Apple Releases macOS 10.13.1 High Sierra, iOS 11.1 with Security Fixes

Posted on October 31st, 2017 by

Today Apple has released security updates for macOS, iOS, tvOS, watchOS and Safari. Also released were previously undisclosed notes about security fixes from past updates. Here's the scoop on macOS 10.13.1 High Sierra, iOS 11.1 and more, and where to grab the software updates.

macOS 10.13.1 High Sierra, Security Update 2017-001 Sierra and Security Update 2017-004 El Capitan

A total of 147 security issues were addressed for the current and last two OS versions. Apache, APFS, ImageIO, Sandbox and Kernel all received some attention, but the most work was done on tcpdump with 90 fixed issues. Apple's release notes currently lack detail and simply state the problem as "Multiple issues in tcpdump," with the fix being "Multiple issues were addressed by updating to version 4.9.2." Tcpdump is a packet analyzer that's part of the OS. It can see and display all incoming and outgoing traffic on your Mac, so it is certainly not an ideal place to have a security vulnerability, let alone 90!

Most notable are the previously discussed KRACK vulnerabilities, which have now been addressed for High Sierra, Sierra and El Capitan users, as long as these updates are installed, of course.

Apart from a slew of security related fixes, High Sierra users also get:

  • Adds support for 70 new emoji, including food types, animals, mythical creatures, clothing options, more expressive smiley faces, gender-neutral characters and more.
  • Fixes a bug where Bluetooth appeared as unavailable during Apple Pay transactions.
  • Improves the reliability of Microsoft Exchange message sync in Mail.
  • Fixes an issue where Spotlight does not accept keyboard input.

Enterprise content:

  • Improves the reliability of SMB printing.
  • Makes Touch ID preferences accessible while logged in as a mobile account on MacBook Pro with Touch Bar.
  • Adds support for unlocking a FileVault-encrypted APFS volume using a recovery keychain file. For details, enter man diskutil in Terminal.

For the full list of security issues addressed by these updates, have a look here. macOS 10.13.1 High Sierra can be downloaded through the App Store or as a stand-alone installer here. Security Update 2017-001 macOS Sierra can be downloaded from here. And Security Update 2017-004 El Capitan can be downloaded from here.

iOS 11.1

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.

Kernel, Messages, Siri and WebKit all got some attention in this update, which received patches for 20 security issues. A few of the issues worth mentioning are as follows:

Messages
Impact: A person with physical access to an iOS device may be able to access photos from the lock screen
Description: A lock screen issue allowed access to photos via Reply With Message on a locked device. This issue was addressed with improved state management.

Siri
Impact: A person with physical access to an iOS device may be able to use Siri to read notifications of content that is set not to be displayed at the lock screen
Description: An issue existed with Siri permissions. This was addressed with improved permission checking.

Having those two issues resolved should be enough reason to update for most, as the thought of unauthorized access to one's device is the biggest concern among most users. Apple also addressed a KRACK vulnerability in iOS 11.1, but sadly did not feel the need to make it available to a wide range of iOS users.

Wi-Fi
Available for: iPhone 7 and later, and iPad Pro 9.7-inch (early 2016) and later
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.

iPhone 7 and later and iPad Pro 9.7-inch (early 2016) and later are the only devices to see the KRACK vulnerabilities addressed. There are countless iPhone 6, SE, 5s and even older devices still out there that will therefore remain exposed to these particular vulnerabilities.

Apart from security related fixes, iOS 11.1 users also get:

  • Over 70 new emoji characters including new food types, animals, mythical creatures, clothing options, more expressive smiley faces, gender-neutral characters and more
  • Fixes for several issues in Photos that caused photos to appear blurry and Live Photo playback to be slow
  • Several accessibility fixes and improvements for braille support and VoiceOver
  • And more.

The full list of security issues addressed can be found here. iOS 11.1 can be downloaded over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac and let iTunes do the update for you.

tvOS 11.1

Nineteen security issues were addressed in this update with the biggest focus on WebKit. Of course, tvOS also had a KRACK vulnerability addressed, but it is only available to 4K Apple TV users. Anyone with a 4th generation Apple TV is out of luck.

The full list of security issues addressed can be found here. The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

watchOS 4.1

With just four security issues addressed, this is not a major update — yet installing it is recommended as always. One of the updates was designed to address a KRACK vulnerability, which is only available for Series 1 and Series 2 watches.

New features and other fixes and improvements include:

  • Stream music on Apple Watch Series 3 with Apple Music or iCloud Music Library
  • Listen to live radio on Beats 1 on Apple Watch Series 3
  • Use Siri to find, discover, and play music
  • Sync fitness data with GymKit-enabled equipment
  • Fixes an issue for Apple Watch Series 1 and later where Heart Rate notifications were delivered when the feature was not enabled
  • Resolves an issue that was causing haptics to not be delivered for silent alarms

The full list of security issues addressed can be found here. watchOS 4 can be installed by connecting the watch to its charger and then, on the iPhone, opening the Apple Watch app > My Watch tab > General > Software Update.

Safari 11.1

Fifteen security related issues were addressed, 13 of which were for WebKit.

The full, albeit small, list of security issues addressed can be found here. The update can be downloaded by going to the App Store > Updates tab.

Updated documentation

Apple has also updated previously released documentation for the following software:

  • macOS 10.13 High Sierra
    At the time of release on September 25, this document listed just 43 issues that were addressed. Today this document was updated to include 49 more. Issues were addressed in Apache, 802.1X, AppleScript and more.
  • iOS 11
    At the time of release on September 19, this document listed just 8 issues that were addressed. Today this document was updated to include 76 more.
    Issues were addressed in Bluetooth, 802.1X, Network Proxies, Kernel and more.
  • tvOS 11
    At the time of release on September 19, this document listed just 7 issues that were addressed. Today this document was updated to include 58 more.
    Issues were addressed in many of the same components mentioned in the iOS 11 update.
  • watchOS 4
    At the time of release on September 19, this document listed just 23 issues that were addressed. Today this document was updated to include 20 more.
    Issues were addressed in many of the same components mentioned in the iOS 11 and tvOS 11 updates.

You can read each document and watch for the "Entry added" notes under each CVE listing. The fixed issues that were added to those documents have been part of their respective OS versions since they were released; Apple just didn't mention them, likely because additional fixes were needed to make fully functional patches.

It is recommended to update to the latest system and application versions as soon as you can to take advantage of all the new features, enhancements and fixes. And, of course, make sure your data is backed up before doing so!

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread.
