iOS Update 11.3 Security Details

iOS version 11.3 was released on Mar 29, 2018. Although there have been reports about Siri reading out messages from locked devices despite users setting locked screen to hide the messages, there is no mention of fixing such a vulnerability in the iOS 11.3 update.

In total, these 28 vulnerabilities are fixed in this security update:

  • 4 WebKit vulnerabilities – These vulnerabilities allow maliciously crafted web content to execute arbitrary code or cause a denial of service. These issues are fixed with better memory and input handling.
  • 3 Kernel vulnerabilities – The kernel is the underlying foundation of iOS. Kernel vulnerabilities may lead to memory issues and arbitrary code execution with kernel privileges. These vulnerabilities are fixed through improved input validation and memory handling.
  • 3 Safari vulnerabilities – These vulnerabilities allow a malicious website to exfiltrate autofilled data or spoof user interfaces. They are addressed through better state management and autofill heuristics.
  • 2 Telephony vulnerabilities – These vulnerabilities enable remote attackers to execute arbitrary code or restart devices. These vulnerabilities are addressed with improved message and input validation.
  • 2 File vulnerabilities – One of them exists in file system events, allowing apps to gain unauthorized privileges, and another exists in the Files widget, which displays cached data on locked devices. They are handled with validation for a race condition and improved state management.
  • 1 Clock vulnerability – This vulnerability discloses the email address used for iTunes to any person with physical access to the device. This vulnerability is remediated through improved access control.
  • 1 Core Foundation vulnerability – This vulnerability causes a race condition granting unauthorized apps elevated privilege. It is addressed through additional validation for the race condition.
  • 1 Core Text vulnerability – This vulnerability allows a maliciously crafted string to cause a denial of service. It is handled by improved memory handling.
  • 1 Find My iPhone vulnerability – This vulnerability allows an attacker to disable Find My iPhone without entering an iCloud password. It is addressed through improved state validation.
  • 1 iCloud Drive vulnerability – This vulnerability allows unauthorized apps to gain privileges. It is fixed via improved validation for a race condition.
  • 1 Mail vulnerability – This vulnerability allows an attacker to intercept encrypted emails. It is addressed through better state management.
  • 1 NSURLSession vulnerability – This vulnerability allows unauthorized apps to gain privileges. It is fixed via improved validation for a race condition.
  • 1 PluginKit vulnerability – This vulnerability allows unauthorized apps to gain privileges. It is fixed via improved validation for a race condition.
  • 1 Quick Look vulnerability – This vulnerability allows unauthorized apps to gain privileges. It is fixed via improved validation for a race condition.
  • 1 Security vulnerability – This vulnerability allows unauthorized apps to gain privileges. It is fixed via improved validation for a buffer overflow.
  • 1 Storage vulnerability – This vulnerability allows unauthorized apps to gain privileges. It is fixed via improved validation for a race condition.
  • 1 System Preferences vulnerability – This vulnerability allows a configuration profile in system preferences to incorrectly remain in effect even after removal. This issue is addressed with better preferences cleanup.
  • 1 WebApp vulnerability – This vulnerability allows cookies to unexpectedly persist in web apps. This is remediated with improved state management.
  • 1 WindowServer vulnerability – This vulnerability allows unprivileged third-party apps to observe keystrokes from other apps. The vulnerability is eliminated with improved state management.

Enhance Your Security by Keeping Up with OS Updates

Enterprise users should note that, although Apple has fixed these vulnerabilities in the 11.3 update, the security benefits do not reach their devices unless users update the OS to this latest version. Thus, before attackers exploit these vulnerabilities, enterprise users should go to “Settings > General > Software Update” and update their iOS devices to the latest version.
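As an added example that is not part of the original post, the check below flags devices in a constructed MDM-style inventory that are still below iOS 11.3; the export format and the device entries are assumptions, not any particular MDM product's schema.

```python
# Added example (not from the original post): flag enterprise iOS devices that
# still run a version older than iOS 11.3, the release discussed above.
# The inventory below is constructed sample data in an assumed
# "<device-id>,<model>,<os-version>" shape, not a real MDM export.
from typing import List, Tuple

# Minimum version that carries the 28 fixes described in the post.
REQUIRED_IOS = "11.3"

SAMPLE_INVENTORY = """\
device-001,iPhone 8,11.2.6
device-002,iPhone X,11.3
device-003,iPad Pro,11.2.5
device-004,iPhone 7,11.3.1
device-005,iPhone SE,10.3.3
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '11.2.6' into (11, 2, 6) so comparison is numeric, not lexical.

    As plain strings '11.10' < '11.3' and '9.3.5' > '11.3', which would
    misclassify devices; integer tuples compare component by component.
    """
    return tuple(int(part) for part in version.strip().split("."))


def needs_update(installed: str, required: str = REQUIRED_IOS) -> bool:
    """True when the installed iOS version is older than the required one."""
    return parse_version(installed) < parse_version(required)


def outdated_devices(inventory: str, required: str = REQUIRED_IOS) -> List[str]:
    """Return the device ids from an inventory export that must be updated."""
    flagged = []
    for line in inventory.splitlines():
        if not line.strip():
            continue  # skip blank lines in the export
        device_id, _model, os_version = (f.strip() for f in line.split(",", 2))
        if needs_update(os_version, required):
            flagged.append(device_id)
    return flagged


if __name__ == "__main__":
    for dev in outdated_devices(SAMPLE_INVENTORY):
        print(f"{dev}: below iOS {REQUIRED_IOS}, schedule Software Update")
```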

OS updates are among the easiest and most cost-effective ways to prevent attacks that exploit holes in older operating systems, and we certainly recommend updating to this latest OS release given the numerous security fixes it provides.

*** This is a Security Bloggers Network syndicated blog from Mobile Threat Blog Posts | Appthority authored by Su Mon Kywe. Read the original post at: https://www.appthority.com/mobile-threat-center/blog/ios-update-11-3-security-details/