Tag Archives: Apple OS X Server

Apple Releases Security Updates To Address iMessage Vulnerability

Yesterday Apple released a very large collection of security updates that affect most of their product range to address issues among them the widely published vulnerability in the iMessage app:

=======================

  • Apple iOS 9.3: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • Apple watchOS 2.2: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
  • Apple tvOS 9.2: For Apple TV (4th generation)
  • Apple Xcode 7.3: For OS X El Capitan v10.11 and later
  • Apple OS X El Capitan v10.11.4 and Security Update 2016-002: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3
  • Apple Safari 9.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.3
  • Apple OS X Sever 5.1: For OS X Yosemite v10.10.5 and later

=======================
As always, comprehensive details of all of these updates are provided on Apple’s Security Updates page.

Without question the most important update is for iOS bringing it to version 9.3. This issue is also present in watchOS and OS X. These updates resolve the cryptographic flaw in Apple’s iMessage app as reported by Matthew Green and his team of research students known as CVE-2016-1788 (defined). I will provide more detail on this vulnerability below.
=======================

Noteworthy fixes included are as follows:

Apple iOS 9.3: Resolves 38 CVEs and includes fixes for AppleUSBNetworking, FontParser, HTTPProtocol, iOS kernel (defined), libxml2, Security, TrueTypeScaler, WebKit (and associated components and Wi-Fi (among others).

Apple watchOS 2.2: Resolves 34 CVEs and includes fixes for DiskImages, FontParser, HTTPProtocol, IOHIDFamily, watchOS kernel, libxml2, Messages, Security, syslog, TrueTypeScaler, WebKit and Wi-Fi.

Apple tvOS 9.2: Addresses 23 CVEs, the most severe present in the following components: DiskImages, FontParser, HTTPProtocol, IOHIDFamily, watchOS kernel, libxml2, Messages, Security, syslog, TrueTypeScaler, WebKit and Wi-Fi.

Apple Xcode 7.3: Resolves 2 critical CVEs.

Apple OS X El Capitan v10.11.4 and Security Update 2016-002: Resolves 59 CVEs the most severe being present in the following: apache_mod_php, AppleRAID (defined), AppleUSBNetworking, Bluetooth, Carbon, dyld, FontParser, HTTPProtocol, Intel Graphics Driver (defined), IOGraphics, IOUSBFamily, OS X kernel, libxml2, Messages, Nvidia Graphics Drivers, OpenSSH, OpenSSL, Python, QuickTime, Ruby, Security, Tcl, TrueTypeScaler, Wi-Fi.

Update: 30th March 2016:
The update for OS X 10.11 (El Capitan) also addresses a vulnerability in the System Integrity Protection (SIP) present in the most recent version of the OS. This vulnerability was assigned the following CVE: CVE-2016-1757 Further discussion of this vulnerability is available here.

Apple Safari 9.1: Resolves 12 CVEs the most critical being present in the libxml2 and WebKit (the renderer of Safari).

Apple OS X Server 5.1: Addresses 4 CVEs the most severe of which could allow information disclosure.

An alternative summary of these updates is available within Intego’s blog post.

=======================
Why Should The Critical Cryptographic Flaw Resolved in the Updated Messages App be Considered Important?
From the information that has been made available on this attack it appears to be a side-channel attack; namely one where real world data is gathered in how the cryptosystem works. This is then used to attack it. If an attacker were to access Apple’s servers without being detected and obtained cipher texts(encrypted messages sent using iMessage) they could given sufficient time decrypt the attachments of the messages which can be photos or other files providing that either the sender or receiver of that encrypted message is online.

The tests to decrypt the attachments are done by sending 2^18 (invisible) encrypted messages to the target device. For each response, an attacker can tell if they “guessed” the encryption of that segment of the attachment correctly. This process must be repeated over and over until the entire attachment has been decrypted. It took the researchers over 70 hours to complete a proof of concept attack using un-optimized code but they estimate with optimized code only a fraction of 1 day would be needed.

A more complete technical description is available in Matthew Green’s blog post.

How Can I Protect Myself From This Issue?
As mentioned below if you own any devices that have Apple iOS, watchOS, tvOS or OS X or you know someone that does, advise them to use the links below to install the most recent security updates.
=======================

If you use any of the above software, please install the appropriate updates as soon as possible.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Apple Releases Security Updates October 2015

On Wednesday of last week Apple made available a large collection of security updates to resolve vulnerabilities across it’s product range:

=======================

  • Apple OS X Server 5.0.15: For OS X Yosemite v10.10.5, OS X El Capitan v10.11.1 or later).
  • Apple Xcode 7.1: For OS X Yosemite v10.10.5, OS X El Capitan v10.11.1 or later.
  • Mac EFI: For OS X Mavericks v10.9.5.
  • Apple iTunes: For Windows 7 and later (while this was also available for Apple systems it does not appear to contain security related changes i.e. Apple devices may not be vulnerable to those vulnerabilities).
  • OS X El Capitan 10.11.1 and Security Update 2015-007: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.
  • Apple Safari 9.0.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.
  • Apple watchOS v2.0.1: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes.
  • Apple iOS 9.1: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later.

=======================

Full details on all updates are available on Apple’s Security Updates page. If you wish to prioritize these updates I would suggest beginning with installing the updates for OS X, iOS, watchOS, Safari and OS X Server due to the number and severity of the vulnerabilities that they address.

Noteworthy fixes included are as follows:

OS X Server 5.0.15: Resolves 3 CVEs (defined) with potentially high severity (includes 2 CVEs in ISC BIND).

Apple Xcode 7.1: Addresses a Swift type conversion issues (1 CVE).

Mac EFI Security Update 2015-002: Addresses 1 potentially high severity CVE

Apple iTunes 12.3.1: Addresses 12 critical CVEs.

Apple OS X El Capitan 10.11.1 and Security Update 2015-007: Addresses 60 CVEs and includes fixes for apache_mod_php, CoreText, EFI, FontParser, Grand Central Dispatch, Graphics Drivers, OS X kernel, OpenGL and OpenSSH (among others).

Apple Safari 9.0.1: Addresses 9 critical CVEs in WebKit (the renderer of Safari).

Apple watchOS v2.0.1: Resolves 14 CVEs which includes fixes for Apple Pay, CoreGraphics, FontParser and Grand Central Dispatch (among others).

Apple iOS 9.1: Includes fixes for 49 CVEs; notable fixes of which are CoreGraphics, CoreText, FontParser, Grand Central Dispatch, Graphics Driver, iOS kernel, OpenGL and WebKit (among others).

If you use any of the above software, please install the appropriate updates as soon as possible.
As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad especially since the iOS upgrade is a significant one.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Apple Releases Security Updates for OS X Server, iOS, iTunes and Xcode

Yesterday Apple made available a large collection of security updates for the following list of products:

  • Apple OS X Server: OS X Yosemite (10.10.5 or later)
  • Apple iTunes (for Windows 7 and later)
  • Apple Xcode 7.0 (for OS X Yosemite v10.10.4 or later)
  • Apple iOS 9: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Full details on all updates are available on Apple’s Security Updates page. I would suggest prioritizing the installation of the updates for iOS, OS X Server and iTunes since they resolve the largest number of CVEs (defined) and address serious security issues in OS X Server.

Noteworthy fixes included are as follows:
Apple Xcode 7.0: Includes fixes for 10 CVEs (which includes 4 issues in OpenSSL, 2 in subversion (svn) and 1 in the API of the Apache configuration).

Apple iTunes 12.3: Includes fixes for 66 CVEs (includes 7 critical issues with CoreText, 2 issues in ICU and 55 critical issues in WebKit (the renderer within iTunes)).

OS X Server: Addresses 20 CVEs (which includes critical issues resolved within PostgreSQL).

Apple iOS 9: Includes fixes for Apple Pay, CoreCrypto, CoreText, iOS kernel, libc, libpthread, Safari, OpenSSL, Siri and WebKit (among others) (101 CVEs addressed in total with a further 5 issues not assigned a CVE at this time).

If you use any of the above software, please install the appropriate updates as soon as possible. As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad especially since the iOS upgrade is a significant one.

Further details of the features/improvements incorporated into iOS 9 are located here, here and here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Apple Releases Security Updates for OS X, OS X Server, Safari and iOS

Yesterday Apple made available a collection of security update for the following list of products:

—————-
Apple Safari: for OS X Yosemite (10.10), OS X Mavericks (10.9) and OS X Mountain Lion (10.8)
Apple OS X: for OS X Yosemite (10.10), OS X Mavericks (10.9) and OS X Mountain Lion (10.8)
Apple OS X Server: OS X Yosemite (10.10.5 or later)
Apple iOS 8.4.1: for iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
—————-

As always full details on all updates are available on Apple’s Security Updates page. For this large collection of security updates, I would suggest prioritizing the installation of the update for OS X since it resolves the largest number of CVEs (defined) and addresses a serious publically disclosed issue in a component known as the DYLD_PRINT_TO_FILE environment variable. This flaw is discussed further in this post and this post.

Noteworthy fixes included are as follows:

Apple Safari: Includes fixes for 26 CVEs in WebKit (the renderer of Safari) and WebKit related components (27 CVEs addressed in total).

OS X (10.10, 10.9 and 10.8): Includes fixes for Apache (the popular open source web server), Bluetooth security fixes, FontParser OS X kernel, libc, libpthread, OpenSSH, OpenSSL, PostreSQL, Python, QuickTime, sudo and tcpdump (135 CVEs addressed in total).

Apple iOS 8.4.1: Includes fixes for CoreText, FontParser, iOS kernel, libc, libpthread, Safari and 25 CVEs in WebKit (and WebKit related components)(71 CVEs addressed in total).

OS X Server: Addresses 1 CVE in ISC BIND (as discussed in a previous blog post).

If you use any of the above software, please install the appropriate updates as soon as possible. As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed) in order to prevent data loss in the rare event that any update causes unexpected issues.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.