Apple released its first operating system updates of 2017 on Jan. 23, with the debut of macOS 10.12.3 on the desktop and IOS 10.2.1 for iPhone and iPad users. The updates are the first since December 2016, when Apple released macOS 10.12.2 and IOS 10.2.
The IOS 10.2.1 update provides patches for 18 vulnerabilities, while the macOS 10.12.13 releases patches 11 vulnerabilities. In the IOS update, 12 of the issues are in the WebKit web browser rendering engine. The WebKit flaws include issues that could have enabled data exfiltration and arbitrary code execution. Apple is also fixing the same 11 WebKit issues in its Safari 10.0.3 web browser which is available for macOS.
Additionally, there is an interesting WiFi vulnerability identified as CVE-2017-2351 that could have potentially enabled a locked device to show a user’s home screen.
“An issue existed with handling user input that caused a device to present the home screen even when activation locked,” Apple warns in its advisory.
IOS 10.2.1 also addresses an auto unlock flaw identified as CVE-2017-2352 that is related to the use of an iPhone with an Apple Watch. According to Apple’s description of the flaw, the auto unlock feature may unlock when Apple Watch is not on the user’s wrist. The auto unlock capability with Apple Watch is intended to be a user convenience feature that will unlock a locked IOS or macOS device.
Both macOS and IOS are being patched for a pair of kernel vulnerabilities that could have potentially enabled an attacker to execute arbitrary code. CVE-2017-2370 is buffer overflow issue in the kernel, while CVE-2017-2360 is a use-after-free memory vulnerability in the kernel.
Apple macOS 10.12.3 also includes a patch for a vulnerability in the Help Viewer component, which is used by the desktop operating system to display help files.
“Processing maliciously crafted web content may lead to arbitrary code execution,” Apple warned in its advisory. “A cross-site scripting issue was addressed through improved URL validation.”
Multiple researchers contributed bug reports to Apple, though it is Google’s Project Zero research group that has the highest representation across both IOS and macOS updates. Eleven vulnerabilities in the Jan. 23 Apple updates are credited to Google Project Zero researchers. Three are credited to Ian Beer (CVE-2017-2370,CVE-2017-2360 and CVE-2017-2353), Ivan Fratic is also credited with three reports (CVE-2017-2362,CVE-2017-2373 and CVE-2017-2369). Google Project Zero researcher Jung Hoon Lee, who is known by the alias ‘lokihardt’, is credited with reporting four vulnerabilities (CVE-2017-2363, CVE-2017-2364, CVE-2017-2365 and CVE-2017-2371) that are patched by Apple this month.
In addition to the security fixes in the macOS 10.12.3 update, Apple is fixing multiple bugs that impact its new MacBook Pro that was released in October 2016. Among the fixes are improved automatic graphics switching and an update to resolve graphics issues related to Adobe Premiere Pro use on a MacBook Pro with Touch Bar.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.