Yesterday, Apple treated its customers to a number of updates across several products, including an update to iOS – bringing it to version 11.1 – that has a number of security fixes for bugs in Siri andMessenger, as well as fixes for arbitrary code execution vulnerabilities in the WebKit web browser engine, and in the kernel.
Anyone with an iPhone 5s, iPad Air or later can apply this update, so if your Wi-Fi-enabled iDevice can update, I encourage you to do so right away.
The big news though, is that also included in this iOS 11.1 update is a fix for the Wi-Fi-related vulnerability known as KRACK, which is available for some – but not all – iOS devices. The CVE that Apple addresses with its fix for KRACK is CVE-2017-13080, one of the several KRACK-related CVEs.
The even bigger news is what Apple didn’t address: an iOS Wi-Fi 0-day (yes, another one) that emerged yesterday from the annual Mobile Pwn2Own hacking competition. Details are scarce but Zero Day Initiative reports that:
Tencent Keen Security Lab gets code execution through a Wi-Fi bug and escalates privileges to persist through a reboot.
Tencent Keen Security Lab earned a cool $110,000 for their trouble while Apple now has just 90 days to fix the problem festering on our iPhones before details are made public.
According to Apple’s official support documentation, the KRACK fix only applies for iPhone 7s, iPad Pro 9.7 (early 2016) and later.
We don’t know why the KRACK patch is only being made available for newer iDevices only – it’s possible a fix for earlier devices is still in the works, or perhaps Apple has determined that these older versions aren’t vulnerable to KRACK at all.
Either way, if you’re a pre-7 iPhone user, keep your eyes peeled for an update from Apple just in case.
Several MacOS security updates came out at the same time as the iOS update, including patches for the KRACK Wi-Fi-related vulnerability, a TLS 1.0 vulnerability, several memory access and arbitrary code execution vulnerabilities, kernel-level vulnerabilities, as well as fixes related to at least 90 (yes, ninety) CVEs for tcpdump issues.
Users of El Capitan (macOS 10.11.6) and Sierra (10.12.6) should install the latest operating system security updates – 2017-004 for El Capitan, 2017-001 for Sierra. High Sierra (10.13) users should update to version 10.13.1 to receive these fixes. (Sorry, Yosemite users: the latest security update for you, 2017-003, was back in July!)
DaB
Oh just peachy! Force users to update to latest iOS to get any security updates, which in the case of iOS 10 to 11 means I lose dozens of useful apps that aren’t updated too. Oh but wait! I can replace those apps I already have with other ones – which have moved to in-app purchases to replace the functionality I currently have. And those apps are bloated so I’ll need a new device w/more memory to hold them all & run them as fast as the apps I already have. And if I don’t like where that lands me, it’s a 1-way street, I can’t reinstall the older iOS or apps or older apps versions I have now. This is a much worse situation than for OSX!!! At least with OS X we can reinstall software backwards & Apple supplies security updates a _few_ versions back. But if I have a perfectly satisfactory Yosemite Mac I’ll have to trash it & buy app updates if I want security. And some of them now turn me into a RMR/RYR serf! To replace the functionality I already had. Sorry about that!
It’s the same old circular merry go round – update OS requires $ software updates which eventually requires $ hardware replacement which brings the latest OS …. ad nauseam, requiring $$ & time with each annual or narrowly focused security update turn.
For what exactly??? We’re using only a small fraction of the software’s or hardware’s capability at any point, yet we’re coerced by insecurity & a few new flashy bobbles we might actually use onto the odious sales generating merry go round…..
Paul Ducklin
Apple has removed dozens of useful apps in iOS 11? I haven’t noticed anything missing, let alone many.
Care to tell us which apps have been discontinued and turned into pay-to-play by Apple?
Anonymous
…so….you’re NOT getting an iPhoneX?
Maria Varmazis
I recently got the iPhone 7 and am still incredibly annoyed about the lack of headphone jack. I think my next phone will have me going back to Android.
Mary
I’m a little annoyed here. I contacted Apple and their customer service and senior level techs assured me that my older iPhone was being patched for the WPA-2 in the latest update. Now you’re reporting this isn’t true? Who to believe? I’d also like to know when Apple will update their Time Capsule and Airport Extreme.
Also, I have updated iOS 11.1 and have not lost any apps.
Paul Ducklin
You don’t say exactly which iPhone model you’ve got, so it’s hard to figure out the facts here – but we went by the specifics listed in Apple’s official Security Advisory, which says that the KRACK fix ‘is for iPhone 7 and later’. From that we inferred that the fix either is not needed or is not yet available for iPhones below 7 – but we haven’t been able to find out which explanation applies. So we’ll stick with our advice to ‘watch this space.’
Unfortunately, Apple’s official policy is not to comment on security holes until after the fix is out – a sort of ‘no news is good news’ attitude. So if there is nothing to say then Apple won’t say it, and if there is it can’t. Catch 22…
Jeff
Paul, thanks for continuing to try to find out just what the explanation is for 6s and older devices (and the other older devices). The whole question of whether older devices are vulnerable to KRACK was ignored by most articles on iOS 11.1, and those that did note it, don’t seem to have done any follow-up attempts.