
The security content of iOS 10.3.3 - codezero
https://support.apple.com/en-us/HT207923
======
0x0
Interestingly, the changelogs are silent about a fairly major change to the
filesystem when going from 10.3.x to 10.3.3. It seems like APFS was originally
intended to use a different Unicode normalization setup than HFS, but it
turned out to be very problematic. After iOS 10.3.0 silently converted all iOS
devices from HFS to APFS (!) (and not only was this not specified in the
user-visible changelogs, earlier iOS 10.x.x releases did the same dry-run
conversion without notice - only stopping short of committing the final type
flip - which may explain why iOS OTA upgrades have been somewhat slow to
execute -
[https://www.macobserver.com/analysis/apple-dry-run-apfs-prior-ios-10-3/](https://www.macobserver.com/analysis/apple-dry-run-apfs-prior-ios-10-3/)
), iOS 10.3.3 adds runtime normalization to the file system. It's
unclear what kind of performance hit this has (but I seem to remember reading
something about Samba on UNIX taking a hit on file opens in order to
support clients specifying incorrect casing, which sounds similar). Apparently
an unspecified later version of iOS will perform yet another conversion, from
APFS-normalization-preserving to APFS-native-normalization.

More details:
[https://mjtsai.com/blog/2017/06/27/apfs-native-normalization/](https://mjtsai.com/blog/2017/06/27/apfs-native-normalization/)

By the way, if you ever rsync between macOS and Linux you may have noticed (or
not) how this Unicode normalization messes up filenames and causes duplicates
and stale copies when roundtripping, see
[https://serverfault.com/questions/397420/converting-utf-8-nfd-filenames-to-utf-8-nfc-in-either-rsync-or-afpd](https://serverfault.com/questions/397420/converting-utf-8-nfd-filenames-to-utf-8-nfc-in-either-rsync-or-afpd)

..

Also, unrelated, it seems this version of iOS fixes the Broadpwn wifi chip
vulnerability (which perhaps could also continue on to compromise the main OS
kernel via a DMA attack after compromising the wifi chip) (
[http://boosterok.com/blog/broadpwn2/](http://boosterok.com/blog/broadpwn2/) ,
[https://nvd.nist.gov/vuln/detail/CVE-2017-9417](https://nvd.nist.gov/vuln/detail/CVE-2017-9417)
)
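
The duplicate-filename effect described in the comment above, as an added example that is not part of the original post: it finds names that differ in bytes but collapse to the same string under normalization (which also matters for integrity manifests and allow-lists keyed on filenames). The sample names are constructed and the function names are hypothetical.

```python
import unicodedata
from collections import defaultdict

# Constructed sample listing, as might appear on a Linux target after
# round-tripping with a Mac. Escapes make the code points explicit.
SAMPLE = [
    "r\u00e9sum\u00e9.pdf",      # precomposed (NFC)
    "re\u0301sume\u0301.pdf",    # decomposed (NFD), renders identically
    "A\u030angstro\u0308m.txt",  # decomposed only
    "notes.txt",
]

def find_collisions(names, form="NFC"):
    """Map normalized name -> distinct raw names that collapse onto it."""
    groups = defaultdict(set)
    for name in names:
        groups[unicodedata.normalize(form, name)].add(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def rename_plan(names, form="NFC"):
    """Return (renames, conflicts) for converting names to one form.

    A rename is safe only when its normalized target is neither already
    present nor already claimed by another rename; otherwise it would
    overwrite a file, so it is reported as a conflict instead.
    """
    present, planned = set(names), set()
    renames, conflicts = [], []
    for name in names:
        target = unicodedata.normalize(form, name)
        if target == name:
            continue  # already in the requested form
        if target in present or target in planned:
            conflicts.append((name, target))
        else:
            planned.add(target)
            renames.append((name, target))
    return renames, conflicts

if __name__ == "__main__":
    for raws in find_collisions(SAMPLE).values():
        print("collision:", [r.encode("utf-8") for r in raws])
    renames, conflicts = rename_plan(SAMPLE)
    print("safe renames:", renames)
    print("needs manual merge:", conflicts)
```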

~~~
timcederman
> After iOS 10.3.0 silently converted all iOS devices from HFS to APFS (!)
> (and not only was this not specified in the user-visible changelogs

Are you suggesting Apple didn't disclose APFS was coming to 10.3? There was
plenty of media coverage ahead of time (e.g.
[https://9to5mac.com/2017/03/21/what-is-apples-upcoming-apfs-apple-file-system-and-what-it-means-to-you/](https://9to5mac.com/2017/03/21/what-is-apples-upcoming-apfs-apple-file-system-and-what-it-means-to-you/)),
and it's specifically mentioned in
the 10.3 release notes.

~~~
urda
It was absolutely disclosed all over, so I'm not sure if this is simply the
commenter being wrong (most likely) or a weak jab at Apple.

[https://developer.apple.com/library/content/releasenotes/General/RN-iOSSDK-10.3/index.html](https://developer.apple.com/library/content/releasenotes/General/RN-iOSSDK-10.3/index.html)

~~~
sixstringtheory
Those release notes are intended for their developer audience, not the general
end user base. Parent was pointing out that the actual release notes Apple
shows you on the device you're about to upgrade did not mention APFS.

~~~
reaperducer
The general audience doesn't even know that its phone has a file system, let
alone care whether it's HFS, HPFS, APFS, or CP/M. You're complaining that
Apple didn't disclose something that only developers care about to the masses.

~~~
0x0
Then at least we can agree that a fairly major operation such as converting
the entire disk between file systems in a "minor" update wasn't disclosed to
the masses, and I think that fact (and that it worked out quite well,
apparently, besides the normalization shenanigans) is interesting in its own
right.

~~~
otterley
I think it's important to distinguish a major change from an impactful one.
The APFS change is major, but not necessarily impactful in any meaningful
sense to users. Apple's not the kind of company that's going to emphasize non-
impactful changes to its customer base.

~~~
Sidnicious
0x0 (since this thread has hit the reply depth limit): The filesystem on iOS
isn’t exposed to users, so I would guess that Apple considers it a strictly
developer-facing change.

~~~
dkonofalski
What do you mean by reply depth limit? I'm able to reply to your comment...
:-/

~~~
Jtsummers
To stop flame wars (or slow them down) the deeper you get in a thread the
longer it takes the reply link to show on the deepest comment. So if we get 20
levels deep in 30 minutes, the reply link may take tens of minutes to show up.

Sometimes this catches other discussion types.

~~~
thaumasiotes
It's worth pointing out that you can always reply to a comment on its own
page, regardless of whether the reply link exists in the main thread.

~~~
softawre
Indeed, just click the "1 hour ago" link.

~~~
dkonofalski
That's what was confusing me as that's how I replied. Good info all around. :)

------
pjmlp
2 x "A buffer overflow issue was addressed through improved memory handling."

7 x "A memory corruption issue was addressed with improved bounds checking."

Oh well....

~~~
pqdbr
With 13x arbitrary code execution, being 5x with either kernel or system
privileges.

~~~
hellbanner
Yes, and previous decimal versions had similarly powerful exploits.

------
ProfessorLayton
They still haven't addressed the permanent website data bug in Safari.

Go to Settings > Safari > Advanced > Website Data and try and clear it. Some
websites won't delete arbitrarily, and if they do, others will stick. This
happens even in private browsing.

~~~
GeneticGenesis
Have you filed a radar bug?

~~~
nikanj
In my experience, those are about as useful as telling your dog about the bug.
Complaining on HN has a slight possibility someone from Apple might actually
see the bug, and fix it.

~~~
p49k
I'd disagree, I've filed probably 15 in the past 7 years for obscure bugs and
all of them were fixed. They don't respond and the fixes take a long time, but
I'm pretty sure they are listening.

~~~
lttlrck
I’ve used the built-in Feedback app several times and received replies asking
for follow-up, so it’s fair to say they are listening.

------
tarikozket
So pretty much anyone was able to execute anything on our phone remotely. Lol.

~~~
Piccollo
Haven't heard of anything public though

------
p0ppe
I'm still perplexed that Apple doesn't offer over the air updates, especially
for security updates. 137 MB shouldn't be that big a deal on a normal 4G
connection.

~~~
spike021
Not everybody has unlimited data plans.

4G can certainly handle 137 MB in speed, but that doesn't mean users want to
use their data plan for updates.

~~~
p0ppe
But that should be up to the users to decide. I'll be much happier to use up
137 MB for a critical security update than 354 MB for the latest Facebook app
update (version 132.0).

~~~
justinv
FYI even though it says 324mb, App Store updates are delta updates as of iOS 6

[https://developer.apple.com/library/content/qa/qa1779/_index...](https://developer.apple.com/library/content/qa/qa1779/_index.html)

~~~
tedmiston
Coming from 10.3.2, the 10.3.3 update was 84.4 MB for me.

------
CodeWriter23
Anyone know if the WiFi exploit opened the door to arbitrary code execution on
the main CPU?

~~~
inertial
If you are referring to broadpwn aka CVE-2017-9417 [1], it has been fixed
(last item in [2]).

[1]
[https://news.ycombinator.com/item?id=14727400](https://news.ycombinator.com/item?id=14727400)

[2] [https://support.apple.com/en-us/HT207923](https://support.apple.com/en-us/HT207923)

Summary :

_Impact: An attacker within range may be able to execute arbitrary code on
the Wi-Fi chip_

_Description: A memory corruption issue was addressed with improved memory
handling._

~~~
stock_toaster
Wasn't there another remote buffer overrun vuln in Broadcom's wi-fi chips
reported back in April too? yikes...

EDIT: found it[1]

[1]:
[https://www.theregister.co.uk/2017/04/05/broadcom_wifi_chip_...](https://www.theregister.co.uk/2017/04/05/broadcom_wifi_chip_bugs/)

