Apple hurls out patches for dozens of security holes in iOS, macOS

Project Zero, GCHQ, and city of Mishawaka, Indiana among credited bug-hunters

Apple has today released patches addressing roughly four dozen exploitable security vulnerabilities in iOS, macOS, and WatchOS.

The iOS 10.3.3 update resolves 47 flaws for the iPhone, iPad and iPod Touch, including multiple remote code execution holes in the WebKit browser engine. Fixes were also posted for the Apple Watch's WatchOS firmware.

Of the CVE-listed flaws in the update, 23 were found in WebKit, the browser engine Apple uses for iOS and Safari. Those include 16 memory corruption errors that could be exploited for remote code execution via a malicious webpage.

One of those memory corruption bugs, CVE-2017-7055, was reported to Apple by the UK National Cyber Security Centre, a branch of the GCHQ spying nerve center. As usual, bug hunters with Google's Project Zero were also well represented, with Ian Beer, lokihardt, and Ivan Fratric credited for discovering multiple flaws.

Other notable vulnerabilities include CVE-2017-7060, a bug in Safari Printing that allows an attacker to freeze the browser by flooding it with print dialogue boxes. Discovery of that bug was credited to Travis Kelley, with the City of Mishawaka, Indiana.

Also addressed were flaws that allow attackers to crash the Messages app (CVE-2017-7063), and bugs in the iOS Kernel that allow an application to remotely execute code or access restricted memory space.

Meanwhile, Mac users will need to update their systems as well, thanks to a fresh crop of security fixes for OS X Sierra, El Capitan, and Yosemite. Those updates include a half-dozen CVE-listed vulnerabilities in the Intel Graphics Driver that allow applications to execute arbitrary code at the kernel level and view restricted memory addresses.

Also included in the update were multiple flaws in the macOS Kernel and a flaw in the Wi-Fi protocol (CVE-2017-9417) for both iOS and OS X that allow an attacker to "execute arbitrary code on the Wi-Fi chip." That bug, also present on the Apple Watch and Apple TV, was credited to Nitay Artenstein of Exodus Intelligence. It's basically the Broadpwn wireless stack vulnerability Google patched in Android, too.

A separate update for the Safari browser on MacOS includes many of the WebKit fixes from the iOS update, including multiple remote code execution flaws that could be exploited via malicious webpages.

Moving on to the less-popular Apple products, the WatchOS, tvOS and Windows versions of iTunes and iCloud also received updates for vulnerabilities, including the WebKit remote code execution flaws.

In short, fire up your software update tool, download, install, reboot. ?

Biting the hand that feeds IT ? 1998–2017

  • 1015111305 2018-02-19
  • 6607141304 2018-02-19
  • 5587621303 2018-02-19
  • 6265761302 2018-02-19
  • 6666351301 2018-02-19
  • 3788381300 2018-02-19
  • 9596221299 2018-02-19
  • 1153531298 2018-02-19
  • 8253311297 2018-02-19
  • 1614291296 2018-02-19
  • 107351295 2018-02-18
  • 9487041294 2018-02-18
  • 7763841293 2018-02-18
  • 5836761292 2018-02-18
  • 615581291 2018-02-18
  • 5081161290 2018-02-18
  • 321961289 2018-02-18
  • 776731288 2018-02-18
  • 9075261287 2018-02-18
  • 3005511286 2018-02-18