Security News

This past week Apple released updates for its operating systems and Safari web browser. These updates were made available between December 2 and December 6, but release notes outlining the security content of all updates were delayed until just a day ago (Safari notes still haven’t been published). Following is an overview of Apple’s security updates and how to install them.

macOS 10.13.2 High Sierra, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan

A total of 22 security issues were addressed for the current and previous two operating system (OS) versions. Apache, Directory Utility, Intel Graphics Driver and Kernel all received some attention. Mail received a fix for an issue that could cause S/MIME encrypted emails to be sent out unencrypted. Directory Utility and Screen Sharing Server had some work done to it to fix what was left of the root vulnerability. The Kernel received the most attention with 8 issues addressed that could lead to an application reading restricted memory contents and execute arbitrary code with kernel privileges.

In terms of software security, it has not been a stellar month for Apple, so having some more security issues addressed is definitely a good thing and hopefully more attention will be paid before future updates are released.

Apart from security fixes, some non-security related issues were addressed as well, namely:

• Improves compatibility with certain third-party USB audio devices.
• Improves VoiceOver navigation when viewing PDF documents in Preview.
• Improves compatibility of Braille displays with Mail.

And for enterprise users:

• Improves performance when using credentials stored in the keychain to access SharePoint websites that use NTLM authentication.
• Resolves an issue that prevented the Mac App Store and other processes invoked by Launch Daemons from working on networks that use proxy information defined in a PAC file.
• If you change your Active Directory user password outside of Users & Groups preferences, the new password can now be used to unlock your FileVault volume (previously, only the old password would unlock the volume).
• Improves compatibility with SMB home directories when the share point contains a dollar sign in its name.

For the full list of security issues addressed by these updates, have a look here. macOS 10.13.2 High Sierra can be downloaded through the App Store or as a stand-alone installer here. A Combo update is now also available which can be downloaded here. Security Update 2017-002 macOS Sierra can be downloaded through the App Store or here. And Security Update 2017-005 El Capitan can be downloaded from the App Store.

iOS 11.2

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.

iOS 11.2 introduced Apple Pay Cash to send, request, and receive money from friends and family with Apple Pay (US only), and also addressed quite a few non-security related bugs, which you can see listed here. In total, 14 security related issues were addressed with 8 for the Kernel, 1 for Mail addressing an S/MIME encryption issue and 1 for Wi-Fi.

The addressed Wi-Fi issue deserves some attention as this finally fixes the KRACK vulnerability for all the Apple devices that were left out in the cold almost two months ago. When the KRACK issues were first addressed, it was only made available for iPhone 7 and newer and 2016 iPad Pro and newer. Now the following devices are finally protected as well:

iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, iPhone SE, iPhone 5s, 12.9-inch iPad Pro 1st generation, iPad Air 2, iPad Air, iPad 5th generation, iPad mini 4, iPad mini 3, iPad mini 2, and iPod touch 6th generation.

The full list of security issues addressed can be found here. iOS 11.2 can be downloaded over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac and let iTunes do the update for you.

tvOS 11.2

Ten security issues were addressed in this update with the biggest focus on Kernel. tvOS also saw an issue relating to KRACK addressed that is now available to all Apple TV (4th generation) users. Previously the KRACK vulnerability was only patched for Apple TV 4K users.

The full list of security issues addressed can be found here. The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

watchOS 4.2

watchOS received the same security related fixes that iOS 11.2 did, and the KRACK vulnerability that was previously only available for Series 1 and Series 2 watches is now also available for Apple Watch (1st Generation) and Apple Watch Series 3.

New features and other fixes and improvements include:

• Ability to send and receive money with Apple Pay Cash in Messages or by asking Siri (US only)
• Adds support for HomeKit sprinklers and faucets in Home
• Adds support for a new workout type for third-party apps to track distance, average speed, number of runs, and elevation descended for downhill snow sports with Apple Watch Series 3
• Resolves an issue where Apple Watch would sometimes restart when asking Siri about the weather
• Fixes an issue where scrolling was disabled in Heart Rate for some users
• Resolves an issue that prevented simultaneous timers or alarms from being dismissed independently

The full list of security issues addressed can be found here. watchOS 4.2 can be installed by connecting the watch to its charger, then on the iPhone open the Apple Watch app > My Watch tab > General > Software Update.

Safari 11.0.2

No release notes are currently available for this Safari update, but a safe assumption is that most, if not all, fixes involve WebKit.

It is recommended to update to the latest system and application versions as soon as you can to take advantage of all the new features, enhancements and fixes. And, of course, make sure your data is backed up before doing so!

About Jay Vrijenhoek