Apple Releases OS X, Safari, and iOS Security Updates

Yesterday, Apple released a handful of security advisories for various products, including:

The Snow Leopard update fixes only one security issue. If you read my “Fraudulent Certificate” post from a few weeks ago, you know that attackers were able to get their grubby hands on some fraudulently issued, but technically legitimate, digital certificates for some pretty well-known domains. At the time, Microsoft had released a fix for Windows to ensure that it would not consider these certificates legitimate. This small OS X update does the same thing for Snow Leopard.

The Safari update, which is probably the most critical of them all, fixes two flaws in the popular browser’s WebKit component. By enticing you to a web page containing malicious code, an attacker could leverage these flaws to execute code on your computer, with your privileges. Attackers commonly exploit these types of flaws in drive-by download attacks.

The two iOS updates also fix various code execution vulnerabilities that could occur on iPhones, iPods, and iPads. The worst is similar to the Safari vulnerabilities above. If an attacker can lure you to a special site with your iPhone, he could exploit this vulnerability to execute code. Since certain applications run on iPhones as root, this could give attackers full control of the device. In the real world, these sorts of iOS flaws are more commonly leveraged by jailbreakers to gain control of their phones. However, nothing is stopping malicious attackers from leveraging the same techniques to spread mobile malware.

If you have any of these products, you should download and install the updates recommended in each advisory, or just let Apple’s automatic update software do it for you. — Corey Nachreiner, CISSP. (@SecAdept)

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.
