Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Subscribe
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Subscribe
    Home Applications
    • Applications
    • Cybersecurity
    • Mobile
    • PC Hardware

    Apple Patches OS X and iOS, Yet Unpatched Flaws Remain

    Written by

    Sean Michael Kerner
    Published February 26, 2014
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      Apple is updating both its Mac OS X desktop operating system and its iOS mobile operating system to fix flaws related to the implementation of Secure Sockets Layer (SSL) encryption. The iOS 7.0.6 update was released by Apple on Feb 21, and the OS X Maverick 10.9.2 update got its release on Feb 25.

      The iOS and Mac OS X updates share a critical security flaw identified by the Common Vulnerabilities and Exposures (CVE) number CVE-2014-1266.

      “Secure Transport failed to validate the authenticity of the connection,” Apple warned in its security advisory. “This issue was addressed by restoring missing validation steps.”

      Security researcher Adam Langley blogged that the missing validation step was an incorrect use of the “goto fail” statement in the code that validates that a given SSL certificate is in fact valid.

      The SSL flaw isn’t iOS’ only security issue. Research firm FireEye released details of a new and unpatched flaw that also affects iOS devices. The flaw is a background app logging issue that could enable a potential malicious app to collect information without user authorization.

      “We have created a proof-of-concept ‘monitoring’ app on non-jailbroken iOS 7.0.x devices,” FireEye noted. “This ‘monitoring’ app can record all the user touch/press events in the background, including, touches on the screen, home button press, volume button press and TouchID press, and then this app can send all user events to any remote server.”

      A FireEye spokesperson confirmed to eWEEK that Apple has been properly notified about the issue and is working on a fix. Apple did not directly respond to a request for comment from eWEEK on the issue.

      There is, however, a mitigation iOS users can perform on their own to limit the risk of a malicious background monitoring app.

      “The only way for IOS users to avoid this security risk is to use the iOS task manager to stop the apps from running in the background to prevent potential background monitoring,” FireEye advises.

      OS X 10.9.2

      While the SSL flaw fix in OS X 10.9.2 is noteworthy because it is identical to the one in iOS, other flaws were also fixed in the OS X update.

      Apple is patching its QuickTime media player software in OS X for six separate vulnerabilities that could have exposed users to risk and enabled an attacker to take control of a system.

      Simply viewing a maliciously crafted JPEG image file also potentially could have enabled an attack to exploit a Mac OS X user.

      “An uninitialized memory access issue existed in libjpeg’s handling of JPEG markers, resulting in the disclosure of memory contents,” Apple warned in its advisory. “This issue was addressed by better JPEG handling.”

      Among the other interesting security fixes in the new Mac OS X 10.9.2 update is one for a security flaw in the system clock. The risk was that an unprivileged user could have potentially been able to change the system clock.

      “This update changes the behavior of the ‘systemsetup’ command to require administrator privileges to change the system clock,” Apple’s advisory stated.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and writer for several leading IT business web sites.

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.