Apple is known for doing things up big. True to form, the company has recently joined the Patch Party in a big way. Not so long ago, users of Apple products boasted that their operating systems weren’t vulnerable to exploit like Windows. Even though some security experts noted that the relative safety was in large part a matter of hackers not aiming their efforts at those systems because they didn’t get as much “bang for the buck” (that is, the much larger Windows market share made it a more attractive target), many people switched to Apple because they believed they wouldn’t have to worry about security flaws.
And while OS X still has only a small fraction of market share (around 7 percent), Apple’s mobile operating system, iOS, is wildly popular. And as computing in general moves to a more mobile model, with worldwide shipments of tablets projected to surpass that of PCs in the fourth quarter of 2013, that makes iOS an attractive target indeed. And now iPhone users are facing more and more reports of security vulnerabilities each month.
This month’s US-CERT Security Bulletin lists four high severity vulnerabilities in iOS and a whopping twenty-six of medium severity, along with six rated low severity. Those are just for Apple’s mobile OS; they also show nine medium and low severity vulnerabilities for OS X and OS X server, along with a medium severity QuickTime vulnerability and a high severity iTunes vulnerability. And that’s just for September. For comparison, there’s only one Microsoft product listed, a vulnerability in Internet Explorer (although to be fair, the iTunes vulnerability is an ActiveX related flaw that impacts the Apple software installed on Windows).
The good news is that the iPhone vulnerabilities on the list affect pre-iOS 7 operating systems. In fact, according to the Apple Mailing list as reported by Larry Seltzer on ZDNet, iOS 7 fixes eighty vulnerabilities. This might explain why Apple has been pushing so hard to convince owners of existing iPhones to upgrade. Those efforts seem to be working; iPhone users are upgrading to the new OS in record numbers. As of Monday, 200 million devices were said to be running iOS 7. On the other hand, that represents only a little over 50 percent of iOS devices, which means there are another 200 million or so out that that can still be impacted by these vulnerabilities.
The most concerning of the iOS vulnerabilities is CVE-2013-5139. This is a flaw in the IOSerialFamily driver that could allow an attacker to run arbitrary code, with no authentication required for the exploit, and it could result in disclosure of information stored on the phone as well as denial of service. The other high severity vulnerabilities can also be exploited to create a denial of service attack.
Other iOS vulnerabilities, although rated as medium severity, can have some serious consequences. A number of these allow arbitrary code execution or denial of service, injection of arbitrary web script, bypass passcode requirements, or obtain sensitive information. Many of these flaws are related to WebKit, which is a rendering component in Apple’s Safari web browser (it’s also used in Chrome web browsers and the default Android browser). Mobile Safari is also the object of additional vulnerabilities, one of which allows cross-site scripting attacks and one that can be used to spoof the URL address bar. Other iOS vulnerabilities involve the Passcode Lock system, the Push Notifications subsystem, the Sandbox subsystem, the Telephony subsystem and the Twitter subsystem. There’s also a kernel vulnerability that could allow an attacker to access sensitive information in the kernel stack memory.
Unfortunately, as we reported yesterday, iOS 7 has security issues of its own. Even before it was released to the public, hackers were hunting for potential exploits. Its first patch, iOS 7.01 was released immediately after sales of the new iPhone 5s and 5c began and 7.02 can’t be far behind. But despite the fact that some law enforcement officers are urging people to install iOS 7.x, some iPhone users are resistant to upgrading, for reasons discussed by Zack Whittaker in a recent article on ZDNet.
For those desktop aficionados who use OS X versions previous to 10.8.5, most of the vulnerabilities involve the risk of arbitrary code execution and/or denial of service, as well as a problem with the Screen Lock feature that could be used by a remote authenticated user to bypass locking.
Like so many celebrities, Apple is beginning to realize that there’s a downside to being popular. The company – and the users of its products – can no longer take security for granted.
Like our posts? Subscribe to our RSS feed or email feed (on the right hand side), and be the first to get them!