Posted in Commentary

iOS 10.2.1 Update


iOS 10

Apple has released an update to iOS 10. Version 10.2.1 offers various fixes and security enhancements. It is safer to make a backup of your iOS device before updating.

To update, while using a Wi-Fi network, tap on Settings > General > Software Update then download and install.

The security fixes include the following items:

Auto Unlock
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Auto Unlock may unlock when Apple Watch is off the user’s wrist
Description: A logic issue was addressed through improved state management.
CVE-2017-2352: Ashley Fernandez of raptAware Pty Ltd
Contacts
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Processing a maliciously crafted contact card may lead to unexpected application termination
Description: An input validation issue existed in the parsing of contact cards. This issue was addressed through improved input validation.
CVE-2017-2368: Vincent Desmurs (vincedes3)
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow issue was addressed through improved memory handling.
CVE-2017-2370: Ian Beer of Google Project Zero
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A use after free issue was addressed through improved memory management.
CVE-2017-2360: Ian Beer of Google Project Zero
libarchive
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution
Description: A buffer overflow issue was addressed through improved memory handling.
CVE-2016-8687: Agostino Sarubbo of Gentoo
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may exfiltrate data cross-origin
Description: A prototype access issue was addressed through improved exception handling.
CVE-2017-2350: Gareth Heyes of Portswigger Web Security
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2017-2354: Neymar of Tencent’s Xuanwu Lab (tencent.com) working with Trend Micro’s Zero Day Initiative
CVE-2017-2362: Ivan Fratric of Google Project Zero
CVE-2017-2373: Ivan Fratric of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory initialization issue was addressed through improved memory handling.
CVE-2017-2355: Team Pangu and lokihardt at PwnFest 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved input validation.
CVE-2017-2356: Team Pangu and lokihardt at PwnFest 2016
CVE-2017-2369: Ivan Fratric of Google Project Zero
CVE-2017-2366: Kai Kang of Tencent’s Xuanwu Lab (tencent.com)
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may exfiltrate data cross-origin
Description: A validation issue existed in the handling of page loading. This issue was addressed through improved logic.
CVE-2017-2363: lokihardt of Google Project Zero
CVE-2017-2364: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: A malicious website can open popups
Description: An issue existed in the handling of blocking popups. This was addressed through improved input validation.
CVE-2017-2371: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may exfiltrate data cross-origin
Description: A validation issue existed in the handling of variable handling. This issue was addressed through improved validation.
CVE-2017-2365: lokihardt of Google Project Zero
WiFi
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An activation-locked device can be manipulated to briefly present the home screen
Description: An issue existed with handling user input that caused a device to present the home screen even when activation locked. This was addressed through improved input validation.
CVE-2017-2351: Sriram (@Sri_Hxor) of Primefort Pvt. Ltd., Hemanth Joseph

You can view more information about the various iOS updates here.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s