Apple Issues First OS X, iOS Security Updates For 2016

Apple released its first security updates of 2016 on Jan. 19, with the debut of OS X 10.11.3 and IOS 9.2.1, which provides patches for multiple classes of vulnerabilities that could potentially enable attackers to exploit users and their devices. Apple last issued security patches for OS X and iOS on Dec. 9.

Among the problems fixed in OS X and iOS is CVE-2016-1722, a vulnerability in the syslog logging function that was discovered by security researchers Joshua Drake and Nikias Bassen of Zimperium zLabs. CVE-2016-1722 is a privilege escalation issue that could have potentially led to remote code execution or a denial-of-service attack.

Secured

Drake is well-known in the security research community for his discovery of the Stagefright media library flaws in Google’s Android operating system. Though Zimperium has been successful in finding Android flaws, the company wasn’t specifically looking for an issue with Apple’s syslog.

“We sort of stumbled on it on accident,” Drake told eWEEK.

Zimperium researchers had found a crash condition when doing fuzzing—a security research technique in which random characters and code are thrown at a program to see what will happen, Drake explained.

“Our fuzzer was not targeting the syslog code, but some of our fuzzing framework just happened to exercise the vulnerable code leading to a crash,” Drake said.

Another high-impact flaw Apple is patching is CVE-2016-1730, an iOS vulnerability in the WebSheet function. WebSheet is an internal iOS app that enables users to connect to public WiFi access points.

“A malicious captive portal may be able to access the user’s cookies,” Apple warned in its advisory.

The CVE-2016-1730 vulnerability was reported to Apple by Skycure security researchers Adi Sharabani and Yair Amit. In a blog post, Amit explained that the vulnerability is triggered by how iOS handles cookies when it interfaces with a WiFi captive portal.

“When iOS users connect to a captive-enabled network (commonly used in most of the free and paid WiFi networks at hotels, airports, cafes, etc.), a window is shown automatically on users’ screens, allowing them to use an embedded browser to log in to the network via an HTTP interface,” Amit wrote. “As part of Skycure’s continuous research on network-based attacks against mobile devices, we found that the embedded browser used for Captive Portals creates a vulnerability by sharing its cookie store with Safari, the native browser of iOS.”

As has been the case in previous Apple security updates, Ian Beer, a security researcher with Google’s Project Zero, is credited with discovering multiple issues. For OS X 10.11.3 and iOS 9.2.1 updates, Apple credits Beer with reporting three memory corruption vulnerabilities—CVE-2016-1719, CVE-2016-1720 and CVE-2016-1721—which affect both OS X and iOS.

How well do you know Apple? Take our quiz!

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Ericsson To Cut 1,200 Jobs in Sweden Amid ‘Challenging’ Market

Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…

15 hours ago

FTX’s Sam Bankman-Fried Sentenced To 25 Years In Prison For $8bn Fraud

Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…

16 hours ago

Elon Musk Orders FSD Demo For Every Tesla US Sale

Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…

16 hours ago

Amazon Pumps Another $2.75 Billion Into Anthropic

Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…

18 hours ago

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

21 hours ago

Trump’s Truth Social Makes Successful Market Debut

Shares in Donald Trump’s social media company rose about 16 percent after first day of…

21 hours ago