Have an iPhone? Mac? Just about anything else Apple flogs? Patch now
Massive update addresses iOS, OS X, and Safari security holes
Apple has issued a huge wad of updates to address dozens of CVE-listed security vulnerabilities in iOS, OS X Yosemite, Safari, and OS X Server.
The update includes fixes for security flaws that an attacker could exploit to remotely execute code on one's shiny belongings.
For newer iOS devices, Apple is putting out the iOS 8.4.1 software update. The patch applies to iPhone 4S and later, iPod Touch 5th generation and later, and iPad 2 and later.
Among the fixes are patches for four code-signing vulnerabilities in iOS discovered and used by the TaiG Jailbreak Team, a hacking team famous for discovering ways to unlock iOS devices via security exploits. Those flaws would allow unsigned (and potentially unsafe) code to run on iOS hardware.
Safari and WebKit were a major focus of the iOS security update. Apple listed 26 CVE-classified remote code flaws in WebKit for iOS and two other flaws in Safari, potentially allowing for website spoofing and denial of service from endless alert prompts.
Other fixes in the iOS update deal with a flaw in CloudKit that allows malicious apps to pull user iCloud details, remote code execution flaws in ImageIO triggered by processing or viewing .TIFF images, and a flaw in UIKit WebView that could allow applications to make FaceTime calls without authorization.
The iOS 8.4.1 patches contain TIFF vulnerabilities, which can be reached over MMS. Nice one, @lcamtuf! — mdowd (@mdowd) August 14, 2015
Those running OS X should also look to update their machines following the release of a security update for Yosemite and Mavericks. The OS X Yosemite v10.10.5 and Security Update 2015-006 patches include WebKit and Safari fixes as well as updates for vulnerabilities in Apache, Bluetooth, Kernel, and QuickTime 7.
OS X Mavericks and Mountain Lion owners will also want to install Apple's Safari update. The browser patch is included with the Yosemite update but not the 2015-006 package. The update, listed as Safari 8.0.8, 7.1.8, and 6.2.8, includes fixes for 26 CVE flaws in WebKit including remote code execution, as well as an interface spoofing flaw in Safari that could allow one web page to create a fake prompt on another.
Finally, Apple pushed out an update for its lesser-known OS X Server build. The 4.1.5 update, intended for Yosemite Macs, addresses a denial of service vulnerability in the BIND networking tool. ®