
2 x "A buffer overflow issue was addressed through improved memory handling."

7 x "A memory corruption issue was addressed with improved bounds checking."

Oh well....




With 13x arbitrary code execution, being 5x with either kernel or system privileges.


Yes, and previous decimal versions had similarly powerful exploits.


They should rewrite in Rust...


No, they should stop using C or C style coding in C++, and write those parts in a mix of modern C++17 and Swift.


Or maybe... just maybe, an agency belatedly realised the "Defending Our Nation" part of its motto really means something.


This is depressing.

I normally shrug off security vulnerabilities in iOS. But so many in such a minor release?

I know it's not a valid extrapolation ... but if there are so many being fixed just today, that means there are hundreds if not thousands of still undiscovered ones remaining.

And Android is probably even worse.

To repeat myself: this is depressing.


https://technet.microsoft.com/en-us/library/security/ms17-01...

This is Microsoft's patch covering ShadowBrokers-leaked ETERNALBLUE SMB remote code execution 0day. The iOS 10.3.3 is likely the response to either the CIA Vault7 Wikileaks stash or the ShadowBrokers NSA EquationGroup stash. These exploits are probably out there in the hands of many people, and Apple had to respond.


That Microsoft link lists 6 CVEs.

Apple's security content page lists 48.

That's probably an unfair comparison. How many vulnerabilities have been patched for all of those leaks / stashes by Apple and Microsoft?

It seems like we'd need to know those numbers in order to fairly judge whether PhantomGremlin should feel depressed or not.



