Don’t Forget to Install Latest iOS 10.3.3 ASAP as it Fixes Some Critical Security Bugs

Jul 20, 2017

[Originally Published on July, 19]

Apple today released iOS 10.3.3 to the public following several weeks of beta testing. Today’s update comes after over two months of the last iOS release, which means there are a number of security fixes coming in as well. While the update is a minor one since Apple is focusing on the next versions of its mobile and desktop software, iOS 11 and macOS High Sierra, there are a number of security fixes that make this update a must-install.

iOS 10.3.3 security changelog

Today’s iOS 10.3.3 fixes a number of security issues, that include:

Arbitrary code execution with system and/or kernel privileges
Disclosure of user information
Unexpected application termination
Address bar spoofing
Multiple memory corruption issues
Arbitrary code execution on the Wi-Fi chip

The last flaw in the WiFi chip can enable attackers in WiFi range to find your device, take over its WiFi chip and crash your iOS device without requiring your pin. Known as the Broadpwn exploit that received a major 9.8 out of 10 score in the US’s National Institute of Standards and Technology severity scale, the flaw was patched by Google earlier this month and now Apple has fixed it too.

Here’s the complete changelog of iOS 10.3.3 security fixes. For details about the security fixes that today’s macOS Sierra 10.12.6 is bringing in, visit Apple.

Contacts

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

CVE-2017-7062: Shashank (@cyberboyIndia)

CoreAudio

Impact: Processing a maliciously crafted movie file may lead to arbitrary code execution

CVE-2017-7008: Yangkang (@dnpushme) of Qihoo 360 Qex Team

EventKitUI

Impact: A remote attacker may cause an unexpected application termination

CVE-2017-7007: José Antonio Esteban (@Erratum_) of Sapsi Consultores

IOUSBFamily

Impact: An application may be able to execute arbitrary code with kernel privileges

CVE-2017-7009: shrek_wzw of Qihoo 360 Nirvan Team

Kernel

Impact: An application may be able to execute arbitrary code with system privileges

CVE-2017-7022: an anonymous researcher

CVE-2017-7024: an anonymous researcher

CVE-2017-7026: an anonymous researcher

Kernel

Impact: An application may be able to execute arbitrary code with kernel privileges

CVE-2017-7023: an anonymous researcher

CVE-2017-7025: an anonymous researcher

CVE-2017-7027: an anonymous researcher

CVE-2017-7069: Proteas of Qihoo 360 Nirvan Team

Kernel

Impact: An application may be able to read restricted memory

CVE-2017-7028: an anonymous researcher

CVE-2017-7029: an anonymous researcher

libarchive

Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution

CVE-2017-7068: found by OSS-Fuzz

libxml2

Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information

CVE-2017-7010: Apple

CVE-2017-7013: found by OSS-Fuzz

libxpc

Impact: An application may be able to execute arbitrary code with system privileges

CVE-2017-7047: Ian Beer of Google Project Zero

Messages

Impact: A remote attacker may cause an unexpected application termination

CVE-2017-7063: Shashank (@cyberboyIndia)

Notifications

Impact: Notifications may appear on the lock screen when disabled

CVE-2017-7058: an anonymous researcher

Safari

Impact: Visiting a malicious website may lead to address bar spoofing

CVE-2017-2517: xisigr of Tencent’s Xuanwu Lab (tencent.com)

Safari Printing

Impact: Processing maliciously crafted web content may lead to an infinite number of print dialogs

CVE-2017-7060: Travis Kelley of City of Mishawaka, Indiana

Telephony

Impact: An attacker in a privileged network position may be able to execute arbitrary code

CVE-2017-8248

WebKit

Impact: A malicious website may exfiltrate data cross-origin

CVE-2017-7006: an anonymous researcher, David Kohlbrenner of UC San Diego

WebKit

Impact: Visiting a malicious website may lead to address bar spoofing

CVE-2017-7011: xisigr of Tencent’s Xuanwu Lab (tencent.com)

WebKit

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

CVE-2017-7018: lokihardt of Google Project Zero

CVE-2017-7020: likemeng of Baidu Security Lab

CVE-2017-7030: chenqin of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室)

CVE-2017-7037: lokihardt of Google Project Zero

CVE-2017-7039: Ivan Fratric of Google Project Zero

CVE-2017-7052: cc working with Trend Micro’s Zero Day Initiative

CVE-2017-7055: The UK’s National Cyber Security Centre (NCSC)

CVE-2017-7056: lokihardt of Google Project Zero

WebKit

Impact: Processing maliciously crafted web content with DOMParser may lead to cross site scripting

CVE-2017-7038: Egor Karbutov (@ShikariSenpai) of Digital Security and Egor Saltykov (@ansjdnakjdnajkd) of Digital Security, Neil Jenkins of FastMail Pty Ltd

CVE-2017-7059: an anonymous researcher

WebKit

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

CVE-2017-7049: Ivan Fratric of Google Project Zero

WebKit

Impact: An application may be able to read restricted memory

CVE-2017-7064: lokihardt of Google Project Zero

WebKit Page Loading

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

CVE-2017-7019: Zhiyang Zeng of Tencent Security Platform Department

WebKit Web Inspector

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

CVE-2017-7012: Apple

Wi-Fi

Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip

CVE-2017-9417: Nitay Artenstein of Exodus Intelligence