Apple Squashes 11 Security Holes in iOS 10.2

Apple released iOS 10.2 on Monday, and the company was much quicker than normal in releasing the security patch notes for the release. According to those notes, there are 11 security holes fixed in the release. Most of those holes are serious, and some allowed access to various aspects of a device when it should be locked.

You can read more about iOS 10.2 in our main coverage. Apple’s security patch notes for iOS 10.2 in full:

iOS 10.2

Released December 12, 2016

Accessibility

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: A nearby user may be able to overhear spoken passwords

Description: A disclosure issue existed in the handling of passwords. This issue was addressed by disabling the speaking of passwords.

CVE-2016-7634: Davut Hari

Accessibility

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: A person with physical access to an iOS device may be able to access photos and contacts from the lock screen

Description: A lock screen issue allowed access to photos and contacts on a locked device. This issue was addressed by restricting options offered on a locked device.

CVE-2016-7664: Miguel Alvarado of iDeviceHelp

Accounts

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: An issue existed which did not reset the authorization settings on app uninstall

Description: This issue was addressed through improved sanitization.

CVE-2016-7651: Ju Zhu and Lilang Wu of Trend Micro

Find My iPhone

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: An attacker with an unlocked device may be able to disable Find My iPhone

Description: A state management issue existed in the handling of authentication information. This issue was addressed through improved storage of account information.

CVE-2016-7638: Sezer Sakiner, an anonymous researcher

Graphics Driver

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: Watching a maliciously crafted video may lead to a denial of service

Description: A denial of service issue existed in the handling of video. This issue was addressed through improved input validation.

CVE-2016-7665: Moataz El Gaml of Schlumberger, an anonymous researcher

Image Capture

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: A malicious HID device may be able to cause arbitrary code execution

Description: A validation issue existed in the handling of USB image devices. This issue was addressed through improved input validation.

CVE-2016-4690: Andy Davis of NCC Group

Local Authentication

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: The device may not lock the screen after the idle timeout

Description: A logic issue existed in the handling of the idle timer when the Touch ID prompt is shown. This issue was addressed through improved handling of the idle timer.

CVE-2016-7601: an anonymous researcher

Mail

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: An email signed with a revoked certificate may appear valid

Description: S/MIME policy failed to check if a certificate was valid. This issue was addressed by notifying a user if an email was signed with a revoked certificate.

CVE-2016-4689: an anonymous researcher

Media Player

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: A user may be able to view photos and contacts from the lockscreen

Description: A validation issue existed in the handling of media selection. This issue was addressed through improved validation.

CVE-2016-7653

Profiles

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: Opening a maliciously crafted certificate may lead to arbitrary code execution

Description: A memory corruption issue existed in the handling of certificate profiles. This issue was addressed through improved input validation.

CVE-2016-7626: Maksymilian Arciemowicz (cxsecurity.com)

SpringBoard

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: A person with physical access to an iOS device may be able to unlock the device

Description: In some cases, a counter issue existed in the handling of passcode attempts when resetting the passcode. This was addressed through improved state management.

CVE-2016-4781: an anonymous researcher

SpringBoard

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: A person with physical access to an iOS device may be able to keep the device unlocked

Description: A cleanup issue existed in the handling of Handoff with Siri. This was addressed through improved state management.

CVE-2016-7597: an anonymous researcher