Apple Patches Vulnerabilities in iOS, OS X, iTunes, Xcode

Apple on Wednesday released a series of software updates meant to add new capabilities to its products and to address vulnerabilities in many of them, including iOS, Mac OS X, iTunes and Xcode. 

Over 100 vulnerabilities have been resolved in the newly released iOS 9, affecting various components of the platform, core applications, and services related to the mobile platform, including App Store, CFNetwork, CoreAnimation, Kernel, Mail, Safari, Siri, SpringBoard, and WebKit, among others. 

33 of these vulnerabilities affect WebKit, while 9 are related to CFNetwork, making these the two most vulnerable components in iOS. Safari clocks in third, with patches for 8 security flaws, including one in safe browsing. 

These vulnerabilities affect all iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later devices and could lead to arbitrary code execution, data leak, user interface spoofing, denial of service, data transfer interception, and app crashes.

SecurityWeek previously reported on a variety of security improvements that come with iOS 9, including an upgraded sideloading process meant to keep devices better protected from malicious applications, as well as better two-factor authentication process (2FA) and stronger device passcode protection.

The latest version of iOS also resolves a security flaw in AirDrop that could allow an attacker to send a malicious file to an affected device when in Bluetooth range—even if the device owner did not accept the transfer. 

Mac OS X Yosemite 10.10.5 or later users will receive patches for 20 vulnerabilities as part of the newly released OS X Server v5.0.3 update. These security issues affect components such as apache, BIND, PostgreSQL, and Wiki Server.

On its support website, Apple, explains that the most severe of the Apache and BIND vulnerabilities could allow a remote attacker to cause a denial of service, and that the most serious of the PostgreSQL flaws could lead to arbitrary code execution. Apple said it also removed Twisted to eliminate multiple XML security issues in Wiki Server.

iTunes 12.3 for Windows 7 and later was made available with patches for 66 vulnerabilities that could result in unexpected application termination, arbitrary code execution or could allow an attacker to obtain encrypted SMB credentials. One of the flaws exposed users to man-in-the-middle attacks while browsing the iTunes Store via iTunes.

10 vulnerabilities were patched in the new Xcode 7.0 release for all OS X Yosemite 10.10.4 or later devices. These flaws could be exploited to bypass access restrictions, access restricted parts of the filesystem, inspect traffic to Xcode Server, or send notifications to unintended recipients and were found in components such as DevTools, IDE Xcode Server, and subversion, Apple said.

Many of the vulnerabilities patched in this round of updates have been discovered by Apple’s employees, while other were reported by independent researchers and experts from security firms and other tech companies. Users should update their devices as soon as possible to ensure that they remain protected.