Apple bolsters security in new iOS and macOS

By

Patches galore for security holes.

Apple today released new versions of its iOS mobile and macOS operating systems that contain a large number of security patches.

Apple bolsters security in new iOS and macOS

A total of 70 vulnerabilities have been patched by Apple in iOS 10.3. Of these, 18 can lead to arbitrary code execution, in many cases using maliciously crafted font and image files.

A flaw in the Webkit rendering engine - CVE-2017-2378 - could be exploited by dragging and dropping a malicious link, and lead to bookmark spoofing or arbitrary code execution. 

Webkit received a total of 19 patches against various vulnerabilites in iOS 10.3, including memory contents leakage and corruption, data exfiltration, and universal cross-site scripting.

Apple also added new pre-emptive security measures in iOS 10.3. Users wanting to change their iCloud passwords in the systems settings control panel and set up two-factor authentication will find that easier to do, as the password and security section has been moved up the menu hierarchy.

iOS 10.3 now shows all devices that are associated with the Apple ID users are signed in with, including Macs and Watch, and Windows devices running Apple software like iTunes.

The new section provides easy access to Find My iPhone for tracking devices, and if they're lost or stolen, to erase them. Other information such as serial numbers, credit cards associated with devices, and further identifiers are also now grouped under passwords and security.

Even more patches for Sierra

Apple's desktop and laptop OS, macOS Sierra, received a whopping 127 security patches with version 10.12.4, also released today.

Many of the vulnerability fixes are shared with iOS 10.3, but macOS gets a range of patches fixing open source components such as the Apache webserver, tcpdump low level network tool, Python scripting language, OpenSSL crypto library, and the OpenSSH remote access utility.

Apple updated the version of tcpdump to 4.9.0 in the new Sierra, El Capitan and, Yosemite versions of macOS/OS X, and patched 41 vulnerabilties in the process.

A validation issue in Apple's anti-malware security feature, the system integrity protection (SIP) that could allow malicious applications to modify protected disk locations during installation, was also fixed in macOS 10.12.4.

Fixes are also available for vulnerabilities in the macOS kernel, hardware drivers, and network subsystem that could be exploited to run code with full system privileges.

Update After Apple distributed iOS 10.3 over the air, security vendor Lookout revealed that the upgrade fixed a vulnerability in the Mobile Safari web browser that was actively exploited by criminals.
 
The vulnerability lay in how Mobile Safari handles Javascript pop-up dialogs. Attackers created malicious websites, which would display pop-ups purporting to be from police, alleging visitors had viewed illegal pornography on their devices. 
 
Due to the way Mobile Safari handled Javascript popups prior to iOS 10.3, the attackers were able to put the browser into an infinite loop, locking users out. The blackmailers attempted to scare users into paying money via iTunes gift cards to unlock their browsers, Lookout said.
 
Lookout noted that technically knowledgeable users were able to unfreeze their browsers by clearing website history and data for Mobile Safari, effectively starting it as a fresh app.
 
Australian and New Zealand iOS users were targeted by the extortion campaign, as well as people in the United States, United Kingdom and Ireland, according to Lookout
Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers

Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies

Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound

Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames

Log In

  |  Forgot your password?