Security Experts:

Apple Patches Vulnerabilities in macOS, watchOS, and tvOS

Apple this week released security updates for macOS, watchOS, and tvOS, as well as updated versions of the Safari browser and the iTunes for Windows application.

The company addressed a total of 22 vulnerabilities with the release of macOS High Sierra 10.13.2 this week (some of the patches were also included in Security Update 2017-002 Sierra and Security Update 2017-005 El Capitan).

Affected components included apache, curl, Directory Utility, Intel Graphics Driver, IOAcceleratorFamily, IOKit, Kernel, Mail, Mail Drafts, OpenSSL, and Screen Sharing Server. Kernel was impacted the most, with 8 bugs addressed in it.

Many of these flaws could result in attackers or malicious applications executing arbitrary code with either kernel or system privileges. Other vulnerabilities, however, could result in disclosure of process memory, administrator authentication bypass, and system termination, or could allow applications to read restricted memory.

Impacting macOS High Sierra 10.13.1, the flaw in Mail could result in an S/MIME encrypted email being inadvertently sent unencrypted if the receiver's S/MIME certificate was not installed, Apple notes in an advisory.

A total of 9 vulnerabilities were addressed with the release of watchOS 4.2. One of the bugs impacts IOSurface, another affects Wi-Fi, while the remaining 7 were resolved in Kernel. Most of the bugs could result in an application executing arbitrary code with kernel privileges or reading restricted memory.

Affecting Apple Watch (1st Generation) and Apple Watch Series 3, the Wi-Fi bug allowed an attacker in Wi-Fi range to force nonce reuse in WPA multicast/GTK clients.

The issue, known as Key Reinstallation Attacks or KRACK, was discovered earlier this year in the Wi-Fi standard itself, thus impacting all implementations, industrial networking devices included. Apple addressed the bug in most of its products in late October.

Released on Monday, tvOS 11.2 resolves 10 vulnerabilities: one in IOSurface, another in Wi-Fi, and 8 in Kernel. Essentially, it fixes the 9 bugs addressed with watchOS 4.2, along with one other issue in Kernel.

These 10 security vulnerabilities, along with 4 others (one in IOKit, one in IOMobileFrameBuffer, one in Mail, and another in Mail Drafts), were also addressed in iOS with the release of iOS 11.2 on December 2.

On Wednesday, December 6, Apple also released Safari 11.0.2 and iTunes 12.7.2 for Windows, but hasn’t provided information on the security content of these updates.

In late November, Apple released a security update for macOS High Sierra in an effort to patch a critical authentication bypass vulnerability that can be easily exploited to gain root access to a system.

Related: Apple Patches Dangerous KRACK Wi-Fi Vulnerabilities

Related: Apple Silently Patched macOS Security Bypass Flaw

Related: Apple Patches Critical Root Access Flaw in macOS

view counter