iOS 7 patches scores of vulnerabilities in iOS 6
Every new version of iOS fixes security problems in the previous one, but iOS 7 does more of this than usual. As I wrote about separately, iOS 7 patches 80 vulnerabilities in iOS 6. This alone puts heavy pressure on users and IT to upgrade, as Apple is not going to patch iOS 6.
Every new iOS device also usually casts some old one into the "unsupported" bin. The iPhone 3GS and iPad (first generation) can't upgrade to iOS 7 and therefore will remain vulnerable.
Two specific vulnerabilities demonstrate the severity of the situation: CVE-2013-1025 is a buffer overflow in iOS CoreGraphics that allows an attacker to take control of the process with a malicious PDF, but only within the sandboxed browser. CVE-2013-3953 is a privilege escalation vulnerability that allows a malicious program to break out of the sandbox. Combined, CVE-2013-1025 and CVE-2013-3953 can lead to full control of the device just by viewing a web site. This, incidentally, is exactly what the famous JailbreakMe did: it combined code execution and privilege escalation vulnerabilities to create a complete compromise via simple web browsing.
Yes, both CVE-2013-1025 and CVE-2013-3953 are now patched, but the pair shows that these things do happen on iOS.
When a user clicks "Share" to specify an app in which a document should open, he creates several potential security problems: Open In makes a copy of the document, and the receiving application may not be one that is considered secure.
In iOS 7, through the MDM interfaces, IT can specify which apps are allowed to handle specific content types, potentially limiting that access to managed apps. They call this "Managed Open-In."
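One way IT could audit whether a configuration profile actually enforces Managed Open-In, as an added example (not code from the article or from Apple): it assumes the Apple restriction keys allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged in the com.apple.applicationaccess payload, that both default to allow when absent, and that restrictions from several payloads accumulate.

```python
"""Compliance check for Managed Open-In in an iOS configuration profile (added example)."""
import plistlib
from typing import Optional

RESTRICTIONS = "com.apple.applicationaccess"  # Restrictions payload type
# Assumption: these are the two restriction keys that implement Managed Open-In.
# Both default to true (allow) when absent, so silence in the profile is the weak setting.
OPEN_IN_KEYS = ("allowOpenFromManagedToUnmanaged", "allowOpenFromUnmanagedToManaged")


def managed_open_in_findings(profile_xml: bytes) -> list:
    """Return findings for a profile; an empty list means both Open-In directions are restricted."""
    profile = plistlib.loads(profile_xml)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS]
    if not payloads:
        return ["no Restrictions payload: Open-In is unrestricted (device default is allow)"]
    findings = []
    for key in OPEN_IN_KEYS:
        # Assumption: restrictions accumulate, so one payload setting the key to false is enough.
        allowed = all(p.get(key, True) for p in payloads)
        if allowed:
            findings.append(f"{key} is allowed: documents can cross the managed/unmanaged boundary")
    return findings


def build_profile(restrictions: Optional[dict]) -> bytes:
    """Constructed sample profile (not an Apple-issued one) with an optional Restrictions payload."""
    content = []
    if restrictions is not None:
        content.append({"PayloadType": RESTRICTIONS, "PayloadVersion": 1,
                        "PayloadIdentifier": "example.restrictions",
                        "PayloadUUID": "00000000-0000-0000-0000-000000000002", **restrictions})
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.profile",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000001",
                           "PayloadContent": content})


# Weak: one direction explicitly allowed, the other left at its permissive default.
WEAK_PROFILE = build_profile({"allowOpenFromManagedToUnmanaged": True})
# Hardened: both directions turned off, so only managed apps can receive managed documents.
HARDENED_PROFILE = build_profile({key: False for key in OPEN_IN_KEYS})

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, managed_open_in_findings(profile) or ["ok"])
```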
System-wide VPNs on mobiles are considered undesirable, partly as a security measure and partly because the company doesn't necessarily want to run all a user's personal traffic through their VPN.
For some time, MDM vendors have been allowing IT to specify per-app VPNs: each instance of each managed app gets its own VPN tunnel. Now iOS 7 allows these per-app VPNs through the MDM interfaces.
The VPN is managed entirely by IT. When the app is launched it opens a VPN tunnel, and when it terminates it closes that tunnel. The user launches and uses the app as they normally would and should notice no difference from the app's traffic running through the VPN.
At the company end, the VPN could be any of dozens of VPN products from F5, Cisco, Juniper or anyone else, but the VPN products may need to be updated to support this feature.
Image: Wikimedia Commons