Apple Patches Tens of Vulnerabilities in iOS, OS X

Apple released on Monday security updates for OS X, iOS, watchOS, tvOS, Safari, iTunes and iCloud to address tens of vulnerabilities identified by the company’s employees and external researchers.

OS X El Capitan 10.11.6 fixes a total of 60 security bugs affecting components such as audio, CFNetwork, CoreGraphics, FaceTime, graphics drivers, ImageIO, the kernel, the login window, OpenSSL, QuickTime, sandbox profiles, and the libxml2 and libxslt libraries.

The CFNetwork vulnerability, tracked as CVE-2016-4645, was reported to Apple by Abhinav Bansal of Zscaler. The security firm published a blog post on Monday to describe the flaw that allows unprivileged applications to access cookies stored in the Safari browser.

“This access could result in a malicious application lifting all the persistent cookies for a given user and accessing sites posing as that user,” Zscaler said. “In the case of email, it could result in a malicious application getting access to all your email. Worse, it could gain access to a site that stores more personal and confidential information about you.”

In the case of iOS, version 9.3.3 resolves a total of 43 vulnerabilities, including many that also affect OS X. One of the flaws specific to iOS allows an attacker with physical access to a device to abuse Siri to view private contact information.

Since watchOS and tvOS are heavily based on iOS, many of the vulnerabilities patched in iOS have also been fixed in the Apple Watch and Apple TV operating systems. Safari 9.1.2 patches a dozen security holes in the WebKit engine.

iCloud for Windows 5.2.1 and iTunes 12.4.2 for Windows address 15 memory corruption and information disclosure vulnerabilities affecting the libxml2 and libxslt libraries.

It’s worth pointing out that these flaws also affect iOS, OS X, tvOS and watchOS. The libxml2 and libxslt issues were identified by Wei Lei and Liu Yang of Nanyang Technological University, Gustavo Grieco, Nick Wellnhofer, Nicolas Grégoire, Kostya Serebryany, Hanno Boeck and Michael Paddon. libxml2 is a library used for parsing XML documents, and it is the basis for libxslt, which processes XSLT 1.0 stylesheets.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
