Apple today released new versions of its iOS mobile and macOS operating systems that contain a large number of security patches.
A total of 70 vulnerabilities have been patched by Apple in iOS 10.3. Of these, 18 can lead to arbitrary code execution, in many cases using maliciously crafted font and image files.
A flaw in the WebKit rendering engine - CVE-2017-2378 - could be exploited by dragging and dropping a malicious link, and lead to bookmark spoofing or arbitrary code execution.
WebKit received a total of 19 patches against various vulnerabilities in iOS 10.3, including memory contents leakage and corruption, data exfiltration, and universal cross-site scripting.
Apple also added new pre-emptive security measures in iOS 10.3. Users wanting to change their iCloud passwords in the systems settings control panel and set up two-factor authentication will find that easier to do, as the password and security section has been moved up the menu hierarchy.
iOS 10.3 now shows all devices associated with the Apple ID that users are signed in with, including Macs and Watch, and Windows devices running Apple software like iTunes.
The new section provides easy access to Find My iPhone for tracking devices and, if they're lost or stolen, erasing them. Other information such as serial numbers, credit cards associated with devices, and further identifiers are also now grouped under passwords and security.
Even more patches for Sierra
Apple's desktop and laptop OS, macOS Sierra, received a whopping 127 security patches with version 10.12.4, also released today.
Many of the vulnerability fixes are shared with iOS 10.3, but macOS gets a range of patches fixing open source components such as the Apache webserver, the tcpdump low-level network tool, the Python scripting language, the OpenSSL crypto library, and the OpenSSH remote access utility.
Apple updated the version of tcpdump to 4.9.0 in the new Sierra, El Capitan, and Yosemite versions of macOS/OS X, and patched 41 vulnerabilities in the process.
A validation issue in System Integrity Protection (SIP), Apple's anti-malware security feature, that could allow malicious applications to modify protected disk locations during installation was also fixed in macOS 10.12.4.
Fixes are also available for vulnerabilities in the macOS kernel, hardware drivers, and network subsystem that could be exploited to run code with full system privileges.