Tag Archives: ios

Apple Releases Security Updates May / June 2016

Earlier this week Apple released a firmware (defined) update for its AirPort wireless base stations to resolve a critical vulnerability. Since I haven’t published information on Apple updates in many weeks I will also discuss the large collection of updates released on the 16th of May applying to the following products:

    =======================
    Apple iOS 9.3.2: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 3 and later
    Apple watchOS 2.2.1: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
    Apple tvOS 9.2.1: For Apple TV (4th generation)
    Apple OS X El Capitan v10.11.5 and Security Update 2016-003: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.5
    Apple Safari 9.1.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.5
    Apple iTunes 12.4: For Windows 7 and later
    =======================

    As always, comprehensive details of all of these updates are provided on Apple’s Security Updates page.

    Why Should These Issues Be Considered Important?

    The most important updates to install are the AirPort firmware updates and the OS X security updates.

    The AirPort firmware update is particularly severe since it relates to how the devices within how these devices parse (defined) DNS (defined) data. The possible implications of such a vulnerability are clearly explained in this ComputerWorld article. As that article notes, DNS cannot be easily disabled without affecting functionality providing even more reason to install the necessary firmware updates as soon as possible.

    =======================
    Apart from the AirPort firmware updates the collection of updates made available on the 16th of May includes fixes for issues such as those detailed below:

    Apple iOS 9.3.2: Resolves 39 CVEs and includes fixes for CommonCrypto, IOAcceleratorFamily, Disk Images, iOS kernel (defined), libc, libxml2, OpenGL, WebKit (and associated components (among others).

    Apple watchOS 2.2.1: Resolves 26 CVEs and includes fixes for CommonCrypto, CorCapture, Disk Images, IOHIDFamily, IOAcceleratorFamily, watchOS kernel, libc, libxml2, libxslt and OpenGL

    Apple tvOS 9.2.1: Addresses 33 CVEs, the most severe present in the following components: CommonCrypto, IOAcceleratorFamily, Disk Images, IOHIDFamily, tvOS kernel (defined), libc, libxml2, libxslt, OpenGL, WebKit (and associated components (among others).

    Apple OS X El Capitan v10.11.5 and Security Update 2016-003: Resolves 70 CVEs the most severe being present in the following: AMD, AppleGraphicsControl, AppleGraphicsPowerManagement, ATS, Audio, CommonCrypto, CoreCapture, CoreStorage, Crash Reporter, Disk Images, Graphic Drivers, Intel Graphics Drivers, OAcceleratorFamily, IOAudioFamily. IOFireWireFamily, IOHIDFamily, OS X kernel, libc, libxml2, libxslt, Nvidia Graphics Drivers, OpenGL, QuickTime, SceneKit (among others).
    Apple Safari 9.1.1: Resolves 7 CVEs the most critical being present in WebKit (the renderer of Safari) and WebKit Canvas.

    Apple iTunes 12.4 for Windows: Resolves 1 critical CVE in the iTunes installer.

    How Can I Protect Myself from These Issues?
    If you own any devices that use Apple AirPort wireless base stations, use Apple iOS, watchOS, tvOS or OS X or you know someone that does, advise them to use the links below to install the most recent security updates.

    =======================
    As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

    Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

    For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

    Thank you.

Apple Releases Security Updates for iOS, OS X and Safari

Yesterday Apple made available a large collection of security updates for the following list of products:

  • Apple OS X El Capitan 10.11
  • Apple iOS 9.0.2: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • Apple Safari 9: for OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11

Full details on all updates are available on Apple’s Security Updates page. I would suggest prioritizing the installation of the updates for OS X and Safari due of the number and severity of the vulnerabilities that they address.

Noteworthy fixes included are as follows:

Apple OS X El Capitan 10.11: addresses 100 CVEs (defined)(and 3 issues not assigned CVEs at this time) includes fixes for Apache webserver, bash, CoreCrpyto, EFI, OS X Kernel, libc, libpthread, Apple Mail, OpenSSL, OpenSSH, terminal and Time Machine.

Apple Safari 9: Includes fixes for 45 CVEs (and 4 issues not assigned CVEs at this time) in Safari, WebKit (the renderer of Safari) and WebKit related components.

Apple iOS 9.0.2: Addresses an important CVE in relation to the ability to bypass the lock screen of iOS using Siri. More details are available in this Sophos blog post. That blog post also provides additional security hardening advice that you may wish to apply to your lock screen configuration.

If you use any of the above software, please install the appropriate updates as soon as possible. As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see this link from Apple for advice on backing up your Mac laptop/desktop especially since the OS upgrade is a significant one.

Further details of the features/improvements incorporated into OS X El Capitan are located here. The steps on upgrading are provided here which include checking if your Mac devices meet the requirements to install the new operating system.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Finally the update for OS X does not address a known bypass for Apple’s Gatekeeper security feature but as this article mentions, Apple is working on a fix for that issue.

Thank you.

Apple Releases Security Updates for OS X Server, iOS, iTunes and Xcode

Yesterday Apple made available a large collection of security updates for the following list of products:

  • Apple OS X Server: OS X Yosemite (10.10.5 or later)
  • Apple iTunes (for Windows 7 and later)
  • Apple Xcode 7.0 (for OS X Yosemite v10.10.4 or later)
  • Apple iOS 9: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Full details on all updates are available on Apple’s Security Updates page. I would suggest prioritizing the installation of the updates for iOS, OS X Server and iTunes since they resolve the largest number of CVEs (defined) and address serious security issues in OS X Server.

Noteworthy fixes included are as follows:
Apple Xcode 7.0: Includes fixes for 10 CVEs (which includes 4 issues in OpenSSL, 2 in subversion (svn) and 1 in the API of the Apache configuration).

Apple iTunes 12.3: Includes fixes for 66 CVEs (includes 7 critical issues with CoreText, 2 issues in ICU and 55 critical issues in WebKit (the renderer within iTunes)).

OS X Server: Addresses 20 CVEs (which includes critical issues resolved within PostgreSQL).

Apple iOS 9: Includes fixes for Apple Pay, CoreCrypto, CoreText, iOS kernel, libc, libpthread, Safari, OpenSSL, Siri and WebKit (among others) (101 CVEs addressed in total with a further 5 issues not assigned a CVE at this time).

If you use any of the above software, please install the appropriate updates as soon as possible. As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad especially since the iOS upgrade is a significant one.

Further details of the features/improvements incorporated into iOS 9 are located here, here and here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Apple Releases Security Updates for OS X, OS X Server, Safari and iOS

Yesterday Apple made available a collection of security update for the following list of products:

—————-
Apple Safari: for OS X Yosemite (10.10), OS X Mavericks (10.9) and OS X Mountain Lion (10.8)
Apple OS X: for OS X Yosemite (10.10), OS X Mavericks (10.9) and OS X Mountain Lion (10.8)
Apple OS X Server: OS X Yosemite (10.10.5 or later)
Apple iOS 8.4.1: for iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
—————-

As always full details on all updates are available on Apple’s Security Updates page. For this large collection of security updates, I would suggest prioritizing the installation of the update for OS X since it resolves the largest number of CVEs (defined) and addresses a serious publically disclosed issue in a component known as the DYLD_PRINT_TO_FILE environment variable. This flaw is discussed further in this post and this post.

Noteworthy fixes included are as follows:

Apple Safari: Includes fixes for 26 CVEs in WebKit (the renderer of Safari) and WebKit related components (27 CVEs addressed in total).

OS X (10.10, 10.9 and 10.8): Includes fixes for Apache (the popular open source web server), Bluetooth security fixes, FontParser OS X kernel, libc, libpthread, OpenSSH, OpenSSL, PostreSQL, Python, QuickTime, sudo and tcpdump (135 CVEs addressed in total).

Apple iOS 8.4.1: Includes fixes for CoreText, FontParser, iOS kernel, libc, libpthread, Safari and 25 CVEs in WebKit (and WebKit related components)(71 CVEs addressed in total).

OS X Server: Addresses 1 CVE in ISC BIND (as discussed in a previous blog post).

If you use any of the above software, please install the appropriate updates as soon as possible. As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed) in order to prevent data loss in the rare event that any update causes unexpected issues.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Apple Releases Security Updates

On Tuesday of this week, Apple made available a large collection of security updates for the following products:

  • Apple Safari: for OS X Yosemite (10.10), OS X Mavericks (10.9) and OS X Mountain Lion (10.8)
  • Apple OS X: for OS X Yosemite (10.10), OS X Mavericks (10.9) and OS X Mountain Lion (10.8)
  • Apple iOS 8.4: for iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • EFI Updates: for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 based systems
  • Apple QuickTme: for Windows
  • Apple iTunes: for Windows (while this was also available for Apple systems it does not appear to contain security related changes i.e. Apple devices may not be vulnerable to those vulnerabilities).

Full details on all updates are available on Apple’s Security Updates page. For this large collection of security updates, I believe that the OS X update has the highest priority since it resolves the largest number of CVEs.

Noteworthy fixes included are as follows:

  • Apple Safari: Addresses 1 critical SQL input validation flaw (as well as 3 other CVEs).
  • OS X (10.10, 10.9 and 10.8): includes fixes for 52 critical remote code execution CVEs as well as fixes for Apache, Certificate Trust Policy, CoreTLS (to address the Logjam flaw), EFI flash memory, display drivers (for non-Intel and Intel drivers), the OS X kernel, NTP, OpenSSL, QuickTime and SQLite (77 CVEs in total, not all flaws fixed were assigned CVE numbers).
  • Apple iOS 8.4: includes fixes for CoreTLS (to address the Logjam flaw), the iOS kernel and several fixes for Safari and the WebKit library (33 CVEs in total, not all flaws fixed were assigned CVE numbers).
  • Mac EFI Security Update 2015-001: Addresses 2 privilege escalations CVEs.
  • Apple iTunes 12.2 for Windows: Addresses 39 CVEs.
  • Apple QuickTime 7.7.7 for Windows: Addresses 9 CVEs.

Excellent explanations of the issues resolved by these updates are available for both OS X and iOS.

For an explanation of the term CVE, please see the first short aside within this blog post.

If you use any of the above software, please install the appropriate updates as soon as possible (if you have not already done so). As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed) in order to prevent data loss in the rare event that any update causes unexpected issues. This is especially important for the Mac EFI update mentioned above since if an issue occurs during the update, your computer may no longer start up correctly when turned on.

Thank you.

Apple Releases Security Updates

Yesterday Apple released security updates for Apple Safari, OS X Yosemite (10.10), OS X Mavericks (10.9) and OS X Mountain Lion (10.8), Apple iPad (2nd generation and later), Apple iPhone (4S and later), Apple iPod (iPod Touch 5th generation and later), Apple TV (3rd generation and later), Apple Safari and finally Xcode for OS X Mavericks and later.

Full details on all updates are available on Apple’s Security Updates page. The updates to prioritize in my opinion are the updates for:

Apple TV:includes fixes for WebKit
Apple iOS: includes fixes for WebKit, the iOS kernel and 2 lockscreen bypasses
OS X (10.10, 10.9 and 10.8): includes fixes for Apache, OS X kernel, NTP, OpenSSL and PHP
Apple Safari: since it address 5 critical memory corruption flaws (as well as 5 other CVEs)

If you use any of the above software, please install the appropriate updates as soon as possible. As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues. Thank you.