Earlier this week Apple released a firmware (defined) update for its AirPort wireless base stations to resolve a critical vulnerability. Since I haven’t published information on Apple updates in many weeks I will also discuss the large collection of updates released on the 16th of May applying to the following products:
-
=======================
Apple iOS 9.3.2: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 3 and later
Apple watchOS 2.2.1: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Apple tvOS 9.2.1: For Apple TV (4th generation)
Apple OS X El Capitan v10.11.5 and Security Update 2016-003: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.5
Apple Safari 9.1.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.5
Apple iTunes 12.4: For Windows 7 and later
=======================
As always, comprehensive details of all of these updates are provided on Apple’s Security Updates page.
Why Should These Issues Be Considered Important?
The most important updates to install are the AirPort firmware updates and the OS X security updates.
The AirPort firmware update is particularly severe since it relates to how the devices within how these devices parse (defined) DNS (defined) data. The possible implications of such a vulnerability are clearly explained in this ComputerWorld article. As that article notes, DNS cannot be easily disabled without affecting functionality providing even more reason to install the necessary firmware updates as soon as possible.
=======================
Apart from the AirPort firmware updates the collection of updates made available on the 16th of May includes fixes for issues such as those detailed below:
Apple iOS 9.3.2: Resolves 39 CVEs and includes fixes for CommonCrypto, IOAcceleratorFamily, Disk Images, iOS kernel (defined), libc, libxml2, OpenGL, WebKit (and associated components (among others).
Apple watchOS 2.2.1: Resolves 26 CVEs and includes fixes for CommonCrypto, CorCapture, Disk Images, IOHIDFamily, IOAcceleratorFamily, watchOS kernel, libc, libxml2, libxslt and OpenGL
Apple tvOS 9.2.1: Addresses 33 CVEs, the most severe present in the following components: CommonCrypto, IOAcceleratorFamily, Disk Images, IOHIDFamily, tvOS kernel (defined), libc, libxml2, libxslt, OpenGL, WebKit (and associated components (among others).
Apple OS X El Capitan v10.11.5 and Security Update 2016-003: Resolves 70 CVEs the most severe being present in the following: AMD, AppleGraphicsControl, AppleGraphicsPowerManagement, ATS, Audio, CommonCrypto, CoreCapture, CoreStorage, Crash Reporter, Disk Images, Graphic Drivers, Intel Graphics Drivers, OAcceleratorFamily, IOAudioFamily. IOFireWireFamily, IOHIDFamily, OS X kernel, libc, libxml2, libxslt, Nvidia Graphics Drivers, OpenGL, QuickTime, SceneKit (among others).
Apple Safari 9.1.1: Resolves 7 CVEs the most critical being present in WebKit (the renderer of Safari) and WebKit Canvas.
Apple iTunes 12.4 for Windows: Resolves 1 critical CVE in the iTunes installer.
How Can I Protect Myself from These Issues?
If you own any devices that use Apple AirPort wireless base stations, use Apple iOS, watchOS, tvOS or OS X or you know someone that does, advise them to use the links below to install the most recent security updates.
=======================
As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.
Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.
For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).
Thank you.
securityinaction 