Apple Patches Multiple Vulnerabilities in iOS, OS X

Apple has released a series of updates for the iOS and OS X platforms, aimed at resolving a series of security vulnerabilities in both products.


Published on Tuesday, the security advisory for the iOS update reveals a set of 13 patches included in the package, meant to resolve issues in Disk Images, IOHIDFamily, IOKit, Kernel, libxslt, syslog, WebKit, WebKit CSS, and WebSheet. The security fixes were included in the iOS 9.2.1 platform release, which is now available for download for compatible devices.

Of the resolved issues, 11 could result in arbitrary code execution, one would allow access to a user’s cookies, and another would allow a website to learn whether the user has visited a given link. According to Apple, devices affected by these vulnerabilities include iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later.

WebKit was the most impacted component, with 5 vulnerabilities (CVE-2016-1723, CVE-2016-1724, CVE-2016-1725, CVE-2016-1726, CVE-2016-1727) patched in it as part of the new update, all of which were discovered by Apple’s employees. The team found multiple memory corruption issues in WebKit that could allow attackers to execute arbitrary code if the victim visited a maliciously crafted website, and addressed them through improved memory handling.

A privacy issue (CVE-2016-1728) in WebKit CSS was also addressed in the new round of updates, one that could result in websites knowing if the user has visited a given link. The problem was found in the handling of the “a:visited button” CSS selector when evaluating the containing element’s height, and was addressed via improved validation.

The WebSheet flaw (CVE-2016-1730) could allow a malicious captive portal to access the user’s cookies, and was resolved through an isolated cookie store for all captive portals. The vulnerability in libxslt (CVE-2015-7995) could lead to arbitrary code execution when visiting a maliciously crafted website; it was resolved through improved memory handling.

The Disk Images (CVE-2016-1717), IOHIDFamily (CVE-2016-1719), IOKit (CVE-2016-1720), Kernel (CVE-2016-1721), and syslog (CVE-2016-1722) issues allow a local user to execute arbitrary code with kernel or root privileges, Apple reveals. All five security flaws were caused by memory corruption issues and were addressed through improved memory handling.

The advisory published for the new OS X El Capitan 10.11.3 release reveals that 9 flaws were patched in Apple’s desktop platform. However, six of them were vulnerabilities shared with iOS, namely Disk Images (CVE-2016-1717), IOHIDFamily (CVE-2016-1719), IOKit (CVE-2016-1720), Kernel (CVE-2016-1721), libxslt (CVE-2015-7995) and syslog (CVE-2016-1722).


The remaining three included a bug in AppleGraphicsPowerManagement (CVE-2016-1716) and a vulnerability in IOAcceleratorFamily (CVE-2016-1718) that could allow a local user to execute arbitrary code with kernel privileges, as well as a flaw in OSA Scripts (CVE-2016-1729) that could allow a quarantined application to override OSA script libraries installed by the user.

The arbitrary code execution issues were addressed through improved memory handling, while the bug in OSA Scripts, which existed when searching for scripting libraries, was addressed through improved search order and quarantine checks. All bugs affect OS X El Capitan v10.11 to v10.11.2, except for the libxslt vulnerability, which was found in OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5 as well.

In addition to these iOS and OS X updates, Apple also announced the release of Safari 9.0.3, which included patches for the aforementioned WebKit (CVE-2016-1723, CVE-2016-1724, CVE-2016-1725, CVE-2016-1726, CVE-2016-1727) and WebKit CSS (CVE-2016-1728) flaws. They were found to affect OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.2.
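The affected-version ranges above are the information an administrator actually needs when deciding whether a fleet still carries any of these CVEs. The following is an added example, not code from Apple or SecurityWeek: it encodes the OS X ranges exactly as the article states them and reports which of the listed CVEs still apply to a given OS X version. It assumes the version string has the form printed by `sw_vers -productVersion` (e.g. "10.11.2"); for Mavericks and Yosemite the WebKit fixes ship in Safari 9.0.3 rather than an OS update, which this check does not inspect.

```python
"""Patch-gap check for the January 2016 Apple advisories described above.

Added example (not Apple's or SecurityWeek's code). Affected ranges are
taken from the article text; the OS X version string is assumed to be
what `sw_vers -productVersion` prints, e.g. "10.11.2".
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Range = Tuple[Version, Version]  # inclusive (lowest, highest) affected


def parse_version(text: str) -> Version:
    """Turn "10.11.2" into (10, 11, 2) so versions compare numerically.

    A plain string comparison would rank "10.9.5" above "10.11.2".
    """
    return tuple(int(part) for part in text.strip().split("."))


# El Capitan v10.11 through v10.11.2: every OS X issue except libxslt.
EL_CAPITAN: Range = ((10, 11), (10, 11, 2))
# libxslt (and the Safari 9.0.3 WebKit fixes) also affect these two releases.
MAVERICKS: Range = ((10, 9, 5), (10, 9, 5))
YOSEMITE: Range = ((10, 10, 5), (10, 10, 5))

OSX_AFFECTED: Dict[str, List[Range]] = {
    "CVE-2016-1716": [EL_CAPITAN],  # AppleGraphicsPowerManagement
    "CVE-2016-1717": [EL_CAPITAN],  # Disk Images
    "CVE-2016-1718": [EL_CAPITAN],  # IOAcceleratorFamily
    "CVE-2016-1719": [EL_CAPITAN],  # IOHIDFamily
    "CVE-2016-1720": [EL_CAPITAN],  # IOKit
    "CVE-2016-1721": [EL_CAPITAN],  # Kernel
    "CVE-2016-1722": [EL_CAPITAN],  # syslog
    "CVE-2016-1729": [EL_CAPITAN],  # OSA Scripts
    "CVE-2015-7995": [MAVERICKS, YOSEMITE, EL_CAPITAN],  # libxslt
}

# WebKit / WebKit CSS issues fixed in Safari 9.0.3, same three OS X ranges.
SAFARI_AFFECTED: Dict[str, List[Range]] = {
    cve: [MAVERICKS, YOSEMITE, EL_CAPITAN]
    for cve in ("CVE-2016-1723", "CVE-2016-1724", "CVE-2016-1725",
                "CVE-2016-1726", "CVE-2016-1727", "CVE-2016-1728")
}


def in_range(version: Version, bounds: Range) -> bool:
    """Inclusive tuple comparison; (10, 11) <= (10, 11, 0) holds because a
    shorter tuple sorts before any longer tuple with the same prefix."""
    low, high = bounds
    return low <= version <= high


def unpatched_cves(os_version: str) -> List[str]:
    """Return the CVEs from these advisories that still apply to os_version."""
    version = parse_version(os_version)
    table = {**OSX_AFFECTED, **SAFARI_AFFECTED}
    return sorted(cve for cve, ranges in table.items()
                  if any(in_range(version, r) for r in ranges))


def is_patched(os_version: str) -> bool:
    """True when no CVE from these advisories applies to os_version."""
    return not unpatched_cves(os_version)


if __name__ == "__main__":
    # Constructed sample inventory; real use would feed sw_vers output.
    for host, ver in [("mac-a", "10.11.2"), ("mac-b", "10.11.3"),
                      ("mac-c", "10.9.5"), ("mac-d", "10.10.4")]:
        print(host, ver, "patched" if is_patched(ver) else unpatched_cves(ver))
```

Because a 10.9.5 or 10.10.5 host is only exposed to the libxslt and WebKit issues, the check distinguishes hosts that need the 10.11.3 update from hosts that only need Safari 9.0.3; a 10.10.4 host falls outside every stated range and is reported as patched, which is a reminder that this table covers only the CVEs in these advisories, not older ones.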

The patched software products are already available for download, and users are advised to update as soon as possible to ensure they remain protected.

Last week, Synack’s Patrick Wardle discovered a new technique to bypass OS X’s Gatekeeper security feature, which was designed to protect users against malware downloaded from the Internet by blocking applications that come from unknown developers or that have been tampered with. At the end of September, the same researcher warned about another Gatekeeper bypass issue.

Last month, Apple patched over 100 vulnerabilities in its platforms with the release of OS X El Capitan 10.11.2 and iOS 9.2, fixing 54 issues in the former and 50 flaws in the latter, among them WebKit vulnerabilities that affected Safari and were addressed in version 9.0.2 of the browser. In late October, Apple patched 110 security bugs in OS X and iOS, one week after patching 4 flaws in the Keynote, Numbers, and Pages productivity apps.
