https://support.apple.com/en-us/HT207482
This document describes the security content of iOS 10.2.1.
iOS 10.2.1
Released January 23, 2017
Auto Unlock 自動解鎖問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:當Apple watch離開你的手時仍然會自動解鎖
Impact: Auto Unlock may unlock when Apple Watch is off the user's wrist
Description: A logic issue was addressed through improved state management.
CVE-2017-2352: Ashley Fernandez of raptAware Pty Ltd
Contacts 聯絡人問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:惡意的聯絡人資料卡可能造成程式中止
Impact: Processing a maliciously crafted contact card may lead to unexpected
application termination
Description: An input validation issue existed in the parsing of contact
cards. This issue was addressed through improved input validation.
CVE-2017-2368: Vincent Desmurs (vincedes3)
Kernel 內核
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:程式利用內核的特殊權限任意執行程式碼
Impact: An application may be able to execute arbitrary code with kernel
privileges
Description: A buffer overflow issue was addressed through improved memory
handling.
CVE-2017-2370: Ian Beer of Google Project Zero
Kernel 內核
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:程式利用內核的特殊權限任意執行程式碼
Impact: An application may be able to execute arbitrary code with kernel
privileges
Description: A use after free issue was addressed through improved memory
management.
CVE-2017-2360: Ian Beer of Google Project Zero
libarchive 資料庫封存問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:打開惡意產生的封包可能導致程式碼任意執行
Impact: Unpacking a maliciously crafted archive may lead to arbitrary code
execution
Description: A buffer overflow issue was addressed through improved memory
handling.
CVE-2016-8687: Agostino Sarubbo of Gentoo
WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:處理惡意網站內容可能導致別的來源的資料流出
Impact: Processing maliciously crafted web content may exfiltrate data
cross-origin
Description: A prototype access issue was addressed through improved
exception handling.
CVE-2017-2350: Gareth Heyes of Portswigger Web Security
WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:處理惡意網站內容可能導致執行任何程式碼
Impact: Processing maliciously crafted web content may lead to arbitrary code
execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2017-2354: Neymar of Tencent's Xuanwu Lab (tencent.com) working with
Trend Micro's Zero Day Initiative
CVE-2017-2362: Ivan Fratric of Google Project Zero
CVE-2017-2373: Ivan Fratric of Google Project Zero
WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:處理惡意網站內容可能導致執行任何程式碼
Impact: Processing maliciously crafted web content may lead to arbitrary code
execution
Description: A memory initialization issue was addressed through improved
memory handling.
CVE-2017-2355: Team Pangu and lokihardt at PwnFest 2016
WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:處理惡意網站內容可能導致執行任何程式碼
Impact: Processing maliciously crafted web content may lead to arbitrary code
execution
Description: Multiple memory corruption issues were addressed through
improved input validation.
CVE-2017-2356: Team Pangu and lokihardt at PwnFest 2016
CVE-2017-2369: Ivan Fratric of Google Project Zero
CVE-2017-2366: Kai Kang of Tencent's Xuanwu Lab (tencent.com)
WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:處理惡意網站內容可能導致別的來源的資料流出
Impact: Processing maliciously crafted web content may exfiltrate data
cross-origin
Description: A validation issue existed in the handling of page loading. This
issue was addressed through improved logic.
CVE-2017-2363: lokihardt of Google Project Zero
CVE-2017-2364: lokihardt of Google Project Zero
WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:惡意網站可以打開彈出式視窗
Impact: A malicious website can open popups
Description: An issue existed in the handling of blocking popups. This was
addressed through improved input validation.
CVE-2017-2371: lokihardt of Google Project Zero
WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:處理惡意網站內容可能導致別的來源的資料流出
Impact: Processing maliciously crafted web content may exfiltrate data
cross-origin
Description: A validation issue existed in the handling of variable handling.
This issue was addressed through improved validation.
CVE-2017-2365: lokihardt of Google Project Zero
WiFi 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:有啟動鎖定的裝置可以在操作下短暫的顯示首頁
Impact: An activation-locked device can be manipulated to briefly present the
home screen
Description: An issue existed with handling user input that caused a device
to present the home screen even when activation locked. This was addressed
through improved input validation.
CVE-2017-2351: Sriram (@Sri_Hxor) of Primefort Pvt. Ltd., Hemanth Joseph
--
This document describes the security content of iOS 10.2.1.
iOS 10.2.1
Released January 23, 2017
Auto Unlock 自動解鎖問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:當Apple watch離開你的手時仍然會自動解鎖
Impact: Auto Unlock may unlock when Apple Watch is off the user's wrist
Description: A logic issue was addressed through improved state management.
CVE-2017-2352: Ashley Fernandez of raptAware Pty Ltd
Contacts 聯絡人問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:惡意的聯絡人資料卡可能造成程式中止
Impact: Processing a maliciously crafted contact card may lead to unexpected
application termination
Description: An input validation issue existed in the parsing of contact
cards. This issue was addressed through improved input validation.
CVE-2017-2368: Vincent Desmurs (vincedes3)
Kernel 內核
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:程式利用內核的特殊權限任意執行程式碼
Impact: An application may be able to execute arbitrary code with kernel
privileges
Description: A buffer overflow issue was addressed through improved memory
handling.
CVE-2017-2370: Ian Beer of Google Project Zero
Kernel 內核
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:程式利用內核的特殊權限任意執行程式碼
Impact: An application may be able to execute arbitrary code with kernel
privileges
Description: A use after free issue was addressed through improved memory
management.
CVE-2017-2360: Ian Beer of Google Project Zero
libarchive 資料庫封存問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:打開惡意產生的封包可能導致程式碼任意執行
Impact: Unpacking a maliciously crafted archive may lead to arbitrary code
execution
Description: A buffer overflow issue was addressed through improved memory
handling.
CVE-2016-8687: Agostino Sarubbo of Gentoo
WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:處理惡意網站內容可能導致別的來源的資料流出
Impact: Processing maliciously crafted web content may exfiltrate data
cross-origin
Description: A prototype access issue was addressed through improved
exception handling.
CVE-2017-2350: Gareth Heyes of Portswigger Web Security
WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:處理惡意網站內容可能導致執行任何程式碼
Impact: Processing maliciously crafted web content may lead to arbitrary code
execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2017-2354: Neymar of Tencent's Xuanwu Lab (tencent.com) working with
Trend Micro's Zero Day Initiative
CVE-2017-2362: Ivan Fratric of Google Project Zero
CVE-2017-2373: Ivan Fratric of Google Project Zero
WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:處理惡意網站內容可能導致執行任何程式碼
Impact: Processing maliciously crafted web content may lead to arbitrary code
execution
Description: A memory initialization issue was addressed through improved
memory handling.
CVE-2017-2355: Team Pangu and lokihardt at PwnFest 2016
WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:處理惡意網站內容可能導致執行任何程式碼
Impact: Processing maliciously crafted web content may lead to arbitrary code
execution
Description: Multiple memory corruption issues were addressed through
improved input validation.
CVE-2017-2356: Team Pangu and lokihardt at PwnFest 2016
CVE-2017-2369: Ivan Fratric of Google Project Zero
CVE-2017-2366: Kai Kang of Tencent's Xuanwu Lab (tencent.com)
WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:處理惡意網站內容可能導致別的來源的資料流出
Impact: Processing maliciously crafted web content may exfiltrate data
cross-origin
Description: A validation issue existed in the handling of page loading. This
issue was addressed through improved logic.
CVE-2017-2363: lokihardt of Google Project Zero
CVE-2017-2364: lokihardt of Google Project Zero
WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:惡意網站可以打開彈出式視窗
Impact: A malicious website can open popups
Description: An issue existed in the handling of blocking popups. This was
addressed through improved input validation.
CVE-2017-2371: lokihardt of Google Project Zero
WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:處理惡意網站內容可能導致別的來源的資料流出
Impact: Processing maliciously crafted web content may exfiltrate data
cross-origin
Description: A validation issue existed in the handling of variable handling.
This issue was addressed through improved validation.
CVE-2017-2365: lokihardt of Google Project Zero
WiFi 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響:有啟動鎖定的裝置可以在操作下短暫的顯示首頁
Impact: An activation-locked device can be manipulated to briefly present the
home screen
Description: An issue existed with handling user input that caused a device
to present the home screen even when activation locked. This was addressed
through improved input validation.
CVE-2017-2351: Sriram (@Sri_Hxor) of Primefort Pvt. Ltd., Hemanth Joseph
--
All Comments