SANS ISC: Apple Patches for iOS, OS X and Apple TV

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

With yesterday's updates for iOS, OS X and Apple TV, Apple also addressed a number of security vulnerabilities, most notably the "Freak" vulnerability. After updating, the affected operating systems no longer support export quality ciphers. However, Apple browsers continue to support SSLv3 and as a result, continue to be vulnerable to POODLE.

Quick Summary of the security content of Apple's updates:

XCode 6.2: This update addresses 4 vulnerabilities in subversion and 1 in git. 

OS X: 5 vulnerabilities. The most serious of which is likely a code execution vulnerability in Keychain.

Apple TV: 3 vulnerabilities. One of which would allow an attacker to write files to the system if the user mounts a corrupt disk image.

iOS: 6 vulnerabilities. In addition to FREAK and the above mentioned Keychain problem, a vulnerability that allows an attacker with physical access to the device to see the home screen on a locked devices is patched.

For details from Apple, see https://support.apple.com/en-us/HT1222

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn