Apple Updates Everything (again) ... and fixes a "911 DoS bug" in iOS
Last Updated: 2017-03-28 02:12:12 UTC
by Johannes Ullrich (Version: 2)
Apple today released yet again one of its well known "surprise patch days" that update everything.
Apple iWork: This is Apple's Office suite. I do not remember seeing a lot of updates for it so far, and this release fixes a single flaw. Until now, Apple used RC4 to encrypt password protected iWork documents. RC4 is of course no longer adequate, and going forward iWork will use AES 128.
Safari: The Safari update addresses a number of WebKit issues and various other typical browser flaws. Some of the vulnerabilities can lead to arbitrary code execution. Based on the "Credits" given to researchers, it appears that some of the flaws came from the pwn2own contest.
macOS Sierra / OS X El Capitan and Yosemite: This update fixes vulnerabilities for open source software included in Apple's operating system (libressl, php, tcpdump , OpenSSH, OpenSSL and others). In particular, the tcpdump issues are interesting as they are quite old by now. This update also fixes (yet again) and EFI issue that would allow an attacker to retrieve the FielVaul 2 encryption password if the attacker can connect to the Thunderbolt port during boot.
iOS: Lots of overlap with the OS X and Safari updates due to the shared code base. An interesting iOS specific vulnerability that is addressed here allows attackers to use third party apps to make phone calls without user permission. Problems like this have been abused by pranksters to trick users into dialing 911 which in some cases lead to DoS attacks against 911 call centers.
watchOS/tvOS: A lot of overlap here with the other updates, so nothing special to mention. Still: Patch!
There has been a lot of interest in exploiting Apple products. I highly recommend updating expeditiously. So far I haven't heard of any issues with these updates (if you know of any: please leave a comment below)
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute