APPLE-SA-2014-10-20-1 iOS 8.1

iOS 8.1 is now available and addresses the following:

Bluetooth
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious Bluetooth input device may bypass pairing
Description:  Unencrypted connections were permitted from Human
Interface Device-class Bluetooth Low Energy accessories. If an iOS
device had paired with such an accessory, an attacker could spoof the
legitimate accessory to establish a connection. The issue was
addressed by denying unencrypted HID connections.
CVE-2014-4428 : Mike Ryan of iSEC Partners

House Arrest
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Files transferred to the device may be written with
insufficient cryptographic protection
Description:  Files could be transferred to an app's Documents
directory and encrypted with a key protected only by the hardware
UID. This issue was addressed by encrypting the transferred files
with a key protected by the hardware UID and the user's passcode.
CVE-2014-4448 : Jonathan Zdziarski and Kevin DeLong

iCloud Data Access
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  An attacker in a privileged network position may force
iCloud data access clients to leak sensitive information
Description:  A TLS certificate validation vulnerability existed in
iCloud data access clients. This issue was addressed by improved
certificate validation.
CVE-2014-4449 : Carl Mehner of USAA

Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  QuickType could learn users' credentials
Description:  QuickType could learn users' credentials when switching
between elements. This issue was addressed by QuickType not learning
from fields where autocomplete is disabled and reapplying the
criteria when switching between DOM input elements in legacy WebKit.

Secure Transport
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  An attacker may be able to decrypt data protected by SSL
Description:  There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling CBC cipher suites
when TLS connection attempts fail.
CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
Google Security Team
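
The downgrade-and-fallback behaviour described in the Secure Transport entry, as an added illustration that is not Apple's code: a simulated client tries protocol versions from highest to lowest, an on-path party can make attempts at chosen versions fail, and the patched policy withholds CBC suites on any attempt made after a TLS attempt has failed. The cipher-suite table, version list, and the assumption that the server accepts every version are constructed for the example.

```python
# Added example (not Apple's code): simulates a client's protocol-version
# fallback and the iOS 8.1 mitigation of dropping CBC cipher suites once a
# TLS attempt has failed, so a forced SSL 3.0 session cannot use CBC.
from typing import Dict, List, Set, Tuple

# Constructed cipher-suite table: suite name -> cipher mode.
CIPHER_SUITES: Dict[str, str] = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "CBC",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "CBC",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "CBC",
    "TLS_RSA_WITH_RC4_128_SHA": "STREAM",
}

VERSIONS = ["TLS1.2", "TLS1.1", "TLS1.0", "SSL3.0"]  # tried highest first


def suites_for_attempt(fallback_occurred: bool, patched: bool) -> List[str]:
    """Cipher suites the client offers on one handshake attempt.

    Unpatched behaviour: always offer everything, CBC suites included.
    Patched (iOS 8.1) behaviour: once a TLS attempt has failed and the
    client is retrying at a lower version, CBC suites are withheld.
    """
    if patched and fallback_occurred:
        return [s for s, mode in CIPHER_SUITES.items() if mode != "CBC"]
    return list(CIPHER_SUITES)


def negotiate(blocked_versions: Set[str], patched: bool) -> Tuple[str, List[str]]:
    """Simulate the version-fallback dance on a network where an on-path
    party can make handshakes at certain versions fail.

    The server is assumed (constructed scenario) to accept any listed
    version. Returns (negotiated version, suites offered on that attempt),
    or ("NONE", []) if every attempt failed.
    """
    fallback_occurred = False
    for version in VERSIONS:
        offered = suites_for_attempt(fallback_occurred, patched)
        if version in blocked_versions:
            # Attempt failed: the client retries one version lower.
            fallback_occurred = True
            continue
        return version, offered
    return "NONE", []


def cbc_offered(suites: List[str]) -> bool:
    """True if any offered suite uses a block cipher in CBC mode."""
    return any(CIPHER_SUITES[s] == "CBC" for s in suites)
```

With TLS 1.0 and higher blocked, the unpatched client ends up on SSL 3.0 still offering CBC suites; the patched client reaches SSL 3.0 with only the non-CBC suite left to offer.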

Installation note:

This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/

iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.

The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8.1".

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
