Apple Issues Slew of Security Updates for OS X, iOS

Apple customers may find themselves busy this week applying patches issued by the company across a number of products.

In a series of updates, Apple released patches for iOS, OS X and the AirPort Base Station. With Security Update 2014-002, Apple fixes several issues for Mavericks (its latest OS X version), as well as vulnerabilities in Lion and Mountain Lion. Tucked in among the fixes is a critical vulnerability (CVE-2014-1295) that allows what Apple calls a “triple handshake attack.”

“In a ‘triple handshake’ attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker’s data in one connection, and renegotiate so that the connections may be forwarded to each other,” according to the advisory. “To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection.”

This issue does not affect Mac OS X 10.7 systems and earlier. However, it is present on iPhone 4 and later, iPod touch (5th generation) and later, and iPad 2 and later. According to Apple, an attacker with a privileged network position who exploited this issue could capture data or change the operations performed in sessions protected by SSL.

Other important fixes include an issue affecting the CoreServicesUIAgent in OS X Mavericks 10.9.2. According to Apple, visiting a maliciously crafted website that exploits the issue may allow an attacker to execute malicious code.

“A format string issue existed in the handling of URLs,” the advisory explained. “This issue was addressed through additional validation of URLs. This issue does not affect systems prior to OS X Mavericks.”

Apple also issued fixes for several other vulnerabilities in iOS that affect WebKit, the IOKit kernel and the CFNetwork HTTPProtocol. The company also issued a fix for AirPort Extreme and AirPort Time Capsule base stations with 802.11ac, addressing the Heartbleed vulnerability.

“An out-of-bounds read issue existed in the OpenSSL library when handling TLS heartbeat extension packets,” according to Apple. “An attacker in a privileged network position could obtain information from process memory. This issue was addressed through additional bounds checking. Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected, and only if they have Back to My Mac or Send Diagnostics enabled. Other AirPort base stations are not impacted by this issue.”
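The "additional bounds checking" Apple describes is the heart of the Heartbleed fix: the heartbeat's self-declared payload length must be checked against the number of bytes actually received before anything is copied. The parser below is an added example in C, not Apple's or OpenSSL's code; it assumes the RFC 6520 layout (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding) and uses two constructed records, one honest and one that claims 65535 payload bytes while carrying four.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Heartbeat message layout (assumed, per RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1

/* Validate a heartbeat record and copy the payload to be echoed into out.
 * Returns the payload length on success, or -1 if the record is malformed or the
 * claimed payload length does not fit inside the bytes actually received. */
int hb_parse(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;  /* too short to be a heartbeat */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];      /* peer-controlled field */
    /* The bounds check: header + claimed payload + minimum padding must lie within rec_len.
     * Without it, the memcpy below would read payload_len bytes past the received data. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len) return -1;
    if (payload_len > out_cap) return -1;                      /* also respect our own buffer */
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return (int)payload_len;
}

/* Self-check on two constructed records: an honest 4-byte "ping" and a record that
 * declares 0xFFFF payload bytes but carries only four. Returns 1 if both behave correctly. */
int hb_selfcheck(void)
{
    uint8_t out[64];
    uint8_t good[3 + 4 + 16] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' }; /* padding zeroed */
    uint8_t bad[3 + 4 + 16]  = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' }; /* lies about length */
    int a = hb_parse(good, sizeof good, out, sizeof out);
    int b = hb_parse(bad, sizeof bad, out, sizeof out);
    return a == 4 && memcmp(out, "ping", 4) == 0 && b == -1;
}
```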
