Apple išleido iOS 7.1.2 atnaujinimą
Apple išleido iOS 7 atnaujinimą ištaisantį tris specifines klaidas susijusias su: iBeacon, prisegamais failais Mail aplikacijoje bei duomenų perdavimu naudojant 3-ų šalių priedus.
iOS 7.1.2 atnaujinimas:
- pagerina iBeacon prisijungimą bei darbo stabilumą
- ištaiso duomenų perdavimo klaidas pasitaikančias naudojant įrenginius su iOS 7.1.1 kai prie jų pajungti kitų gamintojų priedai, tame tarpe barkodų skeneriai.
- ištaisyta Mail aplikacijos prisegamų failų duomenų apsaugos klasė
Šis atnaujinimas ištaiso 35-ias iOS 7 saugumo klaidas. tame tarpe 18 jų vien Safari naršyklėje. Viena iš ištaisytų klaidų yra ta, kuri leido pasinaudojant Siri apeiti iOS įrenginio užrakinimą ir gauti prieigą prie kontaktų.
iOS 7.1.2 atsisiųsti galite per iTunes ar įdiegti tiesiai savo įrenginiuose. Atnaujinant per iTunes atnaujinimas yra didesnis, apie 1,44GB, tačiau atnaujinant tiesiai įrenginyje: iPhone 5s - 32,3MB; iPad Air 28,8MB, iPad mini (ne Retina) 22,4MB.
Norėdami atnaujinti savo įrenginio iOS versiją (ne per iTunes): Settings > General > Software Update > Download and Install. Atminkite, kad jei baterijos lygis mažesnis nei 50% - atnaujinimas gali būti nediegiamas.
Žemiau pilnas ištaisytų klaidų saugumo spragų sąrašas angliškai:
Certificate Trust Policy Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Update to the certificate trust policy Description: The certificate trust policy was updated. The complete list of certificates may be viewed at http://support.apple.com/kb/HT5012.
CoreGraphics Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Viewing a maliciously crafted XBM file may lead to an unexpected application termination or arbitrary code execution Description: An unbounded stack allocation issue existed in the handling of XBM files. This issue was addressed through improved bounds checking. CVE–2014–1354 : Dima Kovalenko of codedigging.com
Kernel Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An application could cause the device to unexpectedly restart Description: A null pointer dereference existed in the handling of IOKit API arguments. This issue was addressed through additional validation of IOKit API arguments. CVE–2014–1355 : cunzhang from Adlab of Venustech
launchd Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A heap buffer overflow existed in launchd’s handling of IPC messages. This issue was addressed through improved bounds checking. CVE–2014–1356 : Ian Beer of Google Project Zero
launchd Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A heap buffer overflow existed in launchd’s handling of log messages. This issue was addressed through improved bounds checking. CVE–2014–1357 : Ian Beer of Google Project Zero
launchd Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An integer overflow existed in launchd. This issue was addressed through improved bounds checking. CVE–2014–1358 : Ian Beer of Google Project Zero
launchd Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An integer underflow existed in launchd. This issue was addressed through improved bounds checking. CVE–2014–1359 : Ian Beer of Google Project Zero
Lockdown Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An attacker possessing an iOS device could potentially bypass Activation Lock Description: Devices were performing incomplete checks during device activation, which made it possible for malicious individuals to partially bypass Activation Lock. This issue was addressed through additional client-side verification of data received from activation servers. CVE–2014–1360
Lock Screen Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An attacker in possession of a device may exceed the maximum number of failed passcode attempts Description: In some circumstances, the failed passcode attempt limit was not enforced. This issue was addressed through additional enforcement of this limit. CVE–2014–1352 : mblsec
Lock Screen Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A person with physical access to a locked device may be able to access the application that was in the foreground prior to locking Description: A state management issue existed in the handling of the telephony state while in Airplane Mode. This issue was addressed through improved state management while in Airplane Mode. CVE–2014–1353
Mail Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Mail attachments can be extracted from an iPhone 4 Description: Data protection was not enabled for mail attachments, allowing them to be read by an attacker with physical access to the device. This issue was addressed by changing the encryption class of mail attachments. CVE–2014–1348 : Andreas Kurtz of NESO Security Labs
Safari Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A use after free issue existed in Safari’s handling of invalid URLs. This issue was addressed through improved memory handling. CVE–2014–1349 : Reno Robert and Dhanesh Kizhakkinan
Settings Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A person with physical access to the device may be able to disable Find My iPhone without entering an iCloud password Description: A state management issue existed in the handling of the Find My iPhone state. This issue was addressed through improved handling of Find My iPhone state. CVE–2014–1350
Secure Transport Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Two bytes of uninitialized memory could be disclosed to a remote attacker Description: An uninitialized memory access issue existed in the handling of DTLS messages in a TLS connection. This issue was addressed by only accepting DTLS messages in a DTLS connection. CVE–2014–1361 : Thijs Alkemade of The Adium Project
Siri Available for: iPhone 4S and later, iPod touch (5th generation) and later, iPad (3rd generation) and later Impact: A person with physical access to the phone may be able to view all contacts Description: If a Siri request might refer to one of several contacts, Siri displays a list of possible choices and the option ‘More…’ for a complete contact list. When used at the lock screen, Siri did not require the passcode before viewing the complete contact list. This issue was addressed by requiring the passcode. CVE–2014–1351 : Sherif Hashim
WebKit Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling. CVE-ID CVE–2013–2875 : miaubiz CVE–2013–2927 : cloudfuzzer CVE–2014–1323 : banty CVE–2014–1325 : Apple CVE–2014–1326 : Apple CVE–2014–1327 : Google Chrome Security Team, Apple CVE–2014–1329 : Google Chrome Security Team CVE–2014–1330 : Google Chrome Security Team CVE–2014–1331 : cloudfuzzer CVE–2014–1333 : Google Chrome Security Team CVE–2014–1334 : Apple CVE–2014–1335 : Google Chrome Security Team CVE–2014–1336 : Apple CVE–2014–1337 : Apple CVE–2014–1338 : Google Chrome Security Team CVE–2014–1339 : Atte Kettunen of OUSPG CVE–2014–1341 : Google Chrome Security Team CVE–2014–1342 : Apple CVE–2014–1343 : Google Chrome Security Team CVE–2014–1362 : Apple, miaubiz CVE–2014–1363 : Apple CVE–2014–1364 : Apple CVE–2014–1365 : Apple, Google Chrome Security Team CVE–2014–1366 : Apple CVE–2014–1367 : Apple CVE–2014–1368 : Wushi of Keen Team (Research Team of Keen Cloud Tech) CVE–2014–1382 : Renata Hodovan of University of Szeged / Samsung Electronics CVE–2014–1731 : an anonymous member of the Blink development community
WebKit Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious site can send messages to a connected frame or window in a way that might circumvent the receiver’s origin check Description: An encoding issue existed in the handling of unicode characters in URLs. A maliciously crafted URL could have led to sending an incorrect postMessage origin. This issue was addressed through improved encoding/decoding. CVE–2014–1346 : Erling Ellingsen of Facebook
WebKit Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A maliciously crafted website may be able to spoof its domain name in the address bar Description: A spoofing issue existed in the handling of URLs. This issue was addressed through improved encoding of URLs. CVE–2014–1345 : Erling Ellingsen of Facebook
Tikiuosi ant iPad air nebelūžinės Safaris, nes dažnai nulūždavo Safari ir iPad restartuodavosi... Ir kažkaip su Safari tabs geriau, nesirefreshina perjunginėjant.