Apple is updating both its desktop macOS Sierra and mobile iOS operating systems for multiple security vulnerabilities. The iOS 10.2 update was officially released on December 12, while the macOS 10.12.2 update followed a day later on December 13.
Among the items fixed in iOS 10.2 is a vulnerability, first publicly disclosed in a YouTube video on November 16, that can enable a potential attacker to access a user’s photos and contacts from the iPhone’s lock screen. The vulnerability is identified as CVE-2016-7664 and was reported by Miguel Alvarado of iDeviceHelp.
“A lock screen issue allowed access to photos and contacts on a locked device,” Apple’s security advisory warns. “This issue was addressed by restricting options offered on a locked device.”
There are two other iPhone unlocking vulnerabilities patched in the iOS 10.2 update, with both issues found in the SpringBoard system. SpringBoard is the iOS application that manages the home screen on an iPhone. The CVE-2016-4781 issue could have enabled an attacker with physical access to an iOS device to unlock the device, due to what Apple refers to as a ‘counter issue’ with handling passcode reset requests. The CVE-2016-7597 vulnerability in SpringBoard would have potentially enabled an attacker with physical access to keep a device unlocked, thanks to an issue in the Siri personal assistant.
Also of note is CVE-2016-4690, a flaw in iOS’ Image Capture libraries that could have enabled a malicious Human Interface Device (HID) to trigger arbitrary code execution.
“A validation issue existed in the handling of USB image devices,” Apple states in its advisory. “This issue was addressed through improved input validation.”
For both the iOS 10.2 and macOS 10.12.2 updates, there are also multiple patches to Apple’s FontParser library. CVE-2016-4691 and CVE-2016-4688 are vulnerabilities that could have enabled an attacker to execute arbitrary code with a maliciously built font file.
There are also seven Apple kernel vulnerabilities (CVE-2016-7606, CVE-2016-7607, CVE-2016-7612, CVE-2016-7615, CVE-2016-7621, CVE-2016-7637 and CVE-2016-7644) that impact both iOS and macOS. The kernel vulnerabilities are all memory-related security issues.
In addition to the operating system updates, Apple is updating its Safari web browser to version 10.0.2 for 24 security vulnerabilities, of which 23 are found in the WebKit browser rendering engine. The single issue fixed in Safari that isn’t WebKit-related is CVE-2016-7650 in the Safari Reader. The Safari Reader is a feature in the Safari web browser that aims to make web pages more readable.
“Enabling the Safari Reader feature on a maliciously crafted webpage may lead to universal cross site scripting,” Apple warns in its Safari advisory.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist