About the security content of iOS 9.3.3

This document describes the security content of iOS 9.3.3.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.

Apple security documents reference vulnerabilities by CVE-ID when possible.

iOS 9.3.3

Released July 18, 2016

Calendar

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A maliciously crafted calendar invite may cause a device to unexpectedly restart

Description: A null pointer dereference was addressed through improved memory handling.

CVE-2016-4605 : Henry Feldman MD at Beth Israel Deaconess Medical Center

CFNetwork Credentials

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: An attacker in a privileged network position may be able to leak sensitive user information

Description: A downgrade issue existed with HTTP authentication credentials saved in Keychain. This issue was addressed by storing the authentication types with the credentials.

CVE-2016-4644 : Jerry Decime coordinated via CERT

CFNetwork Proxies

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: An attacker in a privileged network position may be able to leak sensitive user information

Description: A validation issue existed in the parsing of 407 responses. This issue was addressed through improved response validation.

CVE-2016-4643 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua University; Jerry Decime coordinated via CERT

CFNetwork Proxies

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: An application may unknowingly send a password unencrypted over the network

Description: Proxy authentication incorrectly reported HTTP proxies received credentials securely. This issue was addressed through improved warnings.

CVE-2016-4642 : Jerry Decime coordinated via CERT

CoreGraphics

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A remote attacker may be able to execute arbitrary code

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4637 : Tyler Bohan of Cisco Talos (talosintel.com/vulnerability-reports)

FaceTime

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: An attacker in a privileged network position may be able to cause a relayed call to continue transmitting audio while appearing as if the call terminated

Description: User interface inconsistencies existed in the handling of relayed calls. These issues were addressed through improved FaceTime display logic.

CVE-2016-4635 : Martin Vigo

GasGauge

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.

CVE-2016-7576 : qwertyoruiop

Entry added September 27, 2016

ImageIO

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A remote attacker may be able to cause a denial of service

Description: A memory consumption issue was addressed through improved memory handling.

CVE-2016-4632 : Evgeny Sidorov of Yandex

ImageIO

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A remote attacker may be able to execute arbitrary code

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2016-4631 : Tyler Bohan of Cisco Talos (talosintel.com/vulnerability-reports)

ImageIO

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-7705: Craig Young of Tripwire VERT

Entry added November 30, 2017

IOAcceleratorFamily

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local user may be able to read kernel memory

Description: An out-of-bounds read was addressed through improved bounds checking.

CVE-2016-4628 : Ju Zhu of Trend Micro

IOAcceleratorFamily

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local user may be able to execute arbitrary code with kernel privileges

Description: A null pointer dereference was addressed through improved validation.

CVE-2016-4627 : Ju Zhu of Trend Micro

IOHIDFamily

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local user may be able to execute arbitrary code with kernel privileges

Description: A null pointer dereference was addressed through improved input validation.

CVE-2016-4626 : Stefan Esser of SektionEins

Kernel

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local user may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2016-1863 : Ian Beer of Google Project Zero

CVE-2016-4653 : Ju Zhu of Trend Micro

CVE-2016-4582 : Shrek_wzw and Proteas of Qihoo 360 Nirvan Team

Kernel

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local user may be able to cause a system denial of service

Description: A null pointer dereference was addressed through improved input validation.

CVE-2016-1865 : CESG, Marco Grassi (@marcograss) of KeenLab (@keen_lab), Tencent

Libc

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A buffer overflow existed within the "link_ntoa()" function in linkaddr.c. This issue was addressed through additional bounds checking.

CVE-2016-6559 : Apple

Entry added January 10, 2017

libxml2

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Multiple vulnerabilities in libxml2

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2015-8317 : Hanno Boeck

CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological University

CVE-2016-4447 : Wei Lei and Liu Yang of Nanyang Technological University

CVE-2016-4448 : Apple

CVE-2016-4483 : Gustavo Grieco

CVE-2016-4614 : Nick Wellnhofer

CVE-2016-4615 : Nick Wellnhofer

CVE-2016-4616 : Michael Paddon

Entry updated June 4, 2017

libxml2

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information

Description: An access issue existed in the parsing of maliciously crafted XML files. This issue was addressed through improved input validation.

CVE-2016-4449 : Kostya Serebryany

libxslt

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Multiple vulnerabilities in libxslt

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2016-1683 : Nicolas Grégoire

CVE-2016-1684 : Nicolas Grégoire

CVE-2016-4607 : Nick Wellnhofer

CVE-2016-4608 : Nicolas Grégoire

CVE-2016-4609 : Nick Wellnhofer

CVE-2016-4610 : Nick Wellnhofer

Entry updated April 11, 2017

Safari

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Visiting a malicious website may lead to user interface spoofing

Description: Redirect responses to invalid ports may have allowed a malicious website to display an arbitrary domain while displaying arbitrary content. This issue was addressed through improved URL display logic.

CVE-2016-4604 : xisigr of Tencent's Xuanwu Lab (www.tencent.com)

Sandbox Profiles

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local application may be able to access the process list

Description: An access issue existed with privileged API calls. This issue was addressed through additional restrictions.

CVE-2016-4594 : Stefan Esser of SektionEins

Siri Contacts

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A person with physical access to a device may be able to see private contact information

Description: A privacy issue existed in the handling of Contact cards. This was addressed through improved state management.

CVE-2016-4593 : Pedro Pinheiro (facebook.com/pedro.pinheiro.1996)

Web Media

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Viewing a video in Safari's Private Browsing mode displays the URL of the video outside of Private Browsing mode

Description: A privacy issue existed in the handling of user data by Safari View Controller. This issue was addressed through improved state management.

CVE-2016-4603 : Brian Porter (@portex33)

WebKit

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Visiting a maliciously crafted website may result in the disclosure of process memory

Description: A memory initialization issue was addressed through improved memory handling.

CVE-2016-4587 : Apple

WebKit

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Visiting a malicious website may disclose image data from another website

Description: A timing issue existed in the processing of SVG. This issue was addressed through improved validation.

CVE-2016-4583 : Roeland Krak

WebKit

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Visiting a maliciously crafted website may leak sensitive data

Description: A permissions issue existed in the handling of the location variable. This was addressed though additional ownership checks.

CVE-2016-4591 : ma.la of LINE Corporation

WebKit

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2016-4589 : Tongbo Luo and Bo Qu of Palo Alto Networks

CVE-2016-4622 : Samuel Gross working with Trend Micro's Zero Day Initiative

CVE-2016-4623 : Apple

CVE-2016-4624 : Apple

WebKit

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Visiting a malicious website may lead to user interface spoofing

Description: An origin inheritance issue existed in parsing of about: URLs. This was addressed through improved validation of security origins.

CVE-2016-4590 : xisigr of Tencent's Xuanwu Lab (www.tencent.com)

WebKit

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Visiting a maliciously crafted webpage may lead to a system denial of service

Description: A memory consumption issue was addressed through improved memory handling.

CVE-2016-4592 : Mikhail

WebKit JavaScript Bindings

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Visiting a maliciously crafted website may lead to script execution in the context of a non-HTTP service

Description: A cross-protocol cross-site scripting (XPXSS) issue existed in Safari when submitting forms to non-HTTP services compatible with HTTP/0.9. This issue was addressed by disabling scripts and plugins on resources loaded over HTTP/0.9.

CVE-2016-4651 : Obscure

WebKit Page Loading

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A malicious website may exfiltrate data cross-origin

Description: A cross-site scripting issue existed in Safari URL redirection. This issue was addressed through improved URL validation on redirection.

CVE-2016-4585 : Takeshi Terada of Mitsui Bussan Secure Directions, Inc. (www.mbsd.jp)

WebKit Page Loading

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2016-4584 : Chris Vienneau

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: