Apple Patch Update Fixes 66 CVEs

Security experts are urging Apple users to get patching after the firm released seven updates addressing 66 vulnerabilities in iOS, macOS and other products.

Apple famously doesn’t say if any of the bugs it is fixing are being actively exploited in the wild, but “the consequences of not applying these updates could prove costly in the months to come”, according to TippingPoint’s Zero Day Initiative (ZDI), which found a third of the software flaws.

Many should be considered critical as they allow remote code execution (RCE), the firm said in a blog post.

The macOS Sierra 10.12.5 update covers 37 CVEs including several kernel-related issues, some of which are sandbox escapes.

Meanwhile, iOS 10.3.2 fixes 41 vulnerabilities including multiple fixes for WebKit, the most severe of which “could allow the processing of maliciously crafted web content to allow arbitrary code execution”, ZDI said.

There is also an update to the certificate trust policy, which fixes a validation issue in the handling of untrusted certificates.

In addition, there are updates to watchOS and tvOS, whose fixes are shared with the iOS and/or macOS updates; the macOS update in turn shares fixes with the Safari update.

Safari 10.1.1 fixes 26 bugs including the WebKit RCE issue, and iCloud for Windows 6.2.1 fixes a WebKit arbitrary code execution bug, as does iTunes 12.6.1 for Windows.

According to ZDI, the update round addresses the majority of issues disclosed at the Pwn2Own contest earlier this year.

The updates come at a bad time for administrators given the critical WannaCry ransomware blitz that submerged many organizations over the weekend.

If nothing else, the past few days have shown that comprehensive patch management systems are a must for modern organizations.

However, it’s not always as simple as patching straightaway, according to Trend Micro VP of cloud research, Mark Nunnikhoven.

“Patches can change the landscape, rendering critical business applications unusable until they too can be patched. This cycle is why most businesses stick to traditional practices of testing patches, which significantly delays their deployment. Investing in automated testing to reduce deployment time is expensive and a difficult cost to justify given the long list of areas that need attention within the IT infrastructure,” he explained.

“This unrelenting river of patches makes it difficult for organizations to truly evaluate the risks and challenges of deploying critical security patches.”