The vulnerabilities patched by iOS 7 cover a wide array of undesirable behaviours – some of them years old.
“The changes made in iOS 7 aren’t significant from any other software upgrade Apple has introduced,” Cigital principal consultant Scott Matsumoto said in an email. “They are doing their job as the platform provider,” he continued. “Platforms inevitably get more secure over time in the field; it’s a natural maturation process that every piece of software goes through.
“Are there still vulnerabilities in iOS?” he added. “Yes. I imagine that there will be a similar list with every release of iOS.”
One apparent vulnerability not addressed in the first release of iOS 7 is a defect uncovered just hours after the software became available last Wednesday for downloading by the public.
Ironically, the vulnerability affects the new lockscreen feature in iOS that’s been praised as a security improvement over past versions of the OS.
Even when an Apple mobile device running iOS 7 is locked, a new feature called the Control Center can be accessed by swiping upward on a device’s screen. The centre gives a user access to four often-used apps on the device: flashlight, timer, calculator and camera.
Two of those apps – the calculator and timer – can be used to gain access to full functionality on the camera app through a series of steps using the Home button. Once in control of the camera app, an unauthorised user could shoot photos, share them through email and SMS messaging, post them to a device owner’s social media accounts and edit or delete pics.
To a limited extent, the app can be used to modify contacts on the device, as well as kill any running applications on it.
Until Apple fixes the vulnerability, some security experts recommend disabling Control Center, Notification Center and Siri on the lockscreen.
Another lockscreen issue was addressed in the scores of vulnerabilities tackled in iOS 7. That issue allowed the lockscreen to be bypassed by leveraging a race condition involving phone calls and injections of a SIM card. Apple said it addressed that problem by improving the operating system’s lock state management.
Apple also patched a vulnerability allowing an app in the operating system’s third-party sandbox to snatch the passcode to a device. Apple addressed the issue by requiring additional entitlement checks.
Another flaw involving multiple buffer overflows had allowed attackers to execute arbitrary code – even after a system reboot. That problem was fixed by improved bounds checking in the code.
A flaw that allowed apps running in the background to inject UI (user interface) events into an app running in the foreground was also addressed. That was fixed by imposing access controls on foreground and background processes that handle the UI events.
The new iOS also fixes a glitch that allowed sandboxed apps to send tweets without a user’s permission. The problem lay in the Twitter subsystem. “Bypassing supported APIs, sandboxed apps could make requests directly to a system daemon interfering with or controlling Twitter functionality,” Apple explained. That issue was patched by enforcing access controls on interfaces exposed by the Twitter daemon.
Many of the flaws, although potentially dangerous, weren’t likely to affect most users, said PJ Gupta, CEO of Amtel. “We work with corporations and, for them, Apple’s platform is the most secure compared to other platforms,” he said in an interview.
Plaudits have been heaped on Apple for its security improvements in iOS 7, which should make system administrators more comfortable with the OS. “With every release of iOS, Apple adds a few features and functions that further the level of security they’re providing,” John Dasher, vice president of product marketing for Good Technology, said in an interview.
by John P Mello, CSO (US)