| Researchers July 20, 2016

July 20, 2016

A closer look at iOS 9.3.3: Apple patches 43 security vulnerabilities

By Andrew Blaich

Apple released the latest version of iOS version 9.3.3 on July 18 including patches for 43 security vulnerabilities. Industry watchers have been anticipating this update as one of the final patch cycles for iOS 9 before iOS 10 is released in the fall.
For enterprises with iOS deployments, regardless if they are corporately- or personally-provided, it’s important to know about the vulnerabilities and the latest patches and encourage users to update their devices.
Since it launched in September 2015, Apple has issued 334 security patches to iOS 9. This is already a little ahead of iOS 8, which only had 273 patches during its lifetime.
Screen Shot 2016-07-20 at 3.19.05 PM
Let’s take a look at the patches in more depth:
Process enumeration patch
As expected, Apple released a patch to prevent any application from enumerating the processes on a device. A number of developers used this access as a workaround to get process and app information, as this information was otherwise unavailable. While the ability to get the process information could help developers provide a variety of services, it can also be used by malicious actors — as is the case with Android — and it’s important to prevent the accidental disclosure of personal information without a user’s knowledge.
Remote Controllable Executable (RCE) attacks
There were at least three remote controllable executable (RCE) attacks patched in this update. An RCE essentially enables an attacker to take over your device just by getting you to click a link, view an image, or open a corporate document.
While we continue to see RCE’s monthly in both iOS and Android this does not diminish the critical nature of them. It is incredibly important that when one is found and patched that users immediately patch their devices to avoid exploitation.
Enterprises should pay special attention to RCEs as they allow attackers easy access to company data. Sixty-four percent of IT and security leaders say it is very likely that sensitive corporate data is present on their employees’ mobile devices, according to a recent survey from analyst firm ESG. That information needs to be protected, and ensuring employee devices are running the latest software versions is good place to start.
The other patches
Apple released several other patches that prevent: denial of service attacks, remote code execution, privilege escalation, and user information disclosure. The patches in this release affect Apple’s own libraries and services in addition to several third-party libraries such libxml2 and libxslt that have previously had security issues, which were patched earlier this year.
As always, iOS users are advised to update when the OS update becomes available for your device.


Andrew Blaich,
Manager - Vulnerability Research