Apple today released security updates for its desktop Mac OS X 10.11 and mobile iOS 9 operating systems. The patched security issues span all aspects of both operating systems, including networking, graphics and wireless operations.
Of particular note in both the Mac OS X 10.11.2 and mobile iOS 9.2 updates is the volume of security vulnerabilities patched that were reported to Apple by a single man, Ian Beer, a security researcher with Google’s Project Zero. Apple credits Beer with reporting nine vulnerabilities impacting OS X (CVE-2015-7110, CVE-2015-7078, CVE-2015-7106, CVE-2015-7077, CVE-2015-7112, CVE-2015-7068, CVE-2015-7083, CVE-2015-7084 and CVE-2015-7047). Of those issues, five also impacted iOS 9 (CVE-2015-7112, CVE-2015-7068, CVE-2015-7083, CVE-2015-7084 and CVE-2015-7047).
Among the issues reported by Beer that impacted both OS X and iOS is a memory corruption flaw (identified as CVE-2015-7112) in the Apple IOHIDFamily library. The vulnerability could have enabled an application to execute arbitrary code with full system rights.
Beer also found a pair of memory corruption issues (identified as CVE-2015-7083 and CVE-2015-7084) in both the OS X and iOS kernels. According to Apple’s advisory, these issues could have enabled a local user to execute arbitrary code with kernel privileges.
Of particular note in Apple’s updates is also the CVE-2015-7094 fix for the CFNetwork HTTPProtocol that impacts both iOS and Mac OS X. CFNetwork is the Apple operating system component that helps enable networking services. “An attacker with a privileged network position may be able to bypass HSTS [HTTP Strict Transport Security],” Apple warns in its advisory.
HSTS is a security configuration that forces Web connections to occur over Secure Sockets Layer/Transport Layer Security (SSL/TLS) encrypted communications. The risk of an HSTS bypass is that a site that should only be available over SSL/TLS becomes accessible over an unencrypted connection, where an attacker could easily view a user’s data traffic. The CVE-2015-7094 issue was reported to Apple by security researchers Tsubasa Iinuma and Muneaki Nishimura.
As part of both the OS X 10.11.2 and iOS 9.2 updates, Apple is fixing another SSL/TLS vulnerability.
“A remote attacker may cause an unexpected application termination or arbitrary code execution,” Apple’s explanation of the CVE-2015-7073 vulnerability states. “A memory corruption issue existed in handling SSL handshakes.”
The CVE-2015-7073 vulnerability was reported to Apple by security researcher Benoit Foucher of ZeroC.
Networking-related flaws aren’t the only issues that Apple’s updates fix. The CVE-2015-7015 vulnerability in Apple’s CoreGraphics library impacts both iOS and OS X and was reported by security researcher John Villamil of the Yahoo Pentest Team.
“Processing a maliciously crafted font file may lead to arbitrary code execution,” Apple warns. “This issue was addressed through improved input validation.”
Looking specifically at iOS 9 vulnerabilities, the CVE-2015-7037 flaw in the Photos app is particularly interesting in that it could have enabled an attacker to get access to a user’s system by way of the mobile backup features.
“A path validation issue existed in Mobile Backup,” Apple’s advisory states. “This was addressed through improved environment sanitization.”
Apple also patched its Siri assistant technology for an information disclosure vulnerability identified as CVE-2015-7080. “A person with physical access to an iOS device may be able to use Siri to read notifications of content that is set not to be displayed at the lock screen,” Apple warns.
The new OS X and iOS updates follow the last major set of security updates, which debuted in October with the OS X 10.11.1 and iOS 9.1 releases.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.