Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Apple Fixes Security Flaws With Release of iOS 8.1

Apple released on Monday a new version of its mobile operating system and, in addition to some interesting new features, the latest version includes fixes for several security issues.

Apple released on Monday a new version of its mobile operating system and, in addition to some interesting new features, the latest version includes fixes for several security issues.

According to an advisory published by the company, one of the fixed vulnerabilities (CVE-2014-4428) could have been exploited to establish a connection from a malicious Bluetooth input device by bypassing pairing.

“Unencrypted connections were permitted from Human Interface Device-class Bluetooth Low Energy accessories. If an iOS device had paired with such an accessory, an attacker could spoof the legitimate accessory to establish a connection. The issue was addressed by denying unencrypted HID connections,” Apple said in its advisory.

Another issue addressed with the release of iOS 8.1, which has been assigned the CVE identifier CVE-2014-4448, refers to insufficient cryptographic protections applied to files transferred to a device. In previous versions of iOS, files transferred to an application’s “Documents” directory may be encrypted with a key that’s protected only by the hardware UID. In iOS 8.1, the key is protected by both the hardware UID and the user’s passcode.

A TLS certificate validation flaw affecting iCloud (CVE-2014-4449) has also been addressed. The vulnerability could have been exploited by an attacker with privileges on the network to leak sensitive iCloud data.

Another interesting bug is caused by QuickType, which can “learn” users’ credentials when switching between elements.

“This issue was addressed by QuickType not learning from fields where autocomplete is disabled and reapplying the criteria when switching between DOM input elements in legacy WebKit,” Apple said.

Carl Mehner of USAA, Jonathan Zdziarski, Kevin DeLong, and Mike Ryan of iSEC Partners have been credited for identifying the vulnerabilities.

In addition to these vulnerabilities, Apple has also disabled CBC cipher suites when TLS connection attempts fail in an effort to protect customers against the recently discovered SSL 3.0 flaw dubbed POODLE.

The SSL 3.0 vulnerability and the Bluetooth pairing bypass issue have also been addressed by the company in Apple TV with the release of version 7.0.1.

With the release of iOS 8.1, Apple has introduced Apple Pay, a new contactless payment system that should prevent fraud.

“In general, we cannot say with certainty that mobile payment systems are more secure than payment cards; only time will tell. However, as with any new addition or feature to a platform, even ones meant to enhance security, this expands the overall attack surface, making it attractive for criminals looking for vulnerabilities to exploit,” Mike Park, managing consultant at Trustwave, told SecurityWeek.

“For instance, previously mobile payments were usually done via an app or third-party add on, and only very few of these were targeted. With the introduction of this type of functionality into a platform, it makes every device a possible target,” Park added. “It’s still very early, but with this new feature attackers are likely looking to steal identities and mass harvest payment card information as they do in other platforms and verticals now. With a credit card selling for more than $100 USD in black forums, this is an incentive to go after these new containers.”

Last week, Apple released security updates for OS X to fix the POODLE flaw and several other vulnerabilities.

 

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.