(LiveHacking.Com) – Following Google’s disclose of a number of zero day vulnerabilities in OS X, Apple has released a huge set of patches that fix a range of Critical security problems on OS X, iOS, Apple TV, and Safari.
Starting with OS X, Apple’s patches fix 54 separate CVEs including 11 from Google’s Project Zero. Among the fixes are patches for the 3 bugs which Google disclosed last week:
- An error existed in the Bluetooth driver that allowed a malicious application to control the size of a write to kernel memory.
- Multiple type confusion issues existed in coresymbolicationd’s handling of XPC messages.
- A memory access issue existed in the handling of IOUSB controller user client functions.
A security vulnerability in the Intel graphics driver is also credited to Google’s project zero. According to the release notes, multiple vulnerabilities existed in the Intel graphics driver, the most serious of could lead to arbitrary code execution with system privileges.
Another six CVE’s were reported to Apple from another of Google security groups, this time the Google Security Team. Among its catches are a bug in the kernel: Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content.
The security update is available for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1. You can read the full details here: http://support.apple.com/en-us/HT1222
Since iOS and OS X share much of the same code (certainly at the lower levels), Apple also released an update to its mobile operating system with many of the same fixes. The iOS update addresses 33 different CVEs and fixes some of the same vulnerabilities from Google’s Project Zero. You can read more about iOS 8.1.3 here: http://support.apple.com/kb/HT204245
Like iOS, Apple TV also uses lots of the same core technologies as OS X. In response to Google’s disclosures and in the light of other security issues, Apple has released Apple TV 7.0.3. It addresses 29 different CVEs including the disclosed problems with XPC: Multiple type confusion issues existed in networkd’s handling of interprocess communication. By sending a maliciously formatted message to networkd, it could be possible to execute arbitrary code as the networkd process.
Apple TV 7.0.3 is available for all 3rd generation and later Apple TV boxes. Full details can be found here: http://support.apple.com/kb/HT204246
To round off this huge security update, Apple has also updated Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3 on OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.1 to fix a series of memory issues with WebKit. If exploited these vulnerabilities could allow an attacker to run arbitrary code on a victim’s Mac, if tricked into visiting a maliciously crafted website.
Apple has also updated its web plug-in blocking mechanism to disable all versions prior to Flash Player 18.104.22.1686 and 22.214.171.1244.