Customs Today

Apple introduces security fixes for its OS X, iOS operating systems

by Customs Today Report
02/07/2015

NEW YORK: Apple has introduced a large number of security fixes in its latest set of patches for its OS X and iOS operating systems, plugging some serious, high-profile vulnerabilities in its code.

A tally of the Common Vulnerabilities and Exposures (CVE) tags in the OS X Yosemite 10.10.4, Security Update 2015-005 and Safari 8.0.7 update packages showed 80 vulnerabilities have been patched by Apple.

These include a flaw that allowed attackers to write to the low-level Extensible Firmware Interface (EFI), which manages the hardware in Mac computers, when the systems resume from sleep. The EFI zero-day was discovered by Pedro Vilaça in May this year.

Apple also fixed the Rowhammer RAM disturbance issue in EFI. This could be used by attackers to induce memory corruption, in order to gain privilege escalation.

Several other hardware-related security fixes are included, such as handling a memory corruption issue in the Bluetooth Human-Computer Interaction (HCI) interface, and multiple buffer overflow problems in the Intel video display driver in OS X that could lead to arbitrary code execution.

The Logjam flaw, which meant attackers could trick systems into downgrading their Secure Sockets Layer/Transport Layer Security protected network connections to weak and breakable 512-bit Diffie-Hellman export-strength keys, has also been addressed by forcing a minimum key size of 768 bits.

Similarly, OpenSSL in OS X Yosemite has been upgraded to 0.9.8zf, to handle the weak export-grade ciphers issue and other flaws.
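The minimum-size rule described above can be illustrated with a small client-side check. This is an added example, not code from Apple or from the original article: it parses the Diffie-Hellman parameters a TLS server sends in its ServerKeyExchange message and rejects any prime shorter than 768 bits. The function names are hypothetical, and the sample parameters are constructed test values, not real primes.

```python
import struct

MIN_DH_BITS = 768  # the minimum key size the article says is now enforced


def _read_vector(buf, offset):
    """Read one TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from("!H", buf, offset)
    start, end = offset + 2, offset + 2 + length
    if length == 0 or end > len(buf):
        raise ValueError("bad vector length")
    return buf[start:end], end


def parse_server_dh_params(body):
    """Parse ServerDHParams (dh_p, dh_g, dh_Ys); any trailing signature is ignored."""
    p, off = _read_vector(body, 0)
    g, off = _read_vector(body, off)
    ys, off = _read_vector(body, off)
    return (int.from_bytes(p, "big"), int.from_bytes(g, "big"),
            int.from_bytes(ys, "big"))


def check_dh_group(body, min_bits=MIN_DH_BITS):
    """Return (accepted, prime_bits); leading zero padding does not inflate the size."""
    p, _g, _ys = parse_server_dh_params(body)
    bits = p.bit_length()
    return bits >= min_bits, bits


def build_params(p, g, ys):
    """Encode integers as ServerDHParams. Used only to construct sample input."""
    out = b""
    for n in (p, g, ys):
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed samples (odd numbers of the right size, NOT real primes).
EXPORT_512 = build_params((1 << 511) | 1, 2, 5)   # export-grade size
MINIMUM_768 = build_params((1 << 767) | 1, 2, 5)  # smallest accepted size

if __name__ == "__main__":
    for name, body in (("512-bit", EXPORT_512), ("768-bit", MINIMUM_768)):
        accepted, bits = check_dh_group(body)
        print(name, "accepted" if accepted else "rejected", bits)
```
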

Ian Beer of Google's Project Zero security team is credited with finding the multiple problems in the Intel graphics driver, and also in the OS X kernel, the main program that interfaces between user tools and the hardware drivers.

The system default Safari web browser in OS X Yosemite has been upgraded to version 8.0.7, which includes several fixes for vulnerabilities in the WebKit rendering framework.

One such flaw, CVE-2015-3658, was discovered by Facebook engineer Brad Hill. It allowed malicious websites to circumvent cross-site request forgery (CSRF) protections in order to take over user accounts.

That fix and others that could be abused for remote code execution, information leakage via WebSQL databases and cookie theft from browsers have been backported to the older Safari 6.x and 7.x versions.

A bogus digital certificate, incorrectly issued by the China Internet Network Information Centre (CNNIC) and used in a man-in-the-middle attack to intercept user traffic, has also been yanked by Apple from OS X.

CNNIC root certificates can now have user trust in them revoked in OS X.

Non-security related fixes in OS X Yosemite 10.10.4 include more reliable networking, improvements to Photos, Mail and the Migration Assistant as well as addressing an issue that stopped some external displays from working properly.

Large amount of security fixes in iOS 8.4

Apple addressed no fewer than 34 CVEs in the iOS 8.4 mobile operating system update, many of which are in components shared with OS X.

An issue with iOS devices auto-associating with untrusted wireless access points that advertised a known station identifier but with downgraded security has been rectified for iPhone 4s and later devices, iPod Touch 5th generation and newer, as well as iPad 2 and later.

SIM cards now have improved payload validation in iOS. Prior to iOS 8.4, a maliciously crafted SIM could be used by attackers for arbitrary code execution.

The “Masque Attack”, which abuses a collision condition in Apple bundle identifiers and could be used to replace apps, bypass virtual private networks, and prevent Watch apps from launching, is also handled in iOS 8.4.
