iOS 9 contains 101 fixes for security flaws

Apple has made iOS 9 generally available to the public, and the update now rolling out across the globe will probably be worth installing, if not for the new features then at least for the security fixes.

iOS 9 includes a host of features, from a new card-based app switcher that’s reminiscent of Android to improved password security and a simpler two-factor authentication system. But now that the update is shipping to iOS devices, Apple has also revealed a massive list of security fixes that make it wiser to install the latest version of iOS as soon as possible rather than delay.

The new version of iOS includes fixes for 101 individual security bugs present in prior versions, resolving vulnerabilities in Apple Pay, iTunes, OpenSSL, Safari, iOS encryption, Siri and WebKit, the browser engine behind Safari.

The update arrives hours after security researcher Mark Dowd revealed a new bug in AirDrop, Apple’s wireless iOS-OS X file transfer service, that allows an attacker within Bluetooth range to install malware on an Apple device.

Dowd told Forbes that iOS 8 was vulnerable to a “directory traversal attack”, which allowed him to write files to any location on a vulnerable device. The attack used an enterprise certificate, the kind corporations often use to permit the installation of software on devices from outside the App Store.

Interestingly, Apple’s support page for the iOS 9 update does not mention a credit to Dowd, and doesn’t reference AirDrop or any bug apparently related to the flaw discovered by the researcher.

However, according to Dowd, Apple has mitigated it in iOS 9 by sandboxing AirDrop.
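The defence against a directory traversal of the kind Dowd describes is to canonicalise the destination path before writing and refuse anything that resolves outside the directory a received file is allowed to land in. The following is an added illustration of that check, not Apple’s or Dowd’s code, and it makes no claim about how AirDrop is implemented; the receive directory, the symlink and the list of file names are all constructed for the demo.

```python
import os
import tempfile


def resolve_receive_path(receive_dir: str, requested_name: str) -> str:
    """Return the absolute path a received file may be written to, or raise ValueError.

    Both the root and the candidate are canonicalised with realpath, so '..'
    segments, absolute names and symlinks inside the receive directory that
    point elsewhere are all resolved before the containment check runs.
    """
    root = os.path.realpath(receive_dir)
    candidate = os.path.realpath(os.path.join(root, requested_name))
    # commonpath is component-aware: '/a/b' is not treated as a prefix of '/a/bc'.
    # Writing to the root itself is also refused; only paths strictly below it pass.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"refusing write outside {root}: {requested_name!r}")
    return candidate


def classify_names(receive_dir: str, names: list) -> dict:
    """Map each requested name to 'allowed' or 'rejected' (demo helper)."""
    verdicts = {}
    for name in names:
        try:
            resolve_receive_path(receive_dir, name)
            verdicts[name] = "allowed"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts


def demo() -> dict:
    """Build a throwaway receive directory (constructed, hypothetical layout) containing
    a symlink that escapes it, then check a set of constructed file names against it."""
    with tempfile.TemporaryDirectory() as base:
        receive_dir = os.path.join(base, "inbox")
        os.mkdir(receive_dir)
        # A link inside the inbox that points one level above it: a plain string
        # prefix check would accept writes through it, realpath exposes them.
        os.symlink(base, os.path.join(receive_dir, "escape"))
        names = [
            "photo.jpg",                  # ordinary file in the inbox
            "album/photo.jpg",            # subdirectory that does not exist yet
            "../outside.txt",             # classic '..' traversal
            "/etc/hosts",                 # absolute path replaces the root on join
            "escape/outside.txt",         # traversal through the symlink
            "../inbox/back_inside.txt",   # leaves and re-enters: still inside
        ]
        return classify_names(receive_dir, names)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

The important detail is that the containment test runs on the resolved path, not on the string the sender supplied: both the `..` case and the symlink case look harmless until `realpath` has been applied to them.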

A YouTube video posted by Dowd demonstrating the flaw on iOS 8.4.1 also shows that the bug can be used for a lockscreen bypass. Details of the bug came as Google patched a lockscreen bypass affecting Nexus devices running Android 5.0.

Apple’s answer to Dowd’s attack, however, is just one of many fixes released with iOS 9, among them a fix for a problem with Safari’s implementation of Google’s Safe Browsing database of known malicious websites.

Apple doesn’t rate the severity of the bugs it details with each update, but some do stand out as potentially serious.

It turns out the company’s implementation of Google’s Safe Browsing technology, which is meant to issue an alert when a browser visits a known malicious website, wasn’t functioning correctly. Apple notes that iPhones newer than the 4s wouldn’t see a security warning when Safari visited a known malicious website.

Safe Browsing is built into Chrome, while Google’s Safe Browsing API is used by Apple and Mozilla to deliver the same functionality in Safari and Firefox respectively.

The latest version of iOS also includes a fix for a Siri bug that allowed a person to see content that shouldn’t be viewable on the lock screen.

Meanwhile, a bug affecting Apple Pay on the iPhone 6 and 6 Plus could leak recent transactions when making a payment, though Apple notes that it didn’t affect all cards registered with Apple’s mobile payments service.

“The transaction log functionality was enabled in certain configurations. This issue was addressed by removing the transaction log functionality. This issue did not affect iPad devices,” Apple noted.

The update also included a fix for a kernel bug reported to Apple in 2013 by security researcher Stefan Esser, who was recently accused by fellow researchers of having revealed the dyld zero-day bug in OS X without telling Apple ahead of time. That bug, as Malwarebytes noted in August, was responsibly disclosed to Apple by a South Korean researcher who uses the Twitter handle @beist.

Esser appeared to mock Apple in a tweet for crediting him in the iOS 9 release for a bug he’d told the company about more than two years ago.

As for the bug that @beist was credited with, Apple said the memory corruption issue in dyld was “addressed through improved memory handling.”

The next update for OS X, dubbed by Apple as El Capitan, is scheduled for release on September 30 and is likely to contain fixes for many of the same flaws revealed in the iOS 9 update.

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place