Sophos News

iPhones get a KRACK patch and a Wi-Fi 0-day on the same day

Yesterday, Apple treated its customers to a number of updates across several products, including an update to iOS – bringing it to version 11.1 – that has a number of security fixes for bugs in Siri and Messages, as well as fixes for arbitrary code execution vulnerabilities in the WebKit web browser engine and in the kernel.

Anyone with an iPhone 5s, iPad Air or later can apply this update, so if your Wi-Fi-enabled iDevice can update, I encourage you to do so right away.

The big news, though, is that this iOS 11.1 update also includes a fix for the Wi-Fi-related vulnerability known as KRACK, and that fix is available for some – but not all – iOS devices. The CVE that Apple addresses with its fix for KRACK is CVE-2017-13080, one of several KRACK-related CVEs; it is the group key handshake variant, in which a replayed handshake message tricks the client into reinstalling the already-in-use group key (GTK).

The even bigger news is what Apple didn’t address: an iOS Wi-Fi 0-day (yes, another one) that emerged yesterday from the annual Mobile Pwn2Own hacking competition. Details are scarce but Zero Day Initiative reports that:

Tencent Keen Security Lab gets code execution through a Wi-Fi bug and escalates privileges to persist through a reboot.

Tencent Keen Security Lab earned a cool $110,000 for their trouble while Apple now has just 90 days to fix the problem festering on our iPhones before details are made public.

According to Apple's official support documentation, the KRACK fix only applies to iPhone 7 and later, and to the iPad Pro 9.7-inch (early 2016) and later.

We don't know why the KRACK patch is only being made available for newer iDevices – it's possible a fix for earlier devices is still in the works, or perhaps Apple has determined that these older devices aren't vulnerable to KRACK at all.

Either way, if you’re a pre-7 iPhone user, keep your eyes peeled for an update from Apple just in case.

Several macOS security updates came out at the same time as the iOS update, including patches for the KRACK Wi-Fi-related vulnerability, a TLS 1.0 vulnerability, several memory access and arbitrary code execution vulnerabilities, kernel-level vulnerabilities, as well as fixes for at least 90 (yes, ninety) CVEs in tcpdump.

Users of El Capitan (macOS 10.11.6) and Sierra (10.12.6) should install the latest operating system security updates – 2017-004 for El Capitan, 2017-001 for Sierra. High Sierra (10.13) users should update to version 10.13.1 to receive these fixes. (Sorry, Yosemite users: the latest security update for you, 2017-003, was back in July!)
