Apple released iOS 11.3.1 on Tuesday. Apple’s patch notes specify two things: security and an issue affecting iPhone 8 devices with unauthorized third-party screen replacements.
Separately, Apple released macOS 10.13.4 Security Update 2018-001.
Interestingly, Apple’s patch notes specify that the release “improves the security” of iOS devices. This is different from the more general “performance and reliability” wording Apple usually uses, even when there are lots of security patches in an update. More on the specifics below.
iOS 11.3.1 is a 44.5MB download over-the-air (OTA) for iPhone X. On iPad Pro (9.7-inch), it’s 33.5MB.
Release Notes for iOS 11.3.1
iOS 11.3.1 improves the security of your iPhone or iPad and addresses an issue where touch input was unresponsive on some iPhone 8 devices because they were serviced with non-genuine replacement displays.
Note: Non-genuine replacement displays may have compromised visual quality and may fail to work correctly. Apple-certified screen repairs are performed by trusted experts who use genuine Apple parts. See support.apple.com for more information.
Security Release Notes for iOS 11.3.1
Apple’s security release notes for iOS 11.3.1 detail four security holes that were patched. Three of them allow the bad guys to take over your iOS device, while the remaining one would allow UI spoofing, which could also lead to shenanigans. From Apple:
Crash Reporter
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A memory corruption issue was addressed with improved error handling.
CVE-2018-4206: Ian Beer of Google Project Zero
LinkPresentation
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Processing a maliciously crafted text message may lead to UI spoofing
Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.
CVE-2018-4187: Zhiyang Zeng (@Wester) of Tencent Security Platform Department, Roman Mueller (@faker_)
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.
CVE-2018-4200: Ivan Fratric of Google Project Zero
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4204: Richard Zhu (fluorescence) working with Trend Micro’s Zero Day Initiative, found by OSS-Fuzz