Apple has released the final version of iOS 10.3.2 to the public, after just about a month and a half of beta testing. Notably, the update fixes and patches a whopping 23 known issues and bugs.
Like the iOS 10.3.1 update before it, Apple’s newest OS firmware is an incremental update packed with under-the-hood bug fixes, security improvements and performance enhancing patches. No forward-facing changes or new features have been discovered so far, so it’s likely that the patch is just a security and bug fix update (but that makes it no less important). A full list of the included fixes is available below.
The new iOS update manages to squash a wide range of various bugs, including two bugs in iBooks — one of which would allow a malicious book to open websites without user permission. A similar bug in Safari would allow malicious websites to apply an application denial of service. The patch also fixes a Kernel bug, a Notifications issue, several SQLite bugs and a total of eight WebKit bugs, among several others.
It’s important to note that, with the security fix announcement, these bugs and exploits are now public knowledge. In turn, it’s definitely a good idea to update your device to iOS 10.3.2 as soon as possible to prevent attackers from using these now-patched vulnerabilities on iOS devices running older versions. iOS 10.3.2 can be installed on any iOS device that can run iOS 10 — which includes the following:
- iPhone 5 and newer
- Fourth-gen iPad and newer
- iPad mini 2 and newer
- All iPad Pro models
- Sixth-gen iPod Touch and newer
iOS 10.3.2 is currently available as an over-the-air update for the devices above. Alternatively, you can download and install the update via iTunes.
iOS 10.3.2 Security Fixes
AVEVideoEncoder
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to gain kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-6989: Adam Donenfeld (@doadam) of the Zimperium zLabs Team
CoreAudio
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-2502: Yangkang (@dnpushme) of Qihoo360 Qex Team
iBooks
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: A maliciously crafted book may open arbitrary websites without user permission
Description: A URL handling issue was addressed through improved state management.
CVE-2017-2497: Jun Kokatsu (@shhnjk)
iBooks
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with root privileges
Description: An issue existed within the path validation logic for symlinks. This issue was addressed through improved path sanitization.
CVE-2017-6981: evi1m0 of YSRC (sec.ly.com)
IOSurface
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to gain kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-6979: Adam Donenfeld of Zimperium zLabs
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A race condition was addressed through improved locking.
CVE-2017-2501: Ian Beer of Google Project Zero
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-2507: Ian Beer of Google Project Zero
CVE-2017-6987: Patrick Wardle of Synack
Notifications
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to cause a denial of service
Description: A denial of service issue was addressed through improved memory handling.
CVE-2017-6982: Vincent Desmurs (vincedes3), Sem Voigtlander (OxFEEDFACE), and Joseph Shenton of CoffeeBreakers
Safari
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Visiting a maliciously crafted webpage may lead to an application denial of service
Description: An issue in Safari’s history menu was addressed through improved memory handling.
CVE-2017-2495: Tubasa Iinuma (@llamakko_cafe) of Gehirn Inc.
Security
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Update to the certificate trust policy
Description: A certificate validation issue existed in the handling of untrusted certificates. This issue was addressed through improved user handling of trust acceptance.
CVE-2017-2498: Andrew Jerman
SQLite
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: A maliciously crafted SQL query may lead to arbitrary code execution
Description: A use after free issue was addressed through improved memory management.
CVE-2017-2513: found by OSS-Fuzz
SQLite
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: A maliciously crafted SQL query may lead to arbitrary code execution
Description: A buffer overflow issue was addressed through improved memory handling.
CVE-2017-2518: found by OSS-Fuzz
CVE-2017-2520: found by OSS-Fuzz
SQLite
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: A maliciously crafted SQL query may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-2519: found by OSS-Fuzz
SQLite
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved input validation.
CVE-2017-6983: Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro’s Zero Day Initiative
CVE-2017-6991: Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro’s Zero Day Initiative
TextInput
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Parsing maliciously crafted data may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-2524: Ian Beer of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-2496: Apple
CVE-2017-2505: lokihardt of Google Project Zero
CVE-2017-2506: Zheng Huang of the Baidu Security Lab working with Trend Micro’s Zero Day Initiative
CVE-2017-2514: lokihardt of Google Project Zero
CVE-2017-2515: lokihardt of Google Project Zero
CVE-2017-2521: lokihardt of Google Project Zero
CVE-2017-2525: Kai Kang (4B5F5F4B) of Tencent’s Xuanwu Lab (tencent.com) working with Trend Micro’s Zero Day Initiative
CVE-2017-2526: Kai Kang (4B5F5F4B) of Tencent’s Xuanwu Lab (tencent.com) working with Trend Micro’s Zero Day Initiative
CVE-2017-2530: an anonymous researcher
CVE-2017-2531: lokihardt of Google Project Zero
CVE-2017-2538: Richard Zhu (fluorescence) working with Trend Micro’s Zero Day Initiative
CVE-2017-2539: Richard Zhu (fluorescence) working with Trend Micro’s Zero Day Initiative
CVE-2017-2544: 360 Security (@mj0011sec) working with Trend Micro’s Zero Day Initiative
CVE-2017-2547: lokihardt of Google Project Zero, Team Sniper (Keen Lab and PC Mgr) working with Trend Micro’s Zero Day Initiative
CVE-2017-6980: lokihardt of Google Project Zero
CVE-2017-6984: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue existed in the handling of WebKit Editor commands. This issue was addressed with improved state management.
CVE-2017-2504: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue existed in the handling of WebKit container nodes. This issue was addressed with improved state management.
CVE-2017-2508: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue existed in the handling of pageshow events. This issue was addressed with improved state management.
CVE-2017-2510: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue existed in the handling of WebKit cached frames. This issue was addressed with improved state management.
CVE-2017-2528: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues with addressed through improved memory handling.
CVE-2017-2536: Samuel Groß and Niklas Baumstark working with Trend Micro’s Zero Day Initiative
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue existed in frame loading. This issue was addressed with improved state management.
CVE-2017-2549: lokihardt of Google Project Zero
WebKit Web Inspector
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to execute unsigned code
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-2499: George Dan (@theninjaprawn)
Want a FREE iPhone 7? Click here to enter our monthly contest for a chance!
Follow us on Apple News by pressing the (+) button at the top of our channel
from iDrop http://ift.tt/2qkxZrI
via IFTTT
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.