(LiveHacking.Com) – Alongside the release of the iPhone 6 and iPhone 6 Plus, Apple has also released a new version of its mobile operating system. iOS 8 includes improvements to Siri and the ability for third parties to add widgets to the notification area. Apple is calling it “huge for developers, massive for everyone else.” iOS 8 also includes some important security fixes. Overall, Apple addressed 56 unique CVEs in this release.
Among the changes are fixes for bugs that could allow an attacker with access to an iOS device to read sensitive user information from logs, bugs that could allow a local attacker to escalate privileges and install unverified applications, and bugs that could allow some kernel hardening measures to be bypassed.
Other fixes include a patch for maliciously crafted PDF files that could allow an attacker to run arbitrary code, and a patch to stop malicious applications from executing arbitrary code with system privileges. Most of these issues revolve around NULL pointer dereferencing and bounds checking. For example, an out-of-bounds read issue existed in the handling of an IOHIDFamily function. As a result, a malicious application may be able to read kernel pointers and then bypass kernel address space layout randomization. According to Apple’s release notes, “this issue was addressed through improved bounds checking,” a phrase that appears several times in Apple’s document describing the security content of iOS 8.
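The class of bug described above, as an added illustration in C that is not Apple's code and does not come from the release notes: a toy handler that omits the bounds check hands back a neighbouring pointer, which reveals the randomized offset, while the checked handler refuses the request. The memory layout, function names and all values are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN  4u   /* entries a client may legitimately read */
#define REGION_LEN 8u   /* size of the simulated memory region */
/* Constructed value: where the pointer would sit with no KASLR slide. */
#define UNSLID_PTR 0xffffff8000200000ULL

/* Simulated memory: slots 0..3 are the table, slot 4 is an internal
   pointer that happens to sit directly after it. */
static uint64_t region[REGION_LEN];

void region_init(uint64_t slide)
{
    for (uint32_t i = 0; i < TABLE_LEN; i++)
        region[i] = (i + 1) * 10u;
    region[TABLE_LEN] = UNSLID_PTR + slide;
}

/* Flawed handler: never compares index with TABLE_LEN. The REGION_LEN
   test only keeps this simulation inside its own array. */
int read_entry_unchecked(uint32_t index, uint64_t *out)
{
    if (index >= REGION_LEN)
        return -1;
    *out = region[index];
    return 0;
}

/* Hardened handler: rejects any index outside the table. */
int read_entry_checked(uint32_t index, uint64_t *out)
{
    if (index >= TABLE_LEN)
        return -1;
    *out = region[index];
    return 0;
}

int main(void)
{
    uint64_t v = 0;
    region_init(0x1c600000ULL);              /* constructed slide */
    if (read_entry_unchecked(TABLE_LEN, &v) == 0)
        printf("unchecked read exposes slide 0x%llx\n",
               (unsigned long long)(v - UNSLID_PTR));
    printf("checked read returns %d\n", read_entry_checked(TABLE_LEN, &v));
    return 0;
}
```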
WebKit, the open source HTML rendering engine used by Apple, also received a lot of patches (12 in total). According to Apple, visiting a maliciously crafted website in previous versions of iOS may lead to an unexpected application termination or arbitrary code execution. This was because of multiple memory corruption issues in WebKit. These issues were addressed through improved memory handling.
As well as releasing iOS 8, Apple also released new versions of OS X, OS X Server, Safari, and Apple TV. These are all maintenance releases which fix bugs and patch security vulnerabilities. The full list of updates including links to the relevant security information follows:
- OS X Server 2.2.3 – OS X Mountain Lion v10.8.5
- OS X Server 3.2.1 – OS X Mavericks v10.9.5
- Safari 6.2 and Safari 7.1 – OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
- OS X Mavericks 10.9.5 and Security Update 2014-004 – OS X Lion v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9 to v10.9.4
- Xcode 6.0.1 – OS X Mavericks v10.9.4 or later
- Apple TV 7 – Apple TV 3rd generation and later