maxim
@maxim_apps
Si tenéis un dispositivo iOS es muy importante actualizar urgentemente a IOS 9.3.2, estás con el culo vendido. Estos son todos los parches que tapa la última actualización.
Accessibility
Impact: An application may be able to determine kernel memory layout
Description: A buffer overflow was addressed through improved size validation.
CVE-2016-1790 : Rapelly Akhil
CFNetwork Proxies
Impact: An attacker in a privileged network position may be able to leak sensitive user information
Description: An information leak existed in the handling of HTTP and HTTPS requests. This issue was addressed through improved URL handling.
CVE-ID
CVE-2016-1801 : Alex Chapman and Paul Stone of Context Information Security
CommonCrypto
Impact: A malicious application may be able to leak sensitive user information
Description: An issue existed in the handling of return values in CCCrypt. This issue was addressed through improved key length management.
CVE-2016-1802 : Klaus Rodewig
CoreCapture
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A null pointer dereference was addressed through improved validation.
CVE-2016-1803 : Ian Beer of Google Project Zero, daybreaker working with Trend Micro’s Zero Day Initiative
Disk Images
Impact: A local attacker may be able to read kernel memory
Description: A race condition was addressed through improved locking.
CVE-2016-1807 : Ian Beer of Google Project Zero
Disk Images
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue existed in the parsing of disk images. This issue was addressed through improved memory handling.
CVE-2016-1808 : Moony Li (Flyic) and Jack Tang (jacktang310) of Trend Micro
ImageIO
Impact: Processing a maliciously crafted image may lead to a denial of service
Description: A null pointer dereference was addressed through improved validation.
CVE-2016-1811 : Lander Brandt (landaire)
IOAcceleratorFamily
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-1817 : Moony Li (Flyic) and Jack Tang (jacktang310) of Trend Micro working with Trend Micro's Zero Day Initiative
CVE-2016-1818 : Juwei Lin of TrendMicro
CVE-2016-1819 : Ian Beer of Google Project Zero
IOAcceleratorFamily
Impact: An application may be able to cause a denial of service
Description: A null pointer dereference was addressed through improved locking.
CVE-2016-1814 : Juwei Lin of TrendMicro
IOAcceleratorFamily
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A null pointer dereference was addressed through improved validation.
CVE-2016-1813 : Ian Beer of Google Project Zero
IOHIDFamily
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-1823 : Ian Beer of Google Project Zero
CVE-2016-1824 : Marco Grassi (marcograss) of KeenLab (keen_lab), Tencent
Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-1827 : Brandon Azad
CVE-2016-1829 : CESG
CVE-2016-1830 : Brandon Azad
libc
Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through improved input validation.
CVE-2016-1832 : Karl Williamson
libxml2
Impact: Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-1833 : Mateusz Jurczyk
CVE-2016-1835 : Wei Lei and Liu Yang of Nanyang Technological University
CVE-2016-1838 : Mateusz Jurczyk
CVE-2016-1840 : Kostya Serebryany
libxslt
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-1841 : Sebastian Apelt
MapKit
Impact: An attacker in a privileged network position may be able to leak sensitive user information
Description: Shared links were sent with HTTP rather than HTTPS. This was addressed by enabling HTTPS for shared links.
CVE-2016-1842 : Richard Shupak
OpenGL
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-1847 : Tongbo Luo and Bo Qu of Palo Alto Networks
Safari
Impact: A user may be unable to fully delete browsing history
Description: "Clear History and Website Data" did not clear the history. The issue was addressed through improved data deletion.
CVE-2016-1849 : Adham Ghrayeb
Siri
Impact: A person with physical access to an iOS device may be able to use Siri to access contacts and photos from the the lock screen
Description: A state management issue existed when accessing Siri results on the lock screen. This issue was addressed by disabling data detectors in Twitter results when the device is locked.
CVE-2016-1852 : videosdebarraquito
WebKit
Impact: Visiting a malicious website may disclose data from another website
Description: An insufficient taint tracking issue in the parsing of svg images was addressed through improved taint tracking.
CVE-2016-1858 : an anonymous researcher
WebKit
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-1854 : Anonymous working with Trend Micro's Zero Day Initiative
CVE-2016-1855 : Tongbo Luo and Bo Qu of Palo Alto Networks
CVE-2016-1856 : lokihardt working with Trend Micro's Zero Day Initiative
CVE-2016-1857 : Jeonghoon ShinA.D.D and Liang Chen, Zhen Feng, wushi of KeenLab, Tencent working with Trend Micro's Zero Day Initiative
WebKit Canvas
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-1859 : Liang Chen, wushi of KeenLab, Tencent working with Trend Micro's Zero Day Initiative
Accessibility
Impact: An application may be able to determine kernel memory layout
Description: A buffer overflow was addressed through improved size validation.
CVE-2016-1790 : Rapelly Akhil
CFNetwork Proxies
Impact: An attacker in a privileged network position may be able to leak sensitive user information
Description: An information leak existed in the handling of HTTP and HTTPS requests. This issue was addressed through improved URL handling.
CVE-ID
CVE-2016-1801 : Alex Chapman and Paul Stone of Context Information Security
CommonCrypto
Impact: A malicious application may be able to leak sensitive user information
Description: An issue existed in the handling of return values in CCCrypt. This issue was addressed through improved key length management.
CVE-2016-1802 : Klaus Rodewig
CoreCapture
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A null pointer dereference was addressed through improved validation.
CVE-2016-1803 : Ian Beer of Google Project Zero, daybreaker working with Trend Micro’s Zero Day Initiative
Disk Images
Impact: A local attacker may be able to read kernel memory
Description: A race condition was addressed through improved locking.
CVE-2016-1807 : Ian Beer of Google Project Zero
Disk Images
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue existed in the parsing of disk images. This issue was addressed through improved memory handling.
CVE-2016-1808 : Moony Li (Flyic) and Jack Tang (jacktang310) of Trend Micro
ImageIO
Impact: Processing a maliciously crafted image may lead to a denial of service
Description: A null pointer dereference was addressed through improved validation.
CVE-2016-1811 : Lander Brandt (landaire)
IOAcceleratorFamily
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-1817 : Moony Li (Flyic) and Jack Tang (jacktang310) of Trend Micro working with Trend Micro's Zero Day Initiative
CVE-2016-1818 : Juwei Lin of TrendMicro
CVE-2016-1819 : Ian Beer of Google Project Zero
IOAcceleratorFamily
Impact: An application may be able to cause a denial of service
Description: A null pointer dereference was addressed through improved locking.
CVE-2016-1814 : Juwei Lin of TrendMicro
IOAcceleratorFamily
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A null pointer dereference was addressed through improved validation.
CVE-2016-1813 : Ian Beer of Google Project Zero
IOHIDFamily
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-1823 : Ian Beer of Google Project Zero
CVE-2016-1824 : Marco Grassi (marcograss) of KeenLab (keen_lab), Tencent
Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-1827 : Brandon Azad
CVE-2016-1829 : CESG
CVE-2016-1830 : Brandon Azad
libc
Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through improved input validation.
CVE-2016-1832 : Karl Williamson
libxml2
Impact: Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-1833 : Mateusz Jurczyk
CVE-2016-1835 : Wei Lei and Liu Yang of Nanyang Technological University
CVE-2016-1838 : Mateusz Jurczyk
CVE-2016-1840 : Kostya Serebryany
libxslt
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-1841 : Sebastian Apelt
MapKit
Impact: An attacker in a privileged network position may be able to leak sensitive user information
Description: Shared links were sent with HTTP rather than HTTPS. This was addressed by enabling HTTPS for shared links.
CVE-2016-1842 : Richard Shupak
OpenGL
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-1847 : Tongbo Luo and Bo Qu of Palo Alto Networks
Safari
Impact: A user may be unable to fully delete browsing history
Description: "Clear History and Website Data" did not clear the history. The issue was addressed through improved data deletion.
CVE-2016-1849 : Adham Ghrayeb
Siri
Impact: A person with physical access to an iOS device may be able to use Siri to access contacts and photos from the the lock screen
Description: A state management issue existed when accessing Siri results on the lock screen. This issue was addressed by disabling data detectors in Twitter results when the device is locked.
CVE-2016-1852 : videosdebarraquito
WebKit
Impact: Visiting a malicious website may disclose data from another website
Description: An insufficient taint tracking issue in the parsing of svg images was addressed through improved taint tracking.
CVE-2016-1858 : an anonymous researcher
WebKit
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-1854 : Anonymous working with Trend Micro's Zero Day Initiative
CVE-2016-1855 : Tongbo Luo and Bo Qu of Palo Alto Networks
CVE-2016-1856 : lokihardt working with Trend Micro's Zero Day Initiative
CVE-2016-1857 : Jeonghoon ShinA.D.D and Liang Chen, Zhen Feng, wushi of KeenLab, Tencent working with Trend Micro's Zero Day Initiative
WebKit Canvas
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-1859 : Liang Chen, wushi of KeenLab, Tencent working with Trend Micro's Zero Day Initiative
