Apple iOS8: more open, but is it secure?
Apple iOS8: more open, but is it secure?

More than seven years after the iPhone Operating System - now known as iOS - was first released, Apple has completed a root and branch upgrade of its mobile OS, taking it to version 8.0. In parallel with this, Apple has quietly fixed more than 40 security vulnerabilities, making it the biggest upgrade for the mobile OS in its history.

Apple's CEO Tim Cook posted a letter to his customers on the company Web site last night, launching a new section focused solely on "Apple's commitment to your privacy," as well as explaining how the new two-factor authentication system for iCloud and other Apple features works.

According to Apple, the list of new and enhanced features includes patches for a series of kernel flaws, multiple WebKit vulnerabilities, and two interesting bugs - that appear not to have been discussed previously - that allow apps to be freely installed from outside the official Apple app store resources.

The most interesting patch/re-code, however, seems to be a system to block a hybrid man-in-the-middle attack on WiFi networks.

As Apple says on it iOS 8.0 details section, "an attacker could have impersonated a WiFi access point, offered to authenticate with LEAP [Cisco's Lightweight Extensible Authentication Protocol], broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even - if that access point supported stronger authentication methods. This issue was addressed by disabling LEAP by default."

According to ThreatPost's Dennis Fisher's analysis of iOS8.0, amongst the other issues fixed is a longstanding problem that caused Bluetooth to be enabled by default whenever iOS was updated.

"Apple also patched an integer overflow flaw in CoreGraphics that could lead to remote code execution. There also is a fix for a vulnerability that enables a malicious app to bypass kernel ASLR, one of the key exploit mitigations in iOS," he says.

1.1 Gigabytes large

That's the good news. The potentially bad news is that the update weighs in at around the 1.1 gigabytes mark, meaning that the upgrade needs to be loaded across a WiFi connection, rather than a 3G/4G link - and unconfirmed reports suggest that the installation process can take around an hour in total.