With the release of iOS 11, Apple has included security updates to fix certain software bugs. The Apple security updates page includes a list of the bugs in iOS 11, macOS High Sierra, tvOS 11 and watchOS 4. The following is a list of vulnerabilities patched with the iOS 11.0 release.

Exchange ActiveSync

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: An attacker in a privileged network position may be able to erase a device during Exchange account setup
  • Description: A validation issue existed in AutoDiscover V1. This issue was addressed through requiring TLS.
  • CVE-2017-7088: Ilya Nesterov, Maxim Goncharov

iBooks

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: Parsing a maliciously crafted iBooks file may lead to a persistent denial-of-service
  • Description: Multiple denial of service issues were addressed through improved memory handling.
  • CVE-2017-7072: Jędrzej Krysztofiak

Mail MessageUI

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: Processing a maliciously crafted image may lead to a denial of service
  • Description: A memory corruption issue was addressed with improved validation.
  • CVE-2017-7097: Xinshu Dong and Jun Hao Tan of Anquan Capital

Messages

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: Processing a maliciously crafted image may lead to a denial of service
  • Description: A denial of service issue was addressed through improved validation.
  • CVE-2017-7118: Kiki Jiang and Jason Tokoph


MobileBackup

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: Backup may perform an unencrypted backup despite a requirement to perform only encrypted backups
  • Description: A permissions issue existed. This issue was addressed with improved permission validation.
  • CVE-2017-7133: Don Sparks of HackediOS.com

Safari

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: Visiting a malicious website may lead to address bar spoofing
  • Description: An inconsistent user interface issue was addressed with improved state management.
  • CVE-2017-7085: xisigr of Tencent’s Xuanwu Lab (tencent.com)

WebKit

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: Processing maliciously crafted web content may lead to universal cross site scripting
  • Description: A logic issue existed in the handling of the parent-tab. This issue was addressed with improved state management.
  • CVE-2017-7089: Anton Lopanitsyn of ONSEC, Frans Rosén of Detectify

WebKit

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: Visiting a malicious website may lead to address bar spoofing
  • Description: An inconsistent user interface issue was addressed with improved state management.
  • CVE-2017-7106: Oliver Paukstadt of Thinking Objects GmbH (to.com)

The details on the Common Vulnerabilities and Exposures (CVE) website aren’t available yet. This is because Apple imposed a moratorium on publishing until the bugs were patched. We’ll know more about them in the days ahead.
