Yesterday, Apple released a handful of security advisories for various products, including:
The Snow Leopard update only fixes one security issue. If you read my “Fraudulent Certificate” post from a few weeks ago, you know that attackers were able to get their grubby hands on some fraudulently-issued, but technically legitimate digital certificates for some pretty well known domains. At the time, Microsoft had released a fix for Windows to ensure that it would not consider these certificates legitimate. This small OS X updates does the same thing for Snow Leopard.
The Safari update, which is probably the most critical of them all, fixes two flaws in the popular browser’s WebKit component. By enticing you to a web page containing malicious code, an attacker could leverage this flaw to execute code on your computer, with your privileges. Attackers commonly exploit these type of flaws in drive-by download attacks.
The two iOS updates also fix various code execution vulnerabilities that could occur on iPhones, iPods, and iPads. The worst is similar to the Safari vulnerabilities above. If an attacker can lure you to a special site with your iPhone, he could exploit this vulnerability to execute code. Since certain applications run on iPhones as root, this could give attackers full control of the device. In the real-world, these sorts of iOS flaws are more commonly leveraged by jailbreakers; to gain control of their phones. However, nothing is stopping malicious attackers from leveraging the same techniques to spread mobile malware.
If you have any of these products, you should download and install the updates recommended in each advisory, or just let Apple’s automatic update software do it for you. — Corey Nachreiner, CISSP. (@SecAdept)