Apple Patches DROWN, Lockscreen Bypass Vulnerability, With Latest Round of Updates

Apple on Monday rolled out a series of patches for nearly all of its operating systems, including fixes for March’s DROWN vulnerability in OS X and a lockscreen bypass vulnerability in iOS.

Apple on Monday rolled out a series of patches for nearly all of its operating systems, OS X, iOS, its smart watch operating system, watchOS, and Apple TV’s tvOS, along with fixes for both iTunes and Safari.

OS X received the lion’s share of the updates, 67 in total, bringing Apple’s operating system El Capitan to version 10.11.5.

Among the fixes, the OS X update finally resolves the DROWN vulnerability, first detailed back in March by a cooperative of 15 researchers. The vulnerability stems from a flaw in SSLv2 that relates to export-grade cryptography and could have let an attacker leak user information. Apple claims it fixed the issue by disabling SSLv2 in Tcl, an embeddable dynamic language interpreter.

Roughly 25 of the 67 OS X patches address vulnerabilities that could ultimately lead to code execution, including 19 issues that could trigger an application to execute code with kernel privileges. Six more could result in either application termination or arbitrary code execution and primarily stem from flaws in graphics standards and frameworks like SceneKit, Quicktime, and OpenGL, and libraries like libxml2 and libxslt.

While most of the issues exist in Apple’s most recent operating system, El Capitan, 12 bugs were fixed in Mavericks 10.9.5 and 14 in Yosemite 10.10.5.

The libxslt issue in particular, dug up by Sebastian Apelt, a researcher at the German pentesting firm Siberas, exists in all three operating systems. The vulnerability also affects iOS, tvOS, and watchOS by extension, since the XSLT C library exists in each operating system. If an attacker tricked a user into visiting a malicious site, the vulnerability could lead to code execution.

The same 19 issues that could let an application execute code with kernel privileges in OS X also affect iOS but were fixed Monday.

In addition, two issues in Messages – also present in OS X – were fixed, including one that could have let an attacker modify a users’ contact list, and another that could have let attackers leak sensitive user information.

The iOS update also remedies a lockscreen bypass vulnerability that could have allowed access to contacts and photos. Spanish iPhone researcher, Jose Rodriguez a.k.a videodebarraquito, has dug up a handful of lockscreen bypass bugs in the past and is credited by Apple for finding this particular vulnerability.

Apple also took the opportunity on Monday to patch a handful of issues in platforms like watchOS and tvOS, many of the same bugs it patched in iOS and OS X. Just a single issue needed to be fixed in iTunes: A dynamic library loading issue that could have led to code execution.

Only seven vulnerabilities were addressed with this week’s Safari update, five that could lead to code execution and two that could lead to the leaking of data. The vulnerabilities could still easily make their way into attackers’ toolkits however, experts claim.

“Such vulnerabilities are hooks for phishers to use to bait users to visit malicious websites and compromise their systems,” warned Chris Goettl, director of product management at LANDESK. “If you have any doubt, make sure Safari is up to date quickly as the five arbitrary code vulnerabilities will undoubtedly be useful for targeting users,” Goettl said.

The updates come roughly two weeks after Apple’s last set of patches, when it fixed two issues in its development environment Xcode, as they relate to its implementation of git.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.