Although industry watchers’ eyes were on Apple’s iPhone and iPad announcements on March 21, on the same day, the company released a series of important security updates for its mobile and desktop operating systems. Of particular note is a high-impact vulnerability in Apple’s Messages app that is now fixed in both the OS X 10.11.4 and iOS 9.3 operating systems.
The new Apple mobile and desktop operating system updates are the second so far in 2016, following the OS X 10.11.3 and iOS 9.2.1 updates released Jan. 19.
CVE-2016-1788 is a cryptographic issue in Apple’s Messages app that was reported to Apple by researchers Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers and Michael Rushanan of Johns Hopkins University. The potential risk of the vulnerability is that an attacker could read a user’s encrypted messages.
“An attacker who is able to bypass Apple’s certificate pinning, intercept TLS [Transport Layer Security] connections, inject messages and record encrypted attachment-type messages may be able to read attachments,” Apple wrote in its advisory.
Apple’s Messages app is also being fixed for a pair of different issues in iOS 9.3 and OS X 10.11.4. In iOS 9.3, the CVE-2016-1763 vulnerability is an issue that could have enabled a malicious Website to auto-fill text into other Message threads.
Apple’s Kernel in both OS X and iOS is being patched for nine different vulnerabilities (CVE-2016-1750 through CVE-2016-1758). The potential impact of the kernel vulnerabilities includes arbitrary code execution with full kernel privileges.
Another large set of patches for both iOS and OS X comes by way of the libxml2, XML parsing library, which is at risk from nine different vulnerabilities (CVE-2015-1819, CVE-2015-5312, CVE-2015-7499, CVE-2015-7500, CVE-2015-7942, CVE-2015-8035, CVE-2015-8242, CVE-2016-1761 and CVE-2016-1762).
“Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution,” Apple warns in its advisory. “Multiple memory corruption issues were addressed through improved memory handling.”
Both iOS and OS X also are receiving a patch for a pair of vulnerabilities (CVE-2016-0801 and CVE-2016-0802) in Apple’s WiFi component.
“An attacker with a privileged network position may be able to execute arbitrary code,” Apple’s advisory warns.
Simply opening up a malicious PDF file on either OS X or iOS could have potentially triggered the CVE-2016-1740 vulnerability, which is now being patched. The CVE-2016-1775 vulnerability is somewhat similiar, whereby processing a malicious font in OS X or iOS could have potentially led to arbitrary code execution.
In addition to the iOS and OS X update, Apple also has released the Safari 9.1 Web browser fixing a dozen different vulnerabilities (CVE-2009-2197, CVE-2016-1762, CVE-2016-1771, CVE-2016-1772, CVE-2016-1778, CVE-2016-1779, CVE-2016-1781, CVE-2016-1782, CVE-2016-1783, CVE-2016-1784, CVE-2016-1785 and CVE-2016-1786).
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.