With the release of iOS 11, Apple has included security updates to fix certain software bugs. The Apple security updates page includes a list of the bugs in iOS 11, macOS High Sierra, tvOS 11 and watchOS 4. The following is a list of vulnerabilities patched with the iOS 11.0 release.
Exchange ActiveSync
- Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
- Impact: An attacker in a privileged network position may be able to erase a device during Exchange account setup
- Description: A validation issue existed in AutoDiscover V1. This issue was addressed through requiring TLS.
- CVE-2017-7088: Ilya Nesterov, Maxim Goncharov
iBooks
- Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
- Impact: Parsing a maliciously crafted iBooks file may lead to a persistent denial-of-service
- Description: Multiple denial of service issues were addressed through improved memory handling.
- CVE-2017-7072: Jędrzej Krysztofiak
Mail MessageUI
- Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
- Impact: Processing a maliciously crafted image may lead to a denial of service
- Description: A memory corruption issue was addressed with improved validation.
- CVE-2017-7097: Xinshu Dong and Jun Hao Tan of Anquan Capital
Messages
- Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
- Impact: Processing a maliciously crafted image may lead to a denial of service
- Description: A denial of service issue was addressed through improved validation.
- CVE-2017-7118: Kiki Jiang and Jason Tokoph
MobileBackup
- Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
- Impact: Backup may perform an unencrypted backup despite a requirement to perform only encrypted backups
- Description: A permissions issue existed. This issue was addressed with improved permission validation.
- CVE-2017-7133: Don Sparks of HackediOS.com
Safari
- Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
- Impact: Visiting a malicious website may lead to address bar spoofing
- Description: An inconsistent user interface issue was addressed with improved state management.
- CVE-2017-7085: xisigr of Tencent’s Xuanwu Lab (tencent.com)
WebKit
- Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
- Impact: Processing maliciously crafted web content may lead to universal cross site scripting
- Description: A logic issue existed in the handling of the parent-tab. This issue was addressed with improved state management.
- CVE-2017-7089: Anton Lopanitsyn of ONSEC, Frans Rosén of Detectify
WebKit
- Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
- Impact: Visiting a malicious website may lead to address bar spoofing
- Description: An inconsistent user interface issue was addressed with improved state management.
- CVE-2017-7106: Oliver Paukstadt of Thinking Objects GmbH (to.com)
The details on the Common Vulnerabilities and Exposures (CVE) website aren’t available yet. This is because Apple imposed a moratorium on publishing until the bugs were patched. We’ll know more about them in the days ahead.