Tag Archives: Apple WatchOS

May 2017 Security Updates Summary

Today Microsoft and Adobe made available their expected monthly security updates.

Microsoft’s updates address 57 vulnerabilities more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

At the time of writing there are no Known Issues for this month’s Microsoft updates. The IT Pro Patch Tuesday blog while not updated since last month doesn’t contain this months updates yet.
====================

Before continuing with this months updates I wanted to provide information on a critical out of band (un-scheduled) update made available by Microsoft yesterday to address a vulnerability responsibly disclosed (defined) by Google Project Zero researchers Natalie Silvanovich and Tavis Ormandy within Microsoft’s Malware Protection Engine. The full list of affected products is listed within their security advisory. The exploit code for this vulnerability was later published within a tweet (which will not exploit the vulnerability).

I recommend updating your version of the Malware Protection Engine as soon as possible to version 1.1.13704.0 (or later) since this vulnerability when exploited by an attacker will lead to them obtaining system level access (NT AUTHORITY\SYSTEM)(defined)(namely the highest level of privilege within a Windows system) over an affected system.

====================
Also today Adobe issued two security bulletins for the following products:

Adobe Experience Manager Forms (1x priority 2 CVE)
Adobe Flash Player (7x priority 1 CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated version installed automatically later this week.

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As always the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For the Microsoft updates this month, I will prioritize the order of installation for you below:
====================
Critical severity:
Microsoft Malware Protection Engine
Microsoft Office
Microsoft Edge
Internet Explorer
Microsoft SMB (CVE-2017-0277, CVE-2017-0278, CVE-2017-0279)
====================

Install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
Update: 10th May 2017:
=======================
I wish to provide information on other notable updates from May 2017 which I would recommend you install if you use these software products. I only choose a small number of products to list here since it can easily become too many and I wish to highlight the security benefits of installing the latest version of applications many of us use everyday:

=======================
Mozilla Firefox:
=======================
Firefox 53.0.2

=======================
Mozilla Firefox ESR:
=======================
Firefox ESR 52.1.1

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Google Chrome: includes 1 security fix.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.
=======================

=======================
Nvidia Geforce Drivers:
=======================
This update applies to Linux, FreeBSD, Solaris and Windows and resolves up to 15 security vulnerabilities. The steps to install the drivers are detailed here.

I detailed where Nvidia list their security advisories in a previous blog post.

=======================
Malwarebytes:
=======================
This update to Malwarebytes 3.1 (specifically v3.1.2.1733) resolves more than 1 security vulnerability (exact numbers and further details are not available).

Malwarebytes typically roll out updates in waves meaning it may be sometime before you receive this update. If the update is not automatically downloaded and installed in a timely manner, it is available from this link. Manual installation and general troubleshooting steps are available here.

=======================
Apple security updates:
=======================
Updates were made available by Apple on the 15th of May for iTunes for Windows, Safari, macOS Sierra, El Capitan and Yosemite, iOS, watchOS, tvOS, and iCloud for Windows.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page). This link details how to update your Apple Watch.

Further information on the content of these updates is available this blog post.

=======================
Hitman Pro:
=======================
As recommended on my Tools and Resources page, Hitman Pro (now part of Sophos Security) has been updated to version 3.7.20 (Build 286). This update resolves 3 important vulnerabilities relating to the driver the tool uses for scanning. Any previous version of the tool should update automatically when opened to the most recent version.

=======================
VideoLAN VLC:
=======================
=======================
Update: 25th May 2017:
=======================
Yesterday VideoLAN released version 2.2.6 of VLC for Windows only. It resolves the security issues listed below (assuming at least 2 heap overflows (given their use of the plural form)). This list came from the NEWS.txt file after installing version 2.2.6 since the detailed release notes on VideoLAN’s website have not yet been updated (and may not be until 2.2.6 is officially made available for macOS and Linux systems).

The update is currently being distributed via their automatic updater (upon opening VLC) and manually from their website (unexpectedly that page also contains tarballs for Linux):

Changes between 2.2.5.1 and 2.2.6:
———————————-

Video output:
* Fix systematic green line on nvidia
* Fix direct3d SPU texture offsets handling

Demuxer:
* Fix heap buffer overflows

———————————-

It was not known at the time version 2.2.5.1 was made available that the correction of “Fix potential out-of-band reads in subtitle decoders and demuxers” were actually security issues assigned to 4x CVEs discovered by CheckPoint security.

=================
Late last week VideoLAN released version 2.2.5.1 of VLC. This update is available for Linux, Apple Mac OS X and Windows. It addresses (at least) 13 security issues mentioned here (I’ll explain my numbering using the list below). This update is available for download for the above operating systems from this page.

If you use VLC, please update as soon as possible to address the above mentioned security vulnerabilities as well as the general software bugs that were resolved.

1. Security hardening for DLL hijacking environments
2. Fix potential out-of-band dereference in flac decoder
3. Fix potential out-of-band reads in mpeg packetizers
4. Fix incorrect memory free in ogg demuxer
5. Fix potential out-of-band reads in subtitle decoders and demuxers
6. Fix ADPCM heap corruption (FG-VD-16-067)
7. Fix DVD/LPCM heap corruption (FG-VD-16-090)
8. Fix possible ASF integer overflow
9. Fix MP4 heap buffer overflows
10. Fix Flac metadata integer overflow
11. Fix flac null-pointer dereference
12. Fix vorbis and opus comments integer overflows and leaks
13. The plugins loading will not load external DLLs by default. Plugins will need to LoadLibrary explicitly.

=======================
Notepad++:
=======================
On the 14th of May, Notepad++ made available a new version updating it to version 7.4. While it is not a security update it includes a security related improvement namely: Improve certificate verifying method.

This version has since been updated to version 7.4.1 to resolve a number of non-security issues. If you use Notepad++, please consider updating to the most recent version to benefit from the security improvement and the bug fixes it includes.

Please note, the 64 bit version of Notepad++ became available in September 2016. It allows the opening of larger files and includes High Entropy ASLR (Address Space Layout Randomization (defined)) on a 64 bit version of Windows. I have discussed HEASLR on this blog before and it’s an excellent security measure/control/mitigation (defined). Further information on HEASLR can be found on Alex Ionescu’s blog.

=======================
GIMP (photo editor):
=======================
The open source ((the source code (human readable code) is free to view and edit by the wider IT community) photo editor GIMP has made available version 2.8.22 which resolves one security vulnerability. If you use this editor, please update it to this version (or later).

Apple Releases Security Updates May / June 2016

Earlier this week Apple released a firmware (defined) update for its AirPort wireless base stations to resolve a critical vulnerability. Since I haven’t published information on Apple updates in many weeks I will also discuss the large collection of updates released on the 16th of May applying to the following products:

    =======================
    Apple iOS 9.3.2: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 3 and later
    Apple watchOS 2.2.1: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
    Apple tvOS 9.2.1: For Apple TV (4th generation)
    Apple OS X El Capitan v10.11.5 and Security Update 2016-003: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.5
    Apple Safari 9.1.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.5
    Apple iTunes 12.4: For Windows 7 and later
    =======================

    As always, comprehensive details of all of these updates are provided on Apple’s Security Updates page.

    Why Should These Issues Be Considered Important?

    The most important updates to install are the AirPort firmware updates and the OS X security updates.

    The AirPort firmware update is particularly severe since it relates to how the devices within how these devices parse (defined) DNS (defined) data. The possible implications of such a vulnerability are clearly explained in this ComputerWorld article. As that article notes, DNS cannot be easily disabled without affecting functionality providing even more reason to install the necessary firmware updates as soon as possible.

    =======================
    Apart from the AirPort firmware updates the collection of updates made available on the 16th of May includes fixes for issues such as those detailed below:

    Apple iOS 9.3.2: Resolves 39 CVEs and includes fixes for CommonCrypto, IOAcceleratorFamily, Disk Images, iOS kernel (defined), libc, libxml2, OpenGL, WebKit (and associated components (among others).

    Apple watchOS 2.2.1: Resolves 26 CVEs and includes fixes for CommonCrypto, CorCapture, Disk Images, IOHIDFamily, IOAcceleratorFamily, watchOS kernel, libc, libxml2, libxslt and OpenGL

    Apple tvOS 9.2.1: Addresses 33 CVEs, the most severe present in the following components: CommonCrypto, IOAcceleratorFamily, Disk Images, IOHIDFamily, tvOS kernel (defined), libc, libxml2, libxslt, OpenGL, WebKit (and associated components (among others).

    Apple OS X El Capitan v10.11.5 and Security Update 2016-003: Resolves 70 CVEs the most severe being present in the following: AMD, AppleGraphicsControl, AppleGraphicsPowerManagement, ATS, Audio, CommonCrypto, CoreCapture, CoreStorage, Crash Reporter, Disk Images, Graphic Drivers, Intel Graphics Drivers, OAcceleratorFamily, IOAudioFamily. IOFireWireFamily, IOHIDFamily, OS X kernel, libc, libxml2, libxslt, Nvidia Graphics Drivers, OpenGL, QuickTime, SceneKit (among others).
    Apple Safari 9.1.1: Resolves 7 CVEs the most critical being present in WebKit (the renderer of Safari) and WebKit Canvas.

    Apple iTunes 12.4 for Windows: Resolves 1 critical CVE in the iTunes installer.

    How Can I Protect Myself from These Issues?
    If you own any devices that use Apple AirPort wireless base stations, use Apple iOS, watchOS, tvOS or OS X or you know someone that does, advise them to use the links below to install the most recent security updates.

    =======================
    As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

    Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

    For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

    Thank you.

Apple Releases Security Updates To Address iMessage Vulnerability

Yesterday Apple released a very large collection of security updates that affect most of their product range to address issues among them the widely published vulnerability in the iMessage app:

=======================

  • Apple iOS 9.3: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • Apple watchOS 2.2: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
  • Apple tvOS 9.2: For Apple TV (4th generation)
  • Apple Xcode 7.3: For OS X El Capitan v10.11 and later
  • Apple OS X El Capitan v10.11.4 and Security Update 2016-002: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3
  • Apple Safari 9.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.3
  • Apple OS X Sever 5.1: For OS X Yosemite v10.10.5 and later

=======================
As always, comprehensive details of all of these updates are provided on Apple’s Security Updates page.

Without question the most important update is for iOS bringing it to version 9.3. This issue is also present in watchOS and OS X. These updates resolve the cryptographic flaw in Apple’s iMessage app as reported by Matthew Green and his team of research students known as CVE-2016-1788 (defined). I will provide more detail on this vulnerability below.
=======================

Noteworthy fixes included are as follows:

Apple iOS 9.3: Resolves 38 CVEs and includes fixes for AppleUSBNetworking, FontParser, HTTPProtocol, iOS kernel (defined), libxml2, Security, TrueTypeScaler, WebKit (and associated components and Wi-Fi (among others).

Apple watchOS 2.2: Resolves 34 CVEs and includes fixes for DiskImages, FontParser, HTTPProtocol, IOHIDFamily, watchOS kernel, libxml2, Messages, Security, syslog, TrueTypeScaler, WebKit and Wi-Fi.

Apple tvOS 9.2: Addresses 23 CVEs, the most severe present in the following components: DiskImages, FontParser, HTTPProtocol, IOHIDFamily, watchOS kernel, libxml2, Messages, Security, syslog, TrueTypeScaler, WebKit and Wi-Fi.

Apple Xcode 7.3: Resolves 2 critical CVEs.

Apple OS X El Capitan v10.11.4 and Security Update 2016-002: Resolves 59 CVEs the most severe being present in the following: apache_mod_php, AppleRAID (defined), AppleUSBNetworking, Bluetooth, Carbon, dyld, FontParser, HTTPProtocol, Intel Graphics Driver (defined), IOGraphics, IOUSBFamily, OS X kernel, libxml2, Messages, Nvidia Graphics Drivers, OpenSSH, OpenSSL, Python, QuickTime, Ruby, Security, Tcl, TrueTypeScaler, Wi-Fi.

Update: 30th March 2016:
The update for OS X 10.11 (El Capitan) also addresses a vulnerability in the System Integrity Protection (SIP) present in the most recent version of the OS. This vulnerability was assigned the following CVE: CVE-2016-1757 Further discussion of this vulnerability is available here.

Apple Safari 9.1: Resolves 12 CVEs the most critical being present in the libxml2 and WebKit (the renderer of Safari).

Apple OS X Server 5.1: Addresses 4 CVEs the most severe of which could allow information disclosure.

An alternative summary of these updates is available within Intego’s blog post.

=======================
Why Should The Critical Cryptographic Flaw Resolved in the Updated Messages App be Considered Important?
From the information that has been made available on this attack it appears to be a side-channel attack; namely one where real world data is gathered in how the cryptosystem works. This is then used to attack it. If an attacker were to access Apple’s servers without being detected and obtained cipher texts(encrypted messages sent using iMessage) they could given sufficient time decrypt the attachments of the messages which can be photos or other files providing that either the sender or receiver of that encrypted message is online.

The tests to decrypt the attachments are done by sending 2^18 (invisible) encrypted messages to the target device. For each response, an attacker can tell if they “guessed” the encryption of that segment of the attachment correctly. This process must be repeated over and over until the entire attachment has been decrypted. It took the researchers over 70 hours to complete a proof of concept attack using un-optimized code but they estimate with optimized code only a fraction of 1 day would be needed.

A more complete technical description is available in Matthew Green’s blog post.

How Can I Protect Myself From This Issue?
As mentioned below if you own any devices that have Apple iOS, watchOS, tvOS or OS X or you know someone that does, advise them to use the links below to install the most recent security updates.
=======================

If you use any of the above software, please install the appropriate updates as soon as possible.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Apple Releases Security Updates December 2015

On the 8th and 11th of December Apple released numerous security updates for the following products:

=======================

  • Apple iOS 9.2: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • Apple tvOS 9.1: For Apple TV (4th generation)
  • Apple OS X: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5 (2 updates), OS X El Capitan v10.11 and v10.11.1
  • Apple watchOS v2.1: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
  • Apple Safari 9.0.2: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
  • Apple Xcode 7.2: For OS X Yosemite v10.10.5 or later
  • Apple iTunes 12.3.2: For Windows 7 and later

=======================

Comprehensive details of all of these updates are provided on Apple’s Security Updates page.

If you wish to prioritize these updates I would suggest beginning with installing the updates for iOS, OS X, watchOS and tvOS as well as Safari due to the number and severity of the issues they address (the most serious resulting in an attacker having the ability to run code of their choice (remote code execution) with kernel or system level privileges).

Noteworthy fixes included are as follows:

Apple iOS 9.2: Resolves 51 CVEs (defined) and includes fixes for AppleMobileFileIntegrity, CoreGraphics, GPUTools Framework, ImageIO, iOS Kernel, libc, MobileStorageMounter, iOS Safari and WebKit (among others)

Apple OS X and Security Update 2015-006 Yosemite: Resolves 55 CVEs which includes fixes for apache_mod_php, AppSandbox, Bluetooth, , CoreGraphics, CoreMedia Playback, EFI, Intel Graphics Driver, OS X kernel, libc, OpenGL, OpenSSH and System Integrity Protection (among others).

Apple tvOS 9.1: Resolves 45 CVEs including security issues within AppleMobileFileIntegrity, CoreGraphics, CoreMedia Playback, ImageIO, tvOS kernel, libc, MobileStorageMounter, OpenGL and WebKit (among others).

Apple watchOS 2.1: Resolves 30 CVEs within components such as AppSandbox, CoreGraphics, CoreMedia Playback, FontParser, GasGauge, ImageIO, watchOS kernel, libc, OpenGL and Sandbox (among others).

Apple Safari 9.0.2: Resolves 12 CVEs all within WebKit (the renderer of Safari).

Apple Xcode 7.2: Resolves 4 CVEs. The most serious of which were present within the otools component of Xcode.

Apple iTunes 12.3.2: Resolves 12 CVEs: all within WebKit. This updates applies to the Windows version of iTunes only.
=======================

If you use any of the above software, please install the appropriate updates as soon as possible.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Apple Releases Security Updates October 2015

On Wednesday of last week Apple made available a large collection of security updates to resolve vulnerabilities across it’s product range:

=======================

  • Apple OS X Server 5.0.15: For OS X Yosemite v10.10.5, OS X El Capitan v10.11.1 or later).
  • Apple Xcode 7.1: For OS X Yosemite v10.10.5, OS X El Capitan v10.11.1 or later.
  • Mac EFI: For OS X Mavericks v10.9.5.
  • Apple iTunes: For Windows 7 and later (while this was also available for Apple systems it does not appear to contain security related changes i.e. Apple devices may not be vulnerable to those vulnerabilities).
  • OS X El Capitan 10.11.1 and Security Update 2015-007: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.
  • Apple Safari 9.0.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.
  • Apple watchOS v2.0.1: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes.
  • Apple iOS 9.1: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later.

=======================

Full details on all updates are available on Apple’s Security Updates page. If you wish to prioritize these updates I would suggest beginning with installing the updates for OS X, iOS, watchOS, Safari and OS X Server due to the number and severity of the vulnerabilities that they address.

Noteworthy fixes included are as follows:

OS X Server 5.0.15: Resolves 3 CVEs (defined) with potentially high severity (includes 2 CVEs in ISC BIND).

Apple Xcode 7.1: Addresses a Swift type conversion issues (1 CVE).

Mac EFI Security Update 2015-002: Addresses 1 potentially high severity CVE

Apple iTunes 12.3.1: Addresses 12 critical CVEs.

Apple OS X El Capitan 10.11.1 and Security Update 2015-007: Addresses 60 CVEs and includes fixes for apache_mod_php, CoreText, EFI, FontParser, Grand Central Dispatch, Graphics Drivers, OS X kernel, OpenGL and OpenSSH (among others).

Apple Safari 9.0.1: Addresses 9 critical CVEs in WebKit (the renderer of Safari).

Apple watchOS v2.0.1: Resolves 14 CVEs which includes fixes for Apple Pay, CoreGraphics, FontParser and Grand Central Dispatch (among others).

Apple iOS 9.1: Includes fixes for 49 CVEs; notable fixes of which are CoreGraphics, CoreText, FontParser, Grand Central Dispatch, Graphics Driver, iOS kernel, OpenGL and WebKit (among others).

If you use any of the above software, please install the appropriate updates as soon as possible.
As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad especially since the iOS upgrade is a significant one.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Apple Releases Security Update for WatchOS

Earlier this week Apple made available a large update for their Apple Watch bringing it’s operating system to version 2 from the previous 1.01 released in May.

Full details of this update are available within this Apple knowledge base article.

The update resolves 36 CVEs (defined) and 2 other issues by updating the Certificate Trust Policy and CoreCrypto.

Noteworthy fixes included are as follows:

Apple Pay, CoreCrypto, CFNetwork, CoreText, dyld (dynamic linker), IOKit, watchOS kernel and libpthread

If you own an Apple Watch, please install the appropriate update as soon as possible following Apple’s directions within this support article.

Thank you.