Apple Posts Security Updates for OS X, iOS, and Safari

Severity: High

Summary:

  • These vulnerabilities affect: Apple OS X 10.6.x-10.8.x, Safari 6.0 and below, and iOS 5.1.1 and below.
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into opening specially crafted files or visiting malicious websites.
  • Impact: Various results; in the worst case, an attacker can execute code with your privileges, and leverage other flaws to elevate to root.
  • What to do: Install the appropriate OS X, Safari, and iOS update as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Yesterday, Apple released three security updates to fix many vulnerabilities in OS X, iOS, and Safari (Mac version only). Like the iTunes patch from last week, these updates fix an unusually large number of vulnerabilities. For instance, the iOS update fixes around 197 flaws, many of them affecting the WebKit component. If you use Mac computers or iOS devices, you should apply these significant updates quickly. I quickly summarize Apple’s three alerts below:

If you paid attention to Apple’s iPhone 5 announcement last week, you may also have been excited about iOS 6, which they posted yesterday. If iOS 6’s new features weren’t enough to sell you on the new firmware, Apple’s iOS 6 security alert should close the deal. According to Apple’s alert, iOS 6 fixes around 197 security vulnerabilities. The flaws differ widely, but attackers can exploit the worst of them to execute arbitrary code on your iOS devices. The attacker only has to lure you to a site containing malicious content, or entice you to interact with some sort of file (whether it be an image, movie, or config file). If you have an iPhone, iPod, or iPad, you should update it to iOS 6 as quickly as possible. See Apple’s security update if you want more details on the individual flaws, including their CVE numbers.
WatchGuard rating: Critical

Apple also released a huge OS X security update to fix vulnerabilities in all current versions of OS X. The almost 700MB patch fixes about 35 (number based on CVE-IDs) security issues in many components that ship as part of OS X or OS X Server, including QuickTime, the Kernel, and BIND. Again, the flaws differ in scope and impact, but the worst allow attackers to execute code with your privileges simply by enticing you into viewing a malicious file or malicious web content. Furthermore, some of the Kernel flaws allow attackers to elevate their privileges, gaining complete control of your computer. If you use a Mac, you should install the update as quickly as you can. See Apple’s alert for more detail on each flaw.
WatchGuard rating: Critical

Finally, Apple also released an update to fix about 60 security flaws in Safari for Mac (Apple seems to have discontinued supporting Safari for Windows). Many of these flaws are the same WebKit component issues that Apple recently patched in iTunes. As with those flaws, by enticing you to a web site containing malicious code, attackers can execute code with your privileges. Many of the vulnerabilities are ideal for drive-by download attacks. Again, if you have a Mac, I recommend you patch Safari, even if you don’t use it as your primary browser.
WatchGuard rating: Critical

Solution Path:

Apple has released updates for all these products. If you use Mac computers or iOS devices, you should download and install the updates as soon as you can, or let Apple’s Software Updater do it for you. That said, the OS X update is rather large and will require a reboot, so plan that update accordingly. Personally, I have had few issues with Apple’s Automatic Updater. I recommend you use the Automatic Updater to download and remind you of patches regularly, at least on your client machines (you may need to plan your OS X server updates more carefully).

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured UTM appliance can help mitigate the risk of some of these issues. That said, it cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Apple’s updates is your best solution.

Status:

Apple has released patches correcting these issues.

This alert was researched and written by Corey Nachreiner, CISSP.



4 Responses to “Apple Posts Security Updates for OS X, iOS, and Safari”

  1. Thanks for the sensible critique. Me & my neighbor were
    just preparing to do a little research on this. We got a grab a book
    from our area library but I think I learned more clear from this post.
    I’m very glad to see such wonderful info being shared freely out there.
