Happy Holidays – New Updates for Mac OS


It is the holiday season, and with that come presents for Mac OS in the form of updates for a number of issues, including several denial-of-service vulnerabilities.

Apple released new security updates on December 13th: macOS Sierra 10.12.2, El Capitan 2016-003 and Yosemite 2016-007.

The winner for most CVE updates in this release is macOS Sierra 10.12.2, with 71 CVEs addressing a wide variety of vulnerabilities. These vulnerabilities include 8 denial-of-service issues:

  • CVE-2016-7609 : AppleGraphicsPowerManagement – Improved input validation has been added to address the possible impact of a local user being able to cause a system denial of service.
  • CVE-2016-7605 : Bluetooth – Improved input validation has been added to address the possible impact of an application being able to cause a system denial of service.
  • CVE-2016-7604 : CoreCapture – Improved state management has been added to address the possible impact of a local user being able to cause a system denial of service.
  • CVE-2016-7603 : CoreStorage – Improved input validation has been added to address the possible impact of a local user being able to cause a system denial of service.
  • CVE-2016-7667 : CoreText – Improved validation of overlapping ranges has been added to address the possible processing of a maliciously crafted string being able to cause a denial of service.
  • CVE-2016-7615 : Kernel – Improved memory handling has been added to address the possible impact of a local user being able to cause a system denial of service.
  • CVE-2016-6304 : LibreSSL and OpenSSL – Improved memory handling has been added to address unbounded OCSP growth, which could allow an attacker with a privileged network position to cause a denial of service.
  • CVE-2016-7636 : Security – Verification of OCSP revocation status after CA validation and limiting the number of OCSP requests per certificate has been added to address the possible impact of an attacker with a privileged network position being able to cause a denial of service.

This security update addresses memory corruption and shared memory issues, use-after-free issues, and validation and system privilege issues, in addition to the critical denial-of-service vulnerabilities.

New security content is also available for Safari 10.0.2, which addresses 25 CVEs focusing on arbitrary code execution in both Safari Reader and WebKit. Given the number of user-targeted vulnerabilities, it would be a good idea to install this security update sooner rather than later.

With the pending end to 2016, now is the perfect time to start a new habit of patching your Mac regularly and having a more secure 2017.

Updates for Mac including recent Zero Day – Are you caught up?

It’s December; let’s not forget about the Mac community and the recent updates available for Mac OS.

Since the release of macOS Sierra 10.12.1, Security Update 2016-002 El Capitan, and Security Update 2016-006 Yosemite on the 24th of October 2016, there have been a number of updates to both Apple and 3rd-party products.

Here are some highlights to consider and possible updates you may want to verify you have.

November 30th – Zero Day Critical update CVE-2016-9079 for a use-after-free vulnerability in SVG Animation in Mozilla Firefox, Firefox ESR, and Thunderbird allowing attackers to execute arbitrary malicious code on a target machine.

Although there have only been documented active exploits on computers running Windows, the vulnerability is present in the Mac OS X version of the browser.

November 29th – Update CVE-2016-4780 for a null pointer dereference issue in macOS Sierra 10.12 Thunderbolt allowing applications to execute arbitrary code with kernel privileges. This update includes improved input validation.

November 27th – 2 Updates for macOS Sierra 10.12:

  • AppleMobileFileIntegrity had a validation issue where a signed executable could substitute code with the same team ID. Update CVE-2016-7584 added additional validation.

  • FontParser had a buffer overflow in the handling of font files where a maliciously crafted font file could lead to arbitrary code execution. Update CVE-2016-4688 added improved bounds checking.

November 14th – Update CVE-2016-7580 for an issue in macOS Sierra 10.12 Mail where a malicious website could cause a denial of service. This update includes improved URL handling.

November 8th – Critical update APSB16-37 for Adobe Flash Player. This update contains 9 different CVEs addressing vulnerabilities that could allow malicious native code to execute without a user being aware.

 

macOS Sierra and Safari 10 Security Updates

Today brings a new version of macOS (formerly known as Mac OS X, formerly known as Mac OS) with macOS Sierra 10.12. It also includes a new version of Safari with the release of version 10. While many will write about the cool new features such as Siri on the Mac or Apple Pay via the web, let’s talk about the vulnerabilities fixed and why enterprises should care.

macOS Sierra

macOS Sierra 10.12 fixed 60 vulnerabilities. Many of the vulnerabilities relate to escalation of privilege, denial of service, and information disclosure. Some of the more interesting vulnerabilities include:

  • CVE-2016-4702: an Audio component vulnerability where a remote attacker may be able to execute a malicious program.
  • CVE-2016-4738: a libxslt component vulnerability where malicious web content could lead to executing a malicious program.

These examples are noteworthy because they are often used as the starting point for exploiting a system through social engineering. Once the hacker has access, the other vulnerabilities may be useful to gain additional access or information.

Safari 10

Today also marks the release of Safari 10, which is embedded in macOS Sierra and available as an update for OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6. This update fixed a total of 21 vulnerabilities, including 16 where processing malicious web content may lead to arbitrary code execution. This is Apple speak for "visiting bad websites or web ads may result in running malware." Needless to say, this update should be applied on all systems. If you still have systems on OS X Mavericks v10.9.x, it is time to upgrade.

Summary

With 60 vulnerabilities fixed in macOS Sierra and 21 in Safari 10, there are many reasons to upgrade. Based on the nature of the vulnerabilities, upgrading all systems to Safari 10 should take priority, as many of those vulnerabilities could be used in phishing and other web exploits. Finally, this release effectively ends support for OS X Mavericks.

Apple Mac OS X September 1, 2016 Security Updates

September brings us updates for Safari and Mac OS X which appear to be a late response to the iOS zero-day vulnerabilities patched last week in iOS 9.3.5. Because of the nature of the exploits in these vulnerabilities and the small size of the update, these updates should be treated as critical and applied quickly.

iOS 9.3.5

To better understand these updates, we must explore iOS 9.3.5, which came out on August 25, 2016. Deep analysis by Lookout and Citizen Lab found that a spyware product called Pegasus uses zero-day vulnerabilities and sophisticated techniques for targeted attacks on mobile devices. The three vulnerabilities in use are being dubbed the Trident Exploit Chain:

  • CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution
  • CVE-2016-4655: An application may be able to disclose kernel memory
  • CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges

Here is a summary of the exploit actions from Lookout:

“The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.”

Read more: Sophisticated, persistent mobile attack against high-value targets on iOS (https://blog.lookout.com/blog/2016/08/25/trident-pegasus/)

Once installed, the spyware can be used to gather data from the phones including calls, messages, and app data. Targets for these attacks include a human rights activist from the United Arab Emirates, a Mexican journalist, and unknown individuals from Kenya.

Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite

The two kernel vulnerabilities were included in these updates. With iOS 9.3.5 as a background, there are a few insights. First, OS X and iOS share a lot of code. This has always been known, but this update really reinforces this reality. Exploits may target one platform over the other, but potential for exploit often exists on both platforms. The second insight, or question, is: why the delay? Obviously, the exploit chain was being used on iOS, but the same actions of phishing, opening a browser and loading malicious code are possible on Mac OS X. It could be a simple case of engineering timelines, but security teams should again consider that what happens on iOS may affect Mac OS X and vice versa.

Noticeably absent from these updates is an update for the nearly 3-year-old OS X Mavericks. There are a few conclusions that you can make based on this difference: OS X Mavericks isn’t vulnerable or Apple didn’t choose to fix these issues. If there have ever been vulnerabilities worth fixing, this set would be it. That said, if I’m a betting man, I say that Apple decided not to fix these issues. As I’ve noted in previous articles, Apple is selective about fixing issues for the older versions of Mac OS X, and staying current on the latest version is as important as applying the latest patches. I can’t state for a fact that OS X Mavericks is vulnerable, but I would be shocked if somehow it didn’t have these vulnerabilities.

Safari 9.1.3

Safari 9.1.3 fixes the vulnerability where a maliciously crafted website may lead to arbitrary code execution. We see such vulnerabilities addressed in almost every Safari update, and they should be a warning, as these are prime for exploit through phishing or any other method which cons unsuspecting users into clicking on a link.

Summary

If there are a few takeaways for IT and security teams here, they are:

  • Consider iOS and Mac OS X vulnerabilities to be related to each other
  • Older versions of Mac OS X are not going to have updates to fix every vulnerability including obvious critical ones
  • Don’t ignore your Apple devices – they get exploited too

Apple July 2016 Mac OS X Updates


As was the case in May, Happy Apple Patch Monday!

Apple’s July 2016 Mac OS X Updates apply to Mac OS X, including versions El Capitan 10.11.6; Security Update 2016-004 for Mavericks 10.9.5 and Yosemite 10.10.5; and Safari, with a new version 9.1.2. In total, there were 72 vulnerabilities fixed, with many that create high risk for enterprises.

OS X 10.11.6 and Security Update 2016-004

Apple is clearly in maintenance mode for released versions of OS X as they prepare to get macOS Sierra ready for release in a few months. There are no apparent significant new features in OS X 10.11.6, some bug fixes, and fixes for 60 vulnerabilities. These vulnerabilities also apply to older versions in the form of Security Update 2016-004.

As is the case in other security updates, Apple is selective about which vulnerabilities are fixed for the older, supported versions. I highly doubt that many of these vulnerabilities only apply to 10.11. In terms of a breakdown of the vulnerabilities fixed by OS X version, we get:

OS X Version       Vulnerabilities Fixed
10.9.5             18
10.10.5            19
10.11 and later    60

Interesting vulnerabilities fixed in this release include seven that apply to QuickTime where processing an image file can lead to arbitrary code execution. These types are golden for hackers since they can be emailed via spam or phishing and lure a target to compromise. With all of the terrible headlines in the news lately, it is easy to imagine how a hacker might send a message using news of the day with an image attached which someone would be enticed to open.

There were also a number of other arbitrary code execution vulnerabilities that address the PHP, Graphics, Image, and SSL components. There is one vulnerability, CVE-2016-2108, in the OpenSSL component that is particularly nasty with a CVSS 3.0 score of 9.8 out of 10. With all the attacks on SSL (Heartbleed) in recent times, this alone is a strong reason to upgrade all Macs with this update.

Safari 9.1.2

Safari 9.1.2 applies to OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.6 and fixes 12 vulnerabilities. Of the dozen vulnerabilities, six have the impact where, to quote Apple, “Visiting a maliciously crafted website may lead to arbitrary code execution.”

Needless to say, arbitrary code execution is bad news, and being able to trigger it by simply visiting a maliciously crafted website is really bad news. A real-world example is phishing an end user to get them to click on a link and visit a bad website, which then causes ransomware to be downloaded and run. The first instance of ransomware in the wild was discovered in March and delivered by an infected BitTorrent client, but it’s only a matter of time before web-based targeting occurs using vulnerabilities like those fixed in Safari 9.1.2.

Other Updates

As is typically the case, Apple also released updates for other key software including iOS 9.3.3, watchOS 2.2.2, tvOS 9.2.1 (I’m wondering if this is a version error, as May also had a tvOS 9.2.1), and iTunes 12.4.2 for Windows. An interesting note is that on iTunes 12.4.2, all of the vulnerabilities fixed also applied to the OS X updates and came in the form of various XML libraries. There is not a lot of detail in the bulletin to determine the impact of these iTunes fixes, but there are some nasty vulnerabilities, including CVE-2016-1836, which allows arbitrary code execution via a bad XML file ("check out my cool playlist" and get hacked, for example).

Summary

Like the May 2016 updates, this month’s release doesn’t have anything by way of features to encourage users to upgrade, but there are plenty of high-security risks that should encourage all enterprises to update as soon as possible.

Apple May 2016 Mac OS X Updates

Happy Apple Patch Monday! Today’s Apple May 2016 Mac OS X Updates impact Mac OS X, including El Capitan 10.11.5, Security Update 2016-003 for Mavericks 10.9.5 and Yosemite 10.10.5, and Safari 9.1.1. In total, there were 77 vulnerabilities fixed, including many high-risk vulnerabilities that should be remediated quickly.

OS X 10.11.5 and Security Update 2016-003

The last Mac OS X Security Update was on March 21, and today’s release of OS X 10.11.5 and Security Update 2016-003 brings fixes to 67 vulnerabilities across OS X Mavericks 10.9.5, OS X Yosemite 10.10.5, and OS X El Capitan 10.11. As with previous security updates, the majority of vulnerabilities are only fixed in El Capitan. Here is the breakdown of vulnerabilities fixed by OS X version:

  • 12 in Mavericks 10.9.5
  • 13 in Yosemite 10.10.5
  • All 70 fixed in El Capitan 10.11

With Apple’s latest version focus, it is very interesting to explore the vulnerabilities that were fixed in the older versions. Included in that mix are vulnerabilities where:

  • An application can determine the kernel memory layout
  • An attacker in a privileged network position may execute arbitrary code with user assistance
  • Malicious XML, website, or web content may lead to arbitrary code execution

The last category is the most interesting, as malicious websites or files are useful for hackers to social engineer their way onto a system.

Among the vulnerabilities only fixed in El Capitan, there is one of note for its exploitability and impact. It is a vulnerability in QuickTime (CVE-2016-1848) where opening a maliciously crafted file may lead to arbitrary code execution. This is interesting in that social engineering could be employed to get a user to click on a video file, such as by using a headline of the day that would be enticing to watch such as “Funny Quotes from Donald Trump”, and bad things ensue (quite literally in the case of a malicious video).

There are many other vulnerabilities, but the true severity and impact are obscured by Apple’s limited information. That said, there are plenty of reasons to update quickly.

Safari 9.1.1

Safari 9.1.1 applies to Mavericks 10.9.5, Yosemite 10.10.5, and El Capitan 10.11.5. This is a minor update with 7 vulnerabilities fixed, including 5 where arbitrary code could be executed by visiting a malicious website. Such vulnerabilities are hooks for phishers to use to bait users into visiting malicious websites and compromising their systems. One other vulnerability is a minor risk in that it prevents fully deleting browsing history. The final vulnerability (CVE-2016-1858) is a moderate risk where visiting a malicious website may disclose data from another website. If you have any doubt, make sure Safari is brought up to date quickly, as the 5 arbitrary code vulnerabilities will undoubtedly be useful for targeting users.

Other Updates

Apple usually releases updates for everything at once and this release is no different. There were also updates for iOS (9.3.2), watchOS (2.2.1), tvOS (9.2.1), and iTunes (12.4).

Summary

This month’s updates do little to entice users to want to update their systems in terms of new features. That said, Apple will push them down unless a user explicitly avoids it. There are enough critical vulnerabilities in these updates that all organizations should ensure all Mac OS X systems are brought up to date quickly.

Apple Mac OS X Updates for March 2016

With Macs continuing to expand in the enterprise, and our increased focus on Mac patching, we are overdue to provide analysis on OS X updates as we do with those on Microsoft and third-party vendors on Patch Tuesday. Apple released a number of updates on March 21 that impact Mac OS X, including El Capitan 10.11.4, Security Update 2016-002 for Mavericks 10.9.5 and Yosemite 10.10.5, Safari 9.1, Xcode 7.3, and OS X Server 5.1. In total,

Before diving into the analysis, it is clear that Apple is much less transparent about their security than Microsoft and other vendors. While listing the Common Vulnerabilities and Exposures (CVE) IDs for their vulnerabilities, they did not reveal much information for proprietary components in the CVEs making it difficult to assess risk. Yet, analyzing the impact descriptions for their fixes gives one a sense of the risk.

OS X 10.11.4 and Security Update 2016-002

The last OS X security update was in mid-January and the latest brings fixes to 59 vulnerabilities. Interestingly, 36 of the vulnerabilities fixed were only fixed in El Capitan. The fixes that apply to Mavericks and Yosemite include vulnerabilities that allow malicious PNG and XML files to run arbitrary code, and such vulnerabilities are prime candidates for phishing attacks. Among the El Capitan-only fixes was a fix in the FontParser for a vulnerability that could allow a malicious PDF to run arbitrary code, which, again, is a prime candidate for phishing and other social engineering techniques. While it isn’t clear if this vulnerability, and others only fixed on El Capitan 10.11, are also found in older versions of OS X, the clear gap in fix applicability suggests that organizations should always update to the latest version of Mac OS X, and not just the latest security update. There were many other types of vulnerabilities fixed across numerous OS X components that have lower risk exposure, but the bottom line is that one should update their Macs to secure all exposures.

Safari 9.1

Safari 9.1 is available for Mavericks 10.9.5, Yosemite 10.10.5, and El Capitan 10.11 to 10.11.3 (it’s included in 10.11.4). There were 12 vulnerabilities fixed, including three where arbitrary code could be executed through malicious XML or web content. These alone are a reason to upgrade. Other vulnerabilities compromise privacy, create denial of service, enable UI spoofing, or provide access to restricted ports. Safari 9.1 includes numerous new features that are the motivation for users to update and drag security fixes along.

Xcode 7.3

For developers, there is Xcode version 7.3, which fixed three vulnerabilities across two components: otool and subversion. The subversion vulnerabilities are the most significant, where connection to a malicious server could allow arbitrary code execution. There were many new features in Xcode 7.3, like support for iOS 9.3, watchOS 2.2, and tvOS 9.2, along with other improvements. Most developers will update for those features alone. However, the security fixes should be a reason on their own.

OS X Server 5.1

For those not familiar, OS X Server is an application that can be downloaded from the App Store (for $19.99 in the US) to enable server capabilities like website hosting, wikis, backups, file sharing, and many other features.

There were four vulnerabilities fixed in OS X Server that address RC4 exploits, access to sensitive information remotely, and storing backups on a volume without permissions enabled.

Summary

Apple is one of the best companies around for getting people to adopt new components by driving new features, interesting users and wrapping security in with the release. Most Apple users have grown accustomed to updating their devices when prompted. That said, it is still important to assess compliance and update systems in your organization to ensure there are no lingering risks.