Apple Makes Security Improvements to iOS and OS X

iOS alone is being patched for 39 vulnerabilities, but it's not just about fixing existing flaws; the update is also providing new features to harden security.


Apple updated its mobile and desktop operating systems on May 16, with the release of iOS 9.3.2 and Mac OS X 10.11.5 with patches to a number of security vulnerabilities.

For Apple's OS X desktop operating system, the new update follows the 10.11.4 release that debuted on March 21, while the iOS 9.3.1 mobile operating system update came out on March 31.

As has been the case with prior Apple updates, Google's Project Zero security researchers and Trend Micro researchers are the leading sources of the vulnerability reports patched by Apple. Apple credits Google Project Zero researcher Ian Beer with reporting nine vulnerabilities that it patched in this cycle (CVE-2016-1793, CVE-2016-1794, CVE-2016-1803, CVE-2016-1807, CVE-2016-1813, CVE-2016-1819, CVE-2016-1821, CVE-2016-1823 and CVE-2016-1846).

Trend Micro, meanwhile, is credited with reporting 22 flaws, of which 13 were reported by researchers working through the Zero Day Initiative (ZDI). ZDI became part of Trend Micro by way of the $300 million acquisition of Hewlett Packard Enterprise's TippingPoint division. ZDI pays security researchers for vulnerabilities and then responsibly discloses the flaws to the affected vendors.

"Mac OS X and iOS are platforms that Trend Micro's security researchers look at," Christopher Budd, global threat communications manager at Trend Micro, told eWEEK. "As far as our Zero Day Initiative soliciting vulnerabilities from researchers for Mac OS X and iOS for possible vulnerabilities, Mac OS is one of the platforms of focus for Pwn2Own 2016."

At the Pwn2Own 2016 hacking challenge, which ran in March, security researchers were awarded a total of $460,000 in prizes for finding vulnerabilities in Apple, Microsoft, Google and Adobe technologies.

Among the noteworthy vulnerabilities patched in iOS and OS X is CVE-2016-1801, which was reported by security researchers Alex Chapman and Paul Stone of Context Information Security. The CVE-2016-1801 flaw is in the CFNetwork Proxies component, which provides network protocol abstractions in both iOS and OS X.

"An information leak existed in the handling of HTTP and HTTPS requests," Apple warned in its advisory. "This issue was addressed through improved URL handling."

Looking specifically at the iOS 9.3.2 update, Andrew Blaich, security researcher at Lookout, said Apple patched 39 vulnerabilities.

"In this OS update, as has happened in previous updates, we're continuing to see patches come out for iOS that are aimed at hardening the software used to process media such as images, XML documents and Web content," Blaich told eWEEK. "These patches are critical, since enterprise and consumer users are constantly using their mobile devices to view this type of content on their devices."

Media processing libraries are particularly important on mobile operating systems and have been exploited by attackers, most notably on Android with the Stagefright mediaserver flaws.

"We will continue to see further hardening in the libraries responsible for media processing as it's an easy attack vector to get someone to view an image or open a document," Blaich said. "As smartphones become even more essential to our everyday work and personal lives, in many cases serving as the access token for any number of sensitive or corporate accounts, cracking them will be increasingly attractive to the attackers."

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.


Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.