Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Apple Patches Dozens of Vulnerabilities Across Product Lines

Apple this week released a new set of important security updates for its products, to patch dozens of vulnerabilities in macOS, iOS, watchOS, tvOS, and Safari, as well as in the iCloud and iTunes for Windows applications.

Apple this week released a new set of important security updates for its products, to patch dozens of vulnerabilities in macOS, iOS, watchOS, tvOS, and Safari, as well as in the iCloud and iTunes for Windows applications.

The newly released macOS Sierra 10.12.3 resolves 11 vulnerabilities in components such as apache_mod_php, Bluetooth, Graphics Drivers, Help Viewer, IOAudioFamily, Kernel, libarchive, and Vim. Most of the plugged issues could allow applications to execute arbitrary code, while others could allow malicious archives or web content to execute code. One of the bugs could allow an application to determine kernel memory layout.

Released on Monday, iOS 10.2.1 resolves 18 vulnerabilities in multiple components, including Auto Unlock, Contacts, Kernel, libarchive, WebKit, and Wi-Fi. WebKit was the most affected component, with no less than 12 flaws resolved in it, most of which were discovered by Google Project Zero researches.

Affecting iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later, the patched security holes included one where Auto Unlock may unlock when Apple Watch is off the user’s wrist, unexpected application termination when processing a maliciously crafted contact card, arbitrary code execution with kernel privileges, data exfiltration, popups being opened by malicious websites, and the possibility to manipulate an activation-locked device to briefly present the home screen.

A total of 33 vulnerabilities were addressed with the release of watchOS 3.1.3, affecting all Apple Watch models. The issues were found in components such as Accounts, Audio, Auto Unlock, CoreFoundation, CoreGraphics, CoreMedia Playback, CoreText, Disk Images, FontParser, ICU, ImageIO, IOHIDFamily, IOKit, Kernel, libarchive, Profiles, Security, syslog, and WebKit.

The resolved vulnerabilities could be exploited for arbitrary code execution, to gain root privileges, to automatically trust certificates, to cause a denial of service, to overwrite existing files, to cause an unexpected system termination, to read kernel memory, to leak memory remotely. There’s also the issue where Auto Unlock could unlock when Apple Watch is off the user’s wrist.

The release of tvOS 10.1.1 was meant to resolve 12 vulnerabilities in Kernel, libarchive, and Webkit. Affecting Apple TV (4th generation). These could result in an application executing arbitrary code with kernel privileges, arbitrary code execution when unpacking a malicious archive, and data exfiltration and arbitrary code execution when processing maliciously crafted web content.

No less than 12 bugs were patched in Safari 10.0.3, which is now available for download for OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.3. While one of these was an address bar spoofing, 11 were found in Webkit and could result in data exfiltration and arbitrary code execution.

Advertisement. Scroll to continue reading.

Some of the Webkit issues were found to affect iCloud and iTunes for Windows too, and were addressed with the release of iCloud for Windows 6.1.1 and iTunes 12.5.5. The same four bugs affected both applications, resulting in arbitrary code execution.

Related: Apple Patches 72 Vulnerabilities in macOS Sierra

Related: Apple Patches 12 Vulnerabilities in iOS, tvOS, and watchOS

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Matthew Cowell has assumed the role of VP of Strategic Alliances at Nozomi Networks. He previously served in the same role at Dragos.

Bret Arsenault is retiring from his full-time role after 35 years at Microsoft.

Social engineering defense platform Doppel has appointed Bobby Ford as Chief Strategy and Experience Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.