Security Experts:

Connect with us

Hi, what are you looking for?



Apple Patches Vulnerabilities in iOS, OS X, iTunes, Xcode

Apple on Wednesday released a series of software updates meant to add new capabilities to its products and to address vulnerabilities in many of them, including iOS, Mac OS X, iTunes and Xcode. 

Apple on Wednesday released a series of software updates meant to add new capabilities to its products and to address vulnerabilities in many of them, including iOS, Mac OS X, iTunes and Xcode. 

Over 100 vulnerabilities have been resolved in the newly released iOS 9, affecting various components of the platform, core applications, and services related to the mobile platform, including App Store, CFNetwork, CoreAnimation, Kernel, Mail, Safari, Siri, SpringBoard, and WebKit, among others. 

33 of these vulnerabilities affect WebKit, while 9 are related to CFNetwork, making these the two most vulnerable components in iOS. Safari clocks in third, with patches for 8 security flaws, including one in safe browsing. 

These vulnerabilities affect all iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later devices and could lead to arbitrary code execution, data leak, user interface spoofing, denial of service, data transfer interception, and app crashes.

SecurityWeek previously reported on a variety of security improvements that come with iOS 9, including an upgraded sideloading process meant to keep devices better protected from malicious applications, as well as better two-factor authentication process (2FA) and stronger device passcode protection.

The latest version of iOS also resolves a security flaw in AirDrop that could allow an attacker to send a malicious file to an affected device when in Bluetooth range—even if the device owner did not accept the transfer. 

Mac OS X Yosemite 10.10.5 or later users will receive patches for 20 vulnerabilities as part of the newly released OS X Server v5.0.3 update. These security issues affect components such as apache, BIND, PostgreSQL, and Wiki Server.

On its support website, Apple, explains that the most severe of the Apache and BIND vulnerabilities could allow a remote attacker to cause a denial of service, and that the most serious of the PostgreSQL flaws could lead to arbitrary code execution. Apple said it also removed Twisted to eliminate multiple XML security issues in Wiki Server.

iTunes 12.3 for Windows 7 and later was made available with patches for 66 vulnerabilities that could result in unexpected application termination, arbitrary code execution or could allow an attacker to obtain encrypted SMB credentials. One of the flaws exposed users to man-in-the-middle attacks while browsing the iTunes Store via iTunes.

10 vulnerabilities were patched in the new Xcode 7.0 release for all OS X Yosemite 10.10.4 or later devices. These flaws could be exploited to bypass access restrictions, access restricted parts of the filesystem, inspect traffic to Xcode Server, or send notifications to unintended recipients and were found in components such as DevTools, IDE Xcode Server, and subversion, Apple said.

Many of the vulnerabilities patched in this round of updates have been discovered by Apple’s employees, while other were reported by independent researchers and experts from security firms and other tech companies. Users should update their devices as soon as possible to ensure that they remain protected.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.