Apple makes further improvements to Touch ID fingerprint recognition

Apr 22, 2014 20:11 GMT

iPhone, iPad and iPod touch owners were greeted today by the arrival of a new software update which improves Touch ID fingerprint recognition and addresses various known bugs, including a number of security holes.

According to Apple’s Support site, iOS 7.1 “contains improvements, bug fixes and security updates,” including improvements to Touch ID fingerprint recognition, and fixes for bugs that could impact keyboard responsiveness.

An issue when using Bluetooth keyboards with VoiceOver enabled is also addressed, and there are several security vulnerabilities that iOS 7.1.1 deals with, including a fix for the CFNetwork HTTPProtocol where “An attacker in a privileged network position can obtain web site credentials,” according to Apple’s documentation.

The bug’s description states that, “Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie. This issue was addressed by ignoring incomplete HTTP header lines.”
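The parsing flaw described in the advisory, as an added Python illustration (not Apple's CFNetwork code): a header parser that processes a final line lacking its CRLF terminator stores the cookie without its `Secure` and `HttpOnly` attributes, while one that ignores incomplete lines drops it. The function names, the `accept_incomplete_line` switch and the sample response are assumptions constructed for this example.

```python
CRLF = b"\r\n"

# Constructed sample: the response the server intended to send.
FULL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    b"\r\n"
)
# Constructed sample: the same stream closed before the security attributes arrive.
TRUNCATED = FULL_RESPONSE[: FULL_RESPONSE.index(b"; Secure")]


def parse_headers(raw: bytes, accept_incomplete_line: bool):
    """Return (name, value) pairs from a raw response head.

    accept_incomplete_line=True models the flawed behaviour (a last line
    with no CRLF terminator is still processed); False models the fix.
    """
    lines = raw.split(CRLF)
    tail = lines.pop()  # bytes after the last CRLF, i.e. an unterminated line
    if accept_incomplete_line and tail:
        lines.append(tail)
    headers = []
    for line in lines[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip().lower().decode(), value.strip().decode()))
    return headers


def cookie_flags(headers):
    """Map each cookie name to the set of lower-cased attribute names it carries."""
    jar = {}
    for name, value in headers:
        if name == "set-cookie":
            pair, *attrs = [p.strip() for p in value.split(";")]
            jar[pair.split("=", 1)[0]] = {a.split("=", 1)[0].lower() for a in attrs if a}
    return jar


if __name__ == "__main__":
    for label, lenient in (("lenient", True), ("strict", False)):
        print(label, cookie_flags(parse_headers(TRUNCATED, lenient)))
```

On the truncated stream the lenient parser yields a `session` cookie carrying only `path`, which is the unprotected cookie the advisory refers to; the strict parser yields no cookie at all.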

Another issue affects IOKit Kernel, and would allow a local user to read kernel pointers, and subsequently bypass kernel address space layout randomization.

“A set of kernel pointers stored in an IOKit object could be retrieved from userland. This issue was addressed through removing the pointers from the object,” reads the advisory.

Another flaw would allow an attacker with a privileged network position to capture data or change the operations performed in sessions protected by SSL, a vulnerability reminiscent of the widely-reported Heartbleed bug.

The Cupertino computer company describes a scenario where “a 'triple handshake' attack [would enable] an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other.”

A WebKit vulnerability where “visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution,” is also patched.

iOS 7.1.1 is available via iTunes or over-the-air (OTA) for iPhone 4 or later, iPad 2 or later, iPad mini or later, and iPod touch (5th generation).

Supported languages include Deutsch, English, Français, Español, Italiano, Nederlands, Dansk, Norsk Bokmål, Polski, Português, Português (Brasil), Русский, Suomi, Svensk, Bahasa Indonesia, British English, Crna Gora, Eesti, Hrvatski, Latviešu, Lietuvių, Magyar, Melayu (Malaysia), Română, Shqip, Slovenčina, Slovenščina (Slovenija), Tiếng Việt, Türkçe, Íslenska, Čeština, Македонија, Українська, and more.

Apple has also released Security Update 2014-002 addressing similar vulnerabilities on the desktop side.