Apple iOS 7.1 patches 41 vulnerabilities

Summary: Dozens of fixes address many serious bugs, courtesy of Google, jailbreakers and others.

iOS 7.1, released today, fixes 41 vulnerabilities in the most recent version of the operating system.

The WebKit browser engine used by the Safari browser accounts for 19 of the vulnerabilities, and nine of these were reported to Apple by the Google Chrome Security Team. Any of the 19 could be used by a remote attacker to take user-level control of the device. Combined with a privilege escalation exploit, the attacker could take administrative control. (There are no such vulnerabilities in this set, but there have been many over the years.)

An especially interesting vulnerability is in dyld, OS X's dynamic linker/loader. The impact is "Text relocation instructions in dynamic libraries may be loaded by dyld without code signature validation. This issue was addressed by ignoring text relocation instructions." Normally bypassing code signing would be considered a very significant bug, but if the solution is to ignore the problem then perhaps it's not.

Even more interesting, Apple credits "evad3rs" for this vulnerability. They are likely referring to the purveyors of jailbreaks for iOS. Apple credits evad3rs with a total of four vulnerabilities, including one which could allow arbitrary code execution in the kernel, the stuff of which jailbreaks are made. [UPDATE: Previously the "evad3rs" link went to a different site which claimed to have an iOS 7.1 jailbreak. The site appears not to be a "legit" evad3rs site.]

It's not uncommon for Apple to patch vulnerabilities which were disclosed long ago. Several of the WebKit vulnerabilities date to last fall, but one (CVE-2012-2088) was reported in June 2012. Apple patched it in OS X in March of 2013.

Topics: Security, Apple, iOS

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
