Microsoft reflexively releases patches for its products on one Tuesday of every month to much fanfare. Apple does not, but on occasion the Cupertino, Calif.-based company issues what SophosLabs, in a Naked Security bulletin, calls “Update Surprisedays.”
Wednesday was one of those days, with Apple unleashing seven updates designed to plug holes and boost security in iOS 8 and OS X 10.9.5 (Mavericks), as well as Apple TV 7, OS X Server 3.2.1, OS X Server 2.2.3, Apple’s development environment Xcode, and Safari 6.2 and 7.1.
The company fixed more than 40 separate vulnerabilities, “covered by 55 CVEs,” 10 of which “could allow remote code execution, including three inside the kernel,” the blog said, noting a “laundry list of holes fixed,” such as lock screen bugs, incorrectly implemented address book encryption, deprecated and insecure Wi-Fi authentication and Safari’s password manager leaking passwords. Saying the iOS updates added more features than security patches, the Sophos blog noted that the updates contained enough significant security fixes to make updating worthwhile for Apple users.
Of note, one of the patches made good on Apple’s promises to “stop its iDevices giving you away automatically to any Wi-Fi access point you walked past,” the Sophos blog said. The devices transmit their Media Access Control (MAC) addresses in every packet sent over Wi-Fi, which, although it doesn’t identify the user, can tell a marketer “that the same person who just bought cotton trousers in menswear is now browsing near the organic yogurt section in the food department,” the blog said.
The updates also cover “Remote Code Execution (RCE), Information Disclosure that allows attackers to bypass Address Space Layout Randomization (ASLR), and Elevation of Privilege (EoP),” SophosLabs said.
Shaun Murphy, CEO of PrivateGiant, told SCMagazine.com in a Friday email correspondence that he wasn’t surprised by the updates. “Bugs creep up in software depending on how much quality assurance you go through,” he said. “iOS 8 has a lot of new capability that is a departure from Apple’s sandboxing (extensions, widgets), so we’ll see how well they can balance security, convenience and elegance.”
He added that the Heartbleed/OpenSSL vulnerability demonstrated that “even critical pieces of software can have major problems creep up,” even at major vendors, so the industry must “keep looking for all possible attack vectors, obvious or not.”
Update: On Wednesday, September 24, Apple pulled iOS 8.0.1 after iPhone 6 users complained that the update knocked out their cell service and use of Touch ID.