Apple Macs, iPhones, iPads, Watches, TVs can be hijacked by evil Wi-Fi, PDFs – update now

iOS, OS X, watchOS, tvOS all patched

Updated Apple has today emitted security updates for pretty much everything it makes, and you should install them as soon as you can because it's all bad news.

iPhones, iPads and iPods should grab iOS 9.3, Macs should fetch OS X 10.11.4 or Security Update 2016-002 for non-El Capitan Macs, Apple Watches should get watchOS 2.2, and Apple TVs should install tvOS 9.2. Your hardware should eventually offer the updates to you automatically, or you can follow these instructions to get going right away.

As well as fixing the iMessage decryption flaw that we were warned about on Sunday, the new software also closes bugs that allow malicious Wi-Fi networks, PDF files, fonts and more to execute malware on devices and computers.

Opening a booby-trapped file, or connecting to a dodgy wireless network, could lead to your computer or handheld being hijacked to spy on you, steal your passwords, and so on. In this latest round of patches, there's a heady mix of remote code execution flaws, code signing bypasses, escalations to kernel mode, and kernel memory map leaks, which can be chained together to fully compromise Apple gear.

Here are all the bugs found and fixed in iOS and OS X, which need to be squashed on your systems and gadgets before miscreants start exploiting them in the wild:

iOS

Grab iOS 9.3 to fix...

  • CVE-2016-1734 in AppleUSBNetworking: An application may be able to execute arbitrary code with kernel privileges by exploiting a memory corruption bug in the parsing of data from USB devices.
  • CVE-2016-1740 in FontParser: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2015-8659 in HTTPProtocol: A remote attacker may be able to execute arbitrary code by exploiting a bug in Nghttp2.
  • CVE-2016-0801 and CVE-2016-0802 in Wi-Fi: An attacker with a privileged network position may be able to execute arbitrary code, thanks to a frame validation and memory corruption issue for a given ethertype.
  • CVE-2016-1752 in Kernel: An application may be able to cause a denial of service. Found by GCHQ's bug hunters CESG.
  • CVE-2016-1750 in Kernel: An application may be able to execute arbitrary code with kernel privileges. Also found by CESG.
  • CVE-2016-1753 in Kernel: An application may be able to execute arbitrary code with kernel privileges.
  • CVE-2016-1751 in Kernel: An application may be able to bypass code signing, i.e. untrusted malware can exploit this bug to run within Apple's walled garden.
  • CVE-2016-1757 in Kernel: An application may be able to execute arbitrary code with kernel privileges by exploiting a race condition that existed during the creation of new processes.
  • CVE-2016-1756 in Kernel: An application may be able to execute arbitrary code with kernel privileges by exploiting a null pointer dereference.
  • CVE-2016-1754 and CVE-2016-1755 in Kernel: An application may be able to execute arbitrary code with kernel privileges.
  • CVE-2016-1758 in Kernel: An application may be able to determine kernel memory layout.
  • CVE-2016-1748 in IOHIDFamily: An application may be able to determine kernel memory layout.
  • A shedload of bugs fixed in libxml2: Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution.
  • CVE-2016-1763 in Messages: Visiting a maliciously crafted website may auto-fill text into other Message threads due to an issue in the parsing of SMS URLs.
  • CVE-2016-1788 in Messages: An attacker who is able to bypass Apple's certificate pinning, intercept TLS connections, inject messages, and record encrypted attachment-type messages may be able to read attachments. A cryptographic issue was addressed by rejecting duplicate messages on the client. This is the scary flaw highlighted over the weekend; it is far from the worst bug here. You need to be able to impersonate a root CA to pull it off.
  • CVE-2016-1766 in Profiles: An untrusted MDM profile may be incorrectly displayed as verified.
  • CVE-2016-1950 in Security: Processing a maliciously crafted certificate may lead to arbitrary code execution. A memory corruption issue existed in the ASN.1 decoder, surprise, surprise.
  • CVE-2016-1775 in TrueTypeScaler: Processing a maliciously crafted font file may lead to arbitrary code execution.
  • A shedload of bug fixes in WebKit: Processing maliciously crafted web content may lead to arbitrary code execution.

OS X

Updates are now available to install for OS X Mavericks 10.9, OS X Yosemite 10.10, and OS X El Capitan 10.11. A number of the following bugs are fixed only in El Capitan for reasons best understood by Apple; in general, it's strongly advised that you use Apple's latest operating system releases, as these tend to be comprehensively patched.

  • CVE-2015-8126 and CVE-2015-8472 in apache_mod_php: Processing a maliciously crafted .png file may lead to arbitrary code execution.
  • CVE-2016-1733 in AppleRAID: An application may be able to execute arbitrary code with kernel privileges.
  • CVE-2016-1734 in AppleUSBNetworking: An application may be able to execute arbitrary code with kernel privileges.
  • CVE-2016-0801 and CVE-2016-0802 in Wi-Fi: An attacker with a privileged network position may be able to execute arbitrary code.
  • CVE-2016-1735 and CVE-2016-1736 in Bluetooth: An application may be able to execute arbitrary code with kernel privileges.
  • CVE-2016-1746 and CVE-2016-1747 in IOGraphics: An application may be able to execute arbitrary code with kernel privileges.
  • CVE-2016-1741 in the Nvidia Graphics Drivers: An application may be able to execute arbitrary code with kernel privileges.
  • CVE-2016-1749 in IOUSBFamily: An application may be able to execute arbitrary code with kernel privileges.
  • CVE-2016-1753 in Kernel: An application may be able to execute arbitrary code with kernel privileges.
  • CVE-2016-1750 in Kernel: An application may be able to execute arbitrary code with kernel privileges. Discovered and reported by the UK government's CESG.
  • CVE-2016-1757 in Kernel: An application may be able to execute arbitrary code with kernel privileges due to a race condition during the creation of new processes.
  • CVE-2016-1756 in Kernel: An application may be able to execute arbitrary code with kernel privileges.
  • CVE-2016-1754, CVE-2016-1755 and CVE-2016-1759 in Kernel: An application may be able to execute arbitrary code with kernel privileges.
  • CVE-2016-1950 in Security: Processing a maliciously crafted certificate may lead to arbitrary code execution.
  • CVE-2016-1737 in Carbon: Processing a maliciously crafted .dfont file may lead to arbitrary code execution.
  • CVE-2016-1738 in dyld: An attacker may tamper with code-signed applications to execute arbitrary code in the application's context.
  • CVE-2016-1740 in FontParser: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2015-8659 in HTTPProtocol: A remote attacker may be able to execute arbitrary code.
  • CVE-2016-1743 and CVE-2016-1744 in the Intel Graphics Driver: An application may be able to execute arbitrary code with kernel privileges.
  • CVE-2016-1775 in TrueTypeScaler: Processing a maliciously crafted font file may lead to arbitrary code execution.
  • CVE-2016-1745 in IOFireWireFamily: A local user may be able to cause a denial of service.
  • CVE-2016-1748 in IOHIDFamily: An application may be able to determine kernel memory layout.
  • CVE-2016-1758 in Kernel: An application may be able to determine kernel memory layout.
  • CVE-2016-1752 in Kernel: An application may be able to cause a denial of service.
  • A shedload of bug fixes in libxml2: Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution.
  • CVE-2016-1764 in Messages: Clicking a JavaScript link can reveal sensitive user information.
  • CVE-2016-1788 in Messages: An attacker who is able to bypass Apple's certificate pinning, intercept TLS connections, inject messages, and record encrypted attachment-type messages may be able to read attachments.
  • CVE-2016-0777 and CVE-2016-0778 in OpenSSH: Connecting to a malicious server may leak sensitive user information, such as a client's private keys (the SSH roaming flaw).
  • CVE-2015-3195 in OpenSSL: A remote attacker may be able to cause a denial of service.
  • Various bug fixes in libpng used by Python and Tcl: Processing a maliciously crafted .png file may lead to arbitrary code execution.
  • CVE-2016-1767 and CVE-2016-1768 in QuickTime: Processing a maliciously crafted FlashPix Bitmap Image may lead to unexpected application termination or arbitrary code execution.
  • CVE-2016-1769 in QuickTime: Processing a maliciously crafted Photoshop document may lead to unexpected application termination or arbitrary code execution.
  • CVE-2016-1770 in Reminders: Clicking a telephone number link can make a call without prompting the user.
  • CVE-2015-7551 in Ruby: A local attacker may be able to cause unexpected application termination or arbitrary code execution.
  • CVE-2016-1773 in Security: A local user may be able to check for the existence of arbitrary files.
  • CVE-2016-1732 in AppleRAID: A local user may be able to determine kernel memory layout.

watchOS and tvOS also have similar bug fixes, so update your watches and TVs because this is 2016 and that's the state of technology. And don't forget to patch Safari and Xcode. Just because you've got zillions of dollars in the bank doesn't mean your software is free of zillions of bugs. ®