Apple plugs large number of security holes in iOS 9.2

Apple today released a substantial update for its iOS mobile operating system, containing bug fixes and multiple patches for remotely exploitable vulnerabilities.

No fewer than 50 security flaws are patched in iOS 9.2, 19 of which permitted local and remote execution of arbitrary code without user interaction.

The zlib file compression library, CoreMedia Playback media utility, libarchive archival utility and the OpenGL 2D and 3D graphics platform all allowed maliciously crafted websites to run arbitrary code on victims' systems, Apple said in its security advisory.

Ten flaws in the WebKit rendering engine, used by Apple's Safari web browser and the company's App Store and other iOS and OS X applications could be abused in a similar manner.

Safari itself was vulnerable to URL link spoofing, which could be used to trick users into thinking they were visiting a specific site, when in fact they had been lured elsewhere.

The DYLD dynamic linker, which was hit by a zero-day exploit in August this year, was once again patched after Apple and the PanguTeam jailbreakers discovered malicious applications could abuse multiple segment validation flaws to run arbitrary code on victims' systems.

Today's updates are for Apple iPhone 4s and later models, fifth generation iPod Touch and beyond, and iPad 2 and newer.

A total of 54 security flaws were patched with the 10.11.2 update for Apple's OS X desktop operating system; the update for OS X incorporates security patches for components shared with iOS. 

Of the OS X vulnerabilities, 24 could be used for local and remote execution of arbitrary code, Apple said. OS X 10.11.2 also fixes bugs in system components such as Handoff and Airdrop, and makes wi-fi and Bluetooth networking more reliable.

Security updates are also available for watchOS, tvOS and the Xcode set of development tools.