iOS 10.2.1 - Fixes and Security Updates

[SoN1NjA]

iOS 10.2.1
Release Date: Monday, January 23, 2017
Build Version: 14D27
Darwin Kernel Version:

Please report bugs to Bug Reporter on the web (a developer account is not required to do this).

Bug Fixes
Auto Unlock

• A logic issue was addressed through improved state management.

Contacts

• An input validation issue existed in the parsing of contact cards. This issue was addressed through improved input validation.

Kernel

• A buffer overflow issue was addressed through improved memory handling.
• A use after free issue was addressed through improved memory management.

libarchive

• A buffer overflow issue was addressed through improved memory handling.

WebKit

• A prototype access issue was addressed through improved exception handling.
• Multiple memory corruption issues were addressed through improved memory handling.
• A memory initialization issue was addressed through improved memory handling.
• Multiple memory corruption issues were addressed through improved input validation.
• A validation issue existed in the handling of page loading. This issue was addressed through improved logic.
• An issue existed in the handling of blocking popups. This was addressed through improved input validation.
• A validation issue existed in the handling of variable handling. This issue was addressed through improved validation.

WiFi

• An issue existed with handling user input that caused a device to present the home screen even when activation locked. This was addressed through improved input validation.

Release Notes
(not yet attached)

 

[JetBlack7]

Curious to see how this release handles, especially regarding battery life.

 

[d5aqoëp]

Its the same as beta 4 of 10.2.1. No update found on my iPhone 7 Plus.

 

[Mlrollin91]

Beta 2 had the best battery life for me. This build is "okay". Beta 3 was pretty bad.

 

[Donga120]

Its the same as beta 4 of 10.2.1. No update found on my iPhone 7 Plus.

Bollocks

 

[SoN1NjA]

Beta 2 had the best battery life for me. This build is "okay". Beta 3 was pretty bad.

I can't tell between any of them
battery life is so inconsistent I have no idea

Although some days I get through school dead, and others I have 40%, and sometimes 60%

 

[Mlrollin91]

I can't tell between any of them
battery life is so inconsistent I have no idea

Although some days I get through school dead, and others I have 40%, and sometimes 60%

My usage is pretty much identical day after day. So I just keep little notes of what I end the day with and my usage/standby time when testing new builds so I can compare.

 

[Yun0]

Curious to see how this release handles, especially regarding battery life.

oh like every. single. release. since forever..?

every single beta/final: "great great battery", "horrible battery last beta better".


considering ive changed nothing on my device, my battery has been stable & normal since...a long time. how people claim the ios version at the time is at fault (especially those claiming every other beta is great/bad), beats me...

what happens when ur popular i guess..

 

[SSAJ]

Does it fix the internet slowing down bug?

 

[RobT]

Just tested the new Apple TV app on 10.2.1 on the iPad for playing synced movies and it now appears to be working! It used to be if you synced a local copy of a movie/video to the iPad and tried to play it in the TV app it didn't play like it used to in the Videos app. Seems to be OK now.

 

[LordQ]

Is it the placebo or is everything quite smooth and fast? Specially opening apps and the Switcher

 

[GeorgeVes]

I can't believe the animation for exiting apps is still stuttering :X Has been this way since iOS 10.0 !

 

[miragebg]

Is the battery problems of 6S already fixed with this release??

 

[Xenomorph]

So my iPad Air 2 got stuck in the wrong orientation and my iPhone 6S resprings when I touch the search bar after pulling down notifications and sliding over to widgets. Obviously these issues were not fixed in 10.2.1.

 

[victorak]

FYI:

APPLE-SA-2017-01-23-1 iOS 10.2.1

iOS 10.2.1 is now available and addresses the following:

Auto Unlock
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Auto Unlock may unlock when Apple Watch is off the user's
wrist
Description: A logic issue was addressed through improved state
management.
CVE-2017-2352: Ashley Fernandez of raptAware Pty Ltd

Contacts
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing a maliciously crafted contact card may lead to
unexpected application termination
Description: An input validation issue existed in the parsing of
contact cards. This issue was addressed through improved input
validation.
CVE-2017-2368: Vincent Desmurs (vincedes3)

Kernel
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A buffer overflow issue was addressed through improved
memory handling.
CVE-2017-2370: Ian Beer of Google Project Zero

Kernel
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed through improved
memory management.
CVE-2017-2360: Ian Beer of Google Project Zero

libarchive
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Unpacking a maliciously crafted archive may lead to arbitrary
code execution
Description: A buffer overflow issue was addressed through improved
memory handling.
CVE-2016-8687: Agostino Sarubbo of Gentoo

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may exfiltrate
data cross-origin
Description: A prototype access issue was addressed through improved
exception handling.
CVE-2017-2350: Gareth Heyes of Portswigger Web Security

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2017-2354: Neymar of Tencent's Xuanwu Lab (tencent.com) working
with Trend Micro's Zero Day Initiative
CVE-2017-2362: Ivan Fratric of Google Project Zero
CVE-2017-2373: Ivan Fratric of Google Project Zero

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory initialization issue was addressed through
improved memory handling.
CVE-2017-2355: Team Pangu and lokihardt at PwnFest 2016

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved input validation.
CVE-2017-2356: Team Pangu and lokihardt at PwnFest 2016
CVE-2017-2366: Kai Kang of Tencent's Xuanwu Lab (tencent.com)
CVE-2017-2369: Ivan Fratric of Google Project Zero

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may exfiltrate
data cross-origin
Description: Multiple validation issues existed in the handling of
page loading. This issue was addressed through improved logic.
CVE-2017-2363: lokihardt of Google Project Zero
CVE-2017-2364: lokihardt of Google Project Zero

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A malicious website can open popups
Description: An issue existed in the handling of blocking popups.
This was addressed through improved input validation.
CVE-2017-2371: lokihardt of Google Project Zero

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may exfiltrate
data cross-origin
Description: A validation issue existed in variable handling. This
issue was addressed through improved validation.
CVE-2017-2365: lokihardt of Google Project Zero

WiFi
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An activation-locked device can be manipulated to briefly
present the home screen
Description: An issue existed with handling user input that caused a
device to present the home screen even when activation locked. This
was addressed through improved input validation.
CVE-2017-2351: Sriram (@Sri_Hxor) of Primefort Pvt. Ltd., Hemanth
Joseph

Additional recognition

WebKit hardening
We would like to acknowledge Ben Gras, Kaveh Razavi, Erik Bosman,
Herbert Bos, and Cristiano Giuffrida of the vusec group at
Vrije Universiteit Amsterdam for their assistance.

Installation note:

This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/

iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.

The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "10.2.1".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

 

[GrievingFob606]

FYI:

Spoiler: Security

APPLE-SA-2017-01-23-1 iOS 10.2.1

iOS 10.2.1 is now available and addresses the following:

Auto Unlock
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Auto Unlock may unlock when Apple Watch is off the user's
wrist
Description: A logic issue was addressed through improved state
management.
CVE-2017-2352: Ashley Fernandez of raptAware Pty Ltd

Contacts
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing a maliciously crafted contact card may lead to
unexpected application termination
Description: An input validation issue existed in the parsing of
contact cards. This issue was addressed through improved input
validation.
CVE-2017-2368: Vincent Desmurs (vincedes3)

Kernel
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A buffer overflow issue was addressed through improved
memory handling.
CVE-2017-2370: Ian Beer of Google Project Zero

Kernel
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed through improved
memory management.
CVE-2017-2360: Ian Beer of Google Project Zero

libarchive
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Unpacking a maliciously crafted archive may lead to arbitrary
code execution
Description: A buffer overflow issue was addressed through improved
memory handling.
CVE-2016-8687: Agostino Sarubbo of Gentoo

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may exfiltrate
data cross-origin
Description: A prototype access issue was addressed through improved
exception handling.
CVE-2017-2350: Gareth Heyes of Portswigger Web Security

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2017-2354: Neymar of Tencent's Xuanwu Lab (tencent.com) working
with Trend Micro's Zero Day Initiative
CVE-2017-2362: Ivan Fratric of Google Project Zero
CVE-2017-2373: Ivan Fratric of Google Project Zero

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory initialization issue was addressed through
improved memory handling.
CVE-2017-2355: Team Pangu and lokihardt at PwnFest 2016

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved input validation.
CVE-2017-2356: Team Pangu and lokihardt at PwnFest 2016
CVE-2017-2366: Kai Kang of Tencent's Xuanwu Lab (tencent.com)
CVE-2017-2369: Ivan Fratric of Google Project Zero

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may exfiltrate
data cross-origin
Description: Multiple validation issues existed in the handling of
page loading. This issue was addressed through improved logic.
CVE-2017-2363: lokihardt of Google Project Zero
CVE-2017-2364: lokihardt of Google Project Zero

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A malicious website can open popups
Description: An issue existed in the handling of blocking popups.
This was addressed through improved input validation.
CVE-2017-2371: lokihardt of Google Project Zero

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may exfiltrate
data cross-origin
Description: A validation issue existed in variable handling. This
issue was addressed through improved validation.
CVE-2017-2365: lokihardt of Google Project Zero

WiFi
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An activation-locked device can be manipulated to briefly
present the home screen
Description: An issue existed with handling user input that caused a
device to present the home screen even when activation locked. This
was addressed through improved input validation.
CVE-2017-2351: Sriram (@Sri_Hxor) of Primefort Pvt. Ltd., Hemanth
Joseph

Additional recognition

WebKit hardening
We would like to acknowledge Ben Gras, Kaveh Razavi, Erik Bosman,
Herbert Bos, and Cristiano Giuffrida of the vusec group at
Vrije Universiteit Amsterdam for their assistance.

Installation note:

This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/

iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.

The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "10.2.1".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

Okay? We all read the same thing on the Apple website.

 

[victorak]

Okay? We all read the same thing on the Apple website.

WE do indeed...

 

[GrievingFob606]

WE do indeed...

Yes, we the people. You think we didn't read that? Lmao.

 

[Danilo - Italy]

So my iPad Air 2 got stuck in the wrong orientation and my iPhone 6S resprings when I touch the search bar after pulling down notifications and sliding over to widgets. Obviously these issues were not fixed in 10.2.1.

This is a real shame.

 

[deano1972]

Beta 2 had the best battery life for me. This build is "okay". Beta 3 was pretty bad.

Agree about beta 2

 

[I7guy]

So my iPad Air 2 got stuck in the wrong orientation and my iPhone 6S resprings when I touch the search bar after pulling down notifications and sliding over to widgets. Obviously these issues were not fixed in 10.2.1.

Interesting, I tried to replicate on my 6s and don't experience any resprings...fwiw.

 

[Shirasaki]

Then the last beta must be the same build as this "official" build. Too bad that I have no idea how to improve my battery life.

 

[VSG]

The News-widget for the control center is gone now in Germany. Pity.

Edit: The widget seems to be missing on some iPhones. iPads are not affected. Strange.

 

[gk712]

The News-widget for the control center is gone now in Germany. Pity.

Edit: The widget seems to be missing on some iPhones. iPads are not affected. Strange.

same here... NEWS-widget gone on my iPhone 7+ and iOS 10.2.1 14D27 , why? was it the same with beta3 / 4?

EDIT:
changed REGION settings to US and back to GERMANY and the NEWS-widget reappeared!

 

[VSG]

EDIT:
changed REGION settings to US and back to GERMANY and the NEWS-widget reappeared!

Thanks, that worked!