
Apple addresses bugs in OS X, iOS and more

Apple addressed a number of vulnerabilities in a variety of products on Wednesday when it released OS X El Capitan 10.11.1 and Security Update 2015-007, iOS 9.1, iTunes 12.3.1, Safari 9.0.1, watchOS 2.0.1, OS X Server 5.0.15, Xcode 7.1, and Mac EFI Security Update 2015-002.

Perhaps the most noteworthy patches are for a pair of bugs that reportedly enable users to jailbreak mobile devices running iOS 9.0 through iOS 9.0.2. In an iOS 9.1 notification, Apple credited PanguTeam – a group known to create jailbreak tools for iOS – with identifying the vulnerabilities.

The first vulnerability (CVE-2015-7015) is in configd – it enables a malicious application to elevate privileges and is also addressed in OS X El Capitan 10.11.1 and watchOS 2.0.1. The second vulnerability (CVE-2015-6979) is in GasGauge and it enables a malicious application to execute arbitrary code.

Other issues fixed in iOS 9.1 include multiple memory corruption bugs in ImageIO that can lead to arbitrary code execution when viewing a maliciously crafted image file, vulnerabilities in OpenGL and WebKit that could lead to arbitrary code execution when visiting a maliciously crafted website, and a flaw in telephony that could enable a malicious application to leak sensitive user information.

The OS X El Capitan 10.11.1 update addresses a number of bugs in Apple's latest computer operating system, and Security Update 2015-007 includes fixes for systems running OS X Mavericks 10.9.5 and OS X Yosemite 10.10.5, according to a notification.

Some of the bugs affecting all aforementioned versions of Apple's operating system include a memory corruption vulnerability in Accelerate Framework that could lead to arbitrary code execution upon visiting a maliciously crafted website, and flaws in CoreText and FontParser that could lead to arbitrary code execution when processing a maliciously crafted font file.

The Safari 9.0.1 update is available for OS X Mavericks 10.9.5, OS X Yosemite 10.10.5 and OS X El Capitan 10.11.1 and it addresses nine vulnerabilities in WebKit, which could lead to arbitrary code execution upon visiting a maliciously crafted website.

The iTunes 12.3.1 update is only for Windows 7 and later and it addresses multiple memory corruption issues that can lead to unexpected application termination or arbitrary code execution. Some of the bugs are in WebKit and others are in the processing of text files.

Among the issues addressed in the watchOS 2.0.1 update are a vulnerability in Bom that could lead to arbitrary code execution when unpacking a maliciously crafted archive, two bugs in CoreGraphics that could lead to arbitrary code execution when processing a maliciously crafted image, and a memory corruption bug in IOHIDFamily that could enable a malicious application to execute arbitrary code with kernel privileges.

The OS X Server 5.0.15 update is for OS X Yosemite 10.10.5, OS X El Capitan 10.11.1 or later and addresses a few bugs; the Xcode 7.1 update is for OS X Yosemite 10.10.5 or later and addresses one flaw; and Mac EFI Security Update 2015-002 is for OS X Mavericks 10.9.5 and addresses one vulnerability.
