July 20, 2016

A Closer Look at iOS 9.3.3: Apple Patches 43 Security Vulnerabilities

Apple released iOS 9.3.3 on July 18, including patches for 43 security vulnerabilities. Industry watchers have been anticipating this update as one of the final patch cycles for iOS 9 before iOS 10 is released in the fall. For enterprises with iOS deployments, whether the devices are corporately or personally provided, it is important to know about the vulnerabilities and the latest patches, and to encourage users to update their devices.

Since iOS 9 launched in September 2015, Apple has issued 334 security patches for it. That is already a little ahead of iOS 8, which received 273 patches over its entire lifetime.

Let’s take a look at the patches in more depth:

Process enumeration patch

As expected, Apple released a patch that prevents applications from enumerating the processes running on a device. A number of developers had used this access as a workaround to obtain process and app information that was otherwise unavailable. While process information could help developers provide a variety of services, it can also be abused by malicious actors, as has happened on Android, and it is important to prevent the disclosure of personal information without the user's knowledge.

Remote code execution (RCE) vulnerabilities

At least three remote code execution (RCE) vulnerabilities were patched in this update. An RCE vulnerability lets an attacker run code of their choosing on your device, and in practice take it over, just by getting you to click a link, view an image, or open a corporate document.

While we continue to see RCEs patched monthly in both iOS and Android, that frequency does not diminish their criticality. When one is found and patched, it is incredibly important that users update their devices immediately to avoid exploitation.

Enterprises should pay special attention to RCEs because they give attackers easy access to company data. Sixty-four percent of IT and security leaders say it is very likely that sensitive corporate data is present on their employees' mobile devices, according to a recent survey from analyst firm ESG. That information needs to be protected, and ensuring employee devices are running the latest software versions is a good place to start.
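The last point above is the operational one: before you can nudge users to update, you need to know which devices are still below the patched release. The following is an added example, not code from the original post or from Lookout; it walks a constructed MDM inventory export and flags every iOS device whose reported version is below an assumed minimum of 9.3.3. The inventory rows, the `id`/`platform`/`os_version` field names and the minimum version are all assumptions. The one non-obvious detail it demonstrates is that version strings must be compared component by component as integers, not as strings, or a device on "10.0" would sort below "9.3.3" and be flagged as unpatched.

```python
"""Flag iOS devices in a constructed MDM inventory that have not yet
received the 9.3.3 patch.  Added example, not part of the original
post; the inventory rows, field names and the minimum version are
assumptions."""

from typing import Dict, List, Optional, Tuple

# Minimum iOS version that carries the patches discussed in the post
# (assumed policy value; 9.3.3 is the release the post describes).
MIN_PATCHED_VERSION = "9.3.3"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '9.3.3' into (9, 3, 3).  Returns None for anything that is not
    a dotted run of integers (blank, 'unknown', or a build string such as
    '13G34'), so callers can treat it as non-compliant rather than guess."""
    parts = text.strip().split(".")
    try:
        nums = tuple(int(p) for p in parts)
    except ValueError:
        return None
    return nums if nums else None


def is_at_least(version: str, minimum: str) -> bool:
    """Numeric version comparison.

    A plain string compare ranks '10.0' below '9.3.3' because '1' < '9',
    so each component is compared as an integer.  A missing trailing
    component counts as zero, so '9.3' and '9.3.0' are equal.  Anything
    that cannot be parsed is treated as NOT meeting the minimum."""
    v = parse_version(version)
    m = parse_version(minimum)
    if v is None or m is None:
        return False
    width = max(len(v), len(m))
    v = v + (0,) * (width - len(v))
    m = m + (0,) * (width - len(m))
    return v >= m


def find_unpatched(inventory: List[Dict[str, str]],
                   minimum: str = MIN_PATCHED_VERSION) -> List[str]:
    """Return the ids of iOS devices whose reported version is below
    `minimum` or could not be parsed, i.e. the devices to chase."""
    return [
        dev["id"]
        for dev in inventory
        if dev["platform"] == "iOS" and not is_at_least(dev["os_version"], minimum)
    ]


# Constructed sample inventory; not real device data.
SAMPLE_INVENTORY = [
    {"id": "ipad-001",   "platform": "iOS",     "os_version": "9.3.3"},
    {"id": "iphone-002", "platform": "iOS",     "os_version": "9.3.2"},
    {"id": "iphone-003", "platform": "iOS",     "os_version": "10.0"},   # beta/newer than minimum
    {"id": "iphone-004", "platform": "iOS",     "os_version": ""},       # never checked in
    {"id": "pixel-005",  "platform": "Android", "os_version": "6.0.1"},  # out of scope here
]

if __name__ == "__main__":
    for dev_id in find_unpatched(SAMPLE_INVENTORY):
        print(f"{dev_id}: below iOS {MIN_PATCHED_VERSION} or unknown, needs update")
```

Devices that never reported a version are deliberately included in the unpatched list: a device you cannot see is one you cannot vouch for, and an empty field is usually a sign it has not checked in since before the patch shipped.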

The other patches

Apple released several other patches addressing denial of service, remote code execution, privilege escalation, and disclosure of user information. The patches in this release affect Apple's own libraries and services as well as several third-party libraries, such as libxml2 and libxslt, that had security issues patched earlier this year.

As always, iOS users are advised to update as soon as the OS update becomes available for their device.

Authors

Andrew Blaich

Head of Device Intelligence

Andrew Blaich is Head of Device Intelligence at Lookout, where he is focused on mobile threat hunting and vulnerability research. Prior to Lookout, Andrew was the Lead Security Analyst at Bluebox Security. He holds a Ph.D. in computer science and engineering from the University of Notre Dame, with research in enterprise security and wireless networking. In the past Andrew has worked at both Samsung and Qualcomm Research. Andrew is a regular presenter at security conferences including BlackHat, RSA, Kaspersky SAS, SecTor, SANS DFIR, Interop, and ACSC. In his free time he loves to run and hack on IoT.

Platform(s) Affected
iOS
Threat Type
Vulnerability
Entry Type
Threat Summary

