Apple has released a slew of updates for several of its key platforms to fix a range of security issues including some related to the OpenSSL HeartBleed bug. According to the release notes for AirPort Base Station Firmware Update 7.7.3, the new software contains a fix for an out-of-bounds memory issue in the OpenSSL library when handling TLS heartbeat extension packets (i.e. the HeartBleed bug). Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected.
For iOS, Apple TV and OS X, Apple also released a set of patches one of which also applies to sessions protected by SSL. Known as a “triple handshake” attack, it was possible for an attacker to create two connections using the same keys and handshake. As a result an attacker could insert data into one connection and renegotiate so that the connections are forwarded to each other. To work around this scenario Apple has changed the SSL renegotiation code so that the same server certificate needs to be presented as in the original connection.
The update to OS X is called Security Update 2014-002 and has various changes for OS X 10.7 Lion, OS X 10.8 Mountain Lion and OS X 10.9 Mavericks. The changes are as follows:
- Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie.
- A format string issue existed in the CoreServicesUIAgent’s handling of URLs.
- A buffer underflow existed in the handling of fonts in PDF files.
- A reachable abort existed in the Heimdal Kerberos’ handling of ASN.1 data. This meant that a remote attacker could cause a denial of service.
- A buffer overflow issue existed in ImageIO’s handling of JPEG images.
- A validation issue existed in the Intel Graphics Driver’s handling of a pointer from userspace. As a result a malicious application could take control of the system.
- A set of kernel pointers stored in an IOKit object could be retrieved from userland.
- A kernel pointer stored in a XNU object could be retrieved from userland.
- If a key was pressed or the trackpad touched just after the lid was closed, the system might have tried to wake up while going to sleep, which would have caused the screen to be unlocked. This issue was addressed by ignoring keypresses while going to sleep.
- An integer overflow issue existed in LibYAML’s handling of YAML tags as used by Ruby.
- A heap-based buffer overflow issue existed in Ruby when converting a string to a floating point value.
- WindowServer sessions could be created by sandboxed applications.
Apple has also updated iOS 7 with the release of iOS 7.1.1. It patches the same Set-Cookie HTTP headers bug as found in OS X plus it updates WebKit (the HTML rendering engine used by mobile Safari) to fix a number of issues, many of which were found by Google (for its Chrome browser). The new Apple TV 6.1.1 firmware has the same changes as iOS 7.1.1 and addresses the Set-Cookie HTTP headers bug and also patches WebKit.
You can get more information on Apple’s security updates here: http://support.apple.com/kb/