Apple Posts Details of iOS 9.3.5 Security Fixes as More Information About Security Holes Surface

Posted in Apple, Apple News, iOS on 25/08/2016 by Chris Hauk

0

Apple released iOS 9.3.5 on Thursday, and update designed to plug three serious security holes, which could give bad guys access to a user’s data, and even allow a device to be remotely jailbroken.

Apple Posts Details of iOS 9.3.5 Security Fixes as More Information About Security Holes Surfaces

Apple has posted information about the content of the update, and what it fixes.

iOS 9.3.5

Released August 25, 2016

Kernel

Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later

Impact: An application may be able to disclose kernel memory

Description: A validation issue was addressed through improved input sanitization.

CVE-2016-4655: Citizen Lab and Lookout 

Kernel

Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4656: Citizen Lab and Lookout

WebKit

Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later

Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4657: Citizen Lab and Lookout

A targeted attack on the device of Ahmed Mansoor, a 46-year-old human rights activist from the United Arab Emirates, came in the form of a text message that included a link. Mansoor was suspicious of the source, and didn’t click the link, instead forwarding it to Bill Marczak, a researcher at Citizen Lab, a digital rights watchdog at the University of Toronto’s Munk School of Global Affairs.

It turns out the link was malicious, and if clicked, would have launched a three-pronged attack on Mansoor’s device accessing the data on the iPhone. Citizen Lab and Lookout informed Apple of the vulnerabilities on August 15.

“It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls,” said mobile security company Lookout’s Vice President of Research Mike Murray. “It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram—you name it.”

Three zero-day vulnerabilities were discovered in the attack, and today’s iOS update plugged the holes used by the attacks. In addition to stealing data, the malware sends constantly updated GPS information to the bad guys, loads the iOS Keychain and grabs the victim’s data, including credentials for wi-fi networks, router passwords, and can intercept phone calls and WhatsApp calls and messages, plus it can remotely record audio and video.

(Some information via AppleInsider)


Author

Chris Hauk

MacTrast Senior Editor, and self-described "magnificent bastard," Chris Hauk owns Phoenix Rising Services and writes for everyone's favorite "bad movie" website, Big Bad Drive-In.

His first Apple product was an iPod Classic 9 years ago, and he has since added a MacBook Pro, a number of iPads, iPhones, and multiple Apple TVs to his collection.

He lives somewhere in the deep Southern part of America. Yes, he has to pump in both sunshine and the Internet.