Apple has released security updates for its many popular products, and has finally plugged the recently unveiled WPA2 flaws that allow attackers to extract sensitive information from Wi-Fi traffic.
Fixes for preventing a KRACK attack being leveraged against users have been included in the updates for all of Apple’s Wi-Fi enabled devices: Macs, iPhones and iPads, Apple Watch and Apple TV.
Other plugged flaws of note
A glut of vulnerabilities in WebKit, Apple’s layout engine software component of choice, have been fixed in iCloud and iTunes for Windows, as well as Safari, iOS, and tvOS. The flaws could have been exploited by attackers via maliciously crafted web content to achieve arbitrary code execution.
The Safari update also includes a fix for two vulnerabilities that can allow a malicious website to show an URL that should reassure users they are on a legitimate site.
Among other flaws, the iOS update fixes two vulnerabilities that could allow a person with physical access to an iOS device to access photos or read notifications from the lock screen.
The macOS update
As usual, the macOS update is the most substantial.
It includes fixes for vulnerabilities in several packages and libraries maintained by third parties, like Apache, PCRE, Postfix, and Tcpdump. Those were addressed by updating to newer versions of the packages.
Among the other closed up holes are:
- A vulnerability in Apple File System (APFS) that could allow a malicious Thunderbolt adapter to recover unencrypted APFS filesystem data
- Many code execution flaws that can be triggered with maliciously crafted files (mach binaries, archive files, font files, images, Office documents, etc.).
As an interesting side note, among the fixed vulnerabilities are five flagged and disclosed by the Australian Cyber Security Centre (which is part of the Australian Signals Directorate), and one by the UK National Cyber Security Centre (part of GCHQ).