Apple fixed 66 vulnerabilities across seven product lines, including Safari, iTunes, macOS, and iOS, on Monday.
Many of the fixes – especially in macOS and Safari – resolve vulnerabilities uncovered at Pwn2Own, the hacking contest held at CanSecWest each year. Contestants collectively earned $143,000 for poking holes in Apple products when the competition was held in March.
The bulk of Monday’s fixes address memory corruption vulnerabilities, many of which can lead to code execution, in WebKit. The web browser engine figures into Safari and iOS, as well as iCloud for Windows, iTunes for Windows, tvOS, and watchOS, all of which received updates Monday.
Lokihardt – a one-time Pwn2Own contestant now part of Google’s Project Zero – found seven of the WebKit bugs, and 13 vulnerabilities in Safari overall.
Two German hackers, Samuel Groß and Niklas Baumstark, are credited with finding five bugs, including a vulnerability in WebKit, a bug in DiskArbitration, and three sandbox escape bugs in the operating system’s Speech Framework and Security components. At Pwn2Own the pair chained a use-after-free in Safari, three logic bugs and a null pointer dereference to exploit Safari and elevate to root in macOS. As part of their attack, they broadcast a special message, “PWNED BY NIKLASB & SAELO”, across a MacBook Pro’s Touch Bar.
The macOS update also fixes a series of bugs uncovered at Pwn2Own in WindowServer, the component that brokers requests between OS X apps and the machine’s graphics hardware. Hackers used a use-after-free in the component, four type confusion bugs in Safari and an information disclosure in the browser to achieve root access on macOS. The macOS update also resolves WindowServer bugs found at Pwn2Own by Richard Zhu, and by Keen Lab and PC Manager’s Team Sniper.
According to Apple, 11 of the vulnerabilities fixed in iOS could have led to code execution, triggered by an application, a maliciously crafted piece of web content, or a SQL query. Seven bugs in macOS could have been used to execute arbitrary code. One of those vulnerabilities – dug up by Google’s Ian Beer – could have let an application execute arbitrary code with kernel privileges.
The updates also resolved a nasty kernel info leak (CVE-2017-6987) uncovered by Patrick Wardle, director of research at Synack. The bug, described in depth by Wardle back in April, existed in macOS 10.12.3 as well as in iOS, Apple TV (tvOS) and Apple Watch (watchOS). Wardle called the bug an “unpatched 0day” at the time, although he stressed that a system would have to have file access auditing enabled for it to be reachable.
Four bugs in SQLite, a cross-platform C library that powers a SQL engine in iOS, tvOS and watchOS, were also fixed. The bugs were found by OSS-Fuzz, a program Google debuted in December to continuously fuzz open source software. Google said last week the program has found more than 1,000 open source bugs in the last five months, but these are the first found by the program to be fixed by Apple.
According to Apple’s release notes, the iOS update is mostly focused on bug fixes and operating system improvements. The macOS update also fixes an issue that occurred when audio was played through USB headphones and improves macOS’ compatibility with the Apple Store.
The number of fixes is markedly smaller than the last time Apple’s products received an update. In March the company fixed 223 vulnerabilities, a quarter of which could have led to arbitrary code execution. The update brings iOS to 10.3.2, macOS Sierra to 10.12.5, watchOS to 3.2.2, tvOS to 10.2.1, iCloud for Windows to 6.2.1, Safari to 10.1.1, and iTunes for Windows to 12.6.1.
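For administrators checking whether a fleet has actually picked up these builds, the useful question is whether the installed version is at or above the fixed version listed above. The following POSIX shell script is an added example, not code from the article or from Apple: it compares dotted version strings component by component (assuming purely numeric components, which holds for the versions named here) and reports PATCHED or VULNERABLE against the fixed versions from this update. The demo inputs at the bottom are constructed; on a real Mac the installed value would come from `sw_vers -productVersion`.

```shell
#!/bin/sh
# Added example (not from the article): patch-status check against the
# versions Apple shipped in this update.

# version_ge INSTALLED REQUIRED -> returns 0 if INSTALLED >= REQUIRED.
# Compares one dotted component at a time; a missing component counts as 0,
# so "10.12" < "10.12.5" and "10.13" > "10.12.5". Assumes numeric components.
version_ge() {
    inst="$1"; req="$2"
    while [ -n "$inst" ] || [ -n "$req" ]; do
        a="${inst%%.*}"; b="${req%%.*}"
        [ -z "$a" ] && a=0
        [ -z "$b" ] && b=0
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        # Drop the leading component, or empty the string if none is left.
        case "$inst" in *.*) inst="${inst#*.}";; *) inst="";; esac
        case "$req"  in *.*) req="${req#*.}";;   *) req="";;  esac
    done
    return 0
}

# patch_status PRODUCT INSTALLED -> prints a verdict; exit 0 if patched,
# 1 if the installed build predates the fix, 2 for an unknown product.
# The fixed versions are the ones named in the article.
patch_status() {
    product="$1"; installed="$2"
    case "$product" in
        macos)   fixed=10.12.5 ;;
        ios)     fixed=10.3.2 ;;
        safari)  fixed=10.1.1 ;;
        watchos) fixed=3.2.2 ;;
        tvos)    fixed=10.2.1 ;;
        icloud)  fixed=6.2.1 ;;
        itunes)  fixed=12.6.1 ;;
        *) echo "unknown product: $product" >&2; return 2 ;;
    esac
    if version_ge "$installed" "$fixed"; then
        echo "$product $installed: PATCHED (fix shipped in $fixed)"
        return 0
    else
        echo "$product $installed: VULNERABLE (needs $fixed or later)"
        return 1
    fi
}

# Constructed demo inputs so the script runs anywhere; replace with
# "$(sw_vers -productVersion)" on a live Mac.
for v in 10.12.3 10.12.5; do
    patch_status macos "$v" || :
done
```

The check deliberately treats a shorter version string as older (10.12 is reported as needing 10.12.5), which is the conservative reading when an inventory tool truncates build numbers.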
According to the Zero Day Initiative, which helps put on Pwn2Own with Trend Micro, 35 percent of the bugs fixed by Apple this week were found through the competition.
Dustin Childs, who handles communications for the Zero Day Initiative, recapped the vulnerabilities in a blog entry on Tuesday and hinted that problematic real-world events, like this past week’s WannaCry outbreak, can be effectively prevented by patch management.
“Apple doesn’t disclose if any of these issues are publicly known or under active attack, but as recently highlighted by real-world events, patching matters,” Childs wrote. “It may not be the easiest task – especially when patches release with little fanfare. However, the consequences of not applying these updates could prove costly in the months to come.”
The updates came the day before Apple announced it would begin to clamp down on third-party apps, such as Microsoft Outlook, that access iCloud user data. In an Apple Support email sent out early Tuesday, the company said that beginning June 15 it would require users to set up app-specific passwords for such apps.
The measure effectively requires users of non-native apps that can access iCloud, such as Outlook and Mozilla Thunderbird, to adopt two-factor authentication, since app-specific passwords can only be generated on an Apple ID with it enabled.
“If you are already signed in to a third-party app using your primary Apple ID password, you will be signed out automatically when this change takes effect. You will need to generate an app-specific password and sign in again,” the email reads.