Apple has patched a wide range of serious vulnerabilities in iOS 10.3.2, including several flaws in the kernel and a number of others that can be used to execute arbitrary code.
Among the more serious vulnerabilities fixed in the new version of iOS are several flaws in SQLite, all of which can lead to arbitrary code execution. Many of the bugs are memory corruption issues, including a buffer overflow and a use-after-free vulnerability. Interestingly, several of the SQLite vulnerabilities were discovered through Google’s OSS-Fuzz program, which searches for flaws in widely used open source software applications.
Apple also fixed two kernel vulnerabilities in iOS, one of which could allow an attacker to execute arbitrary code.
“An application may be able to execute arbitrary code with kernel privileges. A race condition was addressed through improved locking,” Apple said in its advisory.
The other kernel vulnerability is a validation issue that could allow an application to read restricted memory.
There are a few rather odd vulnerabilities patched in iOS 10.3.2, including two issues in iBooks, the mobile app for reading books on iPhones and iPads. One of the vulnerabilities could allow a malicious book file to open any website without permission, while the other could let an application execute arbitrary code with root privileges.
There are also patches for more than 20 vulnerabilities in WebKit, many of which are cross-site scripting bugs. Apple also patched a number of arbitrary code execution flaws in WebKit in iOS 10.3.2.