New bug allows for keylogging and recording of screen taps

Feb 26, 2014 10:33 GMT

Given the urgency of yet another flaw in its mobile operating system – which iOS 7.0.6 fails to patch – Apple should be hard at work on iOS 7.0.7 as the next security update before the final iOS 7.1 build is deployed publicly.

Apple is known to be testing iOS 7.1 internally with a planned release date for March, but nothing is set in stone at this point.

More worryingly, security researchers have discovered a new vulnerability in the latest public version of the software (iOS 7.0.6/6.1.6) that cybercriminals could exploit to obtain the user’s personal information, including user names and passwords.

FireEye reports that “Background monitoring mobile applications has become a hot topic on mobile devices. Existing reports show that such monitoring can be conducted on jailbroken iOS devices.”

“FireEye mobile security researchers have discovered such vulnerability, and found approaches to bypass Apple's app review process effectively and exploit non-jailbroken iOS 7 successfully. We have been collaborating with Apple on this issue,” the security firm says.

The vulnerability – separate from the widely covered SSL/TLS flaw that got resolved in iOS 7.0.6, iOS 6.1.6 and, more recently, in OS X 10.9.2 – affects non-jailbroken devices running any variant of iOS 7 and iOS 6.1.

FireEye claims that its proof-of-concept demo “exploits the latest 7.0.4 version of iOS system on a non-jailbroken iPhone 5s device successfully,” adding that the firm has been able to confirm that “the same vulnerability also exists in iOS versions 7.0.5, 7.0.6 and 6.1.x.”

“Based on the findings, potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app, and then conduct background monitoring,” FireEye reports.

In other words, Apple has another security flaw on its hands that it needs to address ASAP.

Currently, the only way for a user to stay out of harm’s way is to stop apps from running in the background by closing them from the Multitasking tray, “to prevent potential background monitoring,” according to FireEye.

“iOS7 users can press the Home button twice to enter the task manager and see preview screens of apps opened, and then swipe an app up and out of preview to disable unnecessary or suspicious applications running on the background,” the team explains, and shows some relevant screenshots.

Considering how Apple sometimes takes its time addressing these kinds of flaws, we could end up installing iOS 7.1 outright next week. However, if the company has become sensitive enough to these issues, releasing iOS 7.0.7 and iOS 6.1.7 beforehand should be a no-brainer.