Appleは7月20日(現地時間7月19日)、iPhone、iPadおよびiPod touch向けiOS 10.3バージョン3度目となる修正版「iOS 10.3.3」をリリースしました。互換性のあるiPhone、iPad、およびiPod touchを搭載したiOSデバイス ユーザーは、改善、機能追加、または安定性を強化したこの最新のファームウェアをダウンロード&インストールできるようになりました。
今回の「iOS 10.3.3」アップデートは、「iOS 10.3.1」のような緊急性はなく、5月16日にリリースされた前回バージョン「iOS 10.3.2」同様に,
初回のベータ版リリース(5月17日)より2ヶ月以上のベータプロセスを経てブラッシュアップされてのリリースとなりました。
リリースノートには、「バグの修正およびiPhoneまたはiPadのセキュリティの問題の改善」とのみ明記されており、いくつかの小さくて目立たない改善が行われ、互換性のあるハードウェアに対してより安定した環境を提供するものと思われます。
ただ、Apple Supportの「About the security content of iOS 10.3.3」によると、Wi-Fiチップ上で任意のコードを実行できる脆弱性の問題について修正が行われているようです。
iOS 10.3.3のセキュリティコンテンツ
Contacts
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A buffer overflow issue was addressed through improved memory handling.
CVE-2017-7062: Shashank (@cyberboyIndia)
CoreAudio
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing a maliciously crafted movie file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved bounds checking.
CVE-2017-7008: Yangkang (@dnpushme) of Qihoo 360 Qex Team
EventKitUI
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: A remote attacker may cause an unexpected application termination
Description: A resource exhaustion issue was addressed through improved input validation.
CVE-2017-7007: José Antonio Esteban (@Erratum_) of Sapsi Consultores
IOUSBFamily
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7009: shrek_wzw of Qihoo 360 Nirvan Team
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7022: an anonymous researcher
CVE-2017-7024: an anonymous researcher
CVE-2017-7026: an anonymous researcher
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7023: an anonymous researcher
CVE-2017-7025: an anonymous researcher
CVE-2017-7027: an anonymous researcher
CVE-2017-7069: Proteas of Qihoo 360 Nirvan Team
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-7028: an anonymous researcher
CVE-2017-7029: an anonymous researcher
libarchive
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution
Description: A buffer overflow was addressed through improved bounds checking.
CVE-2017-7068: found by OSS-Fuzz
libxml2
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information
Description: An out-of-bounds read was addressed through improved bounds checking.
CVE-2017-7010: Apple
CVE-2017-7013: found by OSS-Fuzz
libxpc
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7047: Ian Beer of Google Project Zero
Messages
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: A remote attacker may cause an unexpected application termination
Description: A memory consumption issue was addressed through improved memory handling.
CVE-2017-7063: Shashank (@cyberboyIndia)
Notifications
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Notifications may appear on the lock screen when disabled
Description: A lock screen issue was addressed with improved state management.
CVE-2017-7058: an anonymous researcher
Safari
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2017-2517: xisigr of Tencent’s Xuanwu Lab (tencent.com)
Safari Printing
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to an infinite number of print dialogs
Description: An issue existed where a malicious or compromised website could show infinite print dialogs and make users believe their browser was locked. The issue was addressed through throttling of print dialogs.
CVE-2017-7060: Travis Kelley of City of Mishawaka, Indiana
Telephony
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An attacker in a privileged network position may be able to execute arbitrary code
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-8248
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: A malicious website may exfiltrate data cross-origin
Description: Processing maliciously crafted web content may allow cross-origin data to be exfiltrated by using SVG filters to conduct a timing side-channel attack. This issue was addressed by not painting the cross-origin buffer into the frame that gets filtered.
CVE-2017-7006: an anonymous researcher, David Kohlbrenner of UC San Diego
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A state management issue was addressed with improved frame handling.
CVE-2017-7011: xisigr of Tencent’s Xuanwu Lab (tencent.com)
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-7018: lokihardt of Google Project Zero
CVE-2017-7020: likemeng of Baidu Security Lab
CVE-2017-7030: chenqin of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室)
CVE-2017-7034: chenqin of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室)
CVE-2017-7037: lokihardt of Google Project Zero
CVE-2017-7039: Ivan Fratric of Google Project Zero
CVE-2017-7040: Ivan Fratric of Google Project Zero
CVE-2017-7041: Ivan Fratric of Google Project Zero
CVE-2017-7042: Ivan Fratric of Google Project Zero
CVE-2017-7043: Ivan Fratric of Google Project Zero
CVE-2017-7046: Ivan Fratric of Google Project Zero
CVE-2017-7048: Ivan Fratric of Google Project Zero
CVE-2017-7052: cc working with Trend Micro’s Zero Day Initiative
CVE-2017-7055: The UK’s National Cyber Security Centre (NCSC)
CVE-2017-7056: lokihardt of Google Project Zero
CVE-2017-7061: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content with DOMParser may lead to cross site scripting
Description: A logic issue existed in the handling of DOMParser. This issue was addressed with improved state management.
CVE-2017-7038: Egor Karbutov (@ShikariSenpai) of Digital Security and Egor Saltykov (@ansjdnakjdnajkd) of Digital Security, Neil Jenkins of FastMail Pty Ltd
CVE-2017-7059: an anonymous researcher
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2017-7049: Ivan Fratric of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An application may be able to read restricted memory
Description: A memory initialization issue was addressed through improved memory handling.
CVE-2017-7064: lokihardt of Google Project Zero
WebKit Page Loading
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-7019: Zhiyang Zeng of Tencent Security Platform Department
WebKit Web Inspector
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-7012: Apple
Wi-Fi
Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-9417: Nitay Artenstein of Exodus Intelligence
尚、iOSデバイスでアップデートを行う場合には、[設定]アプリを立ち上げ、[設定]→[一般]→[ソフトウェアアップデート]よりOTA(Over The Air)で行うことが出来ます。
