Mobile Threat Blog


Apple released its iOS 10.3 security update on March 27, 2017, about two months after the 10.2.1 security update. In total, 65 vulnerabilities are fixed in iOS 10.3, far more than the 13 vulnerabilities fixed in iOS 10.2.1.

In its most recent Mobile Security and Risk Review, MobileIron found that only 9% of organizations globally currently enforce OS updates across their enterprise, despite the easy security win this provides. OS updates are among the easiest and most cost-effective ways to prevent attacks from exploiting holes in older operating systems, and we certainly recommend updating to this latest OS release given the numerous security updates it provides.

The 10.3 update includes:

  • 20 WebKit vulnerabilities
  • 8 Kernel vulnerabilities
  • 6 Safari vulnerabilities
  • 4 ImageIO vulnerabilities
  • 4 Security vulnerabilities
  • 3 Core Text vulnerabilities
  • 3 Font Parser vulnerabilities
  • 2 Core Graphics vulnerabilities
  • 15 other vulnerabilities: one each in Account, Audio, Carbon, Data Access, Home Kit, HTTP Protocol, iTunes Store, Keyboards, libarchive, libc++abi, Pasteboard, Phone, Profiles, Quick Look and Siri

Vulnerability Explanations

WebKit Vulnerabilities – Developers use iOS WebKit to display web pages inside their applications. WebKit vulnerabilities therefore allow a malicious website to compromise any application that uses WebKit and, potentially, the user's device.

Kernel Vulnerabilities – Apple controls the privileges of applications via its iOS sandbox security mechanism. By exploiting kernel vulnerabilities, malicious applications can break their sandbox constraints, escalate their privileges to kernel level and compromise user devices.

Safari Vulnerabilities – Safari is the default browser on iOS devices. Vulnerabilities in Safari may lead to malicious address bar spoofing, phishing or compromised private browsing mode.

ImageIO Vulnerabilities – ImageIO is responsible for viewing or processing images and files. If ImageIO is vulnerable, viewing or processing a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution.

Security Vulnerabilities – Apple’s security feature processes certificates, signatures and SSL/TLS transactions. Vulnerabilities in its validation steps can lead to compromised network sessions or arbitrary code execution.

Core Text, Font Parser and Core Graphics Vulnerabilities – These iOS features are responsible for laying out text and handling fonts. The vulnerabilities allow maliciously crafted text messages and fonts to execute arbitrary code.

Enhance Your Security by Keeping Up with OS Updates

Enterprise users should note that, although Apple has fixed a range of vulnerabilities with the 10.3 update, devices gain none of these security benefits until users actually install it. To get ahead of attackers exploiting these vulnerabilities, enterprise users should go to “Settings > General > Software Update” and update iOS to the latest version. Because of the high number of vulnerabilities addressed in 10.3 compared to prior OS updates, we highly recommend that users update iOS as soon as possible.

Additionally, many mobile security solutions like Appthority Mobile Threat Protection (MTP) can deliver OS update reminders (directly or in conjunction with an MDM/EMM), providing employee education for self-management and self-remediation to reduce mobile risk without increasing the burden on corporate IT and Security teams.
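As an added example (not from the original post and not any vendor's product code), here is a small fleet check that flags devices still below iOS 10.3 in an inventory export. The CSV column names, the `audit` and `parse_version` helpers and the sample rows are all constructed assumptions.

```python
import csv
import io

MIN_IOS = "10.3"  # the release this post recommends updating to

# Constructed sample inventory; the column names are an assumed export format.
SAMPLE_INVENTORY = """device_id,owner,os_version
D-001,alice,10.3
D-002,bob,10.2.1
D-003,carol,9.3.5
D-004,dave,10.3.1
D-005,erin,
"""


def parse_version(text):
    """Turn '10.2.1' into (10, 2, 1); return None for anything non-numeric.

    Versions are padded to three components so '10.3' equals '10.3.0'.
    """
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def audit(inventory_csv, minimum=MIN_IOS):
    """Bucket device IDs into compliant / outdated / unknown."""
    floor = parse_version(minimum)
    report = {"compliant": [], "outdated": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["os_version"] or "")
        if version is None:
            bucket = "unknown"      # no usable version: follow up, never assume patched
        elif version < floor:
            bucket = "outdated"     # numeric compare; as strings "9.3.5" sorts after "10.3"
        else:
            bucket = "compliant"
        report[bucket].append(row["device_id"])
    return report


if __name__ == "__main__":
    for bucket, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(devices) or '-'}")
```

Devices with a missing or unparseable version land in `unknown` rather than `compliant`, so gaps in the inventory show up as work to do instead of being counted as patched.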