It’s time to patch your Mac, iDevices and software again: Apple has released security updates for MacOS (all the way back to Yosemite), iOS, watchOS, tvOS, iTunes, iCloud for Windows, and Safari.
The iTunes and iCloud for Windows updates fix one vulnerability in WebKit each. But both of these are critical, as they can be triggered by maliciously crafted web content and could lead to arbitrary code execution.
One of these flaws also affects Safari, but the Apple security team fixed also a bucketload of other WebKit memory corruption issues that can be exploited in the same way and lead to either arbitrary code execution or universal cross site scripting.
The watchOS and the tvOS updates fix pretty much the same vulnerabilities, but Apple Watch users also get fixes for many of the aforementioned WebKit flaws, and a WebKit Web Inspector that could allow an application to execute unsigned code.
Among the flaws fixed in these two updates are also four code execution flaws in the open source SQLite component, which were discovered by Google’s OSS-Fuzz project, as well as a several vulnerabilities that could allow an application to either read restricted memory, or execute arbitrary code with kernel privileges.
The macOS update addresses a total of 37 vulnerabilities, including a certificate validation issue that could allow a malicious network to capture user network credentials, an iBooks flaw that could allow attackers to open arbitrary websites without user permission just by tricking users into opening a maliciously crafted book, and a number of flaws in various components that would allow an app to escape its sandbox or to gain kernel privileges.
Finally, the iOS update fixes a combination of all the aforementioned flaws in WebKit, SQLite, iBooks, and other components. It also contains a certificate validation issue that cropped up when untrusted certificates were handled.
Apple advises users to update all their software as soon as possible.
Despite the fact that Apple’s products are targeted by attackers much less often than, let’s say, Microsoft’s Windows or Google’s Android, the recent WannaCry attack has shown how crucial it is to keep up with security updates.