Apple released its 11.1 iOS security update on Nov 3, 2017. In total, the following 23 vulnerabilities are fixed.
- 14 WebKit vulnerabilities – Developers use iOS WebKit to display web pages inside their applications. Thus, WebKit vulnerabilities allow malicious websites to compromise applications using WebKit, which may potentially affect user devices.
- 3 WiFi vulnerabilities – These WiFi vulnerabilities allow an attacker to launch Key Reinstallation Attacks (KRACK), where data sent from devices can be decrypted and seen by the attacker.
- 1 Kernel vulnerability – The kernel is the underlying foundation of iOS. Kernel vulnerabilities may lead to memory issues and arbitrary code execution with kernel privileges.
- 1 Messages vulnerability – This vulnerability allows an attacker with close proximity to access photos from locked iOS devices by abusing the Reply With Message function. This may result in leakage of user photos.
- 1 Siri vulnerability – With this vulnerability, an attacker may use Siri to read notifications which are not displayed at the lock screen. This type of attack may result in leakage of user information, such as social media and message information.
- 1 Streaming ZIP vulnerability – Processing a malicious ZIP file may lead to modifications to the file system in restricted areas. This may lead to remote code execution and privilege escalation attacks where a remote attacker may compromise user devices.
- 1 UIKit vulnerability – This vulnerability shows that the characters in a secure text field were revealed during focus change events. This may lead to malicious keylogging apps accessing user passwords.
- 1 CoreText vulnerability – This vulnerability shows that processing a maliciously crafted text file may lead to app process termination. Compared to others, this vulnerability is less severe, since it can only launch a denial of service attack on the app.
Enhance Your Security by Keeping Up with OS Updates
Enterprise users should note that, although Apple has fixed a range of vulnerabilities with the 11.1 update, the security benefits are not reflected on devices unless users update iOS. Thus, before attackers exploit these vulnerabilities, enterprise users should go to “Settings > General > Software Update” and update iOS to the latest version.
OS updates are among the easiest and most cost-effective ways to prevent attacks from exploiting holes in older operating systems and we certainly recommend updating to this latest OS release given the numerous security updates it provides.