Month in Review: Apple Security in January 2017

Posted on January 25th, 2017 by Joshua Long

The year has only just begun, and there’s already plenty to talk about with regard to Apple user security and privacy!

Here are some of the highlights from this past month’s security news relevant to users of Macs, iPhones, iPads, and other Apple products.

ClientCapture (Fruitfly, Quimitchin) Malware Discovered

Two weeks ago, Intego analyzed malware samples discovered by a university IT administrator, found after some strange network traffic had been observed on a Mac Pro. The malware (the components of which Intego VirusBarrier detects as OSX/ClientCapture, Perl/ClientCapture, and Java/ClientCapture) appears to have been part of a targeted attack, and may have existing on the university’s computer for years before being discovered and submitted to Intego and other companies for analysis.

Apple calls the threat “Fruitfly,” and it is also known as “Quimitchin.” See Intego’s writeup for further details: Targeted Malware Attacks and the Importance of Layered Protection.

“Meitu” Mobile App Has Privacy Risks

It was reported last week that an iOS and Android app called Meitu, which morphs selfies into anime characterizations, contains a number of privacy risks. The app, which was developed in China and has been in the App Store for several years, has recently gained popularity.

Security researcher Jonathan Zdziarski took to Twitter to offer his take on Meitu:

Summary: Meitu is a throw-together of multiple analytics and marketing/ad tracking packages, with something cute to get people to use it.

— Jonathan Zdziarski (@JZdziarski) January 19, 2017

Wired reported Zdziarski had identified “at least half a dozen” analytics and tracking packages within the app, and noted, “You don’t generally need that many unless you’re selling data.”

Another security researcher, Will Strafach, published a brief technical writeup of Meitu for iOS.

Is it really worth sacrificing your privacy for this?

Apple Security Updates

Apple has released security updates for the following software this month:

macOS Sierra 10.12.3 (the latest version of “OS X” for compatible Macs) fixes vulnerabilities described in 11 CVE (Common Vulnerabilities and Exposures) IDs related to PHP, Bluetooth, Help Viewer, Vim, archive file handling, graphics and audio drivers, and the kernel (the operating system’s core)
Safari 10.0.3 (available for Macs running Sierra, El Capitan, or Yosemite) fixes vulnerabilities described in 12 CVEs, 11 of which are related to the WebKit browser engine, and one of which is specific to Safari and prevents an issue where a malicious site could spoof Safari’s address bar
iOS 10.2.1 (for iPhone, iPad, and iPod touch) fixes vulnerabilities described in 18 CVEs, including 12 related to the WebKit browser engine, two related to the kernel, and one each related to archive file handling, Contacts (preventing a maliciously crafted contact card from causing application termination), Wi-Fi (preventing an activation-locked device from being manipulated to briefly present the home screen), and Auto Unlock (preventing a device from becoming unlocked while an Apple Watch is off of a user’s wrist)
watchOS 3.1.3 (for Apple Watch) fixes vulnerabilities described in 33 CVEs, including nine related to the kernel, two related to font file parsing, two related to audio file processing, two related to WebKit, two related to archive file handling, and a variety of others, the most severe of which could allow a local user to gain root privileges (full administrative rights) on an Apple Watch
tvOS 10.1.1 (for Apple TV) fixes vulnerabilities described in 12 CVEs, including nine related to WebKit, two related to the kernel, and one related to archive file processing
iTunes for Windows 2.5.5 and iCloud for Windows 6.1.1 fix vulnerabilities related to WebKit browser engine, described in four CVEs (all of which are fixed for Macs via the Safari 10.0.3 update)
Earlier this month, GarageBand 10.1.5 and Logic Pro X 10.3 were released, both of fix a vulnerability described in a single CVE; these updates prevent maliciously crafted files from causing arbitrary code execution (i.e. doing bad stuff to your Mac)
Apple also released Security Update 2016-003 Supplemental (10.11.6) for El Capitan users, an update to a December patch, fixing a kernel issue that could cause the OS to become unresponsive (Apple did not identify any additional vulnerabilities patched by this supplemental update)

Intego has written more about this week’s updates here: Apple Releases macOS Sierra 10.12.3 and More with Security Fixes.

The bottom line: be sure to check for and install updates on all of your Apple devices!

Scam Site Launched DoS Against Unpatched Macs

In early January, a scam site (which is no longer online) launched a denial-of-service attack (DoS) against Macs running Safari on older versions of macOS. The site would cause Mail to create a plethora of e-mail drafts with a subject line containing the words, “Warning! Virus Detected!” and eventually causing the Mac to crash. Users running the latest versions of macOS and Safari were not affected by this e-mail draft denial-of-service attack; instead, the scam site caused a single fake virus warning to appear in the Mac’s iTunes app. On iOS, the scam site would pop up a single e-mail draft at a time, but would continue presenting a new draft each time the draft window was closed. See Intego’s writeup for further details: Denial of Service Attack Targets Mac and iOS Users.

An important lesson here is that it’s critical to keep your Apple software updated to make it less susceptible to attacks—including, but not limited to, attacks by malicious sites.

Apple CareKit to Incorporate “ZeroKit” Security

Mashable reported that Apple’s open-source CareKit platform will soon incorporate technology called ZeroKit, developed by security firm Tresorit. According to the report, ZeroKit “will offer user authentication for patients and healthcare workers, end-to-end encryption of health data, and ‘zero knowledge’ sharing of health data,” meaning that data will not be accessible to any other party during transit. The goal of ZeroKit is to make it easier for developers of healthcare apps to provide better security for end users.

Stay Tuned! Subscribe to The Mac Security Blog

That’s it for this month’s security roundup! Be sure to subscribe to The Mac Security Blog to stay informed about Apple security.

You may also be interested in Intego’s recent in-depth coverage highlighting the top Apple security news of 2016:

The Year in Mac Security 2016

Image credits: Fruitfly image by arian.suresh (CC BY 2.0)

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →

Share