With the release of iOS 10.3 today, Apple has patched more than two dozen vulnerabilities that could lead to arbitrary code execution.
Many of the code-execution bugs are in the iOS kernel and several others are in the FontParser component of the operating system. Among the kernel vulnerabilities, there are several memory corruption flaws that can allow an app to run arbitrary code. Google’s Project Zero team reported a large number of those flaws, and several groups of researchers in China, including Tencent Security and Qihoo 360, submitted many of the others.
This update is one of the larger iOS patch releases in the last few years. Apple often saves large updates like this for major releases, not point releases, but the high volume of arbitrary code execution flaws in this one clearly couldn’t wait for the next version. In addition to fixing all of the memory corruption and other code-execution flaws, Apple also made a significant change in the iOS crypto system.
“An attacker may be able to exploit weaknesses in the DES cryptographic algorithm. Support for the 3DES cryptographic algorithm was added to the SCEP client and DES was deprecated,” Apple said in its advisory.
Security experts and cryptographers consider DES to be unsuitable for modern applications. DES is 40 years old and NIST, the federal agency that sets technology standards for the government, withdrew it from use in 2005. Apple also patched a problem with the way that iOS handles some certificates.
“Processing a maliciously crafted x509 certificate may lead to arbitrary code execution. A memory corruption issue existed in the parsing of certificates. This issue was addressed through improved input validation,” the advisory says.
Apple also patched 19 vulnerabilities in the WebKit framework, including several code-execution flaws and a pair of universal cross-site scripting bugs.