Skip to main content
Learn More
McNeese Information Security keyboard banner

Multiple Vulnerabilities in Apple iOS

Multiple Vulnerabilities in Apple iOS

CIS ADVISORY NUMBER: 2014-057

Executive Summary

07/01/2014
Multiple vulnerabilities have been discovered in Apple's mobile operating system, iOS. These vulnerabilities can be exploited by an attacker having physical access to the device, or if the user visits a specially crafted webpage. Successful exploitation could result in an attacker executing arbitrary code, cause denial-of-service conditions, gain unauthorized access, acquire sensitive information, bypass security restrictions, and perform other unauthorized actions.

Threat Intelligence

Due to the trivial nature of these vulnerabilities, there is not any known proof-of-concept code available.

System Affected

  • Apple iOS Prior to 7.1.2

Risk

Government
  • Large and medium government entities: High
  • Small government entities: High
Businesses
  • Large and medium business entities: High
  • Small business entities: High
Home users
  • High

Technical Summary

Nine vulnerabilities have been reported in Apple iOS. Details of the vulnerabilities are as follows:
  • A spoofing vulnerability when handling a specially crafted website. [CVE-2014-1345]
  • A security weakness exists due to data protection being disabled. [CVE-2014-1348]
  • A use-after-free error when handling a specially crafted website. [CVE-2014-1349]
  • A security-bypass vulnerability when handling "Find My iPhone". [CVE-2014-1350]
  • A security-bypass vulnerability exists due to a failure to restrict access to view all contacts. [CVE-2014-1351]
  • A security-bypass vulnerability exists due to a failure to properly enforce a maximum number of failed passcode attempts. [CVE-2014-1352]
  • A security-bypass vulnerability exists due to improper state management in Airplane Mode [CVE-2014-1353]
  • A remote-code execution when handling a specially crafted XMB file. [CVE-2014-1354]
  • A security-bypass vulnerability due to a failure to properly check during device activation. [CVE-2014-1360]
Successful exploitation could result in an attacker executing arbitrary code, cause denial-of-service conditions, gain unauthorized access, acquire sensitive information, bypass security restrictions, and perform other unauthorized actions.

Recommendations

We recommend the following actions be taken:
  • Update Apple iOS to the most current version, 7.1.2.
  • Use safe web browsing techniques to avoid visiting specially crafted webpages.
  • Avoid leaving Apple iOS devices unattended.

References


TLP:WHITE
Traffic Light Protocol (TLP): WHITE information may be distributed without restriction, subject to copyright controls.
http://www.us-cert.gov/tlp/
 
Note: This alert is intended to identify system-related announcements (system exploits, vulnerabilities, virus attacks, etc.) The information is obtained from several sources including the DHS/US-CERT, SANS, and vendor community. The OIT security office does not validate the information. The intent is to alert the agency personnel on possible exploits, system vulnerabilities, virus attacks and hacker attacks. In each instance we will attempt to provide a specific address relative to the problem and the corresponding patch or fix.

OIT-SEC-ALERT@LISTSERV.DOA.LA.GOV