Apple released its first security updates of 2016 on Jan. 19, with the debut of OS X 10.11.3 and IOS 9.2.1, which provides patches for multiple classes of vulnerabilities that could potentially enable attackers to exploit users and their devices. Apple last issued security patches for OS X and iOS on Dec. 9.
Among the problems fixed in OS X and iOS is CVE-2016-1722, a vulnerability in the syslog logging function that was discovered by security researchers Joshua Drake and Nikias Bassen of Zimperium zLabs. CVE-2016-1722 is a privilege escalation issue that could have potentially led to remote code execution or a denial-of-service attack.
Drake is well-known in the security research community for his discovery of the Stagefright media library flaws in Google’s Android operating system. Though Zimperium has been successful in finding Android flaws, the company wasn’t specifically looking for an issue with Apple’s syslog.
“We sort of stumbled on it on accident,” Drake told eWEEK.
Zimperium researchers had found a crash condition when doing fuzzing—a security research technique in which random characters and code are thrown at a program to see what will happen, Drake explained.
“Our fuzzer was not targeting the syslog code, but some of our fuzzing framework just happened to exercise the vulnerable code leading to a crash,” Drake said.
Another high-impact flaw Apple is patching is CVE-2016-1730, an iOS vulnerability in the WebSheet function. WebSheet is an internal iOS app that enables users to connect to public WiFi access points.
“A malicious captive portal may be able to access the user’s cookies,” Apple warned in its advisory.
The CVE-2016-1730 vulnerability was reported to Apple by Skycure security researchers Adi Sharabani and Yair Amit. In a blog post, Amit explained that the vulnerability is triggered by how iOS handles cookies when it interfaces with a WiFi captive portal.
“When iOS users connect to a captive-enabled network (commonly used in most of the free and paid WiFi networks at hotels, airports, cafes, etc.), a window is shown automatically on users’ screens, allowing them to use an embedded browser to log in to the network via an HTTP interface,” Amit wrote. “As part of Skycure’s continuous research on network-based attacks against mobile devices, we found that the embedded browser used for Captive Portals creates a vulnerability by sharing its cookie store with Safari, the native browser of iOS.”
As has been the case in previous Apple security updates, Ian Beer, a security researcher with Google’s Project Zero, is credited with discovering multiple issues. For OS X 10.11.3 and iOS 9.2.1 updates, Apple credits Beer with reporting three memory corruption vulnerabilities—CVE-2016-1719, CVE-2016-1720 and CVE-2016-1721—which affect both OS X and iOS.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.