Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Apple iOS < 10.2.1 Multiple Vulnerabilities

High

Synopsis

The remote host is missing a critical Apple iOS patch update.

Description

The version of iOS running on the mobile device is prior to 10.2.1, and is affected by multiple vulnerabilities :

- A prototype access flaw exists that is triggered when handling exceptions. With specially crafted web content, a context-dependent attacker may exfiltrate cross-origin data. (CVE-2017-2350) - A flaw exists in WiFi that is triggered when handling user input. This may allow a physically present attacker to bypass the lock and briefly access the home screen. (CVE-2017-2351) - A logic flaw exists related to state management in Auto Unlock. This may allow a physically present attacker to potentially unlock a watch when it is off the user's wrist. (CVE-2017-2352) - A type confusion flaw exists that is triggered as input is not properly validated when handling 'SearchInputType' objects. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2017-2354) - An unspecified memory initialization flaw exists that may allow a context-dependent attacker to potentially execute arbitrary code. No further details have been provided. (CVE-2017-2355) - A flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2017-2356, CVE-2017-2362, CVE-2017-2366, CVE-2017-2369, CVE-2017-2373) - A use-after-free error exists in the 'host_self_trap' mach trap. This may allow a local attacker to dereference already freed memory and gain elevated privileges. (CVE-2017-2360) - A flaw exists that is triggered as input is not properly validated when handling page loading. This may allow a context-dependent attacker to exfiltrate cross-origin data. (CVE-2017-2363, CVE-2017-2364) - A flaw exists that is triggered as input is not properly validated when handling variables. This may allow a context-dependent attacker to exfiltrate cross-origin data. (CVE-2017-2365) - A flaw exists in Contacts that is triggered as input is not properly validated during the handling of a specially crafted contact card. This may allow a context-dependent attacker to crash the system. (CVE-2017-2368) - An overflow condition exists in the 'mach_voucher_extract_attr_recipe_trap()' function that is triggered as certain input is not properly validated. This may allow a local attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2017-2370) - An unspecified flaw exists that may allow a context-dependent attacker to bypass popup restrictions via a specially crafted website. No further details have been provided. (CVE-2017-2371)

Solution

Upgrade to Apple iOS 10.2.1 or later.