October 13, 2011

Apple Releases Slew of Security Updates (OSX, Safari, iTunes, iOS 5, aTV)

I wasn’t going to post about last week’s fairly significant iTunes update, but then Apple went and patched a whole bunch of vulnerabilities across the board. Some of these are fairly significant so I thought I would provide a short breakdown of the changes. Either way, you should definitely be patching all of your Apple devices and software tonight.

Hit the jump for a summary of the key vulnerabilities patched in Apple’s security updates.

Mac OS X 10.7.2 (and Security Update 2011-006 for Mac OS X 10.6.8)

Safari 5.1.1

    • Fixes a major issue that allowed a website to remotely launch binaries and execute commands on the local system
    • Fixes an issue allowing malicious JavaScript to be executed in the context of an installed Safari extension
    • Fixes numerous WebKit vulnerabilities that could result in arbitrary code execution
    • Viewing maliciously-crafted Microsoft Office documents may lead to arbitrary code execution

iOS 5

    • Fixes issue where an attacker may intercept credentials to a CalDAV server
    • Fixes issue where iOS applications could access the user’s AppleID credentials that were logged to a file
    • Removal of DigiNotar Root CA certificate
    • SSL certificates signed using MD5 algorithm no longer trusted except for Root CA certificates
    • Addition of TLSv1.2 to help prevent BEAST-style SSL attacks
    • Parental controls password was stored in a plaintext file that could be accessed by applications
    • Numerous (69) WebKit fixes, some of which may result in arbitrary code execution
    • WiFi passwords were stored in a plaintext file that could be accessed by applications

iOS ‘Pages’ and ‘Numbers’ versions 1.5

    • Fixed a memory corruption vulnerability with Microsoft Word and Excel documents that could lead to arbitrary code execution

iTunes 10.5

    • iTunes no longer requires the installation of QuickTime on Windows
    • Fixes a number of arbitrary code execution vulnerabilities already patched in Mac OS X 10.6.8 or 10.7.2

Apple TV 4.4

    • Removal of DigiNotar Root CA certificate
    • SSL certificates signed using MD5 algorithm no longer trusted except for Root CA certificates
    • Addition of TLSv1.2 to help prevent BEAST-style SSL attacks