iOS version 11.4 was released on May 29, 2018, and the following 31 vulnerabilities are fixed in this security update:
- 10 WebKit vulnerabilities – These vulnerabilities allow maliciously crafted web content to execute arbitrary code on mobile devices. These issues are fixed with improved memory handling, input validation, locking and state management.
- 5 Security vulnerabilities – These vulnerabilities allow a local user to read persistent account and device identifier info and modify the state of Keychain. One of them allows a malicious website to track users using client certificates. These vulnerabilities are fixed via improved certificate validation and state management.
- 3 Siri vulnerabilities – These vulnerabilities allow a malicious attacker with physical access to a device to enable Siri, read contacts and notifications. They are fixed by improving Siri permission checking.
- 2 Messages vulnerabilities – These vulnerabilities allow impersonation attacks and denial of service attacks via maliciously crafted messages. They are fixed using improved message and input validation.
- 2 Kernel vulnerabilities – These Kernel vulnerabilities lead to arbitrary code execution with kernel privileges by a malicious attacker. These vulnerabilities are fixed through improved bound checking and memory handling.
- 1 Bluetooth vulnerability – This vulnerability allows a third-party application to escalate the privileges. This is fixed via improved size validation.
- 1 Contacts vulnerability – This vulnerability allows a maliciously crafted vcf file to denial-of-service attack. This is fixed with improved validation of phone numbers.
- 1 FontParser vulnerability – This vulnerability allows a maliciously crafted font file to arbitrary code execution. This issue is fixed via improved input validation.
- 1 iBook vulnerability – This vulnerability allows a malicious attacker to spoof password prompts from the privileged network. This is fixed with improved input validation.
- 1 libxpc vulnerability – This vulnerability allows third-party applications to escalate their privileges. This is addressed via improved validation.
- 1 Magnifier vulnerability – This vulnerability allows a person with physical device access to view images used by Magnifier. It is fixed via improved permission checking.
- 1 Mail vulnerability – This vulnerability allows an attacker to exfiltrate encrypted emails. It is addressed through better isolation of MIME in Mail.
- 1 Safari vulnerability – This vulnerability allows a malicious website to launch denial-of-service attack. This issue is addressed with improved validation.
- 1 UI Kit vulnerability – This vulnerability allows third-party applications to gain escalated privileges. The vulnerability is fixed through improved error handling.
Enhance Your Security by Keeping Up with OS Updates
Enterprise users should note that, although Apple has fixed these vulnerability with the 11.4 update, the security benefits are not reflected on their devices unless users update the OS to this latest version. Thus, before attackers exploit these vulnerabilities, enterprise users should go to “Settings > General > Software Update” and update their iOS devices to the latest version.
OS updates are among the easiest and most cost-effective ways to prevent attacks from exploiting holes in older operating systems and we certainly recommend updating to this latest OS release given the numerous security updates it provides.
*** This is a Security Bloggers Network syndicated blog from Mobile Threat Blog Posts | Appthority authored by Su Mon Kywe. Read the original post at: https://www.appthority.com/mobile-threat-center/blog/ios-update-11-4-security-details/