Apple Patches Hundreds of Vulnerabilities Across Product Lines
Apple on Monday released security patches for its macOS and macOS Server, iOS, watchOS, tvOS, Safari, and Pages, to address over 200 vulnerabilities.
No less than 127 vulnerabilities were addressed with the release of macOS Sierra 10.12.4 (and Security Update 2017-001 El Capitan and Security Update 2017-001 Yosemite). These affected components such as apache, Audio, Bluetooth, FontParser, ImageIO, IOFireWireAVC, Kernel, OpenSSH, OpenSSL, QuickTime, Security, tcpdump, tiffutil, and WebKit.
tcpdump was affected the most, as the tech giant resolved 41 vulnerabilities in this component alone. By leveraging these flaws, an attacker in a privileged network position could be able to execute arbitrary code with user assistance, Apple notes in its advisory. The company also resolved 11 bugs in Kernel and 8 flaws in tiffutil.
Some of the flaws resolved in macOS Sierra 10.12.4 include memory corruption, inconsistent user interface issues, out-of-bound read, access and validation issues, buffer overflow, uncontrolled format string, timing side channel bug, profile uninstallation issue, use after free, and race condition. Many were addressed by improved input validation or improved memory handling.
Tracked as CVE-2017-2485 and discovered by Cisco Talos, a memory corruption issue was found in the parsing of certificates and was addressed through improved input validation. According to Apple, the issue could lead to arbitrary code execution when processing a maliciously crafted x509 certificate. Talos reveals that this use-after-free vulnerability (which affects iOS as well) manifests due to improper handling of X.509v3 certificate extensions fields.
“An application that passes a malicious certificate to the certificate validation agent could trigger this vulnerability. Possible scenarios where this could be exploited include users connecting to a website which serves a malicious certificate to the client, Mail.app connecting to a mail server that provides a malicious certificate, or opening a malicious certificate file to import into the keychain,” the researchers say.
iOS 10.3 was released on Monday with fixes for 84 flaws affecting Accounts, Audio, CoreGraphics, CoreText, FontParser, ImageIO, Kernel, libarchive, Profiles, Safari, Security, and WebKit, among other components (many of the fixed issues were impacting macOS, Safari).
Also released on Monday, tvOS 10.2 addresses 56 bugs, while watchOS 3.2 resolves 34 of them. Additionally, Apple pushed out macOS Server 5.3 to resolve 3 vulnerabilities (in Profile Manager, Web Server, and Wiki Server), and Pages 6.1, Numbers 4.1, and Keynote 7.1 for Mac and Pages 3.1, Numbers 3.1, and Keynote 3.1 for iOS, to address one issue in Export.