Apple Patches Vulnerabilities in OS X, iOS, Safari

Updates released by Apple on Wednesday address numerous vulnerabilities in Mac OS X, iOS, Safari and other products developed by the company.

The OS X updates fix a total of 80 security issues affecting components such as the admin framework, Apache, ATS, CFNetwork, CoreAnimation, FontParser, hypervisor, ImageIO, IOHIDFamily, the kernel, LaunchServices, libnetcore, NTP, OpenSSL, PHP, QuickLook, SceneKit, UniformTypeIdentifiers, and WebKit.

The patched vulnerabilities can be exploited for remote code execution, denial-of-service (DoS) attacks, data leakage, and bypassing security mechanisms.

Three of the vulnerabilities were reported by the researcher known as lokihardt through HP’s Zero Day Initiative (ZDI). One of them is the remote code execution bug leveraged by the expert at the Pwn2Own 2015 hacking competition to break Safari. ZDI has published advisories for each of the flaws.

One of the DoS bugs affecting the OS X kernel was detailed in a blog post on Wednesday by Kenton Varda of Sandstorm.io. The vulnerability allows an attacker to cause apps and network services, such as Chrome and Node.js, to go into infinite loops.

The details of a NULL pointer vulnerability in the NVidia GeForce kernel driver shipped with OS X Yosemite were also disclosed. Yahoo researchers John Villamil and Frank Graziano discovered the flaw that allows a local attacker to execute arbitrary code with system privileges.

With the release of iOS 8.3, Apple has addressed a total of 58 flaws, including ones that affect OS X as well. The list of impacted components includes AppleKeyStore, audio drivers, the backup system, iWork Viewer, Bluetooth keyboards, the lock screen, sandbox profiles, telephony, and Safari. The backup system bug, which allows an attacker to access restricted areas of the file system, has been leveraged by TaiG for its jailbreaks.

The Safari web browser has been updated to versions 8.0.5, 7.1.5, and 6.2.5. The latest releases address a total of ten issues, many of which impact users’ privacy.

Updates have also been released for Xcode and Apple TV. The vulnerabilities fixed by Apple with the release of Apple TV 7.2 can be exploited by malicious actors for arbitrary code execution, DoS attacks, privilege escalation, traffic redirection, security bypasses, and information leakage.

The Xcode integrated development environment has been updated to version 6.3. Two security flaws have been addressed in this release.

Some of the vulnerabilities fixed with the latest updates were identified by Apple’s own security team, but many of them were discovered and reported by independent researchers and experts working for companies such as Google, Alibaba, IBM, IOActive, Kaspersky, Zimperium, and FireEye.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
