iOS 7.1.1 Update Available for Download Brings Touch ID Improvements, Bug Fixes

Apple today released iOS 7.1.1 (build 11D201) for all compatible iPhone,iPad and iPod touch devices. Compared to the major update iOS 7.1, which we saw about a month and a half ago, iOS 7.1.1 is basically a minor update. The latest iOS software update focuses mainly on fixing bugs, Touch ID improvements and patching a number of security vulnerabilities. The last major update iOS 7.1 which Apple released for iOS 7.0 included a number of visual tweaks along with Siri improvements, Touch ID enhancement and added CarPlay support.

iOS 7.1.1 Official Security Content

iOS 7.1.1 offers improvements to Apple’s Touch ID, fixes a bug that impacts keyboard responsiveness, and fixes a bug involving Bluetooth keyboards with VoiceOver enabled. The update also includes Safari support for new top-level domains like .photo and .camera.

The update deals with several security vulnerabilities, including a fix for CFNetwork HTTPProtocol (CVE-2014-1296) where an attacker in a privileged network position can get website credentials. The description of the vulnerability states that, “Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then get the value of the unprotected cookie. This issue was addressed by ignoring incomplete HTTP header lines.”

Next, IOKit Kernel (CVE-2014-1320) vulnerability is fixed which allows a local user to read kernel pointers, and then bypass kernel address space layout randomization. According to Apple is, “a set of kernel pointers stored in an IOKit object could be retrieved from userland. This issue was addressed through removing the pointers from the object.”

A security flaw in Secure Transport (CVE-2014-1295) allows an attacker with a privileged network position to capture data or change the operations performed in sessions protected by SSL, a security vulnerability reminiscent of the widely reported Heartbleed bug. According to Apple, “in a ‘triple handshake’ attack, it was possible for an attacker to set up two connections which had the same encryption keys and handshake, insert the attacker’s data in one connection, and renegotiate so that the connections may be forwarded to each other. To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection.”

Apple also fixed a WebKit vulnerability (CVE-2013-2871, CVE-2014-1298, CVE-2014-1299, CVE-2014-1300, CVE-2014-1302, CVE-2014-1303, CVE-2014-1304, CVE-2014-1305, CVE-2014-1307, CVE-2014-1308, CVE-2014-1309, CVE-2014-1310, CVE-2014-1311, CVE-2014-1312, CVE-2014-1313, CVE-2014-1713) where “visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.”

Download and Install iOS 7.1.1 Update

iOS 7.1.1 update is available for download via iTunes or over-the-air (OTA) for iPhone 4 or later, iPad 2 or later, iPad mini or later, iPod touch (5th generation).

More on security for Apple products

In addition to the update for iOS, Apple has also released Security Update 2014-002 for OS X Lion v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2. Apple also released Apple TV 6.1.1 update for Apple TV 2nd generation and later. An update, AirPort Base Station Firmware Update 7.7.3, for AirPort Extreme and AirPort Time Capsule base stations with 802.11ac is also released by Apple.