Apple Releases Huge iOS 11.3 Update for iPhone and iPad
Apple released a major update for iPhone and iPad today. iOS 11.3 adds new features and improvements for AR, Battery Life and of course, a variety of security fixes.
A couple months ago, Apple gave a sneak peak of what’s coming in this Spring’s major iOS 11.3 update. But what users weren’t expecting was the unprecedented size of the update, which we will get into in a little bit. Version 11.3 touches on a vast quantity of the mobile OS, from the clock to the low leve elements such as the filesystem, kernel, iCloud, plugins, and security. This is definitely looking like an update where you might want to make a quick backup before you launch software update. Before you start the update chore, let’s take a quick look at what’s included.
What’s New in the iOS 11.3 Update and Should You Upgrade?
While version 11.2.6 fixed minor bugs related to crashes that could be triggered when viewing text in Indian characters, 11.3 introduces a laundry list of fixes, features, and improvements. A critical addition is a battery health feature, which lets users get a better understanding of how well their iOS device is performing.
This was partly attributed to the backlash Apple received when it was discovered the company was slowing down older devices to compensate for battery life when new versions of iOS were released. Many users didn’t take too kindly to this unknown change and took the Cupertino behemoth to task for keeping it a secret. The company is being more transparent with iOS 11.3 by adding this feature, which provides more information about maximum capacity and peak performance. Note, though, that the feature is still in beta, and it’s not yet available for iPad.
Apple is betting big on augmented reality, a new technology that immerses virtual content into the real world. iOS 11.3 introduces ARKit 1.5, which will let developers create more immersive content in their apps. The technology itself better understands environments, surfaces, and objects.
More down to earth features include new animoji exclusive to the iPhone X. Four new characters include a lion, brown bear, green dragon, and skull. I played with animoji a bit, and they are fun for the first couple minutes, but it’s not as much a must-have as it might seem in the ads and on social media. It’s a good implementation of AR and Apple is building on it, even if it costs $1000 dollars to use it.
Business Chat, a new messaging feature the company previewed but never released is now available in 11.3. Users will be able to seek customer support from popular businesses such as Hilton, Wells Fargo, and Lowes. There are also further improvements to the Health app so users can easily access their health records through a supported provider. The promised iCloud Messages never made it into the final release even though it was available in the betas. It seems Apple is sticking to its internal promise to only release features when they are solid (except for the iPhone Battery Health feature…).
There many more improvements to the system, which includes the App Store; users can now sort their reviews and there is better access to app details.
The iOS 11.3 update comes in at 712 MBs on the iPhone (630 MBs on my iPad) and is available for devices such as the iPhone 5s and later, iPad Air and later, and iPod Touch 6th generation. Users can download the update by connecting to a wireless network, launching Settings > General > Software Update then tapping Download and install.
Here is a list of additional bug fixes and security updates in iOS 11.3:
Clock
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: A person with physical access to an iOS device may be able to see the email address used for iTunes
Description: An information disclosure issue existed in the handling of alarms and timers. This issue was addressed through improved access restrictions.
CVE-2018-4123: Zaheen Hafzar M M (@zaheenhafzer)
CoreFoundation
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2018-4155: Samuel GroĂź (@5aelo)
CVE-2018-4158: Samuel GroĂź (@5aelo)
CoreText
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Processing a maliciously crafted string may lead to a denial of service
Description: A denial of service issue was addressed through improved memory handling.
CVE-2018-4142: Robin Leroy of Google Switzerland GmbH
File System Events
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2018-4167: Samuel GroĂź (@5aelo)
Files Widget
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: File Widget may display contents on a locked device
Description: The File Widget was displaying cached data when in the locked state. This issue was addressed with improved state management.
CVE-2018-4168: Brandon Moore
Find My iPhone
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: A person with physical access to the device may be able to disable Find My iPhone without entering an iCloud password
Description: A state management issue existed when restoring from a back up. This issue was addressed through improved state checking during restore.
CVE-2018-4172: Viljami Vastamäki
iCloud Drive
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2018-4151: Samuel GroĂź (@5aelo)
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4150: an anonymous researcher
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2018-4104: The UK’s National Cyber Security Centre (NCSC)
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4143: derrek (@derrekr6)
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An attacker in a privileged network position may be able to intercept the contents of S/MIME-encrypted e-mail
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2018-4174: an anonymous researcher, an anonymous researcher
NSURLSession
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2018-4166: Samuel GroĂź (@5aelo)
PluginKit
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2018-4156: Samuel GroĂź (@5aelo)
Quick Look
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2018-4157: Samuel GroĂź (@5aelo)
Safari
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Visiting a malicious website by clicking a link may lead to user interface spoofing
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2018-4134: xisigr of Tencent’s Xuanwu Lab (tencent.com), Zhiyang Zeng (@Wester) of Tencent Security Platform Department
Safari Login AutoFill
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: A malicious website may be able to exfiltrate autofilled data in Safari without explicit user interaction.
Description: Safari autofill did not require explicit user interaction before taking place. The issue was addressed through improved autofill heuristics.
CVE-2018-4137
SafariViewController
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Visiting a malicious website may lead to user interface spoofing
Description: A state management issue was addressed by disabling text input until the destination page loads.
CVE-2018-4149: Abhinash Jain (@abhinashjain)
Security
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved size validation.
CVE-2018-4144: Abraham Masri (@cheesecakeufo)
Storage
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2018-4154: Samuel GroĂź (@5aelo)
System Preferences
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: A configuration profile may incorrectly remain in effect after removal
Description: An issue existed in CFPreferences. This issue was addressed through improved preferences cleanup.
CVE-2018-4115: Johann Thalakada, Vladimir Zubkov, and Matt Vlasach of Wandera
Telephony
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: A remote attacker can cause a device to unexpectedly restart
Description: A null pointer dereference issue existed when handling Class 0 SMS messages. This issue was addressed through improved message validation.
CVE-2018-4140: @mjonsson, Arjan van der Oest of Voiceworks BV
Web App
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Cookies may unexpectedly persist in web app
Description: A cookie management issue was addressed through improved state management.
CVE-2018-4110: Ben Compton and Jason Colley of Cerner Corporation
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4101: Yuan Deng of Ant-financial Light-Year Security Lab
CVE-2018-4114: found by OSS-Fuzz
CVE-2018-4118: Jun Kokatsu (@shhnjk)
CVE-2018-4119: an anonymous researcher working with Trend Micro’s Zero Day Initiative
CVE-2018-4120: Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team
CVE-2018-4121: Natalie Silvanovich of Google Project Zero
CVE-2018-4122: WanderingGlitch of Trend Micro’s Zero Day Initiative
CVE-2018-4125: WanderingGlitch of Trend Micro’s Zero Day Initiative
CVE-2018-4127: an anonymous researcher working with Trend Micro’s Zero Day Initiative
CVE-2018-4128: Zach Markley
CVE-2018-4129: likemeng of Baidu Security Lab working with Trend Micro’s Zero Day Initiative
CVE-2018-4130: Omair working with Trend Micro’s Zero Day Initiative
CVE-2018-4161: WanderingGlitch of Trend Micro’s Zero Day Initiative
CVE-2018-4162: WanderingGlitch of Trend Micro’s Zero Day Initiative
CVE-2018-4163: WanderingGlitch of Trend Micro’s Zero Day Initiative
CVE-2018-4165: Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Unexpected interaction with indexing types causing an ASSERT failure
Description: An array indexing issue existed in the handling of a function in javascript core. This issue was addressed through improved checks
CVE-2018-4113: found by OSS-Fuzz
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to a denial of service
Description: A memory corruption issue was addressed through improved input validation
CVE-2018-4146: found by OSS-Fuzz
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: A malicious website may exfiltrate data cross-origin
Description: A cross-origin issue existed with the fetch API. This was addressed through improved input validation.
CVE-2018-4117: an anonymous researcher, an anonymous researcher
WindowServer
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled
Description: By scanning key states, an unprivileged application could log keystrokes entered into other applications even when secure input mode was enabled. This issue was addressed by improved state management.
CVE-2018-4131: Andreas Hegenberg of folivora.AI GmbH
Should you update to the new release? I took the plunge this evening just for you and updated several devices. So far, so good. My iPad Pro breezed through it quite quickly, completing in around 10 minutes, but my iPhone 6s is beginning to show its age a bit. The 2015 iPhone took around 20 minutes complete and there were a couple restarts along with some initial grogginess that subsided shortly after. That said, for such a large update, I was risking it by not backing up. I would recommend you backup before updating right away.
I am using a new iPad Pro with a A10x Fusion processor, so updates like this are nothing for it to handle. Let us know how it works out for you, especially on the older iPads and iPhones.