Nessus | Tenable | 9929.PRM
History: Jan 30, 2017 - 12:00 a.m.

Apple iOS < 10.2.1 Multiple Vulnerabilities

2017-01-30 00:00:00
Tenable
www.tenable.com
8

The version of iOS running on the mobile device is prior to 10.2.1 and is affected by multiple vulnerabilities:

  • A prototype access flaw exists that is triggered when handling exceptions. With specially crafted web content, a context-dependent attacker may exfiltrate cross-origin data. (CVE-2017-2350)
  • A flaw exists in WiFi that is triggered when handling user input. This may allow a physically present attacker to bypass the lock and briefly access the home screen. (CVE-2017-2351)
  • A logic flaw exists related to state management in Auto Unlock. This may allow a physically present attacker to potentially unlock a watch when it is off the user’s wrist. (CVE-2017-2352)
  • A type confusion flaw exists that is triggered as input is not properly validated when handling ‘SearchInputType’ objects. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2017-2354)
  • An unspecified memory initialization flaw exists that may allow a context-dependent attacker to potentially execute arbitrary code. No further details have been provided. (CVE-2017-2355)
  • A flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2017-2356, CVE-2017-2362, CVE-2017-2366, CVE-2017-2369, CVE-2017-2373)
  • A use-after-free error exists in the ‘host_self_trap’ mach trap. This may allow a local attacker to dereference already freed memory and gain elevated privileges. (CVE-2017-2360)
  • A flaw exists that is triggered as input is not properly validated when handling page loading. This may allow a context-dependent attacker to exfiltrate cross-origin data. (CVE-2017-2363, CVE-2017-2364)
  • A flaw exists that is triggered as input is not properly validated when handling variables. This may allow a context-dependent attacker to exfiltrate cross-origin data. (CVE-2017-2365)
  • A flaw exists in Contacts that is triggered as input is not properly validated during the handling of a specially crafted contact card. This may allow a context-dependent attacker to crash the system. (CVE-2017-2368)
  • An overflow condition exists in the ‘mach_voucher_extract_attr_recipe_trap()’ function that is triggered as certain input is not properly validated. This may allow a local attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2017-2370)
  • An unspecified flaw exists that may allow a context-dependent attacker to bypass popup restrictions via a specially crafted website. No further details have been provided. (CVE-2017-2371)
Vendor | Product   | Version | CPE
apple  | iphone_os |         | cpe:/o:apple:iphone_os

References