Categories: mobile OSMobility

Apple Updates OS X 10.11.4 And iOS 9.3 To Boost Security

Although industry watchers’ eyes were on Apple’s iPhone and iPad announcements on March 21, on the same day, the company released a series of important security updates for its mobile and desktop operating systems.

Of particular note is a high-impact vulnerability in Apple’s Messages app that is now fixed in both the OS X 10.11.4 and iOS 9.3 operating systems. The new Apple mobile and desktop operating system updates are the second so far in 2016, following the OS X 10.11.3 and iOS 9.2.1 updates released Jan. 19.

CVE-2016-1788 is a cryptographic issue in Apple’s Messages app that was reported to Apple by researchers Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers and Michael Rushanan of Johns Hopkins University. The potential risk of the vulnerability is that an attacker could read a user’s encrypted messages.

Apple security

“An attacker who is able to bypass Apple’s certificate pinning, intercept TLS [Transport Layer Security] connections, inject messages and record encrypted attachment-type messages may be able to read attachments,” Apple wrote in its advisory.

Apple’s Messages app is also being fixed for a pair of different issues in iOS 9.3 and OS X 10.11.4. In iOS 9.3, the CVE-2016-1763 vulnerability is an issue that could have enabled a malicious Website to auto-fill text into other Message threads.

In OS X 10.11.4, Messages is being patched for CVE-2016-1764, which is a flaw in which clicking on a malicious JavaScript link could have potentially exposed sensitive user information.

Apple’s Kernel in both OS X and iOS is being patched for nine different vulnerabilities (CVE-2016-1750 through CVE-2016-1758). The potential impact of the kernel vulnerabilities includes arbitrary code execution with full kernel privileges.

Another large set of patches for both iOS and OS X comes by way of the libxml2, XML parsing library, which is at risk from nine different vulnerabilities (CVE-2015-1819, CVE-2015-5312, CVE-2015-7499, CVE-2015-7500, CVE-2015-7942, CVE-2015-8035, CVE-2015-8242, CVE-2016-1761 and CVE-2016-1762).

iOS 9.3

“Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution,” Apple warns in its advisory. “Multiple memory corruption issues were addressed through improved memory handling.”

Both iOS and OS X also are receiving a patch for a pair of vulnerabilities (CVE-2016-0801 and CVE-2016-0802) in Apple’s Wi-Fi component.

“An attacker with a privileged network position may be able to execute arbitrary code,” Apple’s advisory warns.

Simply opening up a malicious PDF file on either OS X or iOS could have potentially triggered the CVE-2016-1740 vulnerability, which is now being patched. The CVE-2016-1775 vulnerability is somewhat similar, whereby processing a malicious font in OS X or iOS could have potentially led to arbitrary code execution.

In addition to the iOS and OS X update, Apple also has released the Safari 9.1 Web browser fixing a dozen different vulnerabilities (CVE-2009-2197, CVE-2016-1762, CVE-2016-1771, CVE-2016-1772, CVE-2016-1778, CVE-2016-1779, CVE-2016-1781, CVE-2016-1782, CVE-2016-1783, CVE-2016-1784, CVE-2016-1785 and CVE-2016-1786).

Originally published on eWeek

How well do you know Apple? Take our quiz.

iPhone SE 1

Picture 1 of 6

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Google Warns Of Italian Spyware On Apple, Android Phones

Italian company's hacking tools have been used to spy on Apple, Android smartphones in Italy…

2 days ago

Intel Signals Delay To Ohio Factory Over US Chips Act Dispute

Chip maker warns new factory in Columbus, Ohio could be delayed or scaled back, over…

2 days ago

Silicon UK In Focus Podcast: Sustainable Business

How do sustainable businesses use technology to innovate? And as businesses want to connect sustainability…

2 days ago

Australia Fines Samsung Over Water-Resistance Claims

Samsung rapped over the knuckles by Australian regulator because of 'misleading' Galaxy smartphone water-resistance claims…

3 days ago

Amazon Reveals Alexa Option To Mimic Any Person’s Voice

Bereavement aid for those in mourning? Amazon's Alexa voice assistant could be programmed to sound…

3 days ago