In addition to many new features, Apple’s iOS 9 addresses a long list of security vulnerabilities. The iOS 9 security updates follow the iOS 8.4 security updates, which came out June 30.
Apple Pay received a patch for a vulnerability identified as CVE-2015-5916 that erroneously enables transaction log functionality on some configurations. Among the key promises of Apple Pay is the confidentially of information.
“Some cards may allow a terminal to retrieve limited recent transaction information when making a payment,” Apple noted in its security advisory.
As with most modern mobile operating systems, iOS offers users the option of enabling a passcode to protect access to a device. The CVE-2015-5850 flaw that was fixed in iOS 9 could have enabled an attacker to reset a passcode with an iOS backup.
Access credentials are also being secured in iOS 9 with a patch to the iTunes Store component. CVE-2015-5832, reported to Apple by security researcher Kasif Dekel from Check Point Software, is a vulnerability in which AppleID credentials remained persistent in iOS even after a user signed out. Stored AppleID credentials were recently identified by Palo Alto Networks as being at risk on jailbroken iOS devices in the so-called Keyraider attack that affected users in 18 countries.
The iOS 9 security patches deal with a particularly nasty spoofing risk in the Mail application that Salesforce.com Principal Security Engineer Emre Saglam reported to Apple.
“An attacker can send an email that appears to come from a contact in the recipient’s address book,” Apple warns in its advisory. “This issue was addressed through improved validation.”
The issue of application trust is always top of mind for enterprises. For iOS 9, researchers from security firm FireEye informed Apple of the CVE-2015-5837 flaw, which could have enabled a malicious enterprise application to install extensions, even if the application is not yet trusted by the enterprise.
The CFNetwork component, which provides core networking technologies to iOS, is being patched for nine different security issues. Among the CFNetwork vulnerabilities is CVE-2015-5858, a Web address parsing flaw in handling HSTS (HTTP Strict Transport Security). With HSTS, a Website can specify that it is only available over an HTTPS encrypted connection. The flaw is that an attacker could bypass HSTS, potentially leaking sensitive data.
CVE-2015-5860 is another CFNetwork flaw in HSTS handling that affects the Safari Web browser running in private browsing mode. The purpose of private browsing mode is not to store history or cookies. With the CVE-2015-5860 flaw, an attacker could have potentially tracked users in Safari private browsing mode.
CFNetwork is also being hardened to limit the risk of Secure Sockets Layer (SSL) decryption by way of the RC4 encryption cipher, which is known to be insecure.
“An attacker could force the use of RC4, even if the server preferred better ciphers, by blocking TLS 1.0 and higher connections until CFNetwork tried SSL 3.0, which only allows RC4,” Apple warns. “This issue was addressed by removing the fallback to SSL 3.0.”
The issue of SSL 3.0 fallback has affected many vendors in the last year, including Apple (which patched for the POODLE flaw, which was first disclosed in October 2014).
The largest single source of patched vulnerabilities in iOS 9 is found in the WebKit rendering engine, which is being fixed for 34 different issues. Of those, Apple identified 25 as memory corruption issues that could lead to arbitrary code execution.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.