Security Patches for Multiple Apple Lines

Tuesday, January 24, 2017 @ 11:01 AM gHale


Apple released its latest batch of security patches for its product lines.

The updates, released Monday, are for macOS, Safari, iOS, watchOS, tvOS, iTunes and iCloud for Windows.


The iOS update fixes less severe issues plaguing the Auto Unlock and Contacts components, as well as a WiFi hole that could force the device to show the locked home screen. The rest of the fixed issues are critical kernel and WebKit arbitrary code execution bugs.

The Safari update kills WebKit bugs and one state management issue in the address bar that could allow a malicious website to show a spoofed URL to visitors.

The Safari update also rolls into the macOS update, which nixed several PHP issues by implementing a newer version of the package, fixed two kernel issues, and plugged a potential code execution vulnerability in the vim editor that could be triggered by a maliciously crafted modeline.

The iTunes and iCloud for Windows updates fix four vulnerabilities in WebKit, the open source layout engine software component. The vulnerabilities are pretty serious, as they could be triggered by maliciously crafted web content and allow for arbitrary (malicious) code execution.

The tvOS update contains fixes for three of these, but also for other WebKit arbitrary code execution and data exfiltration bugs that can be triggered through processing of maliciously crafted web content. It also plugs a buffer overflow issue and a use-after-free issue in the kernel that an attacker could exploit through an app to execute arbitrary code with kernel privileges.

The watchOS update has fixes in a wide variety of components. Some of the fixed issues are critical, as they could lead to arbitrary code execution triggered by the processing of maliciously crafted files, strings, font files, .mp4 files, web content, or certificates. The update also fixes a bug that could lead to certificates being unexpectedly evaluated as trusted, and removes the 3DES cryptographic algorithm as a default cipher.

None of the issues fixed in the updates are being exploited in attacks, officials said.


