Apple released a major set of security updates on May 15, fixing 37 security vulnerabilities in the desktop macOS operating system and 41 vulnerabilities in the iOS mobile operating system. Apple is also updating its tvOS and watchOS operating systems, which are derived from an iOS base.
Among the major sources of vulnerability disclosures that Apple credits is Google Project Zero. For iOS 10.3.2, Google Project Zero researchers are credited with reporting 16 issues, with an additional 8 issues reported for macOS. The largest single pool of issues reported by Google Project Zero is in the WebKit browser rendering component, where researcher Jung Hoon Lee, who is known by the alias ‘lokihardt’, reported 13 different vulnerabilities, including memory corruption and cross-site scripting flaws.
Beyond WebKit, there are several other components in iOS 10.3.2 that are being updated for memory corruption issues. The AVEVideoEncoder library had a memory corruption issue identified as CVE-2017-6989 that is now patched. According to Apple’s advisory, the impact of the flaw is that an application may be able to gain kernel privileges. The CVE-2017-6989 vulnerability was reported to Apple by Zimperium zLabs Team researcher Adam Donenfeld. Zimperium is the same security firm that first reported the Stagefright media server vulnerabilities in Google’s Android operating system back in June 2015.
Donenfeld is also credited with discovering a memory corruption issue (CVE-2017-6979) in the IOSurface component, which is present in both iOS and macOS and could potentially enable an application to gain kernel privileges.
Both iOS and macOS are also being patched for CVE-2017-2524, which is a memory corruption issue in the TextInput library.
“Parsing maliciously crafted data may lead to arbitrary code execution,” Apple warns in its advisory.
The macOS sandbox is a critical element of the desktop operating system’s security model, providing a restricted area for applications that limits risk. In the macOS 10.12.4 update, Apple is patching 4 sandbox-related vulnerabilities. Security researcher Federico Bento of the Faculty of Sciences at the University of Porto in Portugal discovered the CVE-2017-2512 vulnerability in the macOS sandbox.
“An application may be able to escape its sandbox,” Apple’s advisory states. “A memory corruption issue was addressed with improved memory handling.”
Security researchers Samuel Groß and Niklas Baumstark working with Trend Micro’s Zero Day Initiative are credited by Apple for reporting CVE-2017-2535, which is a resource exhaustion issue that could have enabled a sandbox escape. The two researchers are also credited with reporting two sandbox escape issues (CVE-2017-2534 and CVE-2017-6977) in Apple’s Speech Framework.
Apple had last patched macOS with the 10.12.4 update on March 27, while iOS was previously updated on April 3 with the iOS 10.3.1 release.