iOS 8.4 Update Fixes Text Message Bug Causing iPhones to Restart

The bug had been around since iOS 6, but its impact was minor; very few people knew it even existed. The iPhone text message bug was publicized by a simple post on Reddit, then spread like wildfire across the Interwebs, and was probably sent to your own iPhone, causing it to restart. The vulnerability allowed anyone to restart an iPhone by sending a text message containing a specific series of Unicode characters. Apple has finally rolled out a security update with the release of iOS 8.4, fixing the bug as well as a wide range of other issues affecting iOS devices.

iOS 8.4 is available for: iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later.

Apple’s software update describes all the new improvements and features added, including fixes for the bug causing iPhones to restart:

Other improvements and bug fixes

  • Fixes an issue where receiving a specific series of Unicode characters causes device to reboot
  • Fixes an issue that prevented GPS accessories from providing location data
  • Fixes an issue where deleted Apple Watch apps could re-install

According to Apple’s security notice, iOS 8.4 addresses the following vulnerabilities:

  • CVE-2015-3722 : A malicious universal provisioning profile app may prevent apps from launching. An issue existed in the install logic for universal provisioning profile apps, which allowed a collision to occur with existing bundle IDs. This issue was addressed through improved collision checking.
  • CVE-2015-3684 : Following a maliciously crafted URL may lead to arbitrary code execution. A memory corruption issue existed in handling of certain URL credentials. This issue was addressed with improved memory handling.
  • CVE-2015-3723, CVE-2015-3724 : Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. Multiple memory corruption issues existed in the handling of ICC profiles. These issues were addressed through improved memory handling.
  • CVE-2015-1157 : CoreText in Apple iOS 8.x through 8.3 allows remote attackers to cause a denial of service (reboot and messaging disruption) via crafted Unicode text that is not properly handled during display truncation in the Notifications feature, as demonstrated by Arabic characters in (1) an SMS message or (2) a WhatsApp message.
  • CVE-2015-3685, CVE-2015-3686, CVE-2015-3687, CVE-2015-3688, CVE-2015-3689 : Processing a maliciously crafted text file may lead to an unexpected application termination or arbitrary code execution. Multiple memory corruption issues existed in the processing of text files. These issues were addressed through improved bounds checking.
  • CVE-2015-4000 : An attacker with a privileged network position may intercept SSL/TLS connections. coreTLS accepted short ephemeral Diffie-Hellman (DH) keys, as used in export-strength ephemeral DH cipher suites. This issue, also known as Logjam, allowed an attacker with a privileged network position to downgrade security to 512-bit DH if the server supported an export-strength ephemeral DH cipher suite. The issue was addressed by increasing the default minimum size allowed for DH ephemeral keys to 768 bits.
  • CVE-2015-3690 : A malicious application may be able to determine kernel memory layout. An information disclosure issue existed in the processing of disk images. This issue was addressed through improved memory management.
  • CVE-2015-3694, CVE-2015-3719 : Processing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution. Multiple memory corruption issues existed in the processing of font files. These issues were addressed through improved input validation.
  • CVE-2015-3703 : Processing a maliciously crafted .tiff file may lead to an unexpected application termination or arbitrary code execution. A memory corruption issue existed in the processing of .tiff files. This issue was addressed with improved bounds checking.
  • CVE-2014-8127, CVE-2014-8128, CVE-2014-8129, CVE-2014-8130 : Multiple vulnerabilities exist in libtiff, the most serious of which may lead to arbitrary code execution. Multiple vulnerabilities existed in libtiff versions prior to 4.0.4. They were addressed by updating libtiff to version 4.0.4.
  • CVE-2015-3721 : A malicious application may be able to determine kernel memory layout. A memory management issue existed in the handling of HFS parameters which could have led to the disclosure of kernel memory layout. This issue was addressed through improved memory management.
  • CVE-2015-3710 : A maliciously crafted email can replace the message content with an arbitrary webpage when the message is viewed. An issue existed in the support for HTML email which allowed message content to be refreshed with an arbitrary webpage. The issue was addressed through restricted support for HTML content.
  • CVE-2015-3725 : A malicious universal provisioning profile app can prevent a Watch app from launching. An issue existed in the install logic for universal provisioning profile apps on the Watch which allowed a collision to occur with existing bundle IDs. This issue was addressed through improved collision checking.
  • CVE-2015-1155 : Visiting a maliciously crafted website may compromise user information on the filesystem. A state management issue existed in Safari that allowed unprivileged origins to access contents on the filesystem. This issue was addressed through improved state management.
  • CVE-2015-3658 : Visiting a maliciously crafted website may lead to account takeover. An issue existed where Safari would preserve the Origin request header for cross-origin redirects, allowing malicious websites to circumvent CSRF protections. The issue was addressed through improved handling of redirects.
  • CVE-2013-1741 : A remote attacker may cause an unexpected application termination or arbitrary code execution. An integer overflow existed in the Security framework code for parsing S/MIME e-mail and some other signed or encrypted objects. This issue was addressed through improved validity checking.
  • CVE-2015-3717 : A remote attacker may cause an unexpected application termination or arbitrary code execution. Multiple buffer overflows existed in SQLite’s printf implementation. These issues were addressed through improved bounds checking.
  • CVE-2015-3726 : Maliciously crafted SIM cards may lead to arbitrary code execution. Multiple input validation issues existed in the parsing of SIM/UIM payloads. These issues were addressed through improved payload validation.
  • CVE-2015-1156 : Visiting a malicious website by clicking a link may lead to user interface spoofing. An issue existed in the handling of the rel attribute in anchor elements. Target objects could get unauthorized access to link objects. This issue was addressed through improved link type adherence.
  • CVE-2015-1152, CVE-2015-1153 : Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
  • CVE-2015-3659 : Visiting a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution. An insufficient comparison issue existed in SQLite authorizer which allowed invocation of arbitrary SQL functions. This issue was addressed with improved authorization checks.
  • CVE-2015-3727 : A maliciously crafted website can access the WebSQL databases of other websites. An issue existed in the authorization checks for renaming WebSQL tables which could have allowed a maliciously crafted website to access databases belonging to other websites. This was addressed through improved authorization checks.
  • CVE-2015-3728 : iOS devices may auto-associate with untrusted access points advertising a known ESSID but with a downgraded security type. An insufficient comparison issue existed in WiFi manager’s evaluation of known access point advertisements. This issue was addressed through improved matching of security parameters.
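The insufficient comparison described for CVE-2015-3728 can be illustrated with a short added example. It is not Apple's code and not part of the original notice; the `Network` type, the security-type labels and their ranking, and the sample networks are all constructed assumptions. It contrasts an ESSID-only match with one that also compares the stored security type, and flags downgraded advertisements for logging:

```python
from dataclasses import dataclass

# Constructed ranking of security types, weakest to strongest (assumption).
SECURITY_RANK = {"open": 0, "wep": 1, "wpa-psk": 2, "wpa2-psk": 3, "wpa2-enterprise": 4}


@dataclass(frozen=True)
class Network:
    essid: str
    security: str  # expected to be a key of SECURITY_RANK


def essid_only_match(known, advert):
    """Insufficient comparison: any advertisement with a known ESSID matches."""
    return known.essid == advert.essid


def strict_match(known, advert):
    """Hardened comparison: ESSID and stored security type must both match."""
    return known.essid == advert.essid and known.security == advert.security


def auto_join_candidates(known_networks, adverts, matcher):
    """Advertisements a device would auto-associate with under `matcher`."""
    return [a for a in adverts if any(matcher(k, a) for k in known_networks)]


def downgraded_adverts(known_networks, adverts):
    """Advertisements reusing a known ESSID with a weaker security type."""
    flagged = []
    for a in adverts:
        a_rank = SECURITY_RANK.get(a.security, -1)  # unknown type counts as weakest
        for k in known_networks:
            if k.essid == a.essid and a_rank < SECURITY_RANK.get(k.security, -1):
                flagged.append(a)
                break
    return flagged


# Constructed sample data: saved networks and nearby advertisements.
KNOWN = [Network("CorpWiFi", "wpa2-enterprise"), Network("CafeGuest", "open")]
ADVERTS = [
    Network("CorpWiFi", "wpa2-enterprise"),  # matches the saved profile
    Network("CorpWiFi", "open"),             # same name, downgraded security
    Network("CafeGuest", "open"),
    Network("Unknown", "wpa2-psk"),
]

if __name__ == "__main__":
    print("ESSID-only:", auto_join_candidates(KNOWN, ADVERTS, essid_only_match))
    print("Strict:    ", auto_join_candidates(KNOWN, ADVERTS, strict_match))
    print("Downgraded:", downgraded_adverts(KNOWN, ADVERTS))
```
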

If you’re worried about the security of your iOS mobile devices, we encourage you to update to Apple’s iOS 8.4. If you own an iPhone 4 and cannot update to the latest iOS version (iOS 7 is the last update iPhone 4 users can receive), now is a great time to upgrade to a newer iPhone and boost your mobile security.

iPhone, iPod and iPad users can get the latest update directly on their iOS devices (Settings > General > Software Update), or they can download and install it in iTunes when the iOS device is connected to a computer with an Internet connection.