Number: IRCNE2013091962
Date: 2013/09/20
According to “ZDNet”, it's not the flashiest improvement in iOS 7, but the new version fixes 80 security vulnerabilities that presumably remain in iOS 6.
The list is very long, even for Apple, which is known for such large updates. Also typical of Apple, the updates include fixes for several vulnerabilities that are quite old.
The bugs could allow many undesirable behaviors:
- Malicious code execution
- Determination of the user's passcode by an app
- The ability to persist malicious code execution across reboots
- Background applications could inject user interface events into the foreground application
- The ability to intercept data protected with IPSec Hybrid Auth
- A person with physical access to the device may be able to bypass the screen lock
- Sandboxed apps could send tweets without user interaction or permission
- Malicious apps could interfere with or control telephony functionality
What would seem to be the oldest bug in the list is labeled CVE-2011-2391. It is described as a kernel bug that could allow a denial of service (DoS), via high CPU load, when an attacker sends specially crafted IPv6 ICMP packets.
But the update also fixes several bugs from 2012 and one from 2011 in the libxml library. The bugs were reported to Apple by dozens of outside sources, including Microsoft and Fortinet. 24 of the 80 were reported to Apple by Google.