Apple this week released a new set of important security updates for its products, to patch dozens of vulnerabilities in macOS, iOS, watchOS, tvOS, and Safari, as well as in the iCloud and iTunes for Windows applications.
The newly released macOS Sierra 10.12.3 resolves 11 vulnerabilities in components such as apache_mod_php, Bluetooth, Graphics Drivers, Help Viewer, IOAudioFamily, Kernel, libarchive, and Vim. Most of the plugged issues could allow applications to execute arbitrary code, while others could allow malicious archives or web content to execute code. One of the bugs could allow an application to determine kernel memory layout.
Released on Monday, iOS 10.2.1 resolves 18 vulnerabilities in multiple components, including Auto Unlock, Contacts, Kernel, libarchive, WebKit, and Wi-Fi. WebKit was the most affected component, with no less than 12 flaws resolved in it, most of which were discovered by Google Project Zero researches.
Affecting iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later, the patched security holes included one where Auto Unlock may unlock when Apple Watch is off the user's wrist, unexpected application termination when processing a maliciously crafted contact card, arbitrary code execution with kernel privileges, data exfiltration, popups being opened by malicious websites, and the possibility to manipulate an activation-locked device to briefly present the home screen.
A total of 33 vulnerabilities were addressed with the release of watchOS 3.1.3, affecting all Apple Watch models. The issues were found in components such as Accounts, Audio, Auto Unlock, CoreFoundation, CoreGraphics, CoreMedia Playback, CoreText, Disk Images, FontParser, ICU, ImageIO, IOHIDFamily, IOKit, Kernel, libarchive, Profiles, Security, syslog, and WebKit.
The resolved vulnerabilities could be exploited for arbitrary code execution, to gain root privileges, to automatically trust certificates, to cause a denial of service, to overwrite existing files, to cause an unexpected system termination, to read kernel memory, to leak memory remotely. There’s also the issue where Auto Unlock could unlock when Apple Watch is off the user's wrist.
The release of tvOS 10.1.1 was meant to resolve 12 vulnerabilities in Kernel, libarchive, and Webkit. Affecting Apple TV (4th generation). These could result in an application executing arbitrary code with kernel privileges, arbitrary code execution when unpacking a malicious archive, and data exfiltration and arbitrary code execution when processing maliciously crafted web content.
No less than 12 bugs were patched in Safari 10.0.3, which is now available for download for OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.3. While one of these was an address bar spoofing, 11 were found in Webkit and could result in data exfiltration and arbitrary code execution.
Some of the Webkit issues were found to affect iCloud and iTunes for Windows too, and were addressed with the release of iCloud for Windows 6.1.1 and iTunes 12.5.5. The same four bugs affected both applications, resulting in arbitrary code execution.