Apple Patches Tens of Vulnerabilities in iOS, OS X

Apple released on Monday security updates for OS X, iOS, watchOS, tvOS, Safari, iTunes and iCloud to address tens of vulnerabilities identified by the company’s employees and external researchers.

OS X El Capitan 10.11.6 fixes a total of 60 security bugs affecting components such as audio, CFNetwork, CoreGraphics, FaceTime, graphics drivers, ImageIO, the kernel, the login window, OpenSSL, QuickTime, sandbox profiles, and the libxml2 and libxslt libraries.

The CFNetwork vulnerability, tracked as CVE-2016-4645, was reported to Apple by Abhinav Bansal of Zscaler. The security firm published a blog post on Monday describing the flaw, which allows unprivileged applications to access cookies stored in the Safari browser.

“This access could result in a malicious application lifting all the persistent cookies for a given user and accessing sites posing as that user,” Zscaler said. “In the case of email, it could result in a malicious application getting access to all your email. Worse, it could gain access to a site that stores more personal and confidential information about you.”

In the case of iOS, version 9.3.3 resolves a total of 43 vulnerabilities, including many that also affect OS X. One of the flaws specific to iOS allows an attacker with physical access to a device to abuse Siri to view private contact information.

Since watchOS and tvOS are heavily based on iOS, many of the vulnerabilities patched in iOS have also been fixed in the Apple Watch and Apple TV operating systems. Safari 9.1.2 patches a dozen security holes in the WebKit engine.

iCloud for Windows 5.2.1 and iTunes 12.4.2 for Windows address 15 memory corruption and information disclosure vulnerabilities affecting the libxml2 and libxslt libraries.

The libxml2 and libxslt flaws also affect iOS, OS X, tvOS and watchOS. They were identified by Wei Lei and Liu Yang of Nanyang Technological University, Gustavo Grieco, Nick Wellnhofer, Nicolas Grégoire, Kostya Serebryany, Hanno Boeck and Michael Paddon. libxml2 is a library used for parsing XML documents, and it is the basis for libxslt, which processes XSLT 1.0 stylesheets.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.