With today's release of iOS 10.3, Apple shipped fixes for over two dozen vulnerabilities and bugs that could have allowed arbitrary code execution. Quite a lot of the code-execution bugs were found in the iOS kernel, while many others were found in the FontParser component of the software.
Vulnerabilities
Some of the kernel vulnerabilities were memory corruption flaws that could let an app run arbitrary code. The Project Zero team at Google reported many such flaws. At the same time, several research groups from China, including Qihoo 360 and Tencent Security, reported many other flaws.
More about the update
This is one of the biggest patch releases that the team has prepared in the last couple of years. Apple usually keeps bug and vulnerability fixes of this kind for major releases, not point ones, but since there were so many arbitrary code execution flaws here, they couldn’t afford to take the risk of waiting until the next version. Besides fixing these issues, the tech giant also made some changes to the cryptography used in the software.
Apple explained that they added support for the 3DES cryptographic algorithm to the SCEP client and deprecated DES. According to cryptographers and security experts, DES is not suitable for modern apps, since it is 40 years old. NIST, the federal agency in charge of establishing technological standards for the government, withdrew it in 2005.
According to official information, the company has patched 19 vulnerabilities found in the WebKit framework. Among these were many code-execution flaws, plus a couple of cross-site scripting bugs. All in all, this is quite a substantial update, and people appreciate the company even more for fixing these issues now.