Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Apple Patches Dangerous KRACK Wi-Fi Vulnerabilities

Apple on Tuesday released a new set of security patches for its products, including fixes for Wi-Fi vulnerabilities disclosed in mid October.

Apple on Tuesday released a new set of security patches for its products, including fixes for Wi-Fi vulnerabilities disclosed in mid October.

The security flaws can be exploited as part of a novel attack technique called KRACK, short for Key Reinstallation Attack, which could allow an actor within wireless range of a victim to access information assumed to be safely encrypted. The attacker could exfiltrate sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and more.

The issues were found in the Wi-Fi standard itself, and all correct implementations of WPA2 were assumed to be affected. Industrial networking devices are impacted too, including products from Cisco, Rockwell Automation and Sierra Wireless. Vendors rushed to release patches after being informed on the bugs several months ago.

The KRACK-related vulnerability impacting iOS devices is tracked as CVE-2017-13080 and was addressed in iOS 11.1, for iPhone 7 and later, and iPad Pro 9.7-inch (early 2016) and later, Apple notes in an advisory.

iOS 11.1 resolves an additional 19 vulnerabilities impacting components such as CoreText, Kernel, Messages, Siri, StreamingZip, UIKit, and WebKit. These bugs could lead to arbitrary code execution, information disclosure, or to the modification of restricted areas of the file system.

WebKit was the most affected component, with 13 vulnerabilities addressed in it (10 of the issues were reported by Ivan Fratric of Google Project Zero). The bugs could lead to arbitrary code execution when processing maliciously crafted web content and were addressed through improved memory handling.

The same KRACK-related vulnerability was addressed in tvOS 11.1 and watchOS 4.1 as well. The former resolves 17 flaws in the platform, while the latter patches only 4 issues.

Advertisement. Scroll to continue reading.

macOS High Sierra 10.13.1 includes patches for three KRACK-related flaws, namely CVE-2017-13077, CVE-2017-13078, and CVE-2017-13080.

The new platform iteration resolves an additional 145 vulnerabilities impacting components such as apache, APFS, AppleScript, Audio, CoreText, curl, Fonts, HFS, ImageIO, Kernel, libarchive, Open Scripting Architecture, Quick Look, QuickTime, Sandbox, and tcpdump.

An attacker exploiting these flaws could execute arbitrary code on the system, modify restricted areas of the file system, read kernel memory, leak sensitive user information, or cause denial of service. Some of the flaws could allow malicious apps to read restricted memory.

The most affected component was tcpdump, with 90 vulnerabilities addressed in it. Other components that saw a large number of issues addressed in them include apache, with 12 bugs, and Kernel, with 11 flaws.

Apple also released Safari 11.1 this week with patches for 14 issues, along with iTunes 12.7.1 for Windows and iCloud for Windows 7.1, each meant to address 13 issues. All three application releases resolve the aforementioned 13 vulnerabilities in WebKit.

Related: Vendors Race to Fight KRACK Wi-Fi Attacks

Related: Apple Silently Patched macOS Security Bypass Flaw

RelatedApple Brings FaceID to New iPhone X

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...