Created
October 20, 2014 17:40
-
-
Save FredericJacobs/ee986357dab37fa868e8 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| iOS 8.1 is now available and addresses the following: | |
| Bluetooth | |
| Available for: iPhone 4s and later, | |
| iPod touch (5th generation) and later, iPad 2 and later | |
| Impact: A malicious Bluetooth input device may bypass pairing | |
| Description: Unencrypted connections were permitted from Human | |
| Interface Device-class Bluetooth Low Energy accessories. If an iOS | |
| device had paired with such an accessory, an attacker could spoof the | |
| legitimate accessory to establish a connection. The issue was | |
| addressed by denying unencrypted HID connections. | |
| CVE-ID | |
| CVE-2014-4428 : Mike Ryan of iSEC Partners | |
| House Arrest | |
| Available for: iPhone 4s and later, | |
| iPod touch (5th generation) and later, iPad 2 and later | |
| Impact: Files transferred to the device may be written with | |
| insufficient cryptographic protection | |
| Description: Files could be transferred to an app's Documents | |
| directory and encrypted with a key protected only by the hardware | |
| UID. This issue was addressed by encrypting the transferred files | |
| with a key protected by the hardware UID and the user's passcode. | |
| CVE-ID | |
| CVE-2014-4448 : Jonathan Zdziarski and Kevin DeLong | |
| iCloud Data Access | |
| Available for: iPhone 4s and later, | |
| iPod touch (5th generation) and later, iPad 2 and later | |
| Impact: An attacker in a privileged network position may force | |
| iCloud data access clients to leak sensitive information | |
| Description: A TLS certificate validation vulnerability existed in | |
| iCloud data access clients. This issue was addressed by improved | |
| certificate validation. | |
| CVE-ID | |
| CVE-2014-4449 : Carl Mehner of USAA | |
| Keyboards | |
| Available for: iPhone 4s and later, | |
| iPod touch (5th generation) and later, iPad 2 and later | |
| Impact: QuickType could learn users' credentials | |
| Description: QuickType could learn users' credentials when switching | |
| between elements. This issue was addressed by QuickType not learning | |
| from fields where autocomplete is disabled and reapplying the | |
| criteria when switching between DOM input elements in legacy WebKit. | |
| CVE-ID | |
| CVE-2014-4450 | |
| Secure Transport | |
| Available for: iPhone 4s and later, | |
| iPod touch (5th generation) and later, iPad 2 and later | |
| Impact: An attacker may be able to decrypt data protected by SSL | |
| Description: There are known attacks on the confidentiality of SSL | |
| 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker | |
| could force the use of SSL 3.0, even when the server would support a | |
| better TLS version, by blocking TLS 1.0 and higher connection | |
| attempts. This issue was addressed by disabling CBC cipher suites | |
| when TLS connection attempts fail. | |
| CVE-ID | |
| CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of | |
| Google Security Team | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment