Apple released iOS 10, Xcode 8 and watchOS 3, which patch vulnerabilities attackers could leverage.
iOS 10 resolves seven vulnerabilities, one of which is CVE-2016-4741, which can end up exploited by a man-in-the-middle (MitM) attacker to prevent a device from receiving updates. Apple fixed the issue by ensuring iOS updates end up performed over an HTTPS connection.
There were two additional iOS vulnerabilities that can end up exploited by malicious applications to access location data (CVE-2016-4719) or determine whom a user is texting (CVE-2016-4620).
iOS 10 also fixes a vulnerability related to how the keyboard autocorrect feature could reveal sensitive information (CVE-2016-4746), an issue that allows an MitM attacker to intercept email credentials (CVE-2016-4747), and a flaw that exposes messages on devices not been signed in to the Messages app (CVE-2016-4740).
An anonymous researcher discovered a flaw in the AirPrint preview feature can result in unencrypted documents written to a temporary file (CVE-2016-4749).
Users reported their iPhones and iPads ended up bricked after they updated iOS to version 10. This forced Apple to quickly release iOS 10.0.1, which also includes another fix for one of the “Trident” vulnerabilities patched by the company last month in iOS 9.3.5.
Since the Apple Watch operating system watchOS end up based on iOS, CVE-2016-4719 affects both OSs. watchOS 3 patched this information disclosure flaw.
Xcode version 8 fixed two vulnerabilities that allow a local attacker to crash the application or execute arbitrary code. The holes have the case numbers CVE-2016-4704 and CVE-2016-4705.