Sophos Cloud Optix
If you have an Apple device that is capable of running iOS 6, you might have resisted upgrading it after hearing people complain about Apple’s new mapping application.
But you ought to have grabbed it with both hands for security reasons: iOS 6 patched a whopping 197 CVE-numbered vulnerabilities in 41 system components, broken down as follows:
- 6 security bypasses
- 1 denial of service (DoS) problem
- 1 privilege escalation
- 15 data leakage issues
- 11 remote code execution (RCE) holes
- 7 spoofing flaws
Now, with the release of iOS 6.0.1, there are four more reasons to get onto iOS 6 if you’re still one of the holdouts.
Bugs fixed include:
- A kernel data leakage issue, by means of which the kernel could be persuaded to reveal information about which code was at what address. This might not sound like much, but it subverts Address Space Layout Randomisation (ASLR).
→ If all you can do with an vulnerability is make the CPU to jump to a memory address, you need to know in advance what address to choose. Otherwise, your exploit will probably just crash the device, not take it over. ASLR is deliberately intended to make it hard for you to know where to go, thus helping to turn RCE exploits (crash and keep control) into DoSes (crash and burn out).
- A Passcode bypass, potentially allowing your Passbook application to be accessed even after you locked your device.
→ Since Passbook can store coupons, loyalty programme details and even airline boarding cards, having your Passbook unlocked even when your device is locked presents a rather obvious personal security risk.
- Two RCE flaws in WebKit, the core of any web browsing app on any iDevice.
→ One of these bugs can be triggered by deliberately-dodgy Javascript; the other by a craftily-tweaked SVG (scalable vector graphics) file. These sorts of vulnerability are highly regarded by cybercrooks, as they can be used for drive-by infections. That’s where just visiting a page can trick your browser into running malware, without waiting for you to click through any security warnings.
There you have it. Four good reasons for iOS 6.0.1.
Apple’s writeup can be found in knowledgebase article HT5567.
Now if I could only get full web browsing capability on my Iphone with out having to jail break it, I would have a reason to upgrade
What abt wifi issues? has that been fixed?
The points above are only to do with security holes and vulnerability aspects of the upgrade.
Reports are that changes *have* been made in the Wi-Fi software, but apparently just as a way to improve connectivity…not as security fix. Not sure what effect these changes might have on your iDevice.
Right Holding Back, is that before or after you download your music and movies illegally??
Lots of people jailbreak without ever downloading music and/or other content illegally; personally I have done so for the health benefits of f.lux but considerable other functionality is only available by routing around the iOS restrictions. Naturally this comes at a risk; I lose some security for increased functionality, and that trade off is to some extent a personal judgement call. I would rather Apple allowed a broader range of apps in App Store that fit under the category of 'tweaks' in cydia, thus allowing this functionality whilst maintaining security, but that's not Apple's policy.
Jailbreaking have nothing to do with pirating music or movies. it just gives you more control over your device.
Can you say more about the SVG exploit through WebKit? It would be interesting to hear more about the JS exploit as well.
Yo! Apple..Fix the Toutube thing so i can use my Apple TV agin Then i'll upgrade…WTF 99.00 dollars for what? The new youtube app sucks All i get is audio.and no video.And the youtube setting that come with Apple TV is a Joke! The app was a one click sigan on.
I can't pause music by double clicking the home button while the device is locked anymore. The music controls pop up but only volume works. 🙁
I haven't read anything on this, but I've noticed a *MAJOR* increase in battery life.
)