Apple Patches Vulnerabilities in OS X, iOS, Safari

Updates released by Apple on Wednesday address numerous vulnerabilities in Mac OS X, iOS, Safari and other products developed by the company.

The OS X updates fix a total of 80 security issues affecting components such as the admin framework, Apache, ATS, CFNetwork, CoreAnimation, FontParser, hypervisor, ImageIO, IOHIDFamily, the kernel, LaunchServices, libnetcore, NTP, OpenSSL, PHP, QuickLook, SceneKit, UniformTypeIdentifiers, and WebKit.

The patched vulnerabilities can be exploited for remote code execution, denial-of-service (DoS) attacks, data leakage, and bypassing security mechanisms.

Three of the vulnerabilities were reported by the researcher known as lokihardt through HP’s Zero Day Initiative (ZDI). One of them is the remote code execution bug leveraged by the expert at the Pwn2Own 2015 hacking competition to break Safari. ZDI has published advisories for each of the flaws.

One of the DoS bugs affecting the OS X kernel was detailed in a blog post on Wednesday by Kenton Varda of Sandstorm.io. The vulnerability allows an attacker to cause apps and network services, such as Chrome and Node.js, to go into infinite loops.

The details of a NULL pointer vulnerability in the NVidia GeForce kernel driver shipped with OS X Yosemite were also disclosed. Yahoo researchers John Villamil and Frank Graziano discovered the flaw that allows a local attacker to execute arbitrary code with system privileges.

With the release of iOS 8.3, Apple has addressed a total of 58 flaws, including ones that affect OS X as well. The list of impacted components includes AppleKeyStore, audio drivers, the backup system, iWork Viewer, Bluetooth keyboards, the lock screen, sandbox profiles, telephony, and Safari. The backup system bug, which allows an attacker to access restricted areas of the file system, has been leveraged by TaiG for its jailbreaks.

The Safari web browser has been updated to versions 8.0.5, 7.1.5, and 6.2.5. The latest releases address a total of ten issues, many of which impact users’ privacy.

Updates have also been released for Xcode and Apple TV. The vulnerabilities fixed by Apple with the release of Apple TV 7.2 can be exploited by malicious actors for arbitrary code execution, DoS attacks, privilege escalation, traffic redirection, security bypasses, and information leakage.

The Xcode integrated development environment has been updated to version 6.3. Two security flaws have been addressed in this release.

Some of the vulnerabilities fixed with the latest updates were identified by Apple’s own security team, but many of them were discovered and reported by independent researchers and experts working for companies such as Google, Alibaba, IBM, IOActive, Kaspersky, Zimperium, and FireEye.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
