Apple hurls out patches for dozens of security holes in iOS, macOS

Project Zero, GCHQ, and city of Mishawaka, Indiana among credited bug-hunters

Apple has today released patches addressing roughly four dozen exploitable security vulnerabilities in iOS, macOS, and WatchOS.

The iOS 10.3.3 update resolves 47 flaws for the iPhone, iPad and iPod Touch, including multiple remote code execution holes in the WebKit browser engine. Fixes were also posted for the Apple Watch's WatchOS firmware.

Of the CVE-listed flaws in the update, 23 were found in WebKit, the browser engine Apple uses for iOS and Safari. Those include 16 memory corruption errors that could be exploited for remote code execution via a malicious webpage.

One of those memory corruption bugs, CVE-2017-7055, was reported to Apple by the UK National Cyber Security Centre, a branch of the GCHQ spying nerve center. As usual, bug hunters with Google's Project Zero were also well represented, with Ian Beer, lokihardt, and Ivan Fratric credited for discovering multiple flaws.

Other notable vulnerabilities include CVE-2017-7060, a bug in Safari Printing that allows an attacker to freeze the browser by flooding it with print dialogue boxes. Discovery of that bug was credited to Travis Kelley, with the City of Mishawaka, Indiana.

Also addressed were flaws that allow attackers to crash the Messages app (CVE-2017-7063), and bugs in the iOS Kernel that allow an application to remotely execute code or access restricted memory space.

Meanwhile, Mac users will need to update their systems as well, thanks to a fresh crop of security fixes for OS X Sierra, El Capitan, and Yosemite. Those updates include a half-dozen CVE-listed vulnerabilities in the Intel Graphics Driver that allow applications to execute arbitrary code at the kernel level and view restricted memory addresses.

Also included in the update were multiple flaws in the macOS Kernel and a flaw in the Wi-Fi protocol (CVE-2017-9417) for both iOS and OS X that allow an attacker to "execute arbitrary code on the Wi-Fi chip." That bug, also present on the Apple Watch and Apple TV, was credited to Nitay Artenstein of Exodus Intelligence. It's basically the Broadpwn wireless stack vulnerability Google patched in Android, too.

A separate update for the Safari browser on MacOS includes many of the WebKit fixes from the iOS update, including multiple remote code execution flaws that could be exploited via malicious webpages.

Moving on to the less-popular Apple products, the WatchOS, tvOS and Windows versions of iTunes and iCloud also received updates for vulnerabilities, including the WebKit remote code execution flaws.

In short, fire up your software update tool, download, install, reboot. ®


Biting the hand that feeds IT © 1998–2017