Story image

Apple issues security patches for…just about everything

25 Jan 2017

If you have a piece of Apple technology in your house or office, chances are that it’s time you updated it.

On Monday Apple issued security patches for all of its major operating systems – fixing vulnerabilities in iOS, macOS, watchOS, tvOS, the Safari browser, and iCloud for Windows.

iPhones and iPads, for instance, now have access to new version of the iOS operating system – version 10.2.1. In a support knowledge base article, Apple shares details of a host of vulnerabilities that iOS 10.2.1 reportedly fixes, including a flaw that allowed devices to be automatically unlocked even when users were not wearing a linked Apple Watch.

In addition, updating to iOS 10.2.1 is said to fix two very serious remote code execution flaws that Google vulnerability researchers uncovered in Apple’s code.  

Such vulnerabilities potentially, if left unpatched, could be abused by criminal hackers eager to install malware onto targeted devices.

Furthermore, 12 vulnerabilities in Webkit – the technology Apple uses to render webpages in iOS and macOS – have been fixed.

More details of these and other security fixes in iOS 10.12.1 are described on Apple’s support knowledgebase webpage. To update your iPhones and iPads, select “Settings / General / Software update”.

Macs and MacBooks haven’t escaped the wave of security patches either, with users encouraged to update to macOS Sierra 10.12.3 to protect against a variety of vulnerabilities.

The security holes addresses in macOS Sierra 10.12.13 include “multiple issues” in PHP, and a method by which an attacker may be able to exploit a weakness in Apple’s Bluetooth code to execute malicious code with kernel privileges.

In addition, the new version of macOS Sierra is said to fix a vulnerability in Help Viewer which – if left unpatched – could allow a malicious attacker to plant boobytrapped content on a webpage that would result in arbitrary code execution.

Mac users, including those still running Mac OS X Yosemite and El Capitan, are advised by Apple to update their copies of the Safari web browser to version 10.0.3. The new version of Apple’s browser fixes numerous flaws which could be exploited by attackers if users visit poisoned webpages from a vulnerable computer.

More details of these and other security fixes in macOS Sierra 10.12.13 are described on Apple’s support knowledgebase webpage.

To update your Apple desktop and laptop computers, open the “App Store” and choose “Updates” from the top right corner of the window.

Meanwhile watchOS (updated to version 3.0.3) and tvOS (updating Apple TV devices to version 10.1.1 of the operating system) also received fixes, including fixes for flaws that could see maliciously crafted content leading to arbitrary code execution.

My view is that if Apple is treating the security vulnerabilities seriously, and pushing the patch out to the masses, then you should take them seriously too.

Although there is an argument that it’s unwise to be one of the very first to install a security update, in case the code is buggy or causes conflicts, for most people it probably makes sense to install the updates at the earliest opportunity.

Patches and security updates are an essential part of your arsenal of weaponry, defending you from online attack. Combined with other security solutions you can harden your systems and reduce the chances of a hacker stealing your records or hijacking your online identity.

Although it would have been better if these software bugs had not been present in the first place, Apple should be applauded for addressing the security holes and helping to make their users safer.

A notable rival smartphone operating system has had a much more chequered history when it comes to making security updates available to users.

Article by Graham Cluley, We Live Security, ESET 

ESET researchers break down latest arsenal of the infamous Sednit group
At the end of August 2018, the Sednit group launched a spear-phishing email campaign, in which it distributed shortened URLs that delivered first-stage Zebrocy components.
Container survey shows adoption accelerating while security concerns remain top of mind
The report features insights from over 500 IT professionals.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Fake apps on Google Play scamming users out of cryptocurrency
Fake cryptocurrency apps on Google Play have been discovered to be phishing and scamming users out of cryptocurrency, according to a new report from ESET.
Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.
SEGA turns to Palo Alto Networks for cybersecurity protection
When one of the world’s largest video game pioneers wanted to strengthen its IT defences against cyber threats, it started with firewalls and real-time threat intelligence from Palo Alto Networks.
Forrester names Trend Micro Leader in email security
TrendMicro earned the highest score for technology leadership, deployment options and cloud integration.
LogRhythm releases cloud-based SIEM solution
LogRhythm Cloud provides the same feature set and user experience as its on-prem experience.