Apple slips out security patches while world goes gaga over watches
Remote-code exec in iOS, OS X iCloud, plus FREAK fix
While everyone was losing their mind over expensive watches, Apple sneaked out security fixes for iOS phones and tablets, and OS X computers.
Leading the charge is a patch to squish the FREAK bug in the two operating systems' SSL/TLS code. Disclosed last week by researchers, the flaw allows an eavesdropper to intercept connections to HTTPS websites and downgrade the strength of the encryption, allowing miscreants to crack the traffic and steal things like login cookies and banking details.
The bug affects Safari on iOS and OS X as well as other applications that use Apple's SecureTransport. Apple issued the patch for all supported OS X systems and iOS devices.
Meanwhile, a man-in-the-middle vulnerability (CVE-2015-1065) in iOS and OS X was discovered by researcher Andrey Belenko of NowSecure, and has been patched. An attacker who can intercept connections between Apple's iCloud and a Yosemite-powered Mac or an iOS 8 iThing can exploit buffer overflows during a Keyring recovery process to execute malicious code on the vulnerable computer or device.
Also patched in both iOS and OS X is a code execution flaw in the IOSurface software component. Apple warned that a malicious application could operate on a target device with system privileges. Discovery of the flaw, labeled CVE-2015-1061, was credited to Ian Beer of Google Project Zero.
For iOS devices (iPhone 4S or later, 5th gen and later iPod touch and iPad 2 or later) the security update will address four additional CVE-listed flaws, including a remote restart bug (CVE-2015-1063, credited to Roman Digerberg of Sweden), a jailbreak flaw (CVE-2015-1062, TaiG Jailbreak Team), and a bug allowing the home screen to be viewed without activation (CVE-2015-1064).
For OS X systems, the FREAK, iCloud and IOSurface fixes will be accompanied by two other patches.
The first addresses a code execution flaw in the IOAcceleratorFamily tool. That programming blunder, CVE-2015-1066 could be exploited by convincing the user to run a malicious application that exploits the vulnerability to gain root privileges. Its discovery was credited to Ian Beer of Google Project Zero.
Finally, the update will patch a kernel flaw discovered by the TaiG Jailbreak Team. CVE-2014-4496 allows an attacker to spot and target specific memory addresses in the kernel, bypassing randomization protections.
Users running OS X Mountain Lion or later and iPhone 4S, iPad 2 and iPod touch 5 and later are all advised to update their systems to patch the flaws. Owners of Apple TV sets are also advised to update their boxes to address the CVE-2015-1067, CVE-2015-1061 and CVE-2015-1062 vulnerabilities. ®