Patch iOS, OS X now: PDFs, JPEGs, URLs, web pages can pwn your kit
Plus: iThings and desktops at risk of NEW SSL attack flaw
Apple has released updates to its iOS and OS X operating systems that address serious security flaws.
The company said the iOS 7.1.1 upgrade will include, as well as some stability updates, fixes for 19 security flaws.
One of those vulnerabilities is a "triple handshake" error in iOS SecureTransport – which is part of the OS that provides SSL/TLS encryption for stuff sent across the internet. The flaw, which also affects OS X 10.8.5 and 10.9.2, effectively allows a network snooper to maliciously inject data into a supposedly secure connection.
According to Apple, the bug allows an eavesdropper "to establish two [SSL] connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other".
Also fixed were a flaw in IOKit that leaked kernel pointers – handy for jailbreaking tools – and a possible login cookie disclosure flaw in the iOS HTTPProtocol component. According to Apple: "Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie."
Leveraging the IOKit bug requires the attacker, or jailbreaker, to be running code on the vulnerable device, whereas the SecureTransport and HTTPProtocol flaws can be exploited be anyone managing a point along the network chain, such as an evil Wi-Fi point in a cafe.
WebKit bugs affecting iOS Safari app and others
Meanwhile in the iOS 7.1.1 update, 16 WebKit flaws are fixed, many of which were previously addressed by Apple for the desktop version of the Safari web browser earlier this month. Much like that desktop patch, the iOS update credits discovery of 10 of the flaws to members of Google's security team.
The worst of the WebKit flaws could allow an attacker to remotely execute code on an iThing that visits a maliciously crafted web page. Some resourceful modders have in the past used such flaws to streamline the jailbreaking process on iOS devices.
The iOS 7.1.1 update can be applied to gadgets running iOS 7.1, including iPhone 4 and later models, iPad 2 or later, iPad mini, and iPod touch 5th generation and later. Users can obtain the update in iOS at Settings > General > Software Update component.
Along with that bug-squashing come stability fixes for the fingerprint-recognizing Touch ID, improve on-screen keyboard responsiveness, and resolves a compatibility issue between Bluetooth keyboards and the VoiceOver screen-reading capability.
OS X security updates
Users running OS X should also update their Macs. Apple released a separate security update for OS X which addresses the aforementioned HTTPProtocol, IOKit and severe SecureTransport SSL flaws, along with 10 other fixes for vulnerabilities in components of OS X Mountain Lion (10.8) and Mavericks (10.9), which could allow for elevation of privilege and remote code execution.
On computers running OS X 10.8.5, opening a PDF with specially crafted font data could result in remote-code execution or a crash – effectively allowing miscreants to hijack Macs by sending over dodgy documents to victims. OS X 10.9.2 can be pwned by opening a malicious JPEG thanks to a buffer overflow bug in the operating system's ImageIO component.
A bug in CoreServicesUIAgent on OS X 10.9.2 allows hackers to execute code on victims' machines by making them click on a special URL. The tech giant admitted: "A format string issue existed in the handling of URLs. This issue was addressed through additional validation of URLs."
The Intel Graphics Driver on OS X 10.8.5 and 10.9.2 doesn't validate a pointer from userspace properly, allowing an application running on a vulnerable system to take control of the Mac. Keypresses are now ignored while the machine goes to sleep in OS X 10.9.2, allowing the system to lock properly.
And last, but not least, Apple says "maliciously crafted applications can execute arbitrary code outside the sandbox", thanks to a flaw in WindowServer. Mac users should patch as soon as possible now that these bugs are known. ®