SAN FRANCISCO, Jan. 28, 2016 – Zimperium, the leader in enterprise mobile threat protection, discovered a code execution vulnerability in Apple’s iOS and OS X operating system affecting all iOS devices running versions 6.0 to 9.2, and OS X 10.9 through 10.11.2.
With its recent iOS 9.2.1 and OS X 10.11.3 update, Apple provided patches for several flaws allowing attackers to take advantage of users and their mobile devices. The update fixed a total of 13 vulnerabilities, including two with low severity, five with medium severity and six with critical severity. All of the six critical vulnerabilities allow remote device takeover simply by visiting a malicious website.
Among these issues was CVE-2016-1722, a vulnerability Zimperium zLabs’ researchers Nikias Bassen and Joshua J. Drake identified in the system’s syslog logging function potentially leading to remote code execution, local code execution with root permissions or a Denial of Service (DoS) attack.
Drake is the researcher who also identified Stagefright vulnerability which had enormous impact on the Android ecosystem, pushing vendors to provide security updates for its users after years of no updates.
“Our zLabs research team is constantly researching ways to improve the state of security on mobile devices,” said Zuk Avraham, Founder, Chairman and CTO at Zimperium. “Discovering this vulnerability is part of our ongoing mission to find and help fix flaws across the entire mobile ecosystem including both Android and iOS.”
“It’s exciting to see Zimperium helping global giants such as Apple and Google to improve the company’s operating systems,” said Mark Fernandes, managing director of Sierra Ventures. “We’re continually impressed by the efforts of Zimperium’s research arm and look forward to its future success in the cybersecurity industry.”
“By promoting advanced mobile security research, we tackle issues before the bad guys do,” said Shridhar Mittal, CEO of Zimperium. “Given today’s increasingly mobile workforce, it’s imperative for companies to implement a comprehensive security strategy that enables and secures all devices. We focus on finding ways to make this a reality and will continue to work with companies like Apple and Google to help minimize the risk of mobile vulnerabilities.”
You can read more about CVE-2016-1722 here. If you have not updated your iOS or OS X, it is recommended to do so as soon as possible.
Zimperium, the industry leader in Mobile Threat Defense, offers real-time, on-device protection against both known and previously unknown threats, enabling detection and remediation of attacks on all three mobile threat vectors – Device, Network and Applications. Zimperium’s patented z9™ detection engine uses machine learning to power zIPS™, mobile on-device Intrusion Prevention System app, and zIAP™, an embedded, In-App Protection SDK that delivers self-protecting iOS and Android apps.
Leaders across the mobile ecosystem partner with Zimperium, including mobile operators (Airtel, Deutsche Telekom, SmarTone, SoftBank and Telstra), device manufacturers (Samsung, SIRIN, TriGem), and leading enterprise mobility management (EMM) providers (AirWatch, MobileIron, BlackBerry, Citrix and SAP). Headquartered in San Francisco, Zimperium is backed by Sierra Ventures, Samsung, Telstra, Warburg Pincus and SoftBank. Learn more at www.zimperium.com or our official blog at https://blog.zimperium.com.
Zimperium, the Zimperium name and logo, Powered by Zimperium, zIPS, zIAP and z9 are registered trademarks or trademarks of Zimperium, Inc. in the US and other countries.
Darah Patton (Inkhouse PR for Zimperium)