iOS 9.2 released, 360 found 5 security vulnerabilities and was thanked

On December 9, Beijing time, Apple released the official version of iOS 9.2. This upgrade improved the functions of applications such as Apple Music, News, iBooks, Podcasts, etc. In addition, Apple fixed multiple security vulnerabilities in iOS and Xcode. The five vulnerabilities submitted by the 360 ​​Security Team were also confirmed and fixed, and Apple publicly thanked them.

Figure 1: Three vulnerabilities discovered by 360Vulcan Team have been fixed

The official version of iOS 9.2 pushed by Apple this time fixes three iOS kernel vulnerabilities discovered and submitted by 360Vulcan Team, numbered CVE-2015-7040, CVE-2015-7041, and CVE-2015-7042.

According to Zheng Wenbin, head of the Vulcan Team, these three vulnerabilities are security vulnerabilities in the kernel of Apple's iOS operating system. Malicious apps or apps with vulnerabilities may use these vulnerabilities to break through the iOS sandbox, attack or enter the Apple system kernel, causing the user's mobile phone and other devices to restart or the data and applications in the mobile phone to be controlled. The vulnerability affects Apple operating systems of iOS 9.1 and lower versions, including iPhone, iPad, Apple touch and other devices.

Figure 2: Two vulnerabilities found by 360Nirvan Team were fixed

In addition, in the Xcode 7.2 security report released by Apple at the same time, two security vulnerabilities discovered by the 360 ​​Nirvan Team were confirmed and thanked.

The two vulnerabilities, numbered CVE-2015-7049 and CVE-2015-7057, are memory corruption vulnerabilities in the otool program (reverse analysis tool), affecting Mac OS X Yosemite operating system v10.10.5 or later. Nirvan Team leader Gao Xuefeng said that the existence of the vulnerability can cause local arbitrary code execution or DoS, which can attack people who use the tool.

360Nirvan Team is a young security research team under 360 company that specializes in iOS security research. In one year, it has obtained 4 vulnerabilities from Apple. In the recent XCode malicious code infection incident, 360Nirvan Team was the first in the world to publish the most comprehensive list of infected apps.

For security vendors, quickly discovering and responding to vulnerabilities is an essential foundation for improving protection capabilities. In addition to Apple, 360 has received many thanks from giants such as Microsoft, Google, and Adobe for discovering and assisting in fixing vulnerabilities. 360's vulnerability research capabilities have ranked first in the global security industry.