Apple has published their regular inventory of security updates in iOS 9. By my count it is a new record of patches: 107 vulnerabilities.
Apple's been getting better and better at documenting and fixing security vulnerabilities. So please do your part and update your devices!
Source: Apple Security Updates
Bushel, an Apple device management solution, powered by JAMF Software, today announced general availability, expanding Apple device management to businesses of all sizes. Bushel is a cloud-based solution designed to make it simple and quick for regular people to complete their management tasks, including Apple device setup, security and usability. The software had been in beta for some time now, and users could use it on an invitation-only basis. Bushel has just today become generally available to the public to sign up for either a free or paid account. You can find out more and sign up on the Bushel website.
iOS 8.0.2 was released last night, just eight days after 8.0, and just a day or so after 8.0.1 was released but quickly pulled. Our database of iOS Devices has all the links for direct downloads. Here are the release notes.
This release contains improvements and bug fixes, including:
- Fixes an issue in iOS 8.0.1 that impacted cellular network connectivity and Touch ID on iPhone 6 and iPhone 6 Plus
- Fixes a bug so HealthKit apps can now be made available on the App Store
- Addresses an issue where 3rd party keyboards could become deselected when a user enters their passcode
- Fixes an issue that prevented some apps from accessing photos from the Photo Library
- Improves the reliability of the Reachability feature on iPhone 6 and iPhone 6 Plus
- Fixes an issue that could cause unexpected cellular data usage when receiving SMS/MMS messages
- Better support of Ask To Buy for Family Sharing for In-App Purchases
- Fixes an issue where ringtones were sometimes not restored from iCloud backups
- Fixes a bug that prevented uploading photos and videos from Safari
For information on the security content of this update, please visit this website:
About a week ago, security researcher Jonathan Zdziarski described a number of undocumented iOS services that he characterized as "backdoors". They allow extraction of data from a device, even one whose storage is encrypted, provided the attacker holds a pairing record from a computer the device has previously trusted (which is not trivial to obtain). Although Jonathan took pains to qualify the announcement, several reports have exaggerated the issue.
In response, Jonathan has compiled a list of more reputable tech articles on the topic. I've reprinted the list below.
- iOS Lockdown “Backdoors” (TL;DR), by Dino Dai Zovi, co-author of “iOS Hacker’s Handbook”
- Surveillance Mechanisms in iOS Devices – Don’t Panic but… Do Read This, by Elissa Shevinsky, CEO of Glimpse
- Apple iPhones allow extraction of deep personal data, researcher finds, by Joseph Menn, Reuters
- Is Apple’s iOS Backdoor Not a Backdoor, by Nathaniel Arnold, Wall Street Cheat Sheet
- iOS slurp ware brouhaha: It’s for diagnostics, honest, says Apple, by Iain Thomson, The Register
Apple has published a list of security content in iOS 7.1.1, which was released this afternoon. Here are the highlights:
- CFNetwork HTTPProtocol: An attacker in a privileged network position can obtain web site credentials
- IOKit Kernel: A local user can read kernel pointers, which can be used to bypass kernel address space layout randomization
- Security - Secure Transport: An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL
- WebKit: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Quite a bit for a dot-dot-one release. Set your compliance rules accordingly and encourage updates.
I'm curious: do any of you have stats on how quickly your users update?
Yesterday a vulnerability came to light in OpenSSL, which underpins much of the security infrastructure on web servers and application servers around the Internet. Today the technology world is on fire about the bug, which has been named Heartbleed. Basically, any server running OpenSSL 1.0.1 through 1.0.1f will hand back up to 64 KB of its process memory in response to a single malformed TLS heartbeat request, with no authentication required; 1.0.1g fixes it. There is an online tool available to check your servers.
The bug, however, doesn't only affect web browsing. Whatever happens to be in the vulnerable process's memory can leak, and that includes private keys. An MDM server holds the private key for its Apple Push Notification Service certificate, and APNS is the foundation of MDM: it is how the server tells enrolled devices to check in for commands.
If your MDM service happens to be vulnerable, or was vulnerable any time in the two years the bug has been in OpenSSL, then it is possible someone has stolen your server's private APNS key. With that key they hold your MDM's identity toward Apple's push service, and your MDM is compromised. Since a Heartbleed request leaves no trace in server logs, you can't rule that out after the fact, so it may be better to err on the safe side.
The "safe side" for MDM means revoking your APNS push certificate and re-enrolling all devices. By hand. A new push certificate carries a new topic, and devices enrolled under the old topic can no longer be reached, so there is no shortcut. (Rotate the server's own TLS certificate and key as well; the same leak exposes them.) That is going to be a huge bucket of pain.
So here is hoping your particular MDM service is not and was not vulnerable. I've heard from a few already, but will wait for official statements to become available before posting. Watch this thread for more as this develops.
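As an added example that is not from the original post or from any MDM vendor: a small Python check that reads the banner from `openssl version -a` on an MDM host and classifies it. It encodes the affected upstream range above (1.0.1 through 1.0.1f, plus the 1.0.2-beta1 prerelease) and handles the catch a practitioner hits in practice: distributions backported the fix without changing the version string, so a 1.0.1e banner built on or after the 1.0.1g release day is reported as "possibly patched" rather than "vulnerable", to be confirmed with a live heartbeat test rather than trusted outright. The `assess` function name and the verdict strings are this example's own.

```python
"""Heartbleed (CVE-2014-0160) exposure check from the output of `openssl version -a`.

Added example for this post, not code from the original page or any tool it mentions.
Only the upstream version range is encoded here; the edge case handled is that
distribution vendors backported the fix without bumping the version string (Debian
and Red Hat stayed on 1.0.1e), so a build date on or after the 1.0.1g release day
downgrades "vulnerable" to "possibly patched" and points you at a live check.
"""
import re
from datetime import date

# Upstream releases that shipped the broken heartbeat code.
VULNERABLE_1_0_1_SUFFIXES = ("", "a", "b", "c", "d", "e", "f")   # 1.0.1 .. 1.0.1f
VULNERABLE_1_0_2_PRERELEASES = ("beta1",)                        # fixed in 1.0.2-beta2
FIX_RELEASE_DATE = date(2014, 4, 7)                              # OpenSSL 1.0.1g

_MONTHS = {m: i for i, m in enumerate(
    ("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"), 1)}

# e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014"
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|pre\d+))?")
# e.g. "built on: Tue Apr  8 02:39:29 UTC 2014"
_BUILT_RE = re.compile(
    r"built on:\s*\w{3}\s+(\w{3})\s+(\d{1,2})\s+\d{2}:\d{2}:\d{2}\s+(?:\w+\s+)?(\d{4})")


def parse_version(text):
    """Return (major, minor, fix, suffix, prerelease) or None if no OpenSSL banner."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, suffix, pre = m.groups()
    return int(major), int(minor), int(fix), suffix, pre or ""


def parse_build_date(text):
    """Return the 'built on:' date if the banner carries one, else None."""
    m = _BUILT_RE.search(text)
    if not m:
        return None
    mon, day, year = m.groups()
    if mon not in _MONTHS:
        return None
    return date(int(year), _MONTHS[mon], int(day))


def classify_version(ver):
    """Verdict from the upstream version number alone."""
    major, minor, fix, suffix, pre = ver
    if (major, minor, fix) == (1, 0, 1):
        return "vulnerable" if suffix in VULNERABLE_1_0_1_SUFFIXES else "fixed"
    if (major, minor, fix) == (1, 0, 2):
        return "vulnerable" if pre in VULNERABLE_1_0_2_PRERELEASES else "fixed"
    # 0.9.8 and 1.0.0 predate the heartbeat extension; 1.1.x and later shipped fixed.
    return "not affected"


def assess(version_output):
    """Combine version and build date into an actionable verdict.

    Returns one of: "vulnerable", "possibly patched", "fixed", "not affected", "unknown".
    """
    ver = parse_version(version_output)
    if ver is None:
        return "unknown"
    verdict = classify_version(ver)
    if verdict == "vulnerable":
        built = parse_build_date(version_output)
        if built is not None and built >= FIX_RELEASE_DATE:
            # A post-1.0.1g build carrying a 1.0.1e banner is almost certainly a vendor
            # backport; confirm with a live heartbeat test before trusting it.
            return "possibly patched"
    return verdict


if __name__ == "__main__":
    import subprocess
    # Inspect the local binary; raises FileNotFoundError if no openssl is on PATH.
    out = subprocess.run(["openssl", "version", "-a"], capture_output=True, text=True).stdout
    print(assess(out))
```

Run it on each host behind the MDM service, not just the public web tier; the APNS key lives in whichever process talks to Apple. A "fixed" or "possibly patched" result today says nothing about the two years before the patch, which is the point of the paragraph above.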
Apple today released iOS 7.0.6 with an important security fix:
Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
Available, as always, via Software Update. Direct download links for each build are in our database of iOS Devices.
There is a lot to like about Apple's new iPhone 5s announced Tuesday. The faster, 64-bit chip, the battery-saving M7 motion processor, the really nice camera. And gold, if that's what rings your bell. But for enterprises, the headline feature seems to be "Touch ID", the fingerprint sensor built into the home button of the top-end phone.
It is clearly a leap forward, and journalists are getting very excited. But we need a reality check here, as there are some subtle but critical details that don't seem to be getting attention. Touch ID is not going to replace your passcode, it isn't more secure than your passcode, and it isn't two-factor authentication. If used properly, it can improve security for many of us. And in truth, it is a hell of a lot better than nothing.
Let me 'splain what I'm thinking.
Today, the key info about this feature comes from an article in the Wall Street Journal. An unnamed Apple representative says this:
Apple customers who wish to use Touch ID also have to create a passcode as a backup. Only that passcode (not a finger) can unlock the phone if the phone is rebooted or hasn’t been unlocked for 48 hours.
The way I interpret this statement is this: the passcode is, as today, the primary means of securing the device. The passcode is always available. The fingerprint sensor is an alternative means of unlocking the device, but the passcode will always be there. The fingerprint sensor is, in a sense, a shortcut to the passcode.
No additional security (unless you add it)
An iPhone with no passcode is like leaving the door to your house wide open.
Use a passcode, and you've closed and locked that door.
Not only is the phone locked, but your passcode is now entangled with the keys that encrypt the data on your phone. So even if someone breaks open the hardware and removes the chips, your encrypted data stays unreadable without that passcode.
Introduce Touch ID, and here's what you have:
Now you have two ways into your house: Use the same passcode door as before or use the fingerprint door. If one door doesn't let you in maybe the other will. To me, it is clear this is not more secure than one door. If your passcode is "1-1-1-1" then I don't care about your fingers, I'll just enter through the passcode.
The standard 4-digit numeric passcode is pretty easy to crack. There are only 10,000 combinations, after all. The guesses have to run on the device itself, because the key derivation is entangled with the hardware key and tuned to take about 80 ms per attempt, but that still exhausts every 4-digit code in well under 15 minutes if an attacker can bypass the escalating lockout delays. Move to a longer alphanumeric passcode and the same arithmetic stretches into years.
But there is a way Touch ID can enable stronger security. Since the fingerprint is effectively a shortcut around a passcode, I can now make a really difficult passcode to get into my phone. A passcode with 18 characters and symbols and caps and emoji and stuff. A passcode that was so difficult to enter that it would drive me crazy if I needed to enter it every 5 minutes. But if I need to enter the complex passcode only when rebooting the phone (almost never), after 48 hours idle (absolutely never), or after five failed fingerprint matches, then I can live with that.
Better security, but only indirectly enabled by biometrics.
Not two-factor authentication
Maybe you can see by now that the fingerprint sensor on the iPhone 5s does not provide two-factor authentication. 2FA is like two locks on the same door.
I use Google 2-Step Verification for my Google accounts — you should too — and that makes me happy. When I use that I need to enter BOTH my password and my 1-time code. [Experts will say this isn't true 2FA, but it keeps me feeling warm and fuzzy.]
Way better than nothing
Greater improvements to security also arrive in iOS 7. On setup, users are prompted — actually encouraged even — to enter a passcode. And where apps used to have to opt in to the protected data store, iOS 7 protects third-party app data under a passcode-derived key by default (the NSFileProtectionCompleteUntilFirstUserAuthentication class).
In truth, we should remember that not enough iOS users enter any passcode. Instead they leave their door wide open. Maybe having the fingerprint sensor is going to be just cool technology and smart shortcuts to get people to lock their front doors.
Update: You may know that using Mobile Device Management, configuration profiles, and/or ActiveSync, an administrator can require a passcode. I've heard many people asking if there will be a similar key to require a fingerprint. If I'm right in my thinking, we won't see that. If I'm right that the current implementation otherwise diminishes security (slightly), we'll see a key to disable fingerprint sensing instead.
Update 9/22: Yup, right. The new Configuration Profile Reference has a key "allowFingerprintForUnlock" that defaults to true. So you can disable fingerprint unlock, but not enforce it. Oh, and the CCC claims it has just defeated Touch ID with a fake finger made from a high-resolution photograph of a print left on a glass surface.
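Putting the post's argument into an actual profile, as an added example (not Apple's code and not any MDM vendor's): a Python script that uses the standard library's plistlib to emit a .mobileconfig with a passcode policy payload (com.apple.mobiledevice.passwordpolicy) requiring a long, non-simple alphanumeric passcode, alongside a restrictions payload (com.apple.applicationaccess) carrying the allowFingerprintForUnlock key discussed above. The organization prefix, identifiers, display names and the exact thresholds are assumptions to replace with your own policy, and review_profile is this example's own sanity check for the combinations the post warns about (a short PIN next to Touch ID, or a long passcode with Touch ID switched off).

```python
"""Configuration profile pairing a complex passcode with Touch ID as the shortcut.

Added example for this post; it is not Apple's code or any MDM vendor's. Payload
types and keys are the documented ones (com.apple.mobiledevice.passwordpolicy and
com.apple.applicationaccess, the latter carrying allowFingerprintForUnlock). The
organization prefix, identifiers and the specific thresholds are assumptions.
"""
import plistlib
import uuid

ORG = "com.example.mdm"   # assumption: reverse-DNS prefix for payload identifiers


def _common(suffix, payload_type, name):
    """Keys every payload (and the enclosing profile) must carry."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG}.{suffix}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
    }


def passcode_payload(min_length=8):
    """Enforce the long, non-simple passcode the post argues Touch ID makes bearable."""
    payload = _common("passcode", "com.apple.mobiledevice.passwordpolicy", "Passcode policy")
    payload.update({
        "forcePIN": True,              # a passcode is mandatory
        "allowSimple": False,          # rejects 1-1-1-1 style repeating/sequential codes
        "requireAlphanumeric": True,   # letters and digits, not a numeric PIN
        "minLength": min_length,
        "minComplexChars": 1,          # at least one non-alphanumeric character
        "maxFailedAttempts": 10,       # device wipes after ten wrong passcodes
        "maxInactivity": 5,            # auto-lock after five idle minutes
        "maxGracePeriod": 0,           # no unlock-without-passcode window after locking
    })
    return payload


def restrictions_payload(allow_touch_id=True):
    """allowFingerprintForUnlock defaults to true; false disables Touch ID unlock."""
    payload = _common("restrictions", "com.apple.applicationaccess", "Restrictions")
    payload["allowFingerprintForUnlock"] = allow_touch_id
    return payload


def build_profile(allow_touch_id=True, min_length=8):
    """Return the .mobileconfig bytes (unsigned; sign or deliver via MDM for production)."""
    profile = _common("security", "Configuration", "Security baseline")
    profile["PayloadOrganization"] = ORG
    profile["PayloadContent"] = [passcode_payload(min_length), restrictions_payload(allow_touch_id)]
    return plistlib.dumps(profile)


def effective_settings(data):
    """Merge the policy keys from every payload into one flat dict."""
    profile = plistlib.loads(data)
    merged = {}
    for payload in profile["PayloadContent"]:
        merged.update({k: v for k, v in payload.items() if not k.startswith("Payload")})
    return merged


def review_profile(data):
    """Flag combinations that undercut the post's reasoning. Returns a list of findings."""
    s = effective_settings(data)
    findings = []
    if not s.get("forcePIN"):
        findings.append("no passcode required: the front door is wide open")
    if s.get("allowSimple", True) or not s.get("requireAlphanumeric") or s.get("minLength", 0) < 6:
        findings.append("passcode policy still permits a short or simple code; Touch ID adds nothing over it")
    if not s.get("allowFingerprintForUnlock", True) and s.get("minLength", 0) >= 8:
        findings.append("long passcode with Touch ID disabled: expect users to fight the policy")
    return findings


if __name__ == "__main__":
    with open("security-baseline.mobileconfig", "wb") as fh:
        fh.write(build_profile())
```

The output is unsigned; a production profile is signed or pushed by the MDM. Setting allowFingerprintForUnlock to false removes the shortcut and, as noted above, there is no key to require it.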
In case you need another reason to update to iOS 7, here is a really long list of its security fixes
Apple has posted a remarkably long list of security vulnerabilities found in iOS 6 and fixed in iOS 7. See this link: http://support.apple.com/kb/HT5934