Apple fixed dozens of vulnerabilities in its software on Monday, including 60 vulnerabilities in its desktop operating system, OS X, and 43 in its mobile operating system, iOS.

The OS X update graduates the desktop and server operating system to OS X El Capitan v10.11.6 and applies to anyone running OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, or OS X El Capitan v10.11. The updates mostly fix a number of glitches and bugs under the hood of the OS. As usual, the bulk of them apply to bundled software libraries such as OpenSSL, LibreSSL, and libxml2; Apple updated each library to its most recent version to mitigate the issues.

Meanwhile, 21 of the vulnerabilities could lead to arbitrary code execution, six of them with kernel privileges, and two could lead to the compromise of user information. Seven vulnerabilities, each of them dug up by Ke Liu of Tencent's Xuanwu Lab, exist in QuickTime. The bugs mostly stem from memory corruption issues and could allow malicious images to trigger code execution. A nasty issue in libc++abi, a low-level support library for the C++ standard library, was also patched; it could have allowed an app to execute arbitrary code with root privileges.
The update also fixed an issue with Safari's Login Autofill feature that could have revealed a user's password on screen. An interesting bug involving FaceTime was fixed in both OS X and iOS: it could have allowed an attacker in a privileged network position to keep a relayed call transmitting audio by tricking the user into thinking the call had been terminated. According to Apple's advisory, "user interface inconsistencies" existed when FaceTime was handling relayed calls. Apple says it fixed the issue through improved display logic. Martin Vigo, a security engineer who spoke at Black Hat Europe last year, discovered the vulnerability. He acknowledged via Twitter Monday that he hasn't publicly disclosed details of the bug yet because there are "other related vulns" in FaceTime that still need to be fixed by Apple.
The iOS update, iOS 9.3.3, fixes 43 vulnerabilities, including a bug in the Calendar app that could have been leveraged to cause a device to unexpectedly restart. Henry Feldman, an Assistant Professor of Medicine at Beth Israel Deaconess Medical Center, who also runs the software development team for the hospital's Division of Clinical Informatics, discovered that the bug could be triggered by a malicious calendar invite.

Bugs that affect Siri have been a dime a dozen since the personal assistant's inception. The latest, discovered by a researcher in Portugal, could have allowed anyone with physical access to someone's device to see private contact information. Apple fixed the issue, which stemmed from the way Siri handles Contact cards, through what it calls improved state management.

Aside from the Calendar app bug and the Siri bug, most of the iOS bugs, 12 in total, affect WebKit and could result in the exfiltration of data cross-origin, script execution, interface spoofing, and the disclosure of process memory, to name a few outcomes. As WebKit is the web browser engine used by Safari, the same 12 bugs fixed in the iOS update are also fixed by the Safari update, which brings the browser to version 9.1.2.

As it usually does, Apple used the opportunity to release updates for both its watchOS and tvOS operating systems, along with iTunes. The iTunes update only applies to Windows 7 users and updates the media player to version 12.4.2. The updates are likely some of the last both OS X and iOS will receive in the near future, as the company has its hands full readying new versions, iOS 10 and macOS Sierra, for release later this fall. Apple released the third beta of both iOS 10 and macOS Sierra to developers and public beta testers on Monday as well. Apple announced both operating systems in June at its Worldwide Developers Conference in San Francisco.
macOS in particular is expected to include updates to Gatekeeper, and a new file system that includes native support for encryption.