
Apple Releases macOS High Sierra, iOS 11 and more with Security Fixes

Posted on September 26th, 2017 by


Yesterday Apple released macOS High Sierra, which apart from new security and privacy features also includes several security fixes. While iOS 11, Safari 11 and other updates were released a week ago, Apple had not released all of the details about the security fixes these updates included until yesterday. Now that all the details are available, it's time to recap.

macOS 10.13 High Sierra

A combined 43 security vulnerabilities were addressed with the macOS 10.13 upgrade, which, according to Apple's documentation, affect OS X versions as far back as 10.8 Mountain Lion. Vulnerabilities were addressed in Mail, Firewall, FireWire drivers and other areas of the system.

  • 1 Kernel fix preventing applications from executing arbitrary code.
  • 3 issues that allowed an attacker in a privileged network position to intercept traffic or impersonate a service.
  • 3 issues that allowed an application to cause a denial of service.

Of particular importance is a fix for an issue in Mail that allowed the sender of an email to determine the recipient's IP address. Senders can put content in their emails that your Mail app is forced to download from a remote server. The download is made by your Mac, not by the mail server that the message was routed through. Because it is your Mac loading that content, a sender can see your home or office IP address in their server logs. The IP address can then be used for port scans and other nefarious purposes.

Mail has had a defense against this in the Preferences > Viewing tab, called "Load remote content in messages." When this is turned off, Mail will only display the contents that were in the Mail message itself (text, formatting and attached files). This will prevent a sender from seeing your IP address, but it unfortunately also breaks most emails as almost everything these days is sent with remotely loaded content in it. Loading or not loading that content can be the difference between an email being readable and making sense, or not. In this case, it's definitely a trade-off between security and usability. High Sierra fixes an issue that prevented this setting in preferences from working correctly.
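To see which servers a message would contact if remote content were loaded, the following added example (not part of the original article and not Apple's code) parses an email and lists the remote URLs an HTML-rendering mail client would fetch automatically. The sample message, its host names and the function and class names are constructed for illustration.

```python
import html
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs a renderer fetches automatically, without a click.
AUTO_FETCH = {("img", "src"), ("link", "href"), ("iframe", "src"),
              ("body", "background"), ("td", "background")}
# url(...) references in inline style attributes and <style> blocks.
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v for n, v in attrs if v and (tag, n) in AUTO_FETCH]

def remote_fetches(raw_message):
    """Return sorted (host, url) pairs contacted when the HTML parts render."""
    msg = message_from_string(raw_message, policy=policy.default)
    finder = RemoteRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_content()
            finder.feed(body)
            finder.urls += CSS_URL.findall(html.unescape(body))
    hits = set()
    for url in finder.urls:
        parts = urlsplit(url.strip())
        if parts.scheme in ("http", "https") and parts.hostname:  # cid:/data: stay local
            hits.add((parts.hostname, url.strip()))
    return sorted(hits)

# Constructed sample message; all hosts are placeholders.
SAMPLE = """\
From: newsletter@sender.example
Content-Type: text/html; charset="utf-8"

<html><body style="background:url('https://cdn.sender.example/bg.png')">
<img src="cid:logo@sender.example">
<img src="https://track.sender.example/open.gif?id=123" width="1" height="1">
<a href="https://www.sender.example/offer">Offer</a>
</body></html>
"""

if __name__ == "__main__":
    print(*remote_fetches(SAMPLE), sep="\n")
```

The embedded `cid:` image and the clickable link are not reported: the first travels inside the message and the second is only fetched if the reader clicks it.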

For the full list of security issues that were addressed, have a look here.

macOS High Sierra can be downloaded through the App Store.

iOS 11

Initially after release, the security updates documentation only listed 8 issues fixed. Later that day this was updated to list 15 and yesterday, after High Sierra was released, this was updated again to now list 62 issues addressed. Of note are the following fixes:

MobileBackup
Impact: Backup may perform an unencrypted backup despite a requirement to perform only encrypted backups
Description: A permissions issue existed. This issue was addressed with improved permission validation.

Phone
Impact: A screenshot of secure content may be taken when locking an iOS device
Description: A timing issue existed in the handling of locking. This issue was addressed by disabling screenshots while locking.

Wi-Fi
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved memory handling.

Wi-Fi
Impact: Malicious code executing on the Wi-Fi chip may be able to execute arbitrary code with kernel privileges on the application processor
Description: A memory corruption issue was addressed with improved memory handling.

Wi-Fi
Impact: Malicious code executing on the Wi-Fi chip may be able to read restricted kernel memory
Description: A validation issue was addressed with improved input sanitization.

Location Framework
Impact: An application may be able to read sensitive location information
Description: A permissions issue existed in the handling of the location variable. This was addressed with additional ownership checks.

As you can see, these are not minor issues. A large portion of the addressed issues were for WebKit: twenty-two issues in total in which processing maliciously crafted web content may lead to arbitrary code execution and universal cross-site scripting.

The full list of security issues that were addressed can be found here.

iOS 11 can be downloaded over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac and let iTunes do the update for you.

Safari 11

Listed as an update that:

  • Stops media with audio from automatically playing on most websites
  • Adds the ability to configure Reader, content blockers, page zoom, and auto-play settings on a per-website basis, or for all websites
  • Improves AutoFill accuracy from Contacts cards
  • Includes updated media controls for HTML video and audio
  • Enhances performance and efficiency

Upon release, the security update documentation only listed 3 fixed issues. After High Sierra was released, Apple updated the documentation to now reflect a total of 24 fixed issues. All but one are WebKit related and, just like iOS 11, these focused on scenarios in which processing maliciously crafted web content may lead to arbitrary code execution and universal cross site scripting. The other issue was for the Safari App itself, which was vulnerable to address bar spoofing when visiting a maliciously crafted website.

The full list of security issues that were addressed can be found here.

The update can be downloaded by going to the App Store > Updates tab or by downloading macOS High Sierra, which should have it included.

watchOS 4

Many of the same security issues that were addressed in iOS 11 were also addressed in watchOS 4. A total of twenty-three security issues were addressed with watchOS 4.

The full list of security issues that were addressed can be found here.

watchOS 4 can be installed by connecting the watch to its charger and then, on the iPhone, opening the Apple Watch app > My Watch tab > General > Software Update.

tvOS 11

tvOS 11 focused mostly on new features, such as Home Screen Sync, Automatic Appearance Switching, support for AirPods and 4K support for the new Apple TV hardware. The security fixes in tvOS 11, 45 total, are some of the same as those covered in iOS 11.

The full list of security issues that were addressed can be found here.

The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

Not only do these updates offer flashy new features, but they also include a lot of important security fixes under the hood! We recommend that you update to the latest system and application versions as soon as you can to take advantage of all the new features, enhancements and fixes. Of course, make sure your data is backed up before doing so!

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread.
