UPDATE Apple pushed out its latest operating system, El Capitan, yesterday, and while it boasts many security fixes, the update fails to address the outstanding vulnerability in Gatekeeper that came to light this week.
The issue with Gatekeeper, as described yesterday by Patrick Wardle, the director of research at Synack, fails to verify whether an app runs or loads other apps or dynamic libraries from the same or relative directory. Apple is reportedly working on a short term mitigation for the simple, but effective bypass that Wardle cooked up and presented at Virus Bulletin today in Prague.
The new OS X doesn’t appear to fix the XARA password stealing vulnerabilities in Keychain that a collective of Indiana University students publicized this summer either. When reached by Threatpost Thursday, Luyi Xing, one of the researchers who discovered the flaws in June, claimed that when he checked El Capitan on Wednesday the XARA Keychain problem was still there and that “OS X users are still under risks.”
There is a fix in El Capitan that pertains to access control lists as they relate to iCloud Keychain items – and Apple credits Xing and company with discovering the issue – but it doesn’t fix the XARA problem, which affects the “login” keychain and stemmed from weak and faulty access control lists which made it easier to gain access to a user’s Keychain items. Apple claims it fixed that issue in its Online Store Kit through improved access control list checks.
What Apple does fix in El Capitan 10.11 is a slew of other vulnerabilities, 100 in total, that existed in everything from Address Book to Mail to Time Machine to Notes.
The update also fixes roughly 20 bugs in PHP, a trio of bugs in bash, and multiple bugs in older versions of OpenSSH, and OpenSSL, all of which have been updated to their most recent versions.
45 issues were addressed in Safari 9, which Apple also pushed out Wednesday. In addition to a new feature that can mute audio on some Safari tabs, the latest iteration of the browser also fixed a handful of security issues, including bugs that could lead to compromise, arbitrary code execution, leak browsing history, and more. The bulk of issues fixed by the update were WebKit-related memory corruption bugs that could have resulted in browser termination, and in one case, thanks to an API, leak browsing history, network activity, and mouse movements.
One of the more curious fixes addressed an issue with how the browser interacted with password managers.
“The local communication between Safari extensions such as password managers and their native companion apps could be comprised by another native app,” Apple warns in its advisory, adding that the issue was addressed by a “new, authenticated communications channel between Safari extensions and companion apps.”
A separate update for iOS brought the mobile operating system to 9.0.2 and fixed another lockscreen bypass that was recently identified. Assuming an attacker had access to the physical device, because Apple enabled its personal assistant Siri on the lockscreen by default, they could access a users’ photos and contacts from the lockscreen.
The bug, dug up by iPhone user Jose Rodriguez, existed in iOS 9, and iOS 9.0.1, but was fixed yesterday.
This article was updated on October 1 to reflect that the XARA vulnerabilities have not been addressed in El Capitan