Posts

iOS 8

Apple released the latest version of its mobile OS on Wednesday and fixed over 50 vulnerabilities in it, many of which are very serious:
Two vulnerabilities allowed a local attacker to escalate privileges and install unverified (likely malicious) applications
A validation issue in the handling of update check responses allowed an attacker with a privileged network position to cause an iOS device to think that it is up to date even when it is not
Two vulnerabilities in CoreGraphics made it possible for a maliciously crafted PDF file to terminate apps or execute arbitrary code
Several vulnerabilities in the IOHIDFamily kernel extension made it possible for a malicious app to read kernel pointers, which can be used to bypass kernel address space layout randomization, or to execute arbitrary code with system privileges (the latter was also made possible by the existence of several IOKit bugs)
A Libnotify bug allowed a malicious application to execute arbitrary code with root privileges
Two Safari vulnerabilities made it possible for attackers and websites to intercept or harvest user credentials
12 WebKit bugs could have been misused by attackers to execute arbitrary code on the device by simply creating a malicious website and tricking users into visiting it.
With iOS 8, Apple has also updated its certificate trust policy and has randomised the MAC address to prevent potential device tracking attacks via passive WiFi scans.

If you can, it’s a good idea to update to iOS 8, because all these bugs remain unpatched in all earlier versions of the OS.

More information:
http://www.net-security.org/secworld.php?id=17378
http://support.apple.com/kb/HT6441

iOS 7.1 Update

Apple has released an update to iOS, version 7.1.
This update contains a lot of security updates, so it’s recommended to update your devices as soon as possible.

More information:
http://support.apple.com/kb/HT6162

iOS 7.0.2 – fixes lock screen vulnerability

iOS 7.0.2 is now available and addresses the following:

Passcode Lock
Available for: iPhone 4 and later
Impact: A person with physical access to the device may be able to
make calls to any number
Description: A NULL dereference existed in the lock screen which
would cause it to restart if the emergency call button was tapped
repeatedly. While the lock screen was restarting, the call dialer
could not get the lock screen state and assumed the device was
unlocked, and so allowed non-emergency numbers to be dialed. This
issue was addressed by avoiding the NULL dereference.
CVE-ID
CVE-2013-5160 : Karam Daoud of PART – Marketing & Business
Development, Andrew Chung, Mariusz Rysz

Passcode Lock
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
see recently used apps, see, edit, and share photos
Description: The list of apps you opened could be accessed during
some transitions while the device was locked, and the Camera app
could be opened while the device was locked.
CVE-ID
CVE-2013-5161 : videosdebarraquito

This update is available through iTunes and Software Update on your iOS device.
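
The first Passcode Lock description above is a fail-open pattern: a state query fails and the caller assumes the permissive answer. The following is an added illustration, not Apple's code; all type and function names are hypothetical and the phone numbers are constructed. Apple's stated fix was avoiding the NULL dereference; the fail-closed variant shows the complementary defensive default.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the lock-screen state as seen by the dialer. */
typedef enum { LOCK_STATE_LOCKED, LOCK_STATE_UNLOCKED } lock_state_t;

typedef struct {
    bool restarting;      /* lock screen is restarting, state unavailable */
    lock_state_t state;   /* last known state */
} lock_screen_t;

/* Returns true and fills *out on success, false if the state cannot be read. */
static bool query_lock_state(const lock_screen_t *ls, lock_state_t *out)
{
    if (ls == NULL || ls->restarting)
        return false;
    *out = ls->state;
    return true;
}

/* Constructed sample list of numbers that are always allowed. */
static bool is_emergency_number(const char *number)
{
    return strcmp(number, "911") == 0 || strcmp(number, "112") == 0;
}

/* Fail-open: a failed query leaves the permissive default in place,
 * which is the behaviour the advisory describes. */
bool may_dial_fail_open(const lock_screen_t *ls, const char *number)
{
    lock_state_t st = LOCK_STATE_UNLOCKED;  /* permissive default */
    (void)query_lock_state(ls, &st);        /* failure is ignored */
    return st == LOCK_STATE_UNLOCKED || is_emergency_number(number);
}

/* Fail-closed: an unreadable state is treated as locked, so only
 * emergency numbers can be dialled while the lock screen restarts. */
bool may_dial_fail_closed(const lock_screen_t *ls, const char *number)
{
    lock_state_t st;
    if (!query_lock_state(ls, &st))
        st = LOCK_STATE_LOCKED;             /* restrictive default */
    return st == LOCK_STATE_UNLOCKED || is_emergency_number(number);
}
```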

iOS 7 released – fixes vulnerabilities

Apple have released the latest version of their iOS, version 7. This release contains a lot of features, but a lot of security vulnerabilities have also been fixed, which means it’s important to update your iOS device as soon as possible.

More information: http://support.apple.com/kb/HT5934

Cisco IOS Multiple DoS Vulnerabilities

Cisco released information on 7 DoS vulnerabilities in Cisco IOS yesterday.
All of them concern DoS attacks, so it’s recommended to upgrade as soon as possible.

Cisco IOS Software Internet Key Exchange Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-ike

Cisco IOS Software Smart Install Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-smartinstall

Cisco IOS Software Zone-Based Policy Firewall Session Initiation
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-cce

Cisco IOS Software Network Address Translation Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-nat

Cisco IOS Software Protocol Translation Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-pt

Cisco IOS Software Resource Reservation Protocol Denial of Service
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-rsvp

Cisco IOS Software IP Service Level Agreement Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-ipsla

iOS 6.1.3 Released

iOS 6.1.3 has been released, and fixes six security issues (for example the “partly unlock your iPhone without entering your code” issue and a flaw in WebKit that can be used to execute arbitrary code). It’s recommended to update as soon as possible.
You can update by going to Settings, General, Software Update and then downloading the latest version.

More information:
http://support.apple.com/kb/ht1222
http://nakedsecurity.sophos.com/2013/02/15/unlock-iphone-without-password/