Apple Patches Large Number of Flaws in iOS, macOS Updates

Apple on March 27 released updates for both iOS and macOS Sierra, its second security updates of 2017 for the operating systems. Both iOS 10.3 for iPhone and iPad users and macOS Sierra 10.12.4 for desktop users patch myriad flaws.

The prior iOS 10.2.1 and macOS Sierra 10.12.3 updates debuted on Jan 23.

The iOS 10.2.1 update is particularly large by iOS standards, with 71 different identified vulnerabilities patched by Apple. None of the issues in the new update, however, is identified in any way with the recent WikiLeaks Vault 7 CIA disclosure that alleged that there are multiple Apple operating system vulnerabilities.

Among the largest sources of vulnerability reports for iOS 10.2.1 is the Google Project Zero research team, which Apple credits for reporting 15 vulnerabilities across the mobile operating system.

Apple addressed a number of particularly interesting flaws in the iOS 10.2.1 update, including a pair (CVE-2017-2430 and CVE-2017-2462) in the Audio library. Apple’s advisory warns that the audio vulnerabilities could have enabled arbitrary code execution if a user attempted to process a maliciously crafted audio file.

Apple’s Siri voice assistant was also the root cause of a vulnerability that is now patched by Apple.

“Siri might reveal text message contents while the device is locked,” Apple warned in its advisory. “An insufficient locking issue was addressed with improved state management.”

While the iPhone is much more than just a simple cellular phone, one of the core capabilities is the aptly named Phone application that enables users and applications to make phone calls. As it turns out, there was a vulnerability, identified as CVE-2017-2484, that could have enabled a third-party application to start a phone call without the user’s permission and without any user interaction.

“An issue existed in iOS allowing for calls without prompting,” Apple’s advisory states. “This issue was addressed by prompting a user to confirm call initiation.”

Also of note was a flaw in the iTunes Store that could have enabled an attacker to interfere with iTunes network traffic. The flaw, identified as CVE-2017-2412, was also a relatively simple one. Requests to ITunes web services were being sent in cleartext—that is, they were sent unencrypted, according to Apple. As the flaw was simple, so too was the fix. Apple is now enabling HTTPS encrypted transport for the iTunes web services process.

macOS 10.12.4

The macOS 10.12.4 update in many respects is a superset of the vulnerabilities patched in iOS, with additional libraries that are only present on the desktop. The total number of macOS flaws fixed in the new update is 116, which might seem like a large number without looking at the underlying details.

At least 40 of the vulnerabilities patched in macOS 10.12.4 are in the open-source tcpdump network process.

“Multiple issues existed in tcpdump before 4.9.0,” the Apple advisory states. “These were addressed by updating tcpdump to version 4.9.0.”

Among the interesting flaws patched in the macOS 10.12.4 update was a hardware-related issue, whereby a malicious Thunderbolt adapter could have been used to recover a user’s FileVault storage encryption key.

Also of note is the CVE-2017-2403 vulnerability in Apple’s printing function that could have been trigged with an Internet Printing Protocol (IPP) link.

“Clicking a malicious IPP(S) link may lead to arbitrary code execution,” Apple warns in its advisory.