Apple fixed hundreds of bugs, 223 to be exact, across a slate of products including macOS Sierra, iOS, Safari, watchOS, and tvOS on Monday.
More than a quarter of the bugs (40 in macOS Sierra and 30 in iOS) could lead to arbitrary code execution, in some instances with root privileges, Apple warned.
The lion’s share of the vulnerabilities patched Monday, 127 in total, were fixed in the latest version of macOS Sierra, 10.12.4.
Ian Beer, a researcher with Google’s Project Zero group, uncovered seven of the vulnerabilities, including six that could have enabled an application to execute arbitrary code with kernel privileges. South Korean hacker Jung Hoon Lee, perhaps better known in hacking circles by his handle Lokihardt, is credited with finding two vulnerabilities as well, one in the kernel and one in WebKit. Lokihardt, a veteran of Pwn2Own competitions, joined Project Zero in December 2016.
The update also fixed a memory corruption issue that stemmed from how certificates were parsed. The bug, technically a use-after-free vulnerability, existed in the X.509 certificate validation functionality present in macOS and iOS. According to Aleksandar Nikolic, a researcher with Cisco’s Talos Security Intelligence and Research Group who found the bug, an attacker with a specially crafted X.509 certificate could have triggered it and carried out remote code execution. Nikolic says a victim could be tricked in several ways: a user could be served a malicious certificate by a website, the Mail app could connect to a mail server that presents a malicious certificate, or the user could open a malicious certificate to import it into the keychain.
Talos says it verified that the most recent versions at the time, macOS Sierra 10.12.3 and iOS 10.2.1, were vulnerable. Older versions of the operating systems are likely affected too, the firm says.
As usual, a large chunk of the vulnerabilities in the OS were addressed by updating the open source components that macOS bundles to newer versions. Forty-one different bugs were fixed by updating tcpdump, a free packet analyzer, to version 4.9.0. Eleven vulnerabilities were fixed by updating LibreSSL and PHP to versions 2.4.25 and 5.6.30 respectively. Four vulnerabilities were addressed by updating OpenSSH in macOS to version 7.4.
One of the vulnerabilities fixed in iOS pertains to how the mobile version of Safari handled JavaScript pop-ups. Researchers with Lookout Security found the bug and say it was being leveraged by attackers to trick victims into thinking they were locked out of the browser. The attackers' code opens pop-up dialogs in an infinite loop, leaving the browser unusable, and demands payment in the form of iTunes gift cards.
Code used in the attack was previously published on a Russian website and was reused to perform what is essentially a denial of service (DoS) attack on the browser, Lookout says.
According to the iOS advisory, the update also does away with the DES cryptographic algorithm for Profiles. In its place Apple has added support for the 3DES algorithm. While it has been superseded by AES in some systems, 3DES is viewed as secure enough for most purposes today. DES, now widely considered insecure, was approved for withdrawal by the National Institute of Standards and Technology back in 2005.