Apple Security Updates Fixed These Bugs in iOS 11


With the release of iOS 11, Apple has included security updates to fix certain software bugs. The Apple security updates page includes a list of the bugs in iOS 11, macOS High Sierra, tvOS 11 and watchOS 4. The following is a list of vulnerabilities patched with the iOS 11.0 release.

Exchange ActiveSync

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: An attacker in a privileged network position may be able to erase a device during Exchange account setup
  • Description: A validation issue existed in AutoDiscover V1. This issue was addressed through requiring TLS.
  • CVE-2017-7088: Ilya Nesterov, Maxim Goncharov

iBooks

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: Parsing a maliciously crafted iBooks file may lead to a persistent denial-of-service
  • Description: Multiple denial of service issues were addressed through improved memory handling.
  • CVE-2017-7072: Jędrzej Krysztofiak

Mail MessageUI

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: Processing a maliciously crafted image may lead to a denial of service
  • Description: A memory corruption issue was addressed with improved validation.
  • CVE-2017-7097: Xinshu Dong and Jun Hao Tan of Anquan Capital

Messages

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: Processing a maliciously crafted image may lead to a denial of service
  • Description: A denial of service issue was addressed through improved validation.
  • CVE-2017-7118: Kiki Jiang and Jason Tokoph

MobileBackup

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: Backup may perform an unencrypted backup despite a requirement to perform only encrypted backups
  • Description: A permissions issue existed. This issue was addressed with improved permission validation.
  • CVE-2017-7133: Don Sparks of HackediOS.com

Safari

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: Visiting a malicious website may lead to address bar spoofing
  • Description: An inconsistent user interface issue was addressed with improved state management.
  • CVE-2017-7085: xisigr of Tencent’s Xuanwu Lab (tencent.com)

WebKit

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: Processing maliciously crafted web content may lead to universal cross site scripting
  • Description: A logic issue existed in the handling of the parent-tab. This issue was addressed with improved state management.
  • CVE-2017-7089: Anton Lopanitsyn of ONSEC, Frans Rosén of Detectify

WebKit

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: Visiting a malicious website may lead to address bar spoofing
  • Description: An inconsistent user interface issue was addressed with improved state management.
  • CVE-2017-7106: Oliver Paukstadt of Thinking Objects GmbH (to.com)

The details on the Common Vulnerabilities and Exposures (CVE) website aren’t available yet. This is because Apple imposed a moratorium on publishing until the bugs were patched. We’ll know more about them in the days ahead.
