Apple has patched several vulnerabilities in iOS that could lead to arbitrary code execution, including a handful of memory corruption bugs and a flaw that enables an attacker to use a malicious JPEG file to run arbitrary code.
The release of iOS 10.1 includes patches for 13 vulnerabilities, many of which can be used for arbitrary code execution. The most intriguing of those flaws is CVE-2016-4673, a bug in the Core Graphics component of iOS. Core Graphics is a framework used to handle drawing and images, and researchers from the Keen Lab in China discovered an issue with the way the framework handles JPEG files.
“Viewing a maliciously crafted JPEG file may lead to arbitrary code execution. A memory corruption issue was addressed through improved memory handling,” the Apple iOS 10.1 advisory says.
This vulnerability also affects macOS, and Apple patched it with the release of Sierra 10.12.1 on Monday.
Among the other serious bugs fixed in iOS 10.1 is a vulnerability that could allow an application to run arbitrary code with root privileges. The problem stems from a logic issue in libxpc. Apple also patched a vulnerability in the iOS kernel that allows an app to disclose kernel memory.
Users should see iOS 10.1 as an available download in the software update section in iOS.