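On January 24 (January 23 local time), Apple released iOS 10.2.1, the latest version of iOS 10 for iPhone, iPad and iPod touch. The update consists mainly of bug fixes and security improvements, and amounts to no more than a minor update.
What users want to know is what has become of the problem of iPhone batteries draining suddenly and devices shutting down unexpectedly.
Unfortunately, the software update notes for the iOS 10.2.1 fix release mention only bug fixes and security improvements, as shown below.
iOS 10.2.1 software update information
iOS 10.2.1 includes bug fixes and improves the security of your iPhone or iPad. The security content, however, does include seven fixes for vulnerabilities in WebKit, the rendering engine used by Safari.
For information on the security content of this update, see the following website: https://support.apple.com/ja-jp/HT201222
iOS 10.2.1 arrives six weeks after the release of iOS 10.2, and four beta versions were made available to registered developers and testers along the way. Those betas also indicate that iOS 10.2.1 is a minor update with few notable changes. The first beta of iOS 10.3 is rumored to be released later this month, so that major update may be the one to look forward to.
Apple's support page "About the security content of iOS 10.2.1" describes the details of the iOS 10.2.1 security update as follows.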
Auto Unlock
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Auto Unlock may unlock when Apple Watch is off the user’s wrist
Description: A logic issue was addressed through improved state management.
CVE-2017-2352: Ashley Fernandez of raptAware Pty Ltd
Contacts
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Processing a maliciously crafted contact card may lead to unexpected application termination
Description: An input validation issue existed in the parsing of contact cards. This issue was addressed through improved input validation.
CVE-2017-2368: Vincent Desmurs (vincedes3)
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow issue was addressed through improved memory handling.
CVE-2017-2370: Ian Beer of Google Project Zero
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A use after free issue was addressed through improved memory management.
CVE-2017-2360: Ian Beer of Google Project Zero
libarchive
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution
Description: A buffer overflow issue was addressed through improved memory handling.
CVE-2016-8687: Agostino Sarubbo of Gentoo
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may exfiltrate data cross-origin
Description: A prototype access issue was addressed through improved exception handling.
CVE-2017-2350: Gareth Heyes of Portswigger Web Security
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2017-2354: Neymar of Tencent’s Xuanwu Lab (tencent.com) working with Trend Micro’s Zero Day Initiative
CVE-2017-2362: Ivan Fratric of Google Project Zero
CVE-2017-2373: Ivan Fratric of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory initialization issue was addressed through improved memory handling.
CVE-2017-2355: Team Pangu and lokihardt at PwnFest 2016
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved input validation.
CVE-2017-2356: Team Pangu and lokihardt at PwnFest 2016
CVE-2017-2369: Ivan Fratric of Google Project Zero
CVE-2017-2366: Kai Kang of Tencent’s Xuanwu Lab (tencent.com)
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may exfiltrate data cross-origin
Description: A validation issue existed in the handling of page loading. This issue was addressed through improved logic.
CVE-2017-2363: lokihardt of Google Project Zero
CVE-2017-2364: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: A malicious website can open popups
Description: An issue existed in the handling of blocking popups. This was addressed through improved input validation.
CVE-2017-2371: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may exfiltrate data cross-origin
Description: A validation issue existed in the handling of variable handling. This issue was addressed through improved validation.
CVE-2017-2365: lokihardt of Google Project Zero
WiFi
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An activation-locked device can be manipulated to briefly present the home screen
Description: An issue existed with handling user input that caused a device to present the home screen even when activation locked. This was addressed through improved input validation.
CVE-2017-2351: Sriram (@Sri_Hxor) of Primefort Pvt. Ltd., Hemanth Joseph
To update a compatible iPhone, iPad or iPod touch, open the Settings app and go to [Settings] → [General] → [Software Update] to download and install the iOS 10.2.1 firmware as an OTA (Over-The-Air) update. Users who want to restore or update their iOS device using iTunes can instead install it as an IPSW download.