In addition to fixing the serious crypto vulnerabilities in iMessage that surfaced yesterday, Apple also deployed patches for nearly all of its products, including Safari, OS X, iOS, Apple TV’s tvOS, and watchOS.
The iOS update, 9.3, is arguably the most pressing given the cryptographic issue dug up by researchers at Johns Hopkins University, but it also fixes a slew of other bugs.
Nine memory corruption issues that exist in many of the operating system’s kernels and parsers were addressed, while a handful of other issues, such as use-after-free, denial of service, and out of bounds bugs were also fixed. Only one issue, a series of vulnerabilities in HTTPProtocol, could have led to remote code execution.
9.3 also fixes an issue in WebKit dug up by four scholars at Newcastle University in the UK. Maryam Mehrnezhad, Ehsan Toreini, Siamak F. Shahandashti, and Feng Hao from the university’s School of Computing Science discovered that a hidden web page could track user information and “device-motion data.” Apple fixed the issue by suspending the availability of that data.
Yesterday also brought fixes for a dozen issues in Safari, seven involving WebKit. Issues in the web browser engine could’ve led to a few outcomes, including interface spoofing, data exfiltration, and unexpected crashes.
A researcher at Dropbox, Devdatta Akhawe, discovered a bug similar to the one dug up by the Newcastle students that was also remedied. Akhawe found that the way Safari handled attachment URLs could’ve let a site track user information. Apple fixed the issue through improved URL handling. A separate issue identified by researchers with Tencent’s Xuanwu Lab was also fixed that stemmed from the way geolocation requests were parsed. Before the fix, if a user navigated to a malicious website the browser could’ve given away a user’s location.
Absent from the update are fixes for vulnerabilities in Safari highlighted at this year’s Pwn2Own hacking competition last week in Vancouver. It’s expected Apple will address those bugs, which escalated privileges and gave hackers root level access, in a future release.
The OS X update, which graduates the operating system to El Capitan v10.11.4, fixes 59 bugs in total. 15 of the vulnerabilities could have let an application execute arbitrary code – a dozen with kernel privileges. A dozen more could have simply led to code execution.
The bulk of the fixes apply to ubiquitous utilities like OpenSSH and OpenSSL, software like Python and Quicktime, and other assorted drivers, since OS X also runs Messages, the update resolves the same cryptographic, certificate pinning issue that the iOS update fixed.
More than 30 issues in watchOS – updating the operating system to 2.2 – and eight issues in tvOS – updating the operating system to 9.1.1 – were addressed yesterday as well. Several bugs, like a memory corruption issue Joshua Drake and Nikias Bassen of Zimperium zLabs discovered in syslog, affected both watchOS and tvOS, as both operating systems share some of the same libraries and kernel extensions.