Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Apple Patches Vulnerabilities in iOS, OS X, iTunes, Xcode

Apple on Wednesday released a series of software updates meant to add new capabilities to its products and to address vulnerabilities in many of them, including iOS, Mac OS X, iTunes and Xcode. 

Apple on Wednesday released a series of software updates meant to add new capabilities to its products and to address vulnerabilities in many of them, including iOS, Mac OS X, iTunes and Xcode. 

Over 100 vulnerabilities have been resolved in the newly released iOS 9, affecting various components of the platform, core applications, and services related to the mobile platform, including App Store, CFNetwork, CoreAnimation, Kernel, Mail, Safari, Siri, SpringBoard, and WebKit, among others. 

33 of these vulnerabilities affect WebKit, while 9 are related to CFNetwork, making these the two most vulnerable components in iOS. Safari clocks in third, with patches for 8 security flaws, including one in safe browsing. 

These vulnerabilities affect all iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later devices and could lead to arbitrary code execution, data leak, user interface spoofing, denial of service, data transfer interception, and app crashes.

SecurityWeek previously reported on a variety of security improvements that come with iOS 9, including an upgraded sideloading process meant to keep devices better protected from malicious applications, as well as better two-factor authentication process (2FA) and stronger device passcode protection.

The latest version of iOS also resolves a security flaw in AirDrop that could allow an attacker to send a malicious file to an affected device when in Bluetooth range—even if the device owner did not accept the transfer. 

Mac OS X Yosemite 10.10.5 or later users will receive patches for 20 vulnerabilities as part of the newly released OS X Server v5.0.3 update. These security issues affect components such as apache, BIND, PostgreSQL, and Wiki Server.

On its support website, Apple, explains that the most severe of the Apache and BIND vulnerabilities could allow a remote attacker to cause a denial of service, and that the most serious of the PostgreSQL flaws could lead to arbitrary code execution. Apple said it also removed Twisted to eliminate multiple XML security issues in Wiki Server.

Advertisement. Scroll to continue reading.

iTunes 12.3 for Windows 7 and later was made available with patches for 66 vulnerabilities that could result in unexpected application termination, arbitrary code execution or could allow an attacker to obtain encrypted SMB credentials. One of the flaws exposed users to man-in-the-middle attacks while browsing the iTunes Store via iTunes.

10 vulnerabilities were patched in the new Xcode 7.0 release for all OS X Yosemite 10.10.4 or later devices. These flaws could be exploited to bypass access restrictions, access restricted parts of the filesystem, inspect traffic to Xcode Server, or send notifications to unintended recipients and were found in components such as DevTools, IDE Xcode Server, and subversion, Apple said.

Many of the vulnerabilities patched in this round of updates have been discovered by Apple’s employees, while other were reported by independent researchers and experts from security firms and other tech companies. Users should update their devices as soon as possible to ensure that they remain protected.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Mike Byron has been named Chief Financial Officer (CFO) at Exabeam.

Ex-GitHub chief technology officer Mike Hanley has joined GM as CISO.

Network security and compliance assurance firm Titania has appointed Victoria Dimmick as CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.