
Afraid of getting your iThing pwned? Get yourself iOS 9.2.1

Apple addresses fresh crop of remote code execution holes

Apple has posted an update for iOS, including patches for 13 CVE-listed security flaws.

The Cupertino giant said that the iOS 9.2.1 update bundles the security fixes with a patch for a bug in the Apple Mobile Device manager that had prevented some iOS devices from installing apps. Note that this update will not fix the weird timezone-related battery level bug in iPhone 6s and 6s Plus handsets, which Apple is still investigating.

The security portion of the 9.2.1 update covers a baker's dozen flaws, six of which can be exploited to achieve remote code execution on iOS devices.

Five of the remote code execution vulnerabilities lie in the WebKit browser engine, and could be exploited simply by loading a malicious webpage. Such flaws are commonly used by hobbyists to automate "unlock" procedures that allow users to install unapproved software. Discovery of all five flaws was credited to Apple staff.

A sixth remote code execution flaw was found in the libxslt component by a researcher known as Puzzor. That flaw, due to a type confusion error, could also be exploited by way of a malformed webpage.

Another five of the patched flaws would also allow remote code execution, but only when run locally on the device. Those include memory corruption errors in iOS Disk Images (discovered by Frank Graziano of the Yahoo! Pentest Team), IOHIDFamily and IOKit (both discovered by Ian Beer of Google Project Zero), iOS Kernel (discovered by Beer of Project Zero and Ju Zhu of Trend Micro), and syslog (discovered by Joshua J. Drake and Nikias Bassen of Zimperium zLabs).

The remaining two security flaws are a bug in WebKit CSS allowing a site to check if a user has previously visited a link (discovered by an anonymous researcher) and a flaw that could allow a captive portal webpage to view a user's cookies (discovered by Adi Sharabani and Yair Amit of Skycure).

Users can obtain the iOS 9.2.1 update by opening the iOS "Settings" app, then accessing the "General" panel and selecting "Software Update." ®
