iOS 11.2.5 release notes & security fixes

On Tuesday, January 23, 2017, Apple released iOS 11.2.5 for iPhone, iPad and iPod touch.

The software update is compatible with any modern iPhone and iPad model, from iPhone 5s onward and iPad Air and later, as well as the sixth-generation iPod touch.

HomePod & Siri News support

The free software update includes support for the company’s HomePod wireless speaker and Siri News, a new feature which permits users in the US, UK and Australia to ask Siri to play audible news, sports, business or music updates when interacting with the personal assistant hands-free (via the “Hey Siri” hot word or through CarPlay or wireless headphones).

As promised, iOS 11.2.5 also contains a number of security fixes, including one that patches an annoying bug which allowed nefarious users to send a maliciously crafted SMS, MMS or iMessage that could cause the Messages app to break or your device to freeze.

Upgrading to iOS 11.2.5

You can download iOS 11.2.5 directly from iDownloadBlog’s Download section.

To update your device to the latest available version of iOS over the air, go to Settings → General → Software Update and follow the onscreen instructions.

You can also apply the update using your computer: connect your device to a Mac or Windows PC, select it in iTunes, then select the Summary tab and click the Check for Update button.

Here’s what’s included in the update.

iOS 11.2.5 release notes

iOS 11.2.5 includes support for HomePod and introduces the ability for Siri to read the news (US, UK and Australia only). This update also includes bug fixes and improvements.

HomePod support

  • Set up and automatically transfer your Apple ID, Apple Music, Siri and Wi-Fi settings to HomePod.

Siri News

  • Siri can now read the news—just ask, “Hey Siri, play the news”. You can also ask for specific news categories including Sports, Business or Music.

Other improvements and fixes

  • Addresses an issue that could cause the Phone app to display incomplete information in the call list
  • Fixes an issue that caused Mail notifications from some Exchange accounts to disappear from the Lock screen when unlocking iPhone X with Face ID
  • Addresses an issue that could cause Messages conversations to temporarily be listed out of order
  • Fixes an issue in CarPlay where Now Playing controls become unresponsive after multiple track changes
  • Adds ability for VoiceOver to announce playback destinations and AirPod battery level

iOS 11.2.5 security fixes

iOS 11.2.5 also fixes the following vulnerabilities:

Audio

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
  • Description: A memory corruption issue was addressed through improved input validation.
  • CVE-2018-4094: Mingi Cho, MinSik Shin, Seoyoung Kim, Yeongho Lee and Taekyoung Kwon of the Information Security Lab, Yonsei University

Core Bluetooth

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2018-4087: Rani Idan (@raniXCH) of Zimperium zLabs Team
  • CVE-2018-4095: Rani Idan (@raniXCH) of Zimperium zLabs Team

Kernel

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: An application may be able to read restricted memory
  • Description: A memory initialization issue was addressed through improved memory handling.
  • CVE-2018-4090: Jann Horn of Google Project Zero

Kernel

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: An application may be able to read restricted memory
  • Description: A race condition was addressed through improved locking.
  • CVE-2018-4092: an anonymous researcher

Kernel

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: A malicious application may be able to execute arbitrary code with kernel privileges
  • Description: A memory corruption issue was addressed through improved input validation.
  • CVE-2018-4082: Russ Cox of Google

Kernel

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: An application may be able to read restricted memory
  • Description: A validation issue was addressed with improved input sanitization.
  • CVE-2018-4093: Jann Horn of Google Project Zero

LinkPresentation

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: Processing a maliciously crafted text message may lead to application denial of service
  • Description: A resource exhaustion issue was addressed through improved input validation.
  • CVE-2018-4100: Abraham Masri (@cheesecakeufo)

QuartzCore

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A memory corruption issue existed in the processing of web content. This issue was addressed through improved input validation.
  • CVE-2018-4085: Ret2 Systems Inc. working with Trend Micro’s Zero Day Initiative

Security

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: A certificate may have name constraints applied incorrectly
  • Description: A certificate evaluation issue existed in the handling of name constraints. This issue was addressed through improved trust evaluation of certificates.
  • CVE-2018-4086: Ian Haken of Netflix

WebKit

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2018-4088: Jeonghoon Shin of Theori
  • CVE-2018-4089: Ivan Fratric of Google Project Zero
  • CVE-2018-4096: found by OSS-Fuzz

For information on the security content of iOS 11.2.5, see Apple’s support document.