iOS 9 contains 101 fixes for security flaws

Apple has made iOS 9 generally available to the public, and the update rolling out across the globe will probably be one worth installing, if not for the new features then at least for the security fixes.

iOS 9 includes a host of features, from a new card-based app switcher that’s reminiscent of Android to improved password security and a simpler two-factor authentication system. But now that the update is shipping to iOS devices, Apple has also revealed a massive list of security fixes that probably make it wiser to install the latest version of iOS ASAP rather than delay.

The new version of iOS includes fixes for 101 individual security bugs that exist in prior versions, which resolve vulnerabilities in Apple Pay, iTunes, OpenSSL, Safari, iOS encryption, Siri and the Safari browser engine WebKit.

The update arrives hours after security researcher Mark Dowd revealed a new bug in Apple’s wireless iOS-OS X file transfer service AirDrop, which allows an attacker within Bluetooth range to install malware on an Apple device.

Dowd told Forbes iOS 8 was vulnerable to a “directory traversal attack” which allowed him to write files to any location on a vulnerable device. The attack used an enterprise certificate; such certificates are often used by corporations to permit the installation of software on devices from outside of the App Store.

Interestingly, Apple’s support page for the iOS 9 update does not mention a credit to Dowd, and doesn’t reference AirDrop or any bug apparently related to the flaw discovered by the researcher.

However, according to Dowd, Apple has mitigated it in iOS 9 by sandboxing AirDrop.

A YouTube video posted by Dowd demonstrating the flaw on iOS 8.4.1 also shows the bug can be used for a lockscreen bypass. Details of the bug came as Google patched a lockscreen bypass affecting Nexus devices running Android 5.0.

Apple’s answer to Dowd’s attack, however, is just one of many fixes released with iOS 9, including a fix for a problem with Safari’s implementation of Google’s Safe Browsing database of known malicious websites.

Apple doesn’t rate the severity of the bugs it details with each update but some do stand out as potentially serious.

It turns out the company’s implementation of Google’s Safe Browsing technology, which is meant to issue an alert when a browser visits a known malicious website, wasn’t functioning correctly. Apple notes that iPhones above 4s won’t see a security warning when Safari visits a known malicious website.

Safe Browsing is built into Chrome while Google’s Safe Browsing API is used by Apple and Mozilla to deliver the same functionality in Safari and Firefox respectively.

The latest version of iOS also includes a fix for a Siri bug that allows a person to see content that shouldn’t be viewable on the lock screen.

Meanwhile, a bug affecting Apple Pay on the iPhone 6 and 6 Plus could leak recent transactions when making a payment, though Apple notes that it didn’t affect all cards registered with Apple’s mobile payments service.

“The transaction log functionality was enabled in certain configurations. This issue was addressed by removing the transaction log functionality. This issue did not affect iPad devices,” Apple noted.

The update also included a fix for a kernel bug reported to Apple in 2013 by security researcher Stefan Esser, who was recently accused by fellow researchers of having revealed the dyld zero-day bug in OS X without telling Apple ahead of time. That bug, as Malwarebytes noted in August, was responsibly disclosed to Apple by a South Korean researcher who uses the Twitter handle @beist.

Esser appeared to mock Apple in a tweet for crediting him in the iOS 9 release for a bug he’d told the company about more than two years ago.

As for the bug that @beist was credited with, Apple said the memory corruption issue in dyld was “addressed through improved memory handling.”

The next update for OS X, dubbed by Apple as El Capitan, is scheduled for release on September 30 and is likely to contain fixes for many of the same flaws revealed in the iOS 9 update.

Stories by Liam Tung
