If you’re concerned about apps being able to run any code they want on your iPhone, you’re going to want to update iOS somewhat soon. Like, today.
Apple on Monday released a new version of iOS that includes patches for several arbitrary code execution vulnerabilities, including two such flaws in the iOS kernel. There are two separate code execution vulnerabilities in the kernel that Apple patched in iOS 10.2.1, one of which is a buffer overflow and the other of which is a use-after-free bug. Both of these flaws can be triggered by a malicious application. Both of those vulnerabilities were discovered by Ian Beer, a security researcher with Google’s Project Zero.
One of the other remote code execution bugs Apple fixed with this release is another buffer overflow, this one is libarchive. An attacker who can get a user to open a malicious archive can then execute arbitrary code on the target device. Apple also patched seven vulnerabilities in the WebKit framework, three of which can be used for arbitrary code execution.
As is the norm, Apple hasn’t released any of the specific details about the vulnerabilities it patched with this release.