iOS 9.2.1 Release, Changelog and exploit patched list.

iOS 9.2.1 was just pushed out to users using a OTA update. The update was just pushed out with the comment:

This update contains security updates and bug fixes including a fix for an issue that could prevent the completion of app installation when using an MDM server.
For information on the security content of this update, please visit this website: https://support.apple.com/HT201222

The official list of exploits patched was just released to public domain here:

Disk Images

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local user may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue existed in the parsing of disk images. This issue was addressed through improved memory handling.

CVE-ID

CVE-2016-1717 : Frank Graziano of Yahoo! Pentest Team

IOHIDFamily

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local user may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue existed in an IOHIDFamily API. This issue was addressed through improved memory handling.

CVE-ID

CVE-2016-1719 : Ian Beer of Google Project Zero

IOKit

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local user may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-ID

CVE-2016-1720 : Ian Beer of Google Project Zero

Kernel

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local user may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-ID

CVE-2016-1721 : Ian Beer of Google Project Zero and Ju Zhu of Trend Micro

libxslt

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

Description: A type confusion issue existed in libxslt. This issue was addressed through improved memory handling.

CVE-ID

CVE-2015-7995 : puzzor

syslog

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local user may be able to execute arbitrary code with root privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-ID

CVE-2016-1722 : Joshua J. Drake and Nikias Bassen of Zimperium zLabs

WebKit

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.

CVE-ID

CVE-2016-1723 : Apple

CVE-2016-1724 : Apple

CVE-2016-1725 : Apple

CVE-2016-1726 : Apple

CVE-2016-1727 : Apple

WebKit CSS

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Websites may know if the user has visited a given link

Description: A privacy issue existed in the handling of the “a:visited button” CSS selector when evaluating the containing element’s height. This was addressed through improved validation.

CVE-ID

CVE-2016-1728 : an anonymous researcher coordinated via Joe Vennix

WebSheet

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A malicious captive portal may be able to access the user’s cookies

Description: An issue existed that allowed some captive portals to read or write cookies. The issue was addressed through an isolated cookie store for all captive portals.

CVE-ID

CVE-2016-1730 : Adi Sharabani and Yair Amit of Skycure

Open

Close