Apple Updates Everything (again) ... and fixes a "911 DoS bug" in iOS

Published: 2000-01-01
Last Updated: 2017-03-28 02:12:12 UTC
by Johannes Ullrich (Version: 2)
0 comment(s)

Apple today held yet another of its well-known "surprise patch days", with updates for everything.

Apple iWork: This is Apple's office suite. I do not remember seeing a lot of updates for it so far, and this release fixes a single flaw. Until now, Apple used RC4 to encrypt password-protected iWork documents. RC4 is of course no longer adequate, and going forward iWork will use AES-128.

Safari: The Safari update addresses a number of WebKit issues and various other typical browser flaws. Some of the vulnerabilities can lead to arbitrary code execution. Based on the "Credits" given to researchers, it appears that some of the flaws came from the pwn2own contest.

macOS Sierra / OS X El Capitan and Yosemite: This update fixes vulnerabilities in open source software included in Apple's operating system (libressl, php, tcpdump, OpenSSH, OpenSSL and others). In particular, the tcpdump issues are interesting as they are quite old by now. This update also fixes (yet again) an EFI issue that would allow an attacker to retrieve the FileVault 2 encryption password if the attacker can connect to the Thunderbolt port during boot.

iOS: Lots of overlap with the OS X and Safari updates due to the shared code base. An interesting iOS-specific vulnerability that is addressed here allows attackers to use third-party apps to make phone calls without user permission. Problems like this have been abused by pranksters to trick users into dialing 911, which in some cases led to DoS attacks against 911 call centers.

watchOS/tvOS: A lot of overlap here with the other updates, so nothing special to mention. Still: Patch!

There has been a lot of interest in exploiting Apple products. I highly recommend updating expeditiously. So far I haven't heard of any issues with these updates (if you know of any, please leave a comment below).

[1] https://support.apple.com/en-us/HT201222

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute

Happy New Year 2011!!!

Published: 2000-01-01
Last Updated: 2011-01-01 04:39:36 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
0 comment(s)

We wish all our readers and their families a wonderful and amazing 2011. Thanks for your support, contributions and for being part of this infosec community.

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

Keywords: new year 2011
