Mobile Threat Blog

  • Mobile
    Security Insights
  • Mobile
    Threat Research
  • Mobile
    Security Tips
iOS 10.2.1

Apple released its 10.2.1 iOS security update on January 23, 2017, about a month after the 10.2 security update. Although this new update patches fewer vulnerabilities, it addresses serious gaps such as allowing arbitrary code execution on user devices. The 10.2.1 update includes security fixes on:

  • 2 Kernel vulnerabilities that allow arbitrary code execution with Kernel-level privileges
  • 7 WebKit vulnerabilities (3 allow arbitrary code execution, 2 allow exfiltrate data cross-origin and 1 allow malicious websites to open pop-up)
  • 1 libarchive vulnerability that allow arbitrary code execution
  • 1 Apple watch related vulnerability that unlocks the device
  • 1 contact card related vulnerability that crashes the contact app
  • 1 Wifi related vulnerability that shows home screen

Kernel Vulnerabilities – Apple controls the privileges of applications via its iOS sandbox security mechanism. By exploiting kernel vulnerabilities, malicious applications can break their sandbox constraints, escalate their privileges to Kernel-level and compromise user devices.

Webkit Vulnerabilities – Developers use iOS WebKit to display web pages inside their applications. Thus, a vulnerability in WebKit allows malicious websites to compromise applications using WebKit to potentially affect user devices. Note that Trident/Pegasus exploited Webkit vulnerabilities. Remediating these vulnerabilities is an important protection against similar targeted attacks.

Libarchive Vulnerabilities – Libarchive is used to archive and unarchive files, such as “.tar” files. Attackers can exploit this vulnerability by sending malicious archive files and enable arbitrary code execution on user devices.

Additional Vulnerabilities – Although there are security updates in Apple WatchOS separately, this is the first time we’re seeing an Apple watch related vulnerability on iOS. There are also vulnerabilities related to Apple’s contact card application and Wi-Fi. Nonetheless, they are not as serious as the above 10 exploits related to arbitrary code execution.

Enhance Your Security by Keeping Up with OS Updates

With the 10.2.1 update, Apple did a great job of catching these vulnerabilities before any known exploits in the wild. This is in contrast to the few cases in which vulnerabilities were discovered only after the damage was done. For instance, Pegasus exploited a Safari WebKit vulnerability and delivered the malware payload when a user clicked on a malicious link. The malware would then jailbreak the device and install monitoring packages. The related vulnerabilities were fixed in iOS 9.3.5, but that was released after exploits had been reported.

Enterprise users should note that although these vulnerabilities have been fixed by Apple, they are not reflected on devices unless users update the iOS. Thus, before attackers exploit these vulnerabilities and create Pegasus-like malware, enterprise users should go to “Settings > General > Software Update” and update their iOS to the latest version.


Image credit: Amit Chowdhry via