Appleは5月16日(現地時間5月15日)、iPhone、iPadおよびiPod touch向けiOS 10.3バージョン2度目となる修正版「iOS 10.3.2」をリリースしました。互換性のあるiPhone、iPad、およびiPod touchを搭載したiOSデバイス ユーザーは、改善、機能追加、または安定性を強化したこの最新のファームウェアをダウンロード&インストールできるようになりました。
今回の「iOS 10.3.2」アップデートは、前回4月4日にリリースされたiOS 10.3.1のような緊急性はなく、最初のベータ版リリース(4月4日)より一ヶ月以上のベータプロセスを経てブラッシュアップされてのリリースとなりました。
AppleはiOS 10.3.2のベータプロセスをiOS 10.3.1をスキップして始め、急遽古い32ビットiOSデバイスをサポートするためにiOS 10.3.1をリリースした経緯があります。今回のiOS 10.3.2の正式版リリースでは、この驚きはありません。期待するとすればiOS 10.3のブラッシュアップで、マイナーな修正が行われているにとどまっています。新しい機能や外向きに目立つ機能の修正なども見当たりません。事実、Appleのリリースノートも以下のようにそっけないものとなっています。
iOS 10.3.2にはバグの修正およびiPhoneまたはiPadのセキュリティの問題の改善が含まれます。
細かな修正には、Siri利用やCarPlay対応の乗用車を所有するユーザーにとって関心のある事柄が含まれています。Appleは新しいSiriKitカーコマンドが期待どうりに機能するように改善を行ったと言っています。
また、iOS 10.3.2には上記のようにバグ修正のみならずセキュリティの問題の改善が含まれており、iPhoneやiPadのセキュリティが向上しています。その詳細はApple サポートに以下のように掲載されています。
iOS 10.3.2のセキュリティコンテンツ
AVEVideoEncoder
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to gain kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-6989: Adam Donenfeld (@doadam) of the Zimperium zLabs Team
CoreAudio
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-2502: Yangkang (@dnpushme) of Qihoo360 Qex Team
iBooks
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: A maliciously crafted book may open arbitrary websites without user permission
Description: A URL handling issue was addressed through improved state management.
CVE-2017-2497: Jun Kokatsu (@shhnjk)
iBooks
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with root privileges
Description: An issue existed within the path validation logic for symlinks. This issue was addressed through improved path sanitization.
CVE-2017-6981: evi1m0 of YSRC (sec.ly.com)
IOSurface
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to gain kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-6979: Adam Donenfeld of Zimperium zLabs
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A race condition was addressed through improved locking.
CVE-2017-2501: Ian Beer of Google Project Zero
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-2507: Ian Beer of Google Project Zero
CVE-2017-6987: Patrick Wardle of Synack
Notifications
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to cause a denial of service
Description: A denial of service issue was addressed through improved memory handling.
CVE-2017-6982: Vincent Desmurs (vincedes3), Sem Voigtlander (OxFEEDFACE), and Joseph Shenton of CoffeeBreakers
Safari
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Visiting a maliciously crafted webpage may lead to an application denial of service
Description: An issue in Safari’s history menu was addressed through improved memory handling.
CVE-2017-2495: Tubasa Iinuma (@llamakko_cafe) of Gehirn Inc.
Security
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Update to the certificate trust policy
Description: A certificate validation issue existed in the handling of untrusted certificates. This issue was addressed through improved user handling of trust acceptance.
CVE-2017-2498: Andrew Jerman
SQLite
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: A maliciously crafted SQL query may lead to arbitrary code execution
Description: A use after free issue was addressed through improved memory management.
CVE-2017-2513: found by OSS-Fuzz
SQLite
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: A maliciously crafted SQL query may lead to arbitrary code execution
Description: A buffer overflow issue was addressed through improved memory handling.
CVE-2017-2518: found by OSS-Fuzz
CVE-2017-2520: found by OSS-Fuzz
SQLite
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: A maliciously crafted SQL query may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-2519: found by OSS-Fuzz
SQLite
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved input validation.
CVE-2017-6983: Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro’s Zero Day Initiative
CVE-2017-6991: Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro’s Zero Day Initiative
TextInput
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Parsing maliciously crafted data may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-2524: Ian Beer of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-2496: Apple
CVE-2017-2505: lokihardt of Google Project Zero
CVE-2017-2506: Zheng Huang of the Baidu Security Lab working with Trend Micro’s Zero Day Initiative
CVE-2017-2514: lokihardt of Google Project Zero
CVE-2017-2515: lokihardt of Google Project Zero
CVE-2017-2521: lokihardt of Google Project Zero
CVE-2017-2525: Kai Kang (4B5F5F4B) of Tencent’s Xuanwu Lab (tencent.com) working with Trend Micro’s Zero Day Initiative
CVE-2017-2526: Kai Kang (4B5F5F4B) of Tencent’s Xuanwu Lab (tencent.com) working with Trend Micro’s Zero Day Initiative
CVE-2017-2530: an anonymous researcher
CVE-2017-2531: lokihardt of Google Project Zero
CVE-2017-2538: Richard Zhu (fluorescence) working with Trend Micro’s Zero Day Initiative
CVE-2017-2539: Richard Zhu (fluorescence) working with Trend Micro’s Zero Day Initiative
CVE-2017-2544: 360 Security (@mj0011sec) working with Trend Micro’s Zero Day Initiative
CVE-2017-2547: lokihardt of Google Project Zero, Team Sniper (Keen Lab and PC Mgr) working with Trend Micro’s Zero Day Initiative
CVE-2017-6980: lokihardt of Google Project Zero
CVE-2017-6984: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue existed in the handling of WebKit Editor commands. This issue was addressed with improved state management.
CVE-2017-2504: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue existed in the handling of WebKit container nodes. This issue was addressed with improved state management.
CVE-2017-2508: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue existed in the handling of pageshow events. This issue was addressed with improved state management.
CVE-2017-2510: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue existed in the handling of WebKit cached frames. This issue was addressed with improved state management.
CVE-2017-2528: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues with addressed through improved memory handling.
CVE-2017-2536: Samuel Groß and Niklas Baumstark working with Trend Micro’s Zero Day Initiative
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue existed in frame loading. This issue was addressed with improved state management.
CVE-2017-2549: lokihardt of Google Project Zero
WebKit Web Inspector
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to execute unsigned code
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-2499: George Dan (@theninjaprawn)
尚、iOSデバイスでアップデートを行う場合には、[設定]アプリを立ち上げ、[設定]→[一般]→[ソフトウェアアップデート]よりOTA(Over The Air)で行うことが出来ます。
