Apple fixed hundreds of bugs, 223 to be exact, across a slate of products including macOS Sierra, iOS, Safari, watchOS, and tvOS on Monday.
More than a quarter of the bugs, 40 in macOS Sierra, and 30 in iOS, could lead to arbitrary code execution – in some instances with root privileges, Apple warned.
The lion’s share of the vulnerabilities patched Monday, 127 in total, were fixed in the latest version of macOS Sierra, 10.12.4.
Ian Beer, a researcher with Google’s Project Zero group, uncovered seven of the vulnerabilities, including six that could have enabled an application to execute arbitrary code with kernel privileges. South Korean hacker Jung Hoon Lee, perhaps better known in hacking circles by his handle Lokihardt, is credited for finding two vulnerabilities as well – one in the kernel and one in WebKit. Lokihardt, a veteran of Pwn2Own competitions, joined Project Zero in December 2016.
The update also fixed a memory corruption issue that stemmed from how certificates were parsed. The bug, technically a use-after-free vulnerability, existed in the X.509 certificate validation functionality present in macOS and iOS. According to Aleksandar Nikolic, a researcher with Cisco’s Talos Security Intelligence and Research Group who found the bug, an attacker with a specially crafted X.509 certificate could have triggered it and carried out remote code execution. Nikolic claims a victim could be tricked in several ways – a user could be served a malicious cert via a website, by the Mail app connecting to a mail server that presents a malicious cert, or by opening a malicious cert to import it into the keychain.
Talos claims it verified the most recent versions of macOS Sierra, 10.12.3, and iOS, 10.2.1, are vulnerable. Older versions of the operating systems are likely affected too, the firm claims.
Per usual, a large chunk of vulnerabilities in the OS were addressed by updating the open source software that macOS bundles to the next version. Forty-one different bugs were fixed by updating tcpdump, a free packet analyzer, to version 4.9.0. Eleven vulnerabilities were fixed by updating LibreSSL and PHP to versions 2.4.25 and 5.6.30 respectively. Four vulnerabilities were addressed by updating OpenSSH in macOS to version 7.4.
One of the vulnerabilities fixed in iOS pertains to how the mobile version of Safari handled JavaScript pop-ups. Researchers with Lookout Security found the bug and claim it was being leveraged by attackers to trick victims into thinking they were locked out of the browser. Code created by the attackers creates a pop-up window, which loops infinitely until the victim pays money in the form of iTunes gift cards.
Code used in the attack was previously published on a Russian website and reused to essentially perform a denial of service (DoS) attack on the browser, Lookout claims.
According to the iOS advisory, the update also does away with the DES cryptographic algorithm for Profiles. In its place Apple has added support for the 3DES algorithm. While it has been superseded by AES in some systems, 3DES is viewed as secure enough for most purposes today. DES, now widely considered insecure, was approved for withdrawal by the National Institute of Standards and Technology back in 2005.
Apple also fixed 38 bugs, 23 of which could have led to arbitrary code execution, in its Safari browser on Monday. The rest of the bugs could lead to a variety of issues: universal cross-site scripting, the exfiltration of data cross-origin, application termination, and spoofing.
Nearly all of the bugs, 30 of them, existed in WebKit, the web browser engine used by Safari. Details on bugs uncovered by Project Zero researchers like Ivan Fratric, lokihardt, and Natalie Silvanovich have been published on the team’s Chromium bugtracker:
I ❤️ these bugs https://t.co/xuuA6OzSqD https://t.co/IKw6qNuTur https://t.co/H5jjnzAaKV
— Natalie Silvanovich (@natashenka) March 27, 2017
A bug that affected three programs in iWork – Pages, Numbers, and Keynote – was also fixed by Apple this week. Because the office suite used a weak 40-bit RC4 encryption scheme for password-protected PDFs, an attacker could have broken into files thought to be secure. Apple remedied the issue by changing iWork export so it uses AES-128. It’s unclear why Apple was using such a low level of security. Recent advances in computing technology have left 40-bit encryption in the dust; academics with UC Berkeley even went as far as to call the standard obsolete back in 1997.
Apple Releases Security Update for iWork https://t.co/0svDnkFy7o
— CISA Cyber (@CISACyber) March 27, 2017
Several bugs in Apple’s television operating system tvOS, and smart watch operating system, watchOS, were also patched this week. As the operating systems share much of the same code as iOS, many of the vulnerabilities listed in the advisories overlap.
While the patches mark one of Apple’s largest updates in a while, none of Monday’s patches appear to resolve vulnerabilities uncovered by this month’s Pwn2Own hacking competition.
While researchers from Tencent Security and Qihoo 360 identified many critical bugs in Vancouver three weeks ago, none of them made their way into this week’s patches.
Hackers with Chaitin Security Research Lab took down Safari with the help of an information disclosure bug, four different type confusion bugs, and a use-after-free in WindowServer. The group also used an info leak and an out-of-bounds bug in the operating system’s kernel on the second day. Two German hackers, Samuel Groß and Niklas Baumstark, also hacked macOS, elevating to root privilege by chaining together a use-after-free in Safari, three logic bugs and a null pointer dereference. Apple told Groß and Baumstark at Pwn2Own that it had fixed the use-after-free in a beta version of the browser, but it’s unclear when the fix will go live.
Apple fixed one use-after-free issue this week in Safari’s WebKit, dug up by Fratric, but it’s unclear if it’s the same one the two German hackers used.
Apple was targeted multiple times over the course of Pwn2Own. Hackers with Qihoo’s 360 Security also exploited Safari with an integer overflow, and escalated to root through a macOS kernel use-after-free on the second day. The team also used an info leak and a race condition in the macOS kernel to exploit the operating system. Judging from Apple’s advisory, none of these bugs appear to be fixed yet.