It was only three weeks ago that Apple patched its core line of products and pushed its latest version of OS X, El Capitan. Yet another wave of patches arrived Thursday however to address scores of vulnerabilities in OS X, iOS, Safari, iTunes, and even the company’s smart watch operating system, watchOS.
With the iOS update, iOS 9.1, Apple effectively kills two vulnerabilities that a group of Chinese hackers, Pangu Team, were using to jailbreak the operating system. The collective had been leveraging a heap based buffer overflow and a memory corruption issue to elevate privileges and execute arbitrary code with kernel privileges as part of its jailbreak tool.
The fixes are part of what’s become a common pattern. Apple fortifies iOS to the best of its ability, but eventually jailbreakers find a way around Apple’s fixes.
“It seems that with each new version of iOS, new jailbreaks occur,” Patrick Wardle, the Director of Research at Synack told Threatpost, adding that while jailbreaks may have become more commonplace, the constant back and forth with Apple can be still risky for jailbreakers.
“Trusting a closed-source jailbreak is always somewhat of a risk – and also, yes it likely opens up the device up to various iOS malware,” Wardle said, “I think this matters to Apple as they strive quite hard to prevent jailbreaks.”
The iOS update also fixes another issue that Apple’s security team has worked against in the past – pesky lock screen bugs. This one allowed Phone and Messages notifications to sometimes appear on the lock screen when they weren’t supposed to. The iOS 9.1 update also fixes an issue in the online certificate status protocol (OCSP) client that could’ve let an attacker make a revoked certificate seem valid.
In addition to the lock screen bug, the jailbreak bugs, and the certificate bugs, iOS 9.1 also includes fixes for a dozen other vulnerabilities that could have led to code execution, and two kernel issues that could have been leveraged to cause a denial of service condition.
In OS X El Capitan v10.11.1, Apple patched 60 vulnerabilities, including 16 that could have led to code execution, three that could have led to application, or system termination, and two that could have led to a denial of service condition.
In OS X and iOS, Apple addressed a cookie injection attack issue that a group of students brought to Apple’s attention last month at USENIX. The students stressed that because of a weakness in the way Apple handled cookies, an attacker could have injected cookies in an HTTP session that could have attached themselves to HTTPS connections via a man-in-the-middle attack.
While the iOS update was somewhat all encompassing, the Safari update was relatively small potatoes. Apple fixed several issues in WebKit – mostly memory corruption bugs – that could have led to arbitrary code execution, but that’s it.
Like they did in Safari, Apple also fixed a slew of WebKit issues in iTunes, bringing it to version 12.3.1. Some could’ve been used to trigger arbitrary code execution or terminated the app through a man-in-the-middle attack.
The operating system that Apple uses for its ever ubiquitous smart watches wasn’t left out of the fun either. Apple patched 14 vulnerabilities in watchOS, bringing the operating system to version 2.0.1. While many of the same bugs fixed in watchOS were also fixed in iOS, the main difference – aside from a bunch of performance fixes – is that the watchOS update includes a fix for an Apple Pay bug. The vulnerability, CVE-2015-5916, could have let a terminal retrieve limited recent transaction information from the device when a user was making a payment. Apple fixed that by doing away with the transaction log functionality in Apple Pay entirely.
Apple last week that patched a handful of issues in the software Keynote, Pages, Numbers, and iWork. Many of the bugs it fixed stemmed from memory corruption vulnerabilities and input validation vulnerabilities in the software.