July 22, 2014

Apple updates OS X, iOS, Apple TV and AirPort

Apple has released a slew of updates for several of its key platforms to fix a range of security issues including some related to the OpenSSL HeartBleed bug. According to the release notes for AirPort Base Station Firmware Update 7.7.3, the new software contains a fix for an out-of-bounds memory issue in the OpenSSL library when handling TLS heartbeat extension packets (i.e. the HeartBleed bug). Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected.

For iOS, Apple TV and OS X, Apple also released a set of patches, one of which applies to sessions protected by SSL. In what is known as a “triple handshake” attack, an attacker could create two connections using the same keys and handshake. As a result the attacker could insert data into one connection and renegotiate so that the connections are forwarded to each other. To work around this scenario Apple has changed the SSL renegotiation code so that the same server certificate needs to be presented as in the original connection.

The update to OS X is called Security Update 2014-002 and has various changes for OS X 10.7 Lion, OS X 10.8 Mountain Lion and OS X 10.9 Mavericks. The changes are as follows:

  • Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie.
  • A format string issue existed in the CoreServicesUIAgent’s handling of URLs.
  • A buffer underflow existed in the handling of fonts in PDF files.
  • A reachable abort existed in the Heimdal Kerberos’ handling of ASN.1 data. This meant that a remote attacker could cause a denial of service.
  • A buffer overflow issue existed in ImageIO’s handling of JPEG images.
  • A validation issue existed in the Intel Graphics Driver’s handling of a pointer from userspace. As a result a malicious application could take control of the system.
  • A set of kernel pointers stored in an IOKit object could be retrieved from userland.
  • A kernel pointer stored in a XNU object could be retrieved from userland.
  • If a key was pressed or the trackpad touched just after the lid was closed, the system might have tried to wake up while going to sleep, which would have caused the screen to be unlocked. This issue was addressed by ignoring keypresses while going to sleep.
  • An integer overflow issue existed in LibYAML’s handling of YAML tags as used by Ruby.
  • A heap-based buffer overflow issue existed in Ruby when converting a string to a floating point value.
  • WindowServer sessions could be created by sandboxed applications.
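The Set-Cookie bug in the list above comes down to one parsing rule: a client must not act on a header line that was never terminated. The following added example (not Apple's code; the response bytes are constructed for illustration) models a cookie parser in both modes, showing how a connection closed just after the cookie value drops the Secure and HttpOnly flags in the lenient parser while the strict parser discards the incomplete line.

```python
"""Set-Cookie truncation: honour only header lines terminated by CRLF.

Added example, not Apple's code. It models the defect described above: if the
server's response is cut off before the Set-Cookie line ends, the attributes
that follow the cookie value (Secure, HttpOnly) never arrive. A client that
accepts the partial line stores an unprotected cookie; the fixed client only
processes lines that actually ended in CRLF.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie value of the form 'name=value; Attr; Attr=x'."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        key = attr.split("=", 1)[0].strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
    return cookie


def header_lines(raw: bytes, strict: bool) -> list[str]:
    """Split received header bytes into lines.

    strict=False reproduces the vulnerable behaviour: a trailing fragment with
    no CRLF is treated as if it were a complete line.
    strict=True returns only lines that were terminated by CRLF, so a line cut
    short by a closed connection is ignored.
    """
    lines = raw.decode("latin-1").split("\r\n")
    # After split(), the last element is "" for a fully terminated block and a
    # partial line for a truncated one.
    complete, fragment = lines[:-1], lines[-1]
    if fragment and not strict:
        complete.append(fragment)  # vulnerable: honour the unterminated line
    return [ln for ln in complete if ln]


def cookies_from_response(raw: bytes, strict: bool) -> dict[str, Cookie]:
    """Collect cookies from a (possibly truncated) HTTP response header block."""
    jar: dict[str, Cookie] = {}
    for line in header_lines(raw, strict):
        field, _, value = line.partition(":")
        if field.strip().lower() == "set-cookie":
            cookie = parse_set_cookie(value)
            jar[cookie.name] = cookie
    return jar


# Constructed sample response: a session cookie that the server marks Secure
# and HttpOnly, followed by the blank line that ends the header block.
FULL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: session=abc123; Secure; HttpOnly\r\n"
    b"\r\n"
)
# The same response with the connection closed right after the cookie value,
# before the attributes and the terminating CRLF were sent.
TRUNCATED_RESPONSE = FULL_RESPONSE[: len(b"HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123")]


if __name__ == "__main__":
    for label, raw in (("complete", FULL_RESPONSE), ("truncated", TRUNCATED_RESPONSE)):
        for strict in (False, True):
            jar = cookies_from_response(raw, strict)
            print(f"{label:9s} strict={strict!s:5s} -> {jar}")
```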

Apple has also updated iOS 7 with the release of iOS 7.1.1. It patches the same Set-Cookie HTTP headers bug as found in OS X plus it updates WebKit (the HTML rendering engine used by mobile Safari) to fix a number of issues, many of which were found by Google (for its Chrome browser). The new Apple TV 6.1.1 firmware has the same changes as iOS 7.1.1 and addresses the Set-Cookie HTTP headers bug and also patches WebKit.

You can get more information on Apple’s security updates here: http://support.apple.com/kb/HT1222

New digitally signed malware targets Mac users

A new piece of digitally signed malware that targets Mac users has been discovered. The new malware, which has been dubbed OSX/LaoShu-A by Sophos and is considered a bot, is being used in an “undelivered courier item” email campaign which tries to trick users into downloading the malware as they try to see the description of an alleged undelivered parcel.

In this particular case the email explains that the undelivered item contained some documents which have been scanned and are waiting for the user to inspect them. A link is provided which takes the unsuspecting user to a fake courier website (often a clone of a real courier website like FedEx or DHL) and then proceeds to download an attachment. If the malicious website detects that the web browser is running on Windows then a piece of malware called Mal/VBCheMan-C is downloaded.

However for Mac users a .zip file is downloaded containing an application that looks like a PDF document. OS X will automatically unzip the file and leave the application in the Downloads folder. The app icon has been intentionally given the PDF icon to trick users into thinking it is a PDF document. However when clicked it will install the malware. Because the application is digitally signed OS X won’t produce a warning about the application coming from an unknown source, but rather it will only warn the user that it has been downloaded from the Internet. Although the warning does actually say “application” rather than “document” the dialog offers the user two possibilities to Cancel or to Open. The use of the word Open by Apple rather than Run can leave the user with the impression that they are opening a document.

According to Sophos OSX/LaoShu-A is a bot and takes commands from a C&C server, however its main function appears to be data stealing as it will search for files with extensions such as DOC, DOCX, XLS, XLSX, PPT and PPTX and try to upload them to the C&C server. However it can also download new program files and execute shell commands, which means it will basically be able to do whatever the attackers tell it to do.

In conclusion, don’t click on random links in unsolicited emails especially those with good link bait like the undelivered courier item emails.

Apple releases new versions of Safari to fix critical vulnerabilities

Apple has released new versions of Safari 6.1 and Safari 7.0 for Mac OS X to fix critical vulnerabilities. If exploited these vulnerabilities could lead to arbitrary code execution. The bugs fixed fall into two categories, those with Safari itself and those in the WebKit HTML rendering engine.

In Safari itself Apple has fixed one vulnerability which allowed hackers to create a site where Safari autofilled various user credentials unexpectedly. This could have led to unwanted information disclosure. According to Apple, “Safari may have autofilled user names and passwords into a subframe from a different domain than the main frame. This issue was addressed through improved origin tracking.”

The other fixes were for WebKit. Because of the vulnerabilities, a visit to a maliciously crafted website could lead to an unexpected application termination or arbitrary code execution. This was due to multiple memory corruption issues which were addressed through improved memory handling.

More details of the security content of Safari 6.1.1 and Safari 7.0.1 can be found here. Safari 6.1.1 and Safari 7.0.1 are available for OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.

Apple has also released an update to its latest iteration of OS X.

Apple recommends that all 10.9 users apply the OS X Mavericks v10.9.1 update. The update includes Safari 7.0.1 but doesn’t fix any other security issues in OS X. There are other bug fixes and enhancements which include:

  • Improved support for Gmail in OS X Mail, and fixes for users with custom Gmail settings
  • Improves the reliability of Smart Mailboxes and search in Mail
  • Fixes an issue that prevented contact groups from working properly in Mail
  • Fixes an issue that prevented iLife and iWork apps from updating on non-English systems
  • Addresses an issue that may cause multiple prompts to unlock “Local items” keychain

More details about the security content of OS X Mavericks v10.9.1 can be found here.

Apple releases huge set of updates on back of new iPad announcements

Apple has released a new slew of products in the run up to the holiday season including the new iPad Air, the iPad mini with a Retina display, the radically designed Mac Pro and an updated MacBook Pro. Along with these products Apple also released OS X 10.9 Mavericks which addresses some significant security vulnerabilities in OS X. Apple also released updates for iOS, OS X Server, Safari and iTunes.

OS X

Over 50 different security related bugs (with individual CVE designations) have been fixed. The most interesting of these include:

  • A fix to enable TLS 1.2 for CIFS networking as SSLv3 and TLS 1.0 are subject to a protocol weakness when using block ciphers. According to Apple, a man-in-the-middle attacker could have injected invalid data, causing the connection to close but revealing some information about the previous data. If the same connection was attempted repeatedly the attacker may eventually have been able to decrypt the data being sent, such as a password.
  • Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This was due to a buffer underflow in the handling of PDF files.
  • A malicious local application could cause a crash in the Bluetooth subsystem which could potentially be exploited. The problem was that the Bluetooth USB host controller was deleting interfaces too early.
  • By registering for a hotkey event, an unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled.

The Darwin kernel was also updated to fix a variety of problems that in some cases could force a kernel panic. These included:

  • Use of SHA-2 digest functions in the kernel may result in an unexpected system termination. This bug revolved around an incorrect output length that was used for the SHA-2 family of digest functions. It resulted in a kernel panic when these functions were used, primarily during IPSec connections.
  • The kernel random number generator would hold a lock while satisfying a request from userspace, allowing a local user to make a large request and hold the lock for long periods of time, denying service to other users of the random number generator. This issue was addressed by releasing and reacquiring the lock for large requests more frequently.
  • The kernel would panic when an invalid user-supplied iovec structure was detected. This issue was addressed through improved validation of iovec structures.
  • Unprivileged processes may be able to cause an unexpected system termination or arbitrary code execution in the kernel.
  • Source specific multicast program may cause an unexpected system termination when using Wi-Fi network.
  • An attacker on a local network can send specially crafted IPv6 ICMP packets and cause high CPU load. The issue was addressed by rate limiting ICMP packets before verifying their checksum.
  • An integer truncation issue existed in the kernel socket interface, which could be leveraged to force the CPU into an infinite loop. The issue was addressed by using a larger sized variable.

Lots of third party applications were also updated including Curl, dyld, OpenLDAP, Perl, Python and Ruby.

iOS 7

iOS 7.0.3 is also now available and addresses more passcode and lock screen related problems:

  • A NULL dereference existed in the lock screen which would cause it to restart if the emergency call button was tapped while a notification was being swiped and while the camera pane was partly visible. While the lock screen was restarting, the call dialer could not get the lock screen state and assumed the device was unlocked, and so allowed non-emergency numbers to be dialed.
  • When returning to the passcode lock from the Phone app, the passcode entry view is sometimes visible when it should not be, and so may be accessed even if the iPhone has been disabled due to many incorrect passcode attempts.
  • A person with physical access to the device may be able to call arbitrary contacts because of a race condition in the Phone app at the lock screen. Under various circumstances, the Phone app may allow access to the Contacts pane.

Safari 6.1

While OS X 10.9 includes the latest iteration of Apple’s web browser (Safari 7), Apple has also updated Safari 6 for OS X Lion v10.7.5, OS X Lion Server v10.7.5, and OS X Mountain Lion v10.8.5. Safari 6.1 fixes a number of problems most of them within WebKit, the rendering engine used by Apple and Google. Many of the bugs listed were previously fixed by Google in Chrome.

  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This was due to a memory corruption in the handling of XML files.
  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution, this time due to multiple memory corruption issues in WebKit.
  • An information disclosure issue existed in XSSAuditor. This issue was addressed through improved handling of URLs.
  • Dragging or pasting a selection may lead to a cross-site scripting attack. By dragging or pasting a selection from one site to another a user could allow scripts contained in the selection to be executed in the context of the new site. This issue is addressed through additional validation of content before a paste or a drag and drop operation.
  • Using the Web Inspector disabled Private Browsing.
  • A cross-site scripting issue existed in the handling of URLs. This issue was addressed through improved origin tracking.

OS X Server 3.0, iTunes and Apple Remote Desktop

Apple also released OS X Server 3.0 which addressed a number of security vulnerabilities including a buffer overflow that existed in FreeRADIUS when parsing the ‘not after’ timestamp in a client certificate, when using TLS-based EAP methods. As a result of this, a remote attacker may have been able to cause a denial of service or arbitrary code execution.

Apple released two new versions of its Remote Desktop software, v3.7 and v3.5.4. Both versions fix the same security related bugs, the most severe of which could allow a remote attacker to execute arbitrary code because of a format string vulnerability in the handling of the VNC username.

Windows users also get an update in the form of iTunes 11.1.2. Several different errors are fixed, most are related to WebKit and are similar to the ones fixed in Safari 6.1.

More information about all of Apple’s security related updates can be found at http://support.apple.com/kb/HT1222

Apple updates OS X and Safari to fix critical security issues

(LiveHacking.Com) – Apple has released updates for Mac OS X 10.6.8, OS X Lion v10.7.5, OS X Mountain Lion v10.8 and v10.8.3 to fix a range of critical security vulnerabilities including a fix for an error that could allow a remote attacker to execute arbitrary code with system privileges on Macs with Directory Service enabled. At the same time Apple has also released Safari 6.0.5. The new release of the web browser, which is also included in OS X Mountain Lion v10.8.4, fixes a range of WebKit errors many of which have been previously fixed in Google Chrome.

Mac OS X

Several different security related bugs have been fixed in OS X. Among them was an unbounded stack allocation issue that existed in the handling of text glyphs. It could be exploited by visiting a maliciously crafted site and may lead to an unexpected application termination or arbitrary code execution. The Directory Services vulnerability only applies to OS X 10.6. A remote attacker could execute arbitrary code with system privileges on Macs with Directory Service enabled due to an error in the way the directory server handled certain messages from the network. By sending a maliciously crafted message, a remote attacker could cause the directory server to terminate or execute arbitrary code with system privileges.

There were also several fixes for OpenSSL. There are known attacks on the confidentiality of TLS 1.0 when compression was enabled. To address this Apple has disabled compression in OpenSSL. Also OpenSSL was updated to version 0.9.8x to address multiple vulnerabilities, which may lead to denial of service or disclosure of a private key.

Other fixes include:

  • An attacker with access to a user’s session may be able to log into previously accessed sites, even if Private Browsing was used
  • Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  • A local user in the lpadmin group may be able to read or write arbitrary files with system privileges
  • A local user who is not an administrator may disable FileVault using the command-line. This issue was addressed by adding additional authentication.
  • Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
  • Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  • Viewing a maliciously crafted QTIF file may lead to an unexpected application termination or arbitrary code execution
  • Viewing a maliciously crafted FPX file may lead to an unexpected application termination or arbitrary code execution
  • Playing a maliciously crafted MP3 file may lead to an unexpected application termination or arbitrary code execution

Multiple vulnerabilities also existed in Ruby on Rails, the most serious of which may lead to arbitrary code execution on systems running Ruby on Rails applications. These issues were addressed by updating Ruby on Rails to version 2.3.18.

It is worth noting that starting with OS X 10.8.4, Java Web Start (i.e. JNLP) applications downloaded from the Internet need to be signed with a Developer ID certificate.

Safari

All the fixes in the new release of Safari are related to WebKit as follows:

  • Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
  • A cross-site scripting issue existed in the handling of iframes. This issue was addressed through improved origin tracking.
  • A cross-site scripting issue existed in the handling of copied and pasted data in HTML documents. This issue was addressed through additional validation of pasted content.
  • XSS Auditor may rewrite URLs to prevent cross-site scripting attacks. This may lead to a malicious alteration of the behavior of a form submission. This issue was addressed through improved validation of URLs.

More information about the security content of Safari 6.0.5 can be found here.

Apple releases fixes after its computers got hacked

(LiveHacking.Com) – Apple has revealed that a small number of its computers were hacked by the same group who recently targeted Facebook. The iPhone-maker said it has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. As a result Apple has released some updates for Java and Mac OS X 10.6.

Java for OS X 2013-001 and Mac OS X v10.6 Update 13 are now available and address the following:

  • Multiple vulnerabilities existed in Java 1.6.0_37, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.
  • Multiple vulnerabilities existed in Java, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.

The Java updates are available for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.x, OS X Lion Server v10.7.x, OS X Mountain Lion 10.8.x.

Apple also released an update to its malware removal tool that will remove the most common variants of malware. If malware is found, it presents a dialog notifying the user that malware was removed.

Since OS X Lion, Macs have shipped without Java installed, and as an added security measure OS X automatically disables Java if it has been unused for 35 days.

SMS fraud malware now targets OS X users

(LiveHacking.Com) – SMS fraud is nothing new and is one of the preferred methods of generating income for malware writers on Android and on Windows. The Russian security firm Dr. Web has discovered a piece of malware which attempts to perpetrate SMS fraud on unsuspecting OS X users. Dubbed Trojan.SMSSend.3666, it is the first program of its kind that targets Mac OS X.

With SMS fraud the malware writers attempt to subscribe victims to premium rate SMS services which charge high fees for useless messages. The Android variant causes the phone to send a message to one of these premium rate numbers.

The new Mac malware is a fake installer which can be downloaded under the guise of useful software. In this case, the Trojan pretends to be an installer for a program called VKMusic 4, a program meant for use on the VK social network. VK claims it is the largest European social network with more than 100 million active users.

“In order to continue the ‘installation’ fraudsters ask that the victim enter their cellphone number into an appropriate field and then specify the code found in a reply SMS. By performing these actions the user agrees to terms of a chargeable subscription and a fee will be debited from their mobile phone account on a regular basis,” wrote Dr. Web.

Recent outbreaks of OS X malware have used vulnerabilities in Java, however this Trojan doesn’t use a known or unknown vulnerability, rather it is a simple social engineering ploy to trick the user into subscribing to a costly phone service. A relatively small number of OS X users will be affected because, first, it targets users of VK and, second, the OS X user needs to download the fake version of VKMusic from an underground web site.

It is anticipated that Apple’s XProtect malware utility will be updated to identify this new Trojan in due course.

Apple releases OS X Server v2.1.1 to fix problems in PostgreSQL & Jabber

(LiveHacking.Com) – Apple has released OS X Server v2.1.1 to address multiple vulnerabilities in PostgreSQL and fix an issue with the Jabber server’s handling of dialback result messages. Before Mac OS X 10.7, Apple sold a separate server edition of OS X, but now it is a separate set of server add-ons which can be bought directly from Apple’s online Mac App Store. OS X Server 2.1.1 is an update of that add-on component.

OS X Server adds the following capabilities to OS X: File sharing for Mac, PC, and iPad; Wiki Server; Profile Manager; Provide a Time Machine backup destination for Mac computers on your network; Standards-based SMTP, IMAP, and POP server; Calendar Server; Contacts Server; Messages Server; Encrypted VPN connections for Mac, iPad, iPhone, and PC; and Xsan.

PostgreSQL

PostgreSQL has been updated to version 9.1.5 to address multiple vulnerabilities, the most serious of which may allow database users to read files from the file system with the privileges of the database server role account. Further information is available via the PostgreSQL web site at http://www.postgresql.org/docs/9.1/static/release-9-1-5.html.

Messages Server

An issue existed in the Jabber server’s handling of dialback result messages. An attacker may cause the Jabber server to disclose information intended for users of federated servers. This issue was addressed through improved handling of dialback result messages.

From a security standpoint, OS X Server v2.1.1 includes the security updates of OS X Mountain Lion v10.8.2.

What’s New in Version 2.1.1

  • Managing DHCP service from within the Server application
  • iOS 6 device management support in Profile Manager
  • Using the Server application to create a large number of users or groups
  • Authenticating with Calendar Server when using an Active Directory account
  • Renewing certificates for use with the Apple Push Notification Service
  • Configuring DNS entries with second level domains and aliases
  • Retaining network, DNS and PHP settings when installing or upgrading OS X Server
  • Migrating from Lion Server and Snow Leopard Server

In brief: Apple releases updates for OS X and Safari

(LiveHacking.Com) - Having released iOS 6 with a large number of security fixes, Apple has now released an update to OS X and a new version of Safari. For OS X, Mountain Lion has been updated to v10.8.2, Lion jumps to v10.7.5 and for OS X 10.6 Snow Leopard Apple has released Security Update 2012-004. Safari has received a minor update to 6.0.1 to address a range of security issues.

The updates to OS X upgrade or fix a number of low level OS X components including:

  • Apache has been updated to version 2.2.22 to address several vulnerabilities, the most serious of which may lead to a denial of service.
  • A reachable assertion issue existed in the handling of DNS records. This issue was addressed by updating to BIND 9.7.6-P1.
  • PHP is updated to version 5.3.15 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.

Other components updated include: CoreText, DirectoryService, ImageIO, Kernel, Mail and QuickTime.

Safari has also been updated including a large set of fixes for WebKit. OS X Mountain Lion v10.8.2 automatically updates Safari to Safari 6.0.1.

Plethora of security updates in iOS 6

(LiveHacking.Com) - Yesterday Apple launched the latest version of its mobile operating system for the iPhone, iPad and iPod Touch. iOS 6 brings new features like Facebook integration and is the default OS for the new iPhone 5 which starts shipping on Friday. The new OS also includes lots of important security fixes.

Included in the fixes is an update to WebKit, the open source HTML rendering engine which Apple created and is also used in Google Chrome. Apple updated iTunes recently with a very similar set of WebKit fixes as those found in iOS 6. Apple describes the WebKit vulnerabilities by saying that “Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.” This, Apple explains, is because “multiple memory corruption issues existed in WebKit. These issues are addressed through improved memory handling.”

Other WebKit fixes also include several cross-site scripting fixes and better URL handling. According to Apple the Unicode fonts embedded in Safari can be used to create a URL which contains look-alike characters. These look-alike characters can be used by a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain.

Apple also spent some time fixing issues with passcode which can be set from within iOS to stop unwanted access to the device. This included a design flaw in the support for viewing photos that were taken while the screen was locked. Previously to determine which photos should be displayed the passcode lock checked the time at which the device was locked and compared it to the time that a photo was taken. However, by spoofing the current time an attacker could gain access to photos that were taken before the device was locked. To fix this, iOS now explicitly keeps track of the photos that were taken while the device was locked.

Other fixes are:

  • CFNetwork – An issue existed in CFNetwork’s handling of malformed URLs. CFNetwork may send requests to an incorrect hostname, resulting in the disclosure of sensitive information. This issue was addressed through improvements to URL handling.
  • CoreGraphics – Multiple vulnerabilities existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font. These issues were addressed by updating FreeType to version 2.4.9. Further information is available via the FreeType site at http://www.freetype.org/
  • CoreMedia – An uninitialized memory access existed in the handling of Sorenson encoded movie files. This issue was addressed through improved memory initialization.
  • DHCP – Upon connecting to a Wi-Fi network, iOS may broadcast MAC addresses of previously accessed networks per the DNAv4 protocol. This issue was addressed by disabling DNAv4 on unencrypted Wi-Fi networks.
  • ImageIO – A buffer overflow existed in libtiff’s handling of ThunderScan encoded TIFF images. This issue was addressed by updating libtiff to version 3.9.5.
  • ImageIO – Multiple memory corruption issues existed in libpng’s handling of PNG images. These issues were addressed through improved validation of PNG images.
  • ImageIO – A double free issue existed in ImageIO’s handling of JPEG images. This issue was addressed through improved memory management.
  • ImageIO – An integer overflow issue existed in libTIFF’s handling of TIFF images. This issue was addressed through improved validation of TIFF images.
  • International Components for Unicode – A stack buffer overflow existed in the handling of ICU locale IDs. This issue was addressed through improved bounds checking.
  • IPSec – A buffer overflow existed in the handling of racoon configuration files. This issue was addressed through improved bounds checking.
  • Kernel – An invalid pointer dereference issue existed in the kernel’s handling of packet filter ioctls. This may allow an attacker to alter kernel memory. This issue was addressed through improved error handling.
  • Kernel – An uninitialized memory access issue existed in the Berkeley Packet Filter interpreter, which led to the disclosure of memory content. This issue was addressed through improved memory initialization.
  • libxml – Multiple vulnerabilities existed in libxml, the most serious of which may lead to an unexpected application termination or arbitrary code execution. These issues were addressed by applying the relevant upstream patches.
  • Mail – A logic issue existed in Mail’s handling of attachments. If a subsequent mail attachment used the same Content-ID as a previous one, the previous attachment would be displayed, even in the case where the 2 mails originated from different senders. This could facilitate some spoofing or phishing attacks. This issue was addressed through improved handling of attachments.
  • Mail – A logic issue existed in Mail’s use of Data Protection on email attachments. This issue was addressed by properly setting the Data Protection class for email attachments.
  • Mail – S/MIME signed messages displayed the untrusted ‘From’ address, instead of the name associated with the message signer’s identity. This issue was addressed by displaying the address associated with the message signer’s identity when it is available.
  • Messages – When a user had multiple email addresses associated with iMessage, replying to a message may have resulted in the reply being sent from a different email address. This may disclose another email address associated to the user’s account. This issue was addressed by always replying from the email address the original message was sent to.
  • Office Viewer – An information disclosure issue existed in the support for viewing Microsoft Office files. When viewing a document, the Office Viewer would write a temporary file containing data from the viewed document to the temporary directory of the invoking process. For an application that uses data protection or other encryption to protect the user’s files, this could lead to information disclosure. This issue was addressed by avoiding creation of temporary files when viewing Office documents.
  • OpenGL – Multiple memory corruption issues existed in the handling of GLSL compilation. These issues were addressed through improved validation of GLSL shaders.
  • Passcode Lock – A logic issue existed with the display of the “Slide to Power Off” slider on the lock screen. This issue was addressed through improved lock state management.
  • Passcode Lock – A logic issue existed in the termination of FaceTime calls from the lock screen. This issue was addressed through improved lock state management.
  • Passcode Lock – A design issue existed in the support for viewing photos that were taken at the lock screen. In order to determine which photos to permit access to, the passcode lock consulted the time at which the device was locked and compared it to the time that a photo was taken. By spoofing the current time, an attacker could gain access to photos that were taken before the device was locked. This issue was addressed by explicitly keeping track of the photos that were taken while the device was locked.
  • Passcode Lock – A logic issue existed in the Emergency Dialer screen, which permitted FaceTime calls via Voice Dialing on the locked device. This could also disclose the user’s contacts via contact suggestions. This issue was addressed by disabling Voice Dialing on the Emergency Dialer screen.
  • Passcode Lock – Using the camera from the screen lock could in some cases interfere with automatic lock functionality, allowing a person with physical access to the device to bypass the Passcode Lock screen. This issue was addressed through improved lock state management.
  • Passcode Lock – A state management issue existed in the handling of the screen lock. This issue was addressed through improved lock state management.
  • Restrictions – After disabling Restrictions, iOS may not ask for the user’s password during a transaction. This issue was addressed by additional enforcement of purchase authorization.
  • Safari – Websites could use a Unicode character to create a lock icon in the page title. This icon was similar in appearance to the icon used to indicate a secure connection, and could have led the user to believe a secure connection had been established. This issue was addressed by removing these characters from page titles.
  • Safari – Password input elements with the autocomplete attribute set to “off” were being autocompleted. This issue was addressed through improved handling of the autocomplete attribute.
  • System Logs – Sandboxed apps had read access to /var/log directory, which may allow them to obtain sensitive information contained in system logs. This issue was addressed by denying sandboxed apps access to the /var/log directory.
  • Telephony – Messages displayed the return address of an SMS message as the sender. Return addresses may be spoofed. This issue was addressed by always displaying the originating address instead of the return address.
  • Telephony – An off-by-one buffer overflow existed in the handling of SMS user data headers. This issue was addressed through improved bounds checking.
  • UIKit – Applications that use UIWebView may leave unencrypted files on the file system even when a passcode is enabled. This issue was addressed through improved use of data protection.
  • WebKit – A cross-origin issue existed in the handling of CSS property values. This issue was addressed through improved origin tracking.
  • WebKit – A cross-origin issue existed in the handling of iframes in popup windows. This issue was addressed through improved origin tracking.
  • WebKit – A cross-origin issue existed in the handling of iframes and fragment identifiers. This issue was addressed through improved origin tracking.
  • WebKit – The International Domain Name (IDN) support and Unicode fonts embedded in Safari could have been used to create a URL which contains look-alike characters. These could have been used in a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain. This issue was addressed by supplementing WebKit’s list of known look-alike characters. Look-alike characters are rendered in Punycode in the address bar.
  • WebKit – A canonicalization issue existed in the handling of URLs. This may have led to cross-site scripting on sites which use the location.href property. This issue was addressed through improved canonicalization of URLs.
  • WebKit – An HTTP header injection issue existed in the handling of WebSockets. This issue was addressed through improved WebSockets URI sanitization.
  • WebKit – A state management issue existed in the handling of session history. Navigations to a fragment on the current page may cause Safari to display incorrect information in the URL bar. This issue was addressed through improved session state tracking.
  • WebKit – An uninitialized memory access issue existed in the handling of SVG images. This issue was addressed through improved memory initialization.
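The Mail Content-ID item above describes a cache keyed by Content-ID alone, so that a later message from a different sender shows the earlier message’s attachment. The following is an added illustration in Python, not Apple’s code: a toy renderer that resolves cid: references from a table keyed only by Content-ID, beside one keyed per message. The message IDs, sender addresses and part contents are constructed for the example.

```python
"""Inline-attachment lookup keyed by Content-ID alone versus per message.

Constructed example; the Message type, IDs, addresses and part contents are
hypothetical and stand in for MIME parts. Part contents are plain strings so
the rendered result can be inspected directly.
"""
import re
from dataclasses import dataclass


@dataclass
class Message:
    message_id: str
    sender: str
    html: str      # body that references inline parts as cid:<Content-ID>
    parts: dict    # Content-ID -> displayable content


# Matches the Content-ID inside a cid: reference in the HTML body.
_CID = re.compile(r"cid:([^\"'\s>]+)")


class SharedCidRenderer:
    """Original behaviour: one attachment table keyed by Content-ID alone and
    shared across every message. The first part registered under a given
    Content-ID is what every later message shows, whoever sent it."""

    def __init__(self) -> None:
        self._table = {}

    def render(self, msg: Message) -> str:
        for cid, content in msg.parts.items():
            self._table.setdefault(cid, content)     # first writer wins
        return _CID.sub(lambda m: self._table.get(m.group(1), "[missing]"), msg.html)


class PerMessageCidRenderer:
    """Fixed behaviour: a Content-ID only resolves within the message that
    carries it, so a reused Content-ID cannot borrow another message's part."""

    def __init__(self) -> None:
        self._table = {}

    def render(self, msg: Message) -> str:
        for cid, content in msg.parts.items():
            self._table[(msg.message_id, cid)] = content
        return _CID.sub(
            lambda m: self._table.get((msg.message_id, m.group(1)), "[missing]"),
            msg.html,
        )


def constructed_mailbox() -> list:
    """Two constructed messages: a genuine one, then one from a different
    sender that reuses the genuine message's Content-ID."""
    genuine = Message(
        "m1@bank.example", "alerts@bank.example",
        '<img src="cid:logo@bank.example"> Your statement is ready.',
        {"logo@bank.example": "[genuine bank logo]"},
    )
    lookalike = Message(
        "m2@attacker.example", "alerts@bank-example.test",
        '<img src="cid:logo@bank.example"> Please sign in to confirm.',
        {"logo@bank.example": "[attacker image]"},
    )
    return [genuine, lookalike]


def render_all(renderer_cls) -> list:
    """Render the constructed mailbox in delivery order with the given renderer."""
    renderer = renderer_cls()
    return [renderer.render(m) for m in constructed_mailbox()]


if __name__ == "__main__":
    print("shared table :", render_all(SharedCidRenderer)[1])
    print("per message  :", render_all(PerMessageCidRenderer)[1])
```

With the shared table the second message, from an unrelated sender, is rendered with the genuine sender’s part; keying the table by (message, Content-ID) makes each message see only its own parts.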
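The Passcode Lock photo item above is a clean example of authorisation decided by comparing timestamps instead of by recording the privileged events themselves. The following is an added Python model, not Apple’s code: a lock screen that admits any photo whose timestamp is not earlier than the lock time, beside one that records exactly which photos were captured while locked. The clock is a plain integer so it can be moved at will; how the time was spoofed on a real device is outside the page and not modelled.

```python
"""Lock-screen photo gating: time comparison versus explicit tracking.

Constructed example. Photo IDs, timestamps and the in-memory 'device' are
hypothetical; the clock is an integer (seconds) so 'spoofing' it is an
assignment.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Photo:
    photo_id: str
    taken_at: int          # device clock reading when the shot was taken


@dataclass
class TimeBasedLockScreen:
    """Original design: a photo is viewable from the lock screen if its
    timestamp is not earlier than the moment the device locked."""
    clock: int             # whoever can move this value controls the check
    locked_at: int | None = None

    def lock(self) -> None:
        self.locked_at = self.clock

    def take_photo(self, library: list[Photo], photo_id: str) -> None:
        library.append(Photo(photo_id, self.clock))

    def viewable(self, library: list[Photo]) -> list[str]:
        assert self.locked_at is not None, "device is not locked"
        return [p.photo_id for p in library if p.taken_at >= self.locked_at]


@dataclass
class TrackedLockScreen:
    """Fixed design: remember exactly which photos were captured while the
    device was locked; no clock value enters the decision."""
    clock: int
    locked: bool = False
    taken_while_locked: set[str] = field(default_factory=set)

    def lock(self) -> None:
        self.locked = True

    def take_photo(self, library: list[Photo], photo_id: str) -> None:
        library.append(Photo(photo_id, self.clock))
        if self.locked:
            self.taken_while_locked.add(photo_id)

    def viewable(self, library: list[Photo]) -> list[str]:
        return [p.photo_id for p in library if p.photo_id in self.taken_while_locked]


def private_library() -> list[Photo]:
    """Constructed sample: two photos taken earlier, while the device was unlocked."""
    return [Photo("private-1", 1000), Photo("private-2", 1100)]


def demo_time_based_bypass() -> list[str]:
    library = private_library()
    screen = TimeBasedLockScreen(clock=2000)
    screen.clock = 500      # clock spoofed to before the private photos were taken
    screen.lock()           # locked_at = 500, earlier than every photo in the library
    screen.take_photo(library, "lockscreen-1")
    return screen.viewable(library)      # the private photos pass the check


def demo_tracked_design() -> list[str]:
    library = private_library()
    screen = TrackedLockScreen(clock=2000)
    screen.clock = 500      # same spoofed clock, now irrelevant to the decision
    screen.lock()
    screen.take_photo(library, "lockscreen-1")
    return screen.viewable(library)      # only the shot taken while locked


if __name__ == "__main__":
    print("time-based:", demo_time_based_bypass())
    print("tracked   :", demo_tracked_design())
```

The general point is that a timestamp is data the attacker may influence, whereas a record of which events happened under the lock is state the attacker cannot rewrite from the lock screen.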
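The WebKit IDN item above says that labels containing known look-alike characters are shown as Punycode rather than as Unicode. The following is an added Python example, not WebKit’s code: a deliberately short look-alike table (WebKit’s real list is much longer), a check that also treats a label mixing scripts as suspicious (an extension beyond the page’s wording, labelled as such), and a display function that falls back to Punycode using Python’s built-in idna codec. The sample hostnames are constructed.

```python
"""Render IDN labels containing look-alike characters as Punycode.

Added example. LOOKALIKES is a constructed, deliberately short table; a real
browser list is far longer. The mixed-script rule is an extra heuristic on top
of the look-alike list.
"""
import unicodedata

# Non-ASCII characters that render like an ASCII letter in common fonts.
LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def scripts_in(label: str) -> set:
    """Approximate the scripts used by the letters of a label from the first
    word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    names = set()
    for ch in label:
        if not ch.isalpha():
            continue            # digits and hyphens carry no script
        try:
            names.add(unicodedata.name(ch).split()[0])
        except ValueError:
            names.add("UNKNOWN")
    return names


def is_lookalike_label(label: str) -> bool:
    """True if the label should be displayed as Punycode."""
    if label.isascii():
        return False
    if any(ch in LOOKALIKES for ch in label):
        return True
    return len(scripts_in(label)) > 1     # mixed scripts, e.g. Cyrillic + Latin


def to_punycode(label: str) -> str:
    """ASCII-compatible form of one label (xn--...) via the idna codec."""
    return label.encode("idna").decode("ascii")


def display_host(host: str) -> str:
    """Host as the address bar should show it: suspicious labels in Punycode,
    everything else as typed."""
    return ".".join(
        to_punycode(label) if is_lookalike_label(label) else label
        for label in host.split(".")
    )


def ascii_lookalike(label: str) -> str:
    """What a look-alike label would pass for on screen."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in label)


if __name__ == "__main__":
    for host in ["www.example.com", "\u0430pple.com", "m\u00fcnchen.de", "\u0431ank.com"]:
        print(f"{host!r:24} -> {display_host(host)}")
```

The two decisions a practitioner should take away: the look-alike table is the authoritative rule and must be maintained, and a label that fails the check is shown in its xn-- form, which is what the user would see in the address bar.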
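The WebKit WebSockets item above is a header-injection bug fixed by sanitising the URI. The following is an added Python example, not WebKit’s code, of why the resource part of a WebSocket URI has to be checked before it is placed in the handshake: a builder that writes the request-target verbatim beside a sanitiser that rejects control characters and fragments. The host and path are constructed; the Sec-WebSocket-Key value is the sample key from RFC 6455.

```python
"""WebSocket opening handshake: CR/LF in the resource name becomes a header.

Added example. The handshake builder is a minimal client side only; the
sample key is the one used in RFC 6455's examples and is not random.
"""
import re

# Control characters and space cannot appear in a request-target; a CR or LF
# here ends the request line and starts a header the script author chose.
_CTL = re.compile(r"[\x00-\x1f\x7f ]")

# RFC 6455 sample key; a real client generates 16 random bytes per connection.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="

# Constructed attacker-controlled resource string.
INJECTED_PATH = "/chat HTTP/1.1\r\nX-Injected: yes\r\nCookie: session=evil"


class UnsafeWebSocketURI(ValueError):
    pass


def sanitize_resource(path: str) -> str:
    """Return the resource name if it is safe to put on the request line."""
    if not path.startswith("/"):
        raise UnsafeWebSocketURI("resource name must be an absolute path")
    if "#" in path:
        raise UnsafeWebSocketURI("fragment identifiers are not allowed in ws URIs")
    if _CTL.search(path):
        raise UnsafeWebSocketURI("control character or space in resource name")
    return path


def build_handshake(host: str, path: str, key: str = SAMPLE_KEY, *, sanitize: bool = True) -> str:
    """Client opening handshake. sanitize=False reproduces the unsanitised
    behaviour so the injection can be observed."""
    if sanitize:
        path = sanitize_resource(path)
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
        "",
        "",
    ]
    return "\r\n".join(lines)


def header_names(request: str) -> list:
    """Header names as a server would parse them from the request head."""
    head = request.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


def is_rejected(path: str) -> bool:
    try:
        sanitize_resource(path)
    except UnsafeWebSocketURI:
        return True
    return False


if __name__ == "__main__":
    print("unsanitised:", header_names(build_handshake("example.com", INJECTED_PATH, sanitize=False)))
    print("sanitised  :", is_rejected(INJECTED_PATH))
```

Without the check the server parses X-Injected and Cookie as headers the page never sent; with it the connection attempt fails before any bytes leave the client, which is the safer of the two outcomes.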