Apple on Monday released security updates for iOS, tvOS, and watchOS platforms to resolve a total of 12 vulnerabilities that impact iPhone, iPad, iPod touch, Apple TV, and Apple Watch devices.
All 12 vulnerabilities were found to impact iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later, and all were addressed with the release of iOS 10.2 this week. Affected components included Accessibility, Accounts, Find My iPhone, Graphics Driver, Image Capture, Local Authentication, Mail, Media Player, Profiles, and SpringBoard.
Tracked as CVE-2016-7626 and impacting Profiles, a memory corruption issue was found to impact not only the aforementioned iOS devices, but also 4th generation Apple TV and all Apple Watch models. The vulnerability could allow an attacker to achieve arbitrary code execution if the user opened a maliciously crafted certificate on a vulnerable device.
For the attack to be successful, the attacker needs a specially crafted certificate that could lead to memory corruption of several processes. The file can be delivered to vulnerable devices through Mobile Safari or Mail app.
The bug was found by Maksymilian Arciemowicz (cxsecurity.com), who explains that the attacker would be able to control the overflow through the certificate length in OCSP field. Thus, they can trigger the crash of Profile, Preferences, or other unexpected behaviors.
While this was the only vulnerability addressed in tvOS 10.1, Apple fixed one more in watchOS 3.1.1, a bug tracked as CVE-2016-7651. Discovered by Ju Zhu and Lilang Wu of Trend Micro, the issue resulted in the authorization settings not being reset upon application uninstall. The flaw impacted iOS devices as well and Apple decided to improve sanitization to address it.
The issues impacting the iOS’ Accessibility could result in a nearby user overhearing spoken passwords (CVE-2016-7634), or in a person with physical access to the iOS device accessing photos and contacts from the lock screen (CVE-2016-7664). A state management issue in the handling of authentication information that resulted in an attacker with an unlocked device being able to disable Find My iPhone (CVE-2016-7638) was addressed as well.
Apple also resolved a graphics driver bug (CVE-2016-7665) that could lead to denial of service when watching a maliciously crafted video, as well as a vulnerability in image capture (CVE-2016-4690) that could allow a malicious HID device cause arbitrary code execution, and a local authentication bug (CVE-2016-7601) where the device would not lock the screen after the idle timeout.
A flaw in mail (CVE-2016-4689) could result in an email signed with a revoked certificate appearing valid, a bug in media player (CVE-2016-7653) could allow a user view photos and contacts from the lockscreen, while SpringBoard vulnerabilities could allow person with physical access to an iOS device unlock the device (CVE-2016-4781) or keep it unlocked (CVE-2016-7597).