
SANS ISC: iOS 6 Security Roundup - SANS Internet Storm Center SANS ISC InfoSec Forums


iOS 6 Security Roundup

With the release of iOS 6 earlier this week, a couple of security-related features changed their behavior. These changes come in addition to the long list of security fixes that Apple released in iOS 6. [1]

Siri: Siri gained additional capabilities, including the ability to Tweet and update Facebook. This feature is available even on a locked iPhone. To disable this feature, make sure Siri is disabled when the phone is locked.

Passwordless updates: Updating apps no longer requires that you enter your password. I haven't found a method yet to turn this off (but I actually like it, as my iTunes password is quite complex).

Social Media Integration: Adding a Facebook account to your iOS device will sync your contact settings with Facebook (there is a clear warning that this will happen). Facebook recently changed the default address of all accounts to @facebook.com and e-mail addresses in your contact list may be updated with the @facebook.com address as a result.

A bug found at this week's Pwn2Own contest at the EuSecWest conference apparently leaks personal information like contacts and pictures to malicious websites. The bug was demonstrated in iOS 5.1.1, but has not been fixed yet in iOS 6 as it was just reported to Apple this week. [2]

[1] http://prod.lists.apple.com/archives/security-announce/2012/Sep/msg00003.html
[2] http://www.techspot.com/news/50232-galaxy-s3-and-iphone-4s-exploited-at-pwn2own-competition.html

Any other security related issues you noticed?

Update: Link to patches added per the comment below.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Another new feature I liked is the privacy entry in the menu. You can see over there which apps accessed your pictures or agenda, for instance.
Anonymous
Not an issue, but I'm glad to see all these CVEs being closed:

http://support.apple.com/kb/HT5503

(I count 197)
Anonymous
