X

iOS 8 also comes with bucket of security fixes

Long list of iOS 8 security fixes makes your iPhone and iPad safer to use, but Apple doesn't say how severe some of the problems were -- again.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Seth Rosenblatt
3 min read

ios-8-logo-small.jpg

Apple published a long list of iOS 8 security changes on Wednesday as the operating system update got delivered to users. While Apple credited many independent security experts, it continued to not differentiate bugs by severity and buried the fix to a major vulnerability.

The most notable fix of the Apple Knowledge Base list -- more than 53 vulnerabilities long -- was hidden at the bottom of the list separated from the other vulnerabilities as a "note" that read, "iOS 8 contains changes to some diagnostic capabilities."

The note linked to another new Knowledge Base article, which detailed changes to the diagnostic tools in iOS 8. Previously, the tools had allowed people with unauthorized access to iOS's encryption keys to connect wirelessly to the iPhone or iPad and extract sensitive information including text messages and pictures -- without having to unlock the device.

The "backdoor" was revealed at the Hope-X conference in July by independent security and forensics expert Jonathan Zdziarski, who has devoted much of his research to iOS. The vulnerability affected around 600 million iOS devices and could be exploited by anyone, from parents to ex-lovers to government agencies, who paired a computer with the target iOS device until the iOS device was wiped.

At the time, Apple denied that the diagnostic tools were a backdoor created with "any government agency." There was also much debate among security experts as to whether the flaw even met the standard definition of "backdoor." But today, Apple updated the diagnostic tools to prevent that kind of persistent remote access. The company did not credit Zdziarski for exposing the problem, although it did credit other security researchers for finding other bugs on the list, including Zdziarski for another, unrelated bug.

Zdziarski wrote an open letter to Apple about his concerns and said that he worried that Apple buried notice of the bug fix because of the company's ongoing rocky relationship with independent security researchers.

"If it's a small bug that doesn't seem to directly affect several million people, it winds up in the security release notes," Zdziarski told CNET. "If it is a major issue, such as the trust dialog box, or gotofail, it winds up getting downplayed."

Zdziarski is referring to another flaw repaired in iOS 8 that allows users to untrust all previously trusted computers. Like the diagnostic tool fix, it was only mentioned in the Notes section of the vulnerability list.

"For these vulnerabilities to have existed in iOS 7, they could have been big risks to diplomats, executives, even Tim Cook," he said.

Apple did not respond to a request for comment.

Nevertheless, Zdziarski did cheer Apple for rapidly addressing recent security concerns, including the iCloud breach and the diagnostic tools problem.

However, these repairs aren't likely to reach people who refuse to or can't upgrade to iOS 8 since Apple rarely offers security updates for older versions of iOS. The full list of vulnerabilities covers nearly every aspect of how iOS operates, from the kernel to Bluetooth functionality to Safari's WebKit engine to how account data gets managed.

Aside from the diagnostic tool flaw, the worst of them would allow a hacker to run malicious code on your iPhone or iPad after gaining root access.

Other major flaws repaired in iOS 8 included tracking by Wi-Fi MAC address, Apple ID information available through a hole in the sandbox, user credentials open to anyone with a privileged status on the network, and a vulnerability that could allow an attacker with local access to the phone to install unverified apps without permission.

One WebKit bug was fixed last December in Safari for Mac, noted CNET sister site ZDNet, but only fixed in iOS today.

While many are heralding the era of a kinder, gentler Apple, those cultural changes have yet to extend to the security community.