On the iOS system“Trident”vulnerability briefings-vulnerability warning-the black bar safety net

2016-08-28T00:00:00
ID MYHACK58:62201678463
Type myhack58
Reporter 佚名
Modified 2016-08-28T00:00:00

Description

! Recently, on the Internet to disclose about the iOS operating system there is“Trident”vulnerability, CNNVD-2 0 1 6 0 8-4 6 0, the CNNVD-2 0 1 6 0 8-4 6 1, THE CNNVD-2 0 1 6 0 8-4 6 2. 8 on 1 5 December, by the Canadian citizen lab the Citizen Lab and the U.S. Lookout mobile security companies combined notes that iOS 7. 0 version to 9. 3. 4 version there are three security vulnerabilities, an attacker can use the vulnerability of the affected iPhone for a remote attack, in order to achieve complete control purposes. 8 on 2 5 May, the United States, Apple for the above vulnerability released fixes. National information security vulnerability database(CNNVD for the tracking analysis, a detailed analysis of the situation is as follows: A, vulnerability introduction the iOS operating system is the United States Apple Apple Inc. Company for mobile devices the development of a set ofoperating system, the main application to the company for the production of the iPhone and other devices. The disclosure of the vulnerability in the iOS kernel components kernel and Apple Safari browser such as the widely used open source browser engine WebKit. 1, iOS 7. 0 version to 9. 3. 4 version of the kernel components kernel information disclosure vulnerability(vulnerability ID: CNNVD-2 0 1 6 0 8-4 6 0, the CVE-2 0 1 6-4 6 5 of 5). The attacker may be by means of construct a malicious app to exploit the vulnerability to obtain sensitive information. 2, iOS 7. 0 version to 9. 3. 4 version of the kernel components memory corruption vulnerability(vulnerability ID: CNNVD-2 0 1 6 0 8-4 6 1, CVE-2 0 1 6-4 6 5 6)。 The attacker may be by means of construct a malicious app to exploit the vulnerability kernel privilege to execute arbitrary code or cause a denial of service memory is corrupted. 3, iOS 7. 0 version to 9. 3. 4 version of WebKit memory corruption vulnerability(vulnerability ID: CNNVD-2 0 1 6 0 8-4 6 2, The CVE-2 0 1 6-4 6 5 7). The A remote attacker with a malicious website to exploit the vulnerability to execute arbitrary code or cause a denial of service memory is corrupted. Second, the attack process CNNVD the above-mentioned vulnerability of the process to sort out, summed up as follows: The first stage, the attacker convinces a user to the Mobile Safari browser to open a malicious link, the link points to for memory corruption vulnerability (CNNVD-2 0 1 6 0 8-4 6 2)the attack code, the attacker can be in the Safari browser sandbox arbitrary code execution. The second stage, the attacker uses the kernel information disclosure vulnerability(CNNVD-2 0 1 6 0 8-4 6 0)the query to the kernel memory address, and the use of the kernel in the presence of memory corruption vulnerability(CNNVD-2 0 1 6 0 8-4 6 1),to achieve kernel privileges to execute arbitrary code, and ultimately achieve full control of the user equipment for the purpose. Third, the vulnerability to hazards Using the above three vulnerabilities can cause the following hazards: 1, The user privacy leak, such as access to device data, view phone camera, Spy calls and recordings, view Application information, etc.; 2, The remote control device, such as monitoring of the GPS signal location. Fourth, the repair measures 1, The use of Apple mobile device users, should be timely check the iOS version is in the affected range. As affected, please upgrade as soon as possible to the latest iOS 9.3.5 version, the timely repair loopholes, eliminate hidden dangers. Announcement link: https://support.apple.com/HT207107 2, The system is not upgraded before, please users cautious of suspicious links. This report by the CNNVD technical support units—Beijing qihoo Technology Co., Ltd., Shanghai the elephants Information Technology Co., Ltd. to provide support. CNNVD will continue to track the vulnerability of the relevant circumstances, the timely release relevant information. If necessary, can be used with CNNVD timely contact. Contact phone: 010-82341439 it.