Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Apple
    • Apple
    • Cybersecurity

    Apple’s iOS 9 Addresses Long List of Vulnerabilities

    By
    Sean Michael Kerner
    -
    September 17, 2015
    Share
    Facebook
    Twitter
    Linkedin
      iOS 9 security

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      In addition to many new features, Apple’s iOS 9 addresses a long list of security vulnerabilities. The iOS 9 security updates follow the iOS 8.4 security updates, which came out June 30.

      Apple Pay received a patch for a vulnerability identified as CVE-2015-5916 that erroneously enables transaction log functionality on some configurations. Among the key promises of Apple Pay is the confidentially of information.

      “Some cards may allow a terminal to retrieve limited recent transaction information when making a payment,” Apple noted in its security advisory.

      As with most modern mobile operating systems, iOS offers users the option of enabling a passcode to protect access to a device. The CVE-2015-5850 flaw that was fixed in iOS 9 could have enabled an attacker to reset a passcode with an iOS backup.

      Access credentials are also being secured in iOS 9 with a patch to the iTunes Store component. CVE-2015-5832, reported to Apple by security researcher Kasif Dekel from Check Point Software, is a vulnerability in which AppleID credentials remained persistent in iOS even after a user signed out. Stored AppleID credentials were recently identified by Palo Alto Networks as being at risk on jailbroken iOS devices in the so-called Keyraider attack that affected users in 18 countries.

      The iOS 9 security patches deal with a particularly nasty spoofing risk in the Mail application that Salesforce.com Principal Security Engineer Emre Saglam reported to Apple.

      “An attacker can send an email that appears to come from a contact in the recipient’s address book,” Apple warns in its advisory. “This issue was addressed through improved validation.”

      The issue of application trust is always top of mind for enterprises. For iOS 9, researchers from security firm FireEye informed Apple of the CVE-2015-5837 flaw, which could have enabled a malicious enterprise application to install extensions, even if the application is not yet trusted by the enterprise.

      The CFNetwork component, which provides core networking technologies to iOS, is being patched for nine different security issues. Among the CFNetwork vulnerabilities is CVE-2015-5858, a Web address parsing flaw in handling HSTS (HTTP Strict Transport Security). With HSTS, a Website can specify that it is only available over an HTTPS encrypted connection. The flaw is that an attacker could bypass HSTS, potentially leaking sensitive data.

      CVE-2015-5860 is another CFNetwork flaw in HSTS handling that affects the Safari Web browser running in private browsing mode. The purpose of private browsing mode is not to store history or cookies. With the CVE-2015-5860 flaw, an attacker could have potentially tracked users in Safari private browsing mode.

      CFNetwork is also being hardened to limit the risk of Secure Sockets Layer (SSL) decryption by way of the RC4 encryption cipher, which is known to be insecure.

      “An attacker could force the use of RC4, even if the server preferred better ciphers, by blocking TLS 1.0 and higher connections until CFNetwork tried SSL 3.0, which only allows RC4,” Apple warns. “This issue was addressed by removing the fallback to SSL 3.0.”

      The issue of SSL 3.0 fallback has affected many vendors in the last year, including Apple (which patched for the POODLE flaw, which was first disclosed in October 2014).

      The largest single source of patched vulnerabilities in iOS 9 is found in the WebKit rendering engine, which is being fixed for 34 different issues. Of those, Apple identified 25 as memory corruption issues that could lead to arbitrary code execution.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Artificial Intelligence

      10 Best AI 3D Generators 2023

      Aminu Abdullahi - November 17, 2023 0
      AI 3D Generators are powerful tools for creating 3D models and animations. Discover the 10 best AI 3D Generators for 2023 and explore their features.
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×