Apple iOS 7.1.2 Released: Update Patches Mail Encryption Bug And Activation Lock Flaw

Update Tuesday, 8:24 a.m.: Jailbreak developer, Steven De Franco (@iH8sn0w), confirmed with the International Business Times that iOS 7.1.2 closes the Activation Lock vulnerability used by Doluci.

"[Doulci] relied on both a server side factor (certifyMe service from Apple) and a client side (lockdownd) one (CVE-2014-1360)," De Franco said. "Apple fixed the server side bug (certifyMe service) weeks ago and also added a flood protection to ensure a limited number of activation requests can be done within for example: 10 seconds."

But there is a caveat to the patch according to De Franco. Should another server side security flaw occur on Apple's end, non-updated devices would still be vulnerable to the Activation Lock flaw.

"With the addition of the lockdownd bug fix, its only ensuring that if another attack were done on certifyMe, devices updated would not be affected," De Franco added.

Original story below:

The previously rumored rollout of Apple Inc. (NASDAQ:AAPL) iOS 7.1.2 software update was finally confirmed with its official release on Monday.

The iOS 7.1.2 software update comes with several bug fixes and security updates for iPhone, iPad and iPod Touch devices running Apple’s flagship mobile operating system.

Apple iOS users looking to install the update can do so by connecting their device to their computer and updating through iTunes or using the Over-The-Air, or OTA, software update method located in the Settings > General > Software Update menu.

According to notes provided by the update, iOS 7.1.2 patches a bug that caused certain data transfer issues with third-party accessories and fixes a Mail bug where e-mail attachments wouldn’t be properly encrypted.

At first glance this update looks relatively minor as far as iOS updates go. But the security vulnerability log for iOS 7.1.2 shows that the software update also patches an additional bug that would allow an attacker to “potentially bypass Activation Lock.”

Lockdown

Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: An attacker possessing an iOS device could potentially bypass Activation Lock

Description: Devices were performing incomplete checks during device activation, which made it possible for malicious individuals to partially bypass Activation Lock. This issue was addressed through additional client-side verification of data received from activation servers.

CVE-ID

CVE-2014-1360

At this time, it’s currently unknown if this fix patches the vulnerability used by the Doulci team’s Activation Lock bypass tool, which was unveiled in May.

The iOS 7.1.2 update also addresses another bug that would allow an attacker to gain access to a phone’s full list of contacts through Siri, if they possessed physical access to the phone. Apple addressed this issue by adding a passcode check in order to open a full contact list through the Siri voice assistant.

Siri

Available for: iPhone 4S and later, iPod touch (5th generation) and later, iPad (3rd generation) and later

Impact: A person with physical access to the phone may be able to view all contacts

Description: If a Siri request might refer to one of several contacts, Siri displays a list of possible choices and the option 'More...' for a complete contact list. When used at the lock screen, Siri did not require the passcode before viewing the complete contact list. This issue was addressed by requiring the passcode.

CVE-ID

CVE-2014-1351 : Sherif Hashim

Apple iOS 7.1.2 is compatible with the iPhone 5S, 5C, 4S, 4, iPad Air, iPad Mini, iPad, iPad 2 and iPod Touch.