
Apple Issues Slew of Security Updates for OS X, iOS

Apple customers may find themselves busy this week applying patches issued by the company across a number of products.


In a series of updates, Apple released patches for iOS, OS X and the AirPort Base Station. With Security Update 2014-002, Apple fixes several issues in Mavericks (its latest OS X version), as well as vulnerabilities in Lion and Mountain Lion. Tucked in among the fixes is a critical vulnerability in Secure Transport (CVE-2014-1295) that enables what Apple calls a “triple handshake attack.”

“In a ‘triple handshake’ attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker’s data in one connection, and renegotiate so that the connections may be forwarded to each other,” according to the advisory. “To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection.”

This issue does not affect Mac OS X 10.7 systems and earlier. However, it is present on iPhone 4 and later, iPod touch (5th generation) and later, and iPad 2 and later. According to Apple, an attacker with a privileged network position (one able to intercept and modify traffic between the client and server) who exploited this issue could capture data or change the operations performed in sessions protected by SSL.

Other important fixes include an issue in CoreServicesUIAgent on OS X Mavericks 10.9.2. According to Apple, visiting a maliciously crafted website that exploits the issue may lead to arbitrary code execution.

“A format string issue existed in the handling of URLs,” the advisory explained. “This issue was addressed through additional validation of URLs. This issue does not affect systems prior to OS X Mavericks.”

Apple also issued fixes for several other vulnerabilities in iOS affecting WebKit, IOKit in the kernel, and CFNetwork HTTPProtocol. The company also released a firmware fix for AirPort Extreme and AirPort Time Capsule base stations with 802.11ac to address the OpenSSL Heartbleed vulnerability (CVE-2014-0160).

“An out-of-bounds read issue existed in the OpenSSL library when handling TLS heartbeat extension packets,” according to Apple. “An attacker in a privileged network position could obtain information from process memory. This issue was addressed through additional bounds checking. Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected, and only if they have Back to My Mac or Send Diagnostics enabled. Other AirPort base stations are not impacted by this issue.”
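To make the “additional bounds checking” in Apple's advisory concrete, the following is an added example (not Apple's or OpenSSL's code) that handles a TLS heartbeat message (RFC 6520 layout: a one-byte type, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding) in two ways: the pre-fix logic that trusts the declared payload length, and the hardened logic that discards any message whose declared length does not fit inside the bytes actually received. The memory image, the “SECRET-SESSION-KEY” marker and the function names are constructed for illustration; the over-read is kept inside a buffer the program owns so the demonstration is deterministic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_HDR_LEN     3   /* type (1 byte) + payload_length (2 bytes) */
#define HB_MIN_PADDING 16  /* RFC 6520: at least 16 bytes of random padding */
#define HB_MAX_ECHO    64  /* size of this demo's output buffer */

/* Read the 16-bit big-endian payload_length field of a heartbeat message. */
static uint16_t hb_payload_len(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Pre-fix behaviour: the declared payload_length is trusted and that many
 * bytes are copied out of the record, even when the record is shorter.
 * Returns the number of bytes echoed. Safe to run here only because `rec`
 * sits inside a larger buffer this program owns (see demo_memory below);
 * against a real heap this reads whatever follows the record. */
int heartbeat_echo_vulnerable(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap) {
    (void)rec_len;                           /* the bug: never consulted */
    uint16_t n = hb_payload_len(rec);
    if (n > out_cap) n = (uint16_t)out_cap;  /* demo-only cap on `out` */
    memcpy(out, rec + HB_HDR_LEN, n);        /* may read past the record */
    return n;
}

/* Post-fix behaviour: header + declared payload + minimum padding must fit
 * inside the received record, otherwise the message is silently discarded.
 * Returns bytes echoed, or -1 when the message is dropped. */
int heartbeat_echo_hardened(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING) return -1;   /* no room for any message */
    uint16_t n = hb_payload_len(rec);
    if ((size_t)n + HB_HDR_LEN + HB_MIN_PADDING > rec_len) return -1; /* length lies */
    if (n > out_cap) return -1;
    memcpy(out, rec + HB_HDR_LEN, n);
    return n;
}

/* Constructed memory image (not a real capture): a 23-byte heartbeat
 * request that declares a 32-byte payload but carries 4, followed by bytes
 * standing in for sensitive process memory. Returns the true record length. */
static uint8_t demo_memory[64];

static size_t build_demo_memory(void) {
    memset(demo_memory, 0, sizeof demo_memory);
    demo_memory[0] = 1;                                  /* heartbeat_request */
    demo_memory[1] = 0x00; demo_memory[2] = 0x20;        /* declares 32 bytes ... */
    memcpy(demo_memory + 3, "ping", 4);                  /* ... but sends 4 */
    memset(demo_memory + 7, 0xAA, HB_MIN_PADDING);       /* padding */
    memcpy(demo_memory + 23, "SECRET-SESSION-KEY", 18);  /* adjacent memory */
    return 23;
}

/* 1 if the vulnerable handler echoes the adjacent "SECRET" marker
 * (it lands at out[20]: memory offset 23 minus the 3-byte header). */
int demo_vulnerable_leaks(void) {
    uint8_t out[HB_MAX_ECHO] = {0};
    size_t rec_len = build_demo_memory();
    int n = heartbeat_echo_vulnerable(demo_memory, rec_len, out, sizeof out);
    return n == 32 && memcmp(out + 20, "SECRET", 6) == 0;
}

/* 1 if the hardened handler discards the same malformed message. */
int demo_hardened_rejects(void) {
    uint8_t out[HB_MAX_ECHO] = {0};
    size_t rec_len = build_demo_memory();
    return heartbeat_echo_hardened(demo_memory, rec_len, out, sizeof out) == -1;
}

/* 1 if a well-formed request (declared length matches bytes sent) is still echoed. */
int demo_hardened_echoes_valid(void) {
    uint8_t rec[HB_HDR_LEN + 4 + HB_MIN_PADDING];
    uint8_t out[HB_MAX_ECHO] = {0};
    rec[0] = 1; rec[1] = 0x00; rec[2] = 0x04;
    memcpy(rec + 3, "ping", 4);
    memset(rec + 7, 0, HB_MIN_PADDING);
    int n = heartbeat_echo_hardened(rec, sizeof rec, out, sizeof out);
    return n == 4 && memcmp(out, "ping", 4) == 0;
}

int main(void) {
    printf("vulnerable handler leaks adjacent memory: %d\n", demo_vulnerable_leaks());
    printf("hardened handler discards the message:    %d\n", demo_hardened_rejects());
    printf("hardened handler echoes a valid request:  %d\n", demo_hardened_echoes_valid());
    return 0;
}
```

The point to take from the comparison is that the declared length is attacker-controlled input and the only trustworthy bound is the length of the record that actually arrived; the hardened handler checks the declared value against that bound before touching any memory, and drops rather than truncates, matching the behaviour described in the advisory.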

Written By

Marketing professional with a background in journalism and a focus on IT security.
