Coinciding with the launch of its new iCloud service, Apple has rolled out massive updates fixing scores of security vulnerabilities in Mac OS X, iOS and related software.
The latest mobile operating system, iOS 5, went live Oct. 12, which requires the latest version of iTunes to install. Apple released a new version of its iTunes software for Windows on Oct. 11. If those two major upgrades weren’t enough, Apple also updated the Mac OS X Lion operating system with 10.7.2. A security update for Snow Leopard users, 10.6, is also available.
Users trying to access so many updates so close together are putting a strain on Apple servers, resulting in long download times and strange error messages when trying to install, according to irate users on Twitter and Apple support forums.
The upgrades are necessary for users interested in using iCloud to synchronize music, photos, documents and other files across their iPhone, iPad or iPod Touch and the Mac desktop. The latest iTunes, version 10.5, is necessary to upgrade to newer models of the iPhone, iPad and iPod Touch to iOS 5. Both the Mac and Windows versions of iTunes have all the features necessary to take advantage of iCloud support, wireless synchronization and iOS 5.
The iTunes 10.5 for Windows update patched 79 security vulnerabilities in a slew of components, including WebKit, ColorSync, CoreFoundation, CoreAudio, CoreMedia and ImageIO, according to Apple’s advisory. WebKit alone accounted for 73 bugs that Apple fixed in this version of iTunes. The framework is a core part of iTunes and the Safari Web browser, and all but one of the bugs were memory corruption vulnerabilities. Several of the bugs, if exploited, could have resulted in an attacker remotely executing code on the affected Mac. Other WebKit issues would have resulted in denial-of-service conditions or crashed iTunes, according to Apple.
Apple fixed the security issues in iTunes only in the Windows version, and rolled the fixes into the OS X updates for Mac users.
In the Mac OS X 10.7.2 update and the update for 10.6 (Snow Leopard), Apple fixed 75 known vulnerabilities in the operating system, Chester Wisniewski, senior security adviser at Sophos, told eWEEK. Most could lead to arbitrary code execution, while others could result in denial of service or escalation of privileges, Wisniewski said.
Apple addressed “quite a few important security issues,” including the vulnerabilities with Open Directory that had been introduced this summer with the release of Lion, the latest Mac OS X operating system. The various flaws in Open Directory allowed people to read other users’ password hashes, change passwords without having to know the old password and log into the system without a password, according to Wisniewski. The OS X update also fixed how Web cookies are stored and handled so that malicious sites can no longer read information stored on them.
In addition, Apple released a new version of the Safari Web browser for Lion and Snow Leopard. Wisniewski estimated there were approximately another 70 security flaws fixed in the browser update.
Apple also removed the DigiNotar certificates from its mobile devices in iOS 5. While the company had removed the embattled certificate authority from the desktop last month after reports emerged of attackers compromising DigiNotar to issue fraudulent Secure Sockets Layer (SSL) certificates for major Websites, mobile devices running Safari had remained unprotected.
There is already a jailbreak available for iOS 5. At the moment, only a tethered jailbreak exists for iOS 5 running on iPhone 4 and 3GS, iPad and iPod Touch. A tethered jailbreak means the user has to connect the mobile device to the computer to run the code. An untethered jailbreak is expected shortly, according to rumors.
