Don’t Forget to Install Latest iOS 10.3.3 ASAP as it Fixes Some Critical Security Bugs
[Originally Published on July, 19]
Apple today released iOS 10.3.3 to the public following several weeks of beta testing. Today’s update comes after over two months of the last iOS release, which means there are a number of security fixes coming in as well. While the update is a minor one since Apple is focusing on the next versions of its mobile and desktop software, iOS 11 and macOS High Sierra, there are a number of security fixes that make this update a must-install.
iOS 10.3.3 security changelog
Today’s iOS 10.3.3 fixes a number of security issues, that include:
- Arbitrary code execution with system and/or kernel privileges
- Disclosure of user information
- Unexpected application termination
- Address bar spoofing
- Multiple memory corruption issues
- Arbitrary code execution on the Wi-Fi chip
The last flaw in the WiFi chip can enable attackers in WiFi range to find your device, take over its WiFi chip and crash your iOS device without requiring your pin. Known as the Broadpwn exploit that received a major 9.8 out of 10 score in the US’s National Institute of Standards and Technology severity scale, the flaw was patched by Google earlier this month and now Apple has fixed it too.
Here’s the complete changelog of iOS 10.3.3 security fixes. For details about the security fixes that today’s macOS Sierra 10.12.6 is bringing in, visit Apple.
Contacts
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
CVE-2017-7062: Shashank (@cyberboyIndia)
CoreAudio
Impact: Processing a maliciously crafted movie file may lead to arbitrary code execution
CVE-2017-7008: Yangkang (@dnpushme) of Qihoo 360 Qex Team
EventKitUI
Impact: A remote attacker may cause an unexpected application termination
CVE-2017-7007: José Antonio Esteban (@Erratum_) of Sapsi Consultores
IOUSBFamily
Impact: An application may be able to execute arbitrary code with kernel privileges
CVE-2017-7009: shrek_wzw of Qihoo 360 Nirvan Team
Kernel
Impact: An application may be able to execute arbitrary code with system privileges
CVE-2017-7022: an anonymous researcher
CVE-2017-7024: an anonymous researcher
CVE-2017-7026: an anonymous researcher
Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
CVE-2017-7023: an anonymous researcher
CVE-2017-7025: an anonymous researcher
CVE-2017-7027: an anonymous researcher
CVE-2017-7069: Proteas of Qihoo 360 Nirvan Team
Kernel
Impact: An application may be able to read restricted memory
CVE-2017-7028: an anonymous researcher
CVE-2017-7029: an anonymous researcher
libarchive
Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution
CVE-2017-7068: found by OSS-Fuzz
libxml2
Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information
CVE-2017-7010: Apple
CVE-2017-7013: found by OSS-Fuzz
libxpc
Impact: An application may be able to execute arbitrary code with system privileges
CVE-2017-7047: Ian Beer of Google Project Zero
Messages
Impact: A remote attacker may cause an unexpected application termination
CVE-2017-7063: Shashank (@cyberboyIndia)
Notifications
Impact: Notifications may appear on the lock screen when disabled
CVE-2017-7058: an anonymous researcher
Safari
Impact: Visiting a malicious website may lead to address bar spoofing
CVE-2017-2517: xisigr of Tencent’s Xuanwu Lab (tencent.com)
Safari Printing
Impact: Processing maliciously crafted web content may lead to an infinite number of print dialogs
CVE-2017-7060: Travis Kelley of City of Mishawaka, Indiana
Telephony
Impact: An attacker in a privileged network position may be able to execute arbitrary code
CVE-2017-8248
WebKit
Impact: A malicious website may exfiltrate data cross-origin
CVE-2017-7006: an anonymous researcher, David Kohlbrenner of UC San Diego
WebKit
Impact: Visiting a malicious website may lead to address bar spoofing
CVE-2017-7011: xisigr of Tencent’s Xuanwu Lab (tencent.com)
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
CVE-2017-7018: lokihardt of Google Project Zero
CVE-2017-7020: likemeng of Baidu Security Lab
CVE-2017-7030: chenqin of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室)
CVE-2017-7037: lokihardt of Google Project Zero
CVE-2017-7039: Ivan Fratric of Google Project Zero
CVE-2017-7052: cc working with Trend Micro’s Zero Day Initiative
CVE-2017-7055: The UK’s National Cyber Security Centre (NCSC)
CVE-2017-7056: lokihardt of Google Project Zero
WebKit
Impact: Processing maliciously crafted web content with DOMParser may lead to cross site scripting
CVE-2017-7038: Egor Karbutov (@ShikariSenpai) of Digital Security and Egor Saltykov (@ansjdnakjdnajkd) of Digital Security, Neil Jenkins of FastMail Pty Ltd
CVE-2017-7059: an anonymous researcher
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
CVE-2017-7049: Ivan Fratric of Google Project Zero
WebKit
Impact: An application may be able to read restricted memory
CVE-2017-7064: lokihardt of Google Project Zero
WebKit Page Loading
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
CVE-2017-7019: Zhiyang Zeng of Tencent Security Platform Department
WebKit Web Inspector
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
CVE-2017-7012: Apple
Wi-Fi
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
CVE-2017-9417: Nitay Artenstein of Exodus Intelligence
