Today’s iOS 11 Update Fixes Persistent Denial-of-Service, Unencrypted Backup & Several Other Security Issues

Sep 19

Apple has today officially released the latest generation of its mobile operating system, iOS 11. Today’s release is a major update in terms of features and will take the iOS world by storm. (I’m going crazy over the screen recorder – I know, Androiders are laughing at us all…) You can read all about iOS 11 in our in-depth review of the operating system. But if the feature-packed update isn’t enough to push you to hit that install button, you have another reason to install it ASAP.

Apple iOS 11 security updates

Today’s update brings a number of fixes for security vulnerabilities, making iOS 11 a must-install for your devices. Downloading a major annual update right after its release is nothing short of a headache, and it is tempting to wait, but you may be in for more trouble if you delay installing iOS 11.

The iOS 11 security bulletin is not a large one compared to the last public release, but it does fix some critical issues in the operating system. Apple doesn’t publish severity ratings for its vulnerabilities the way other tech companies do, but a bug that lets Backup “perform an unencrypted backup despite a requirement to perform only encrypted backups” could be a disaster for users: an unencrypted backup leaves the device’s data readable on any host that holds a copy of it, which is exactly what a policy requiring encrypted backups is meant to prevent.

Here are the security issues Apple lists as fixed in iOS 11.

Exchange ActiveSync

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: An attacker in a privileged network position may be able to erase a device during Exchange account setup

Description: A validation issue existed in AutoDiscover V1. This issue was addressed through requiring TLS.

CVE-2017-7088: Ilya Nesterov, Maxim Goncharov
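The bulletin says the AutoDiscover fix was to require TLS. The following is an added example, not from the article and not Apple’s code, showing what that rule looks like on the client side: only https candidate endpoints are tried, the TLS context verifies the server, and any server URL the AutoDiscover response hands back is refused unless it is https too. It assumes the response layout of the Exchange Autodiscover mobilesync response schema (Response/Action/Settings/Server/Url, or Action/Redirect); every document, host name and address below is constructed for the example.

```python
# Added example (not from the article, and not Apple's code): the client-side
# shape of "requiring TLS" for Exchange AutoDiscover. Assumed layout: Exchange
# Autodiscover mobilesync response schema. All samples below are constructed.
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "a": "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006",
    "m": "http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006",
}


class InsecureEndpoint(ValueError):
    """Raised when any AutoDiscover step would leave TLS."""


def require_https(url):
    """Accept a URL only if it is https with a host; anything else is refused."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise InsecureEndpoint("refusing non-TLS endpoint: %s" % url)
    return url


def candidate_endpoints(domain):
    """Candidate AutoDiscover locations, TLS only. The plain-HTTP redirect
    probe that some V1 clients try is deliberately absent."""
    return [
        require_https("https://%s/autodiscover/autodiscover.xml" % domain),
        require_https("https://autodiscover.%s/autodiscover/autodiscover.xml" % domain),
    ]


def tls_context():
    """A verifying context: CA validation and hostname checking stay on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def parse_mobilesync_response(xml_text):
    """Return {"redirect": address} or {"servers": [(type, url), ...]}.

    Every server URL goes through require_https, so a response that tries to
    point the client at a plain-HTTP ActiveSync server is rejected rather
    than configured.
    """
    root = ET.fromstring(xml_text)
    action = root.find("m:Response/m:Action", NS)
    if action is None:
        raise ValueError("no Action element in AutoDiscover response")
    redirect = action.find("m:Redirect", NS)
    if redirect is not None:
        # A redirect names another mailbox address; the lookup restarts from
        # candidate_endpoints() for that domain, still TLS only.
        return {"redirect": (redirect.text or "").strip()}
    servers = []
    for server in action.findall("m:Settings/m:Server", NS):
        stype = server.findtext("m:Type", default="", namespaces=NS).strip()
        url = server.findtext("m:Url", default="", namespaces=NS).strip()
        servers.append((stype, require_https(url)))
    if not servers:
        raise ValueError("AutoDiscover response carried no server settings")
    return {"servers": servers}


def _wrap(action_body):
    """Constructed response document around a given <Action> body."""
    return (
        '<Autodiscover xmlns="%s">'
        '<Response xmlns="%s"><Culture>en:en</Culture>'
        "<User><EMailAddress>user@example.com</EMailAddress></User>"
        "<Action>%s</Action></Response></Autodiscover>"
    ) % (NS["a"], NS["m"], action_body)


# Constructed samples: a proper TLS answer, a redirect, and a downgrade attempt.
SAMPLE_OK = _wrap(
    "<Settings><Server><Type>MobileSync</Type>"
    "<Url>https://mail.example.com/Microsoft-Server-ActiveSync</Url>"
    "<Name>https://mail.example.com/Microsoft-Server-ActiveSync</Name>"
    "</Server></Settings>"
)
SAMPLE_REDIRECT = _wrap("<Redirect>user@other.example</Redirect>")
SAMPLE_INSECURE = _wrap(
    "<Settings><Server><Type>MobileSync</Type>"
    "<Url>http://mail.example.com/Microsoft-Server-ActiveSync</Url>"
    "</Server></Settings>"
)


def downgrade_rejected(xml_text):
    """True if the client refuses the response because it would leave TLS."""
    try:
        parse_mobilesync_response(xml_text)
    except InsecureEndpoint:
        return True
    return False


if __name__ == "__main__":
    print(candidate_endpoints("example.com"))
    print(parse_mobilesync_response(SAMPLE_OK))
    print(parse_mobilesync_response(SAMPLE_REDIRECT))
    print("downgrade rejected:", downgrade_rejected(SAMPLE_INSECURE))
```

The point of `require_https` being applied both to the endpoints the client probes and to the URLs the server answers with is that an attacker in a privileged network position can only influence the setup if some step leaves TLS; with both sides of the exchange pinned to verified https there is no such step.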

iBooks

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: Parsing a maliciously crafted iBooks file may lead to a persistent denial-of-service

Description: Multiple denial of service issues were addressed through improved memory handling.

CVE-2017-7072: Jędrzej Krysztofiak

Mail MessageUI

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: Processing a maliciously crafted image may lead to a denial of service

Description: A memory corruption issue was addressed with improved validation.

CVE-2017-7097: Xinshu Dong and Jun Hao Tan of Anquan Capital

Messages

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: Processing a maliciously crafted image may lead to a denial of service

Description: A denial of service issue was addressed through improved validation.

CVE-2017-7118: Kiki Jiang and Jason Tokoph

MobileBackup

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: Backup may perform an unencrypted backup despite a requirement to perform only encrypted backups

Description: A permissions issue existed. This issue was addressed with improved permission validation.

CVE-2017-7133: Don Sparks of HackediOS.com
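A bug like this one is exactly why a policy that requires encrypted backups should be verified against the backups that actually exist. The following is an added example, not from the article and not Apple’s code, that audits a backup directory on the host against the MDM restriction that was supposed to force encryption. It assumes the backup directory holds a Manifest.plist whose top-level boolean `IsEncrypted` records the backup mode, and that the restriction is expressed with the `forceEncryptedBackup` key of a `com.apple.applicationaccess` restrictions payload; the plists it writes are constructed samples.

```python
# Added example (not from the article, and not Apple's code): check on the host
# that a backup really is encrypted instead of trusting the policy. Assumed:
# Manifest.plist carries a boolean IsEncrypted; the MDM restrictions payload
# (com.apple.applicationaccess) uses forceEncryptedBackup. Samples constructed.
import plistlib
import tempfile
from pathlib import Path

MANIFEST_NAME = "Manifest.plist"
RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"


def manifest_says_encrypted(manifest):
    """True only for an explicit boolean true; anything else fails closed."""
    return manifest.get("IsEncrypted") is True


def backup_is_encrypted(backup_dir):
    """Read <backup_dir>/Manifest.plist; a missing file counts as unencrypted."""
    manifest_path = Path(backup_dir) / MANIFEST_NAME
    if not manifest_path.is_file():
        return False
    with manifest_path.open("rb") as fh:
        return manifest_says_encrypted(plistlib.load(fh))


def profile_forces_encrypted_backup(profile):
    """True if any restrictions payload in the profile sets forceEncryptedBackup."""
    for payload in profile.get("PayloadContent", []):
        if (payload.get("PayloadType") == RESTRICTIONS_PAYLOAD
                and payload.get("forceEncryptedBackup") is True):
            return True
    return False


def audit(backup_dir, profile):
    """Compare the policy with the artefact the policy was meant to produce."""
    required = profile_forces_encrypted_backup(profile)
    actual = backup_is_encrypted(backup_dir)
    return {
        "policy_requires_encryption": required,
        "backup_is_encrypted": actual,
        "policy_violated": required and not actual,
    }


def write_sample_backup(root, encrypted):
    """Write a constructed Manifest.plist so the check can run offline."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    with (root / MANIFEST_NAME).open("wb") as fh:
        plistlib.dump({"IsEncrypted": encrypted, "Version": "10.0"}, fh)
    return root


# Constructed restrictions profile that requires encrypted backups.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": RESTRICTIONS_PAYLOAD, "forceEncryptedBackup": True},
    ],
}


def demo():
    """Audit one compliant and one non-compliant constructed backup."""
    with tempfile.TemporaryDirectory() as tmp:
        good = write_sample_backup(Path(tmp) / "good", encrypted=True)
        bad = write_sample_backup(Path(tmp) / "bad", encrypted=False)
        return {"good": audit(good, SAMPLE_PROFILE), "bad": audit(bad, SAMPLE_PROFILE)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Point `audit()` at a real backup directory and the restrictions profile your MDM pushes; a `policy_violated` result means the device produced a plaintext backup while the policy said it must not, which is the symptom this fix removes.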

Safari

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: Visiting a malicious website may lead to address bar spoofing

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2017-7085: xisigr of Tencent’s Xuanwu Lab (tencent.com)

WebKit

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: Visiting a malicious website may lead to address bar spoofing

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2017-7106: Oliver Paukstadt of Thinking Objects GmbH (to.com)

WebKit

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of the parent-tab. This issue was addressed with improved state management.

CVE-2017-7089: Frans Rosén of Detectify, Anton Lopanitsyn of ONSEC
