PatchSiren

CVE-2016-7601 Apple CVE debrief

CVE-2016-7601 is an Apple iOS issue in the Local Authentication component that could fail to honor the configured screen-lock time interval while a Touch ID prompt was visible. NVD lists affected iPhone OS versions through 10.1.1, and Apple’s advisory is referenced in the record.

Vendor: Apple
Product: CVE-2016-7601
CVSS: MEDIUM 6.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Organizations and individuals using affected iOS devices before 10.2, especially where Touch ID behavior and screen-lock timing are part of access-control or compliance assumptions. Mobile device administrators should also care because the issue affects local device-lock expectations rather than a network service.

Technical summary

The NVD record describes a flaw in iOS Local Authentication where the configured screen-lock interval is not enforced if the Touch ID prompt is visible. NVD associates the issue with iPhone OS versions up to 10.1.1 and assigns CVSS 3.0 6.8 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Defensive priority

Medium priority. Remediate promptly on any still-supported or unmanaged devices running iOS before 10.2, and verify that policy assumptions about lock timing remain valid after remediation.

Recommended defensive actions

  • Update affected iPhone/iOS devices to 10.2 or later.
  • Confirm MDM and compliance policies do not assume screen-lock timing is enforced during Touch ID prompts on unpatched devices.
  • Review physical access controls for devices that may still run pre-10.2 iOS.
  • Inventory and retire or isolate any legacy devices that cannot be updated.
  • Validate that device lock behavior matches policy expectations after applying Apple updates.
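
The update and retire-or-isolate actions above can be turned into a triage pass over a device inventory. The sketch below is an added example, not part of the original debrief or any Apple or MDM tooling; the CSV columns (device_id, os_version, max_supported_os) and the sample rows are constructed assumptions, and only the 10.2 threshold comes from this page.

```python
import csv
import io

FIXED_IN = (10, 2)  # from the page: update to iOS 10.2 or later

# Constructed sample inventory. Column names are assumptions for this
# example and do not match any particular MDM export format.
SAMPLE_INVENTORY = """device_id,os_version,max_supported_os
A-001,10.1.1,10.3.3
A-002,10.2,10.3.3
A-003,9.3.5,9.3.5
A-004,10.0.2,12.5
A-005,,10.3.3
A-006,10.2.1,10.3.3
"""


def parse_version(text):
    """Turn '10.1.1' into (10, 1, 1); return None if empty or malformed."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def triage(inventory_csv):
    """Map device_id -> 'ok', 'update', 'retire_or_isolate' or 'unknown'."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        current = parse_version(row["os_version"])
        ceiling = parse_version(row["max_supported_os"])
        if current is None:
            status = "unknown"  # no version reported: do not assume patched
        elif current >= FIXED_IN:
            status = "ok"
        elif ceiling is not None and ceiling >= FIXED_IN:
            status = "update"  # vulnerable, but the hardware can run the fix
        else:
            status = "retire_or_isolate"  # cannot reach 10.2
        result[row["device_id"]] = status
    return result


if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(device, status)
```

Versions are compared as integer tuples because plain string comparison would rank "9.3.5" above "10.2" and mark an unpatched device as compliant.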

Evidence notes

The vulnerability description and version scope come from the supplied NVD record, which lists iPhone OS versions through 10.1.1 as vulnerable and cites Apple’s support advisory. The record also references a SecurityFocus BID entry and SecurityTracker page, but the Apple support link is the primary vendor reference supplied here. No KEV record was provided.

Official resources

CVE published on 2017-02-20T08:59:02.167Z. The source record was modified on 2026-05-13T00:24:29.033Z. No KEV dates were supplied.