On Monday, Apple released its latest batch of security patches for macOS, Safari, iOS, watchOS, tvOS, iTunes and iCloud for Windows.
The iTunes and iCloud for Windows updates fix four vulnerabilities in WebKit, the open source layout engine software component used for rendering web pages, and all four are pretty serious, as they could be triggered by maliciously crafted web content and allow for arbitrary (malicious) code execution.
The tvOS update contains fixes for three of these, but also for other WebKit arbitrary code execution and data exfiltration bugs that can be triggered through processing of maliciously crafted web content. It also plugs a buffer overflow issue and a use after free issue in the kernel that could be exploited by an app to execute arbitrary code with kernel privileges.
In fact, all of the updates released on Monday contain fixes for a variety of serious WebKit issues, as the engine is used by all of these Apple products.
The iOS update fixes a couple of less severe issues plaguing the Auto Unlock and Contacts components, as well as a WiFi bug that could force the device to show the home screen when it was effectively locked. The rest of the fixed issues are critical kernel and WebKit arbitrary code execution bugs.
This time, the watchOS update brings a bucketload of fixes in a wide variety of components. Some of the fixed issues are critical, as they could lead to arbitrary code execution triggered by the processing of maliciously crafted files, strings, font files, .mp4 files, web content, or certificates. The update also nixes a bug that could lead to certificates be unexpectedly evaluated as trusted, and makes the 3DES cryptographic algorithm no longer a default cipher.
The Safari update kills most of the previously mentioned WebKit bugs, and one state management issue in the address bar that could allow malicious website to show a spoofed URL to visitors.
The Safari update is also rolled into the macOS update, which nixed several PHP issues by implementing a newer version of the package, fixed two kernel issues, and plugged a potential code execution vulnerability in the vim editor that could be triggered by opening a maliciously crafted modeline.
None of the issues in the updates don’t seem to have been fixed in wake of known active attacks – they were mostly responsibly reported by security researchers. Still, that doesn’t mean that attackers didn’t known and didn’t exploit some of them in attacks that went undetected. In general, it’s a good idea to implement software security updates as soon as possible, and these are no exception.
Some of the documents accompanying the updates also contain thanks to the vusec group at Vrije Universiteit Amsterdam, as they assisted the company with some obviously much needed WebKit hardening.