Apple Releases Security Updates

Thursday, May 18, 2017 @ 11:05 AM gHale

Apple released security updates for macOS, iOS, watchOS, tvOS, iTunes, iCloud for Windows, and Safari.

The macOS update addresses 37 vulnerabilities, including a certificate validation issue that could allow a malicious network to capture user network credentials, an iBooks flaw that could allow attackers to open arbitrary websites without user permission just by tricking users into opening a maliciously crafted book, and flaws in various components that would allow an app to escape its sandbox or to gain kernel privileges.

The iOS update fixes a combination of flaws in WebKit, SQLite, iBooks, and other components. It also addresses a certificate validation issue in the handling of untrusted certificates.

Apple advises users to update all their software as soon as possible.

The updates for iTunes and iCloud for Windows each fix one vulnerability in WebKit. Both, however, are critical: they can apparently be triggered by maliciously crafted web content and could lead to arbitrary code execution.

One of these flaws also affects Safari, but the Apple security team also fixed other WebKit memory corruption vulnerabilities in the browser that an attacker could leverage for arbitrary code execution or universal cross-site scripting.

Likewise, the watchOS and tvOS updates fix the same vulnerabilities, but Apple Watch users also get additional fixes for WebKit flaws and for a WebKit Web Inspector flaw that could allow an application to execute unsigned code.

Also fixed in these two updates are four code execution flaws in the open-source SQLite component, along with vulnerabilities that could allow an application to either read restricted memory or execute arbitrary code with kernel privileges.
