the browser engine underlying Safari. Apple fixed 19 separate memory corruption issues in WebKit in this update, about half of which were discovered by the Google Chrome security team.
The laundry list of problems in the advisory goes on: a CoreCapture issue would allow a malicious application to crash the system, while another flaw would allow an attacker to bypass code signing requirements. And another serious issue could be exploited for information theft: a flawed interface in the IOKit framework allowed malicious apps to monitor user actions in other apps. This issue was addressed through improved access control policies in the framework.
Some flaws need only physical access to the device. In one case, an unauthorized user could access FaceTime contacts on a locked device simply by making a failed FaceTime call from the lock screen. In another, a local user could cause an unexpected system termination or arbitrary code execution in the kernel. And one issue would allow a person with physical access to the device to disable Find My iPhone without entering an iCloud password, perfect for a phone thief.
Also on the local front, a serious USB host flaw would allow a person with physical access to the device to execute arbitrary code in kernel mode, thanks to a memory corruption problem in the handling of USB messages. That issue was addressed through additional validation of USB messages.
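The "additional validation" fix pattern, as an added illustration in C that is not Apple's code: the advisory does not describe the real bug, so the message layout here (a one-byte type, a one-byte declared payload length, then the payload) is invented, as are the `frame_t` structure and the two handlers. The unchecked handler trusts the device-supplied length field and lets an oversized message overwrite the field next to the payload buffer; the hardened handler bounds the declared length by both the destination buffer and the bytes actually received. The sample messages are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_MAX 16

/* Hypothetical wire format (invented for this example):
 *   byte 0: message type, byte 1: declared payload length, bytes 2..: payload */
typedef struct {
    uint8_t  payload[PAYLOAD_MAX];  /* bytes the driver keeps from the message */
    uint32_t state;                 /* adjacent field an overflow would clobber */
} frame_t;

/* Vulnerable handler: trusts the device-supplied length field outright. */
static int handle_msg_unchecked(frame_t *f, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 2)
        return -1;
    size_t declared = msg[1];
    /* Missing: declared <= PAYLOAD_MAX and declared <= msg_len - 2 */
    memcpy(f->payload, msg + 2, declared);
    return (int)declared;
}

/* Hardened handler: validates the declared length against both the
 * destination buffer and the number of bytes actually received. */
static int handle_msg_checked(frame_t *f, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 2)
        return -1;          /* truncated header */
    size_t declared = msg[1];
    if (declared > PAYLOAD_MAX)
        return -2;          /* would overflow payload[] */
    if (declared > msg_len - 2)
        return -3;          /* claims more bytes than were received */
    memcpy(f->payload, msg + 2, declared);
    return (int)declared;
}

/* Constructed messages. The malicious one declares and carries 20 payload
 * bytes, four more than the buffer; the last four land on f->state. The short
 * one declares 8 bytes but carries only 2. */
static const uint8_t benign_msg[] = { 0x01, 4, 'a', 'b', 'c', 'd' };
static const uint8_t short_msg[]  = { 0x01, 8, 'x', 'y' };
static const uint8_t evil_msg[]   = { 0x01, 20,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0xEF, 0xBE, 0xAD, 0xDE };

/* Value of f->state after the unchecked handler runs; it starts at 0, so a
 * non-zero result means the message overwrote the neighbouring field. */
uint32_t state_after_unchecked(const uint8_t *msg, size_t msg_len)
{
    frame_t f = { {0}, 0 };
    handle_msg_unchecked(&f, msg, msg_len);
    return f.state;
}

/* Return code of the hardened handler for the same message. */
int checked_result(const uint8_t *msg, size_t msg_len)
{
    frame_t f = { {0}, 0 };
    return handle_msg_checked(&f, msg, msg_len);
}

int main(void)
{
    printf("checked, benign: %d\n", checked_result(benign_msg, sizeof benign_msg));
    printf("checked, short:  %d\n", checked_result(short_msg, sizeof short_msg));
    printf("checked, evil:   %d\n", checked_result(evil_msg, sizeof evil_msg));
    printf("unchecked, evil: state = 0x%08x\n",
           (unsigned)state_after_unchecked(evil_msg, sizeof evil_msg));
    return 0;
}
```

The second bound (declared length against received length) matters as much as the first: a message that claims more payload than arrived makes the handler read past the end of the receive buffer, which is the same class of bug in the other direction.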
The update also addresses a range of less serious problems, such as a video driver flaw (playing a maliciously crafted video could make the device unresponsive). Some could be useful to crooks, though at a lower level of severity than the flaws above: a TelephonyUI Framework problem would allow a webpage to trigger a FaceTime audio call without user interaction, for which Apple has now added a confirmation prompt. A SpringBoard issue would let a person with physical access to the device see its home screen after an unexpected application termination during activation. And another issue would allow a remote attacker to cause the lock screen to become unresponsive.
About two weeks ago Apple released iOS 7.0.6 to fix a major SSL certificate validation error. It had potentially serious consequences and stemmed from a very simple coding error, one believed to have existed for several months. The effect was that anyone using Safari on Apple devices was misled into trusting the security of an SSL-secured (https) connection. A classic MITM attack is not difficult to execute, but it is supposed to be defeated by SSL; that protection was not working in Safari (or in a few other Apple applications, such as Mail, Pages, Preview and Calendar) on Apple equipment. Any attacker with sufficient resources to divert traffic to its own server could decrypt and steal the content (which could include banking details) before feigning a fault or forwarding the message on to the correct destination.
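The coding error behind the 7.0.6 fix (CVE-2014-1266, widely known as "goto fail") was a duplicated `goto fail;` line in Secure Transport's ServerKeyExchange signature check: the second goto was unconditional, so it jumped to the cleanup label while the status variable still held the success value from the preceding hash update, and the signature verification below it never ran. The following is an added, simplified reproduction of that control-flow pattern in C, not Apple's code: the hash is a toy FNV-1a, the "signature" is just the transcript digest, the handshake values are constructed, and the function and error names are this example's own. The buggy and fixed versions differ only in the one stray line.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef int OSStatus;
enum { SSL_OK = 0, SSL_ERR_HASH = -1, SSL_ERR_BAD_SIGNATURE = -2 };

/* Toy hash (FNV-1a, 32-bit) standing in for the real SHA-1 context. */
typedef struct { uint32_t h; } hash_ctx;

static OSStatus hash_init(hash_ctx *c) { c->h = 2166136261u; return SSL_OK; }

static OSStatus hash_update(hash_ctx *c, const uint8_t *p, size_t n)
{
    if (p == NULL)
        return SSL_ERR_HASH;            /* the error path the gotos exist for */
    for (size_t i = 0; i < n; i++) {
        c->h ^= p[i];
        c->h *= 16777619u;
    }
    return SSL_OK;
}

static OSStatus hash_final(hash_ctx *c, uint32_t *out) { *out = c->h; return SSL_OK; }

/* Toy "signature" check: valid iff the signature equals the transcript digest. */
static OSStatus raw_verify(uint32_t digest, uint32_t signature)
{
    return digest == signature ? SSL_OK : SSL_ERR_BAD_SIGNATURE;
}

/* Buggy version: the second goto fail is unconditional, so hash_final and
 * raw_verify are dead code and err still holds SSL_OK from the last
 * successful hash_update. Any signature is accepted. */
OSStatus verify_signed_params_buggy(const uint8_t *cr, size_t cr_len,
                                    const uint8_t *sr, size_t sr_len,
                                    const uint8_t *sp, size_t sp_len,
                                    uint32_t signature)
{
    OSStatus err;
    hash_ctx ctx;
    uint32_t digest = 0;

    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, cr, cr_len)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, sr, sr_len)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, sp, sp_len)) != 0)
        goto fail;
        goto fail;                          /* the duplicated line */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;

    err = raw_verify(digest, signature);    /* never reached */

fail:
    return err;
}

/* Fixed version: identical apart from the removed stray goto. */
OSStatus verify_signed_params_fixed(const uint8_t *cr, size_t cr_len,
                                    const uint8_t *sr, size_t sr_len,
                                    const uint8_t *sp, size_t sp_len,
                                    uint32_t signature)
{
    OSStatus err;
    hash_ctx ctx;
    uint32_t digest = 0;

    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, cr, cr_len)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, sr, sr_len)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, sp, sp_len)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;

    err = raw_verify(digest, signature);

fail:
    return err;
}

/* Constructed handshake transcript for the demonstration. */
static const uint8_t tx_client_random[] = "client-random";
static const uint8_t tx_server_random[] = "server-random";
static const uint8_t tx_signed_params[] = "dh-params";

/* What an honest server would send: the digest of the transcript. */
uint32_t genuine_signature(void)
{
    hash_ctx ctx;
    uint32_t digest = 0;
    hash_init(&ctx);
    hash_update(&ctx, tx_client_random, sizeof tx_client_random);
    hash_update(&ctx, tx_server_random, sizeof tx_server_random);
    hash_update(&ctx, tx_signed_params, sizeof tx_signed_params);
    hash_final(&ctx, &digest);
    return digest;
}

OSStatus check_buggy(uint32_t sig)
{
    return verify_signed_params_buggy(tx_client_random, sizeof tx_client_random,
                                      tx_server_random, sizeof tx_server_random,
                                      tx_signed_params, sizeof tx_signed_params, sig);
}

OSStatus check_fixed(uint32_t sig)
{
    return verify_signed_params_fixed(tx_client_random, sizeof tx_client_random,
                                      tx_server_random, sizeof tx_server_random,
                                      tx_signed_params, sizeof tx_signed_params, sig);
}

int main(void)
{
    uint32_t forged = genuine_signature() ^ 1u;
    printf("fixed, forged signature: %d\n", check_fixed(forged));
    printf("buggy, forged signature: %d\n", check_buggy(forged));
    return 0;
}
```

An attacker who can divert traffic only needs to present a ServerKeyExchange with any signature at all; the buggy path returns success without ever comparing it, which is why the bug turned every TLS connection using such a key exchange into a MITM target. A compiler warning for unreachable code, or a style rule requiring braces around every `if` body, would have flagged the duplicated line.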