New Software Updates From Apple Address Two Critical Vulnerabilities

It’s time to patch ALL the Apple things!
Apple has released a slew of software updates this week for various products. Most importantly, the updated iOS 9.3.

In March there were two vulnerabilities discovered within iPhone’s iOS

  • One vulnerability, a proof-of-concept (PoC), was discovered by a research team from John Hopkins University. The researchers discovered a way to break the encryption used by iMessage that could allow attackers to access and steal attachments such as images, videos and documents that are being shared securely with contacts
  • The second vulnerability discovered involves the handling of PDF documents.  An attacker could send you a booby-trapped PDF that would then cause malicious code to run on your iPhone.

These vulnerabilities and others are also affecting other versions of Apple’s OS, so it’s a good idea to take a moment and update all your iDevices. Yes, it’s a lengthy and bothersome task, but in addition to patching all of these nasty vulnerabilities, there are also improvements and shiny new features bundled up in these updates as well.

This is hot on the heels of the very first of the first Mac-focused ransomware campaign executed by cybercriminals. This just goes to show the importance of performing software updates when they are immediately available.

**Update from Apple**

iOS 9.0 introduced aggressive certificate pinning across iOS applications, which made the attack more difficult to perform. The most recent version, iOS 9.3 fully patched the vulnerability.

Here are just a few of the vulnerabilities that Apple patched this week across various OS’s:

 

iOS 9.3

  • Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
  • Messages- Visiting a maliciously crafted website may auto-fill text into other Message threads
  • Messages- An attacker who is able to bypass Apple's certificate pinning, intercept TLS connections, inject messages, and record encrypted attachment-type messages may be able to read attachments
  • Processing a maliciously crafted font file may lead to arbitrary code execution
  • A website may be able to track sensitive user information
  • Visiting a maliciously crafted website may reveal a user's current location
  • Processing maliciously crafted web content may lead to an unexpected Safari crash
  • Wi-Fi- An attacker with a privileged network position may be able to execute arbitrary code

watchOS 2.2

  • Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
  • Messages- An attacker who is able to bypass Apple's certificate pinning, intercept TLS connections, inject messages, and record encrypted attachment-type messages may be able to read attachments
  • Processing a maliciously crafted font file may lead to arbitrary code execution
  • An attacker with a privileged network position may be able to execute arbitrary code

tvOS 9.2

  • Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
  • A remote attacker may be able to execute arbitrary code
  • Processing a maliciously crafted font file may lead to arbitrary code execution
  • An attacker with a privileged network position may be able to execute arbitrary code

OS X El Capitan 10.11.4 and Security Update 2016-002

  • Processing a maliciously crafted .png file may lead to arbitrary code execution
  • Messages- Clicking a JavaScript link can reveal sensitive user information
  • Messages- An attacker who is able to bypass Apple's certificate pinning, intercept TLS connections, inject messages, and record encrypted attachment-type messages may be able to read attachments
  • A remote attacker may be able to cause a denial of service
  • Processing a maliciously crafted Photoshop document may lead to unexpected application termination or arbitrary code execution
  • A local attacker may be able to cause unexpected application termination or arbitrary code execution
  • An attacker with a privileged network position may be able to execute arbitrary code

Safari 9.1

  • Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution
  • Visiting a maliciously crafted webpage may lead to a system denial of service
  • A website may be able to track sensitive user information. A cookie storage issue existed in the Top Sites page
  • Visiting a maliciously crafted website may reveal a user's current location
  • Processing maliciously crafted web content may lead to an unexpected Safari crash