Apple Releases iOS 11.2.1, tvOS 11.2.1 and More with Security Fixes

Posted on December 18th, 2017 by

Last week, Apple released security updates for iOS, tvOS, AirPort base stations and Time Capsules. Also released were previously undisclosed security release notes for iOS 11.2 (first released December 2) and tvOS 11.2 (released December 4). Security release notes for Safari 11.0.2, released on December 6, were also finally published today. In all, plenty of notes to go through! Here are the highlights:

iOS 11.2.1

iOS 11.2.1 "fixes bugs including an issue that could disable remote access to shared users of the Home app," and while this is a very small update, the security bug it fixes can have a big impact. Essentially, the vulnerability discovered in Apple’s HomeKit Internet of Things (IoT) framework could allow an attacker to take control of your IoT devices: think of thermostats, lights and even smart locks. Apple's temporary mitigation was to disable the shared remote users feature for iOS 11.2; iOS 11.2.1 fixes the underlying bug and re-enables that feature.

This is typically where I provide a URL to the full list of security issues that were addressed, but iOS 11.2.1 only addressed the issue I just described. iOS 11.2.1 can be downloaded over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac and let iTunes do the update for you.

Previously undisclosed iOS 11.2 security fixes

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.

This single entry covers 5 separate vulnerabilities.

tvOS 11.2.1

This update addressed the exact same issue that was covered in iOS 11.2.1. The previously undisclosed tvOS 11.2 security fixes are also identical to iOS 11.2. With tvOS and iOS being nearly identical operating systems, soon there may not be a need to separate the two in articles like these as almost all security fixes addressed are the same on both.

The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

Safari 11.0.2

Safari 11.0.2 was released on December 6, but no security release notes were available until December 13.

WebKit
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.2
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.

The same 5 vulnerabilities addressed in iOS 11.2 and tvOS 11.2 affected Safari as well. Safari 11.0.2 fixes this for the current macOS and the previous two operating system versions.

In a surprise move few saw coming, Apple released firmware updates for several of their AirPort Base Stations and Time Capsules. With their wireless team disbanded some time ago, most expected these products to receive no further updates, but in this case I'm glad they did.

AirPort Base Station Firmware Update 7.6.9

AirPort Base Station Firmware
Available for: AirPort Express, AirPort Extreme, and AirPort Time Capsule base stations with 802.11n
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA unicast/PTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.

Impact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.

Firmware Update 7.6.9 patched the KRACK vulnerabilities in Apple's older (802.11n) base stations.

AirPort Base Station Firmware Update 7.7.9

AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations with 802.11ac
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA unicast/PTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.

Impact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
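Both the 7.6.9 and 7.7.9 notes describe the same KRACK root cause: a state-transition bug that lets a client reinstall an already-installed key and, with it, reset the nonce counter. The following is an added example, not code from the article or from Apple's firmware; it is a toy model of the client side of the 4-way handshake in which `refuse_reinstall`, the key bytes and the packet-number counter are all constructed for illustration, and it contrasts the vulnerable transition with the hardened one.

```python
# Added example (not from the article or Apple's firmware): a minimal model of
# a WPA2 supplicant's key-install state, contrasting one that reinstalls the
# PTK on a retransmitted handshake message 3 (the "logic issue in the handling
# of state transitions") with one that refuses to reinstall a live key.
# Key material and the packet-number counter are constructed for illustration;
# nothing here speaks real 802.11.

class Supplicant:
    def __init__(self, refuse_reinstall: bool):
        self.refuse_reinstall = refuse_reinstall  # True models the patched state machine
        self.installed_ptk = None   # pairwise key currently in use
        self.packet_number = 0      # CCMP packet number, the per-frame nonce for this key
        self.nonces_used = []       # every nonce handed to the cipher under this key

    def receive_msg3(self, ptk: bytes) -> None:
        # Message 3 is legitimately retransmitted when the AP does not get message 4.
        if self.refuse_reinstall and self.installed_ptk == ptk:
            return                   # patched: key already live, keep the counter
        self.installed_ptk = ptk
        self.packet_number = 0       # vulnerable: reinstalling resets the nonce to zero

    def send_frame(self) -> int:
        # Each data frame consumes one fresh packet number under the live key.
        if self.installed_ptk is None:
            raise RuntimeError("no key installed")
        self.packet_number += 1
        self.nonces_used.append(self.packet_number)
        return self.packet_number


def nonce_reuse_occurs(refuse_reinstall: bool) -> bool:
    """Drive the model through a handshake, some traffic, and a retransmitted
    message 3; report whether any nonce was handed to the cipher twice."""
    sta = Supplicant(refuse_reinstall)
    ptk = b"\x11" * 16              # constructed session key
    sta.receive_msg3(ptk)           # first install
    for _ in range(3):
        sta.send_frame()            # nonces 1, 2, 3
    sta.receive_msg3(ptk)           # message 3 arrives again
    sta.send_frame()                # vulnerable model: nonce 1 is reused
    return len(sta.nonces_used) != len(set(sta.nonces_used))


if __name__ == "__main__":
    print("vulnerable supplicant reuses a nonce:", nonce_reuse_occurs(False))
    print("patched supplicant reuses a nonce:  ", nonce_reuse_occurs(True))
```

The patched branch is the whole fix: a (key, nonce) pair must never repeat under CCMP, so a supplicant that sees the same key twice must keep its counter rather than start it over.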

As an added bonus, the Broadpwn bug that affected millions of devices earlier this year is now also patched for 802.11ac base stations.

Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved memory handling.

Firmware Update 7.7.9 patched the KRACK vulnerabilities for newer base stations. Along with iOS 11.2, tvOS 11.2 and watchOS 4.2 that were recently released, most of Apple's devices running the latest OS are now properly protected.

To update your base station, open AirPort Utility which can be found in Applications > Utilities. Your base station will show a badge indicating an update is available or you'll see an "update" button next to the current firmware version once you go into your base station settings.

While these are small updates, they patch significant security vulnerabilities, so it is recommended to install them sooner rather than later. As always, back up your device before applying any updates, just to be on the safe side.

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread.