• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Apple Posts Security Updates for OS X, iOS, and Safari

September 20, 2012 By Corey Nachreiner

Severity: High

Summary:

  • These vulnerabilities affect: Apple OS X 10.6.x-10.8.x, Safari 6.0 and below, and iOS 5.1.1 and below.
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into opening specially crafted files, or visiting malicious websites
  • Impact: Various results; in the worst case, an attacker can execute code with your privileges, and leverage other flaws to elevate to root
  • What to do: Install the appropriate OS X, Safari, and iOS update as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Yesterday, Apple released three security updates to fix many vulnerabilities in OS X, iOS, and Safari (Mac version only). Like the iTunes patch from last week, these updates fix an unusually large number of vulnerabilities. For instance, the iOS update fixes around 197 flaws, many of them affecting the Webkit component.  If you use Mac computers, or iOS devices, you should apply these significant updates quickly. I quickly summarize Apple’s three alerts below:

  • iOS 6 Corrects 197 vulnerabilities

If you paid attention to Apple’s iPhone 5 announcement last week, you may also have been excited about iOS 6, which they posted yesterday. If iOS 6’s new features weren’t enough to sell you on the new firmware, Apple’s iOS 6 security alert should close the deal. According to Apple’s alert, iOS 6 fixes around 197 security vulnerabilities. The flaws differ widely, but attackers can exploit the worst of them to execute arbitrary code on your iOS devices. The attacker only has to lure you to a site containing malicious content, or entice you to interact which some sort of file (whether it be an image, movie, or config file). If you have an iPhone, iPod, or iPad, you should update it to iOS 6 as quickly as possible. See Apple’s security update if you want more details on the individual flaws, including their CVE numbers.
WatchGuard rating: Critical

  • OS X Update Fixes Leopard, Lion, and Mountain Lion Vulnerabilities

Apple also released a huge OS X security update to fix vulnerabilities in all current versions of OS X. The almost 700MB patch fixes about 35 (number based on CVE-IDs) security issues in many components that ship as part of OS X or OS X Server, including QuickTime, the Kernel, and BIND. Again, the flaws differ in scope and impact, but the worst allow attackers to execute code with your privileges simply by enticing you into viewing malicious file or web content. Furthermore, some of the Kernel flaws allow attackers to elevate their privilege, gaining complete control of your computer. If you use a Mac, you should install the update as quickly as you can. See Apple’s alert for more detail on each flaw.
WatchGuard rating: Critical

  • Safari for Mac Update

Finally, Apple also released an update to fix about 60 security flaws in Safari for Mac (Apple seems to have discontinued supporting Safari for Windows). Many of these flaws are the same Webkit component issues that Apple recently patched in iTunes. Like those flaw, by enticing you to a web site containing malicious code, attackers can execute code with your privileges. Many of the vulnerabilities are ideal for drive-by download attacks. Again, if you have a Mac, I recommend you patch Safari, even if you don’t use it as your primary browser.
WatchGuard rating: Critical

Solution Path:

Apple has released update for all these products. If you use Mac computers, or iOS devices, you should download and install the updates as soon as you can, or let Apple’s Software Updater do it for you. That said, the OS X update is rather large, and will require a reboot, so plan that update accordingly.  Personally, I have had few issues with Apple’s Automatic Updater. I recommend you use the Automatic Updater to download and remind you of patches regularly, at least on your client machines (you may need to plan your OS X server updates more carefully).

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured UTM appliance can help mitigate the risk of some of these issues. That said, it cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Apple’s updates are your best solution.

Status:

Apple has released patches correcting these issues.

References:

  • Apple’s september OS X security alert
  • Apple’s september iOS security alert
  • Apple’s september Safari security alert
  • Apple’s manual download page

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at [email protected].
More alerts and articles: Log into the LiveSecurity Archive.

Share This:

Related

Filed Under: Security Bytes Tagged With: Apple, iPad, iPhone, mac, Safari, Software vulnerabilities, Updates and patches

Comments

  1. phoenix garage door repair says

    May 2, 2013 at 7:51 pm

    Thanks for the sensible critique. Me & my neighbor were
    just preparing to do a little research on this. We got a grab a book
    from our area library but I think I learned more clear from this post.
    I’m very glad to see such wonderful info being shared freely out there.

    Reply
  2. https://m.facebook.com/saricalar?id=193929663995652&refsrc=httpstr-tr.facebook.com&_rdr says

    August 8, 2013 at 6:46 pm

    Luckily with Brazilian laser hair removal, you do not need to grow
    your hair out for weeks at a time like you do with waxing.

    People who have undergone it report that it’s similar to gently snapping rubber band against the skin. They will be able to give you an estimate on how many sessions you are likely to need and the approximate cost.

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • US National Cybersecurity Strategy
  • Cybersecurity’s Toll on Mental Health
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • Here Come The Regulations

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • Here Come The Regulations
  • US National Cybersecurity Strategy
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • Cybersecurity’s Toll on Mental Health
  • Successfully Prosecuting a Russian Hacker
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use