Apple Patches Hundreds of Vulnerabilities Across Product Lines

Apple Patches Desktop, Mobile, Wearable Platforms to Fix More than 200 Security Vulnerabilities

Apple on Monday released security patches for its macOS and macOS Server, iOS, watchOS, tvOS, Safari, and Pages, to address over 200 vulnerabilities.

No less than 127 vulnerabilities were addressed with the release of macOS Sierra 10.12.4 (and Security Update 2017-001 El Capitan and Security Update 2017-001 Yosemite). These affected components such as apache, Audio, Bluetooth, FontParser, ImageIO, IOFireWireAVC, Kernel, OpenSSH, OpenSSL, QuickTime, Security, tcpdump, tiffutil, and WebKit.

tcpdump was affected the most, as the tech giant resolved 41 vulnerabilities in this component alone. By leveraging these flaws, an attacker in a privileged network position could be able to execute arbitrary code with user assistance, Apple notes in its advisory. The company also resolved 11 bugs in Kernel and 8 flaws in tiffutil.

Some of the flaws resolved in macOS Sierra 10.12.4 include memory corruption, inconsistent user interface issues, out-of-bound read, access and validation issues, buffer overflow, uncontrolled format string, timing side channel bug, profile uninstallation issue, use after free, and race condition. Many were addressed by improved input validation or improved memory handling.

Tracked as CVE-2017-2485 and discovered by Cisco Talos, a memory corruption issue was found in the parsing of certificates and was addressed through improved input validation. According to Apple, the issue could lead to arbitrary code execution when processing a maliciously crafted x509 certificate. Talos reveals that this use-after-free vulnerability (which affects iOS as well) manifests due to improper handling of X.509v3 certificate extensions fields.

“An application that passes a malicious certificate to the certificate validation agent could trigger this vulnerability. Possible scenarios where this could be exploited include users connecting to a website which serves a malicious certificate to the client, Mail.app connecting to a mail server that provides a malicious certificate, or opening a malicious certificate file to import into the keychain,” the researchers say.

The macOS Sierra 10.12.4 update also includes the security content of Safari 10.1, Apple says. In a separate advisory, the company explains that 38 bugs were squashed in the browser, 33 of which affect WebKit (three were found in WebKit JavaScript Bindings and WebKit Web Inspector). The security update addresses memory corruption, prototype access, keychain handling, information disclosure, and validation issues.

iOS 10.3 was released on Monday with fixes for 84 flaws affecting Accounts, Audio, CoreGraphics, CoreText, FontParser, ImageIO, Kernel, libarchive, Profiles, Safari, Security, and WebKit, among other components (many of the fixed issues were impacting macOS, Safari).

Some of the addressed flaws include a buffer overflow in the handling of font files, an infinite recursion, multiple memory corruption issues, out-of-bounds read bugs, or the sending of requests to iTunes sandbox web services in cleartext. Affecting how Safari handles JavaScript pop-ups, one of the flaws was abused by attackers to lock victims from using the browser and scare them into paying a ransom in the form of an iTunes Gift Card.

Also released on Monday, tvOS 10.2 addresses 56 bugs, while watchOS 3.2 resolves 34 of them. Additionally, Apple pushed out macOS Server 5.3 to resolve 3 vulnerabilities (in Profile Manager, Web Server, and Wiki Server), and Pages 6.1, Numbers 4.1, and Keynote 7.1 for Mac and Pages 3.1, Numbers 3.1, and Keynote 3.1 for iOS, to address one issue in Export.

Related: Apple, Google Say Users Protected Against CIA Exploits

Related: Apple Patches Code Execution Flaw in GarageBand

Related: Apple Patches Dozens of Vulnerabilities Across Product Lines