Security updates for OS X, iOS fix bucketload of serious bugs

Apple has released security updates for Safari, OS X Yosemite (and previous OS X versions), and iOS.

The OS X update contains fixes for 77 vulnerabilities, many of which can be exploited by attackers to gain admin or root privileges, crash applications, gain unauthenticated access to the system, execute arbitrary code, intercept network traffic, and so on.

It also includes fixes for vulnerabilities in the Mac EFI (Extensible Firmware Interface), one of which could allow a malicious app with root privileges to modify EFI flash memory when it resumes from sleep states.

The existence of the suspend/resume vulnerability was publicly revealed a month ago by SentinelOne researcher Pedro Vilaça, who based his research on previous discoveries by researchers Trammell Hudson, Xeno Kovah and Corey Kallenberg. You can find more details about it in this blog post.

“While (I believe) its real world impact is small, it is nonetheless a critical vulnerability,” Vilaça notes. The Mac EFI update (included in the OS X update) plugs this hole.

The iOS security update contains fixes for a slew of vulnerabilities that could lead to unexpected application termination or arbitrary code execution simply by getting users to open, or the OS to process, a maliciously crafted PDF, text, font or .tiff file.

The Logjam bug in coreTLS, which could be exploited by an attacker with a privileged network position to intercept SSL/TLS connections, has also been plugged, as have two vulnerabilities discovered by FireEye researchers, which could allow attackers to deploy two new kinds of Masque Attack and prevent iOS and Watch apps from launching.

“We call these exploits Manifest Masque and Extension Masque, which can be used to demolish apps, including system apps (e.g., Apple Watch, Health, Pay and so on), and to break the app data container,” the researchers explained in a blog post, in which they also detailed a previously fixed, but undisclosed, masque vulnerability that bypasses iOS entitlement enforcement and hijacks VPN traffic.

According to the researchers, around one third of iOS devices still sport the last flaw, as their owners have not yet updated their OS to version 8.1.3 or above.