iOS 8 fixes dozens of security flaws

Many severe vulnerabilities are fixed in the new version and remain in iOS 7.1.
Written by Larry Seltzer, Contributor

With the release of iOS 8 Apple has disclosed 53 vulnerabilities that are fixed in the new version. 

The most serious vulnerabilities would allow an attacker to execute code on the device with root privileges. Several others allow execution of code with kernel or system privileges. These vulnerabilities require the ability to execute code on the device, but that could be accomplished with one of the many remote code execution vulnerabilities also disclosed. Many of these are in the Webkit browser engine, meaning that such an attack could be launched if the user visited a malicious web page.

These issues, many of them severe, remain in earlier versions of iOS. It is Apple's usual practice not to fix them on earlier versions, so users who remain on iOS 7.x remain vulnerable to these issues.

Less shocking, but still severe is the ability for a rogue access point to steal iOS Wi-Fi credentials using an old and broken authentication protocol which was on by default in iOS. The protocol (LEAP) is disabled by default in iOS 8.

Another bug could allow an attacker with write access to /tmp to install unverified apps. Several vulnerabilities allow an app to turn the device off or restart it.

Other vulnerabilities are serious, if not so serious as those already described. They could allow attackers to access sensitive information such as logs or the user's Apple ID. Several allow attackers to determine kernel memory characteristics and bypass protections such as ASLR (Address Space Layout Randomization).

Many of the most serious vulnerabilities were disclosed to Apple by Ian Beer of Google Project Zero. Beer accounts for six of the vulnerabilities overall.

Another common feature of Apple disclosures is that they often involve vulnerabilities which are quite old. Four of these 53 vulnerabilities date to 2013, some of them serious. CVE-2013-5227, for example, involved two methods by which Safari would send usernames and passwords to the wrong site. It was disclosed by Apple in December 2013, but only fixed in OS X at that time.

Editorial standards