Yesterday, Apple had a busy day rolling out new updates across its software product lines. Most notably we got updates to macOS and iOS, but Apple also packed a ton of security fixes into all its software. With fixes for nearly 350 known vulnerabilities in total, Apple has pushed to make all its software more secure.
Starting with iOS 10.3, Apple’s latest version includes Find My AirPods, Apple’s new file system, CarPlay, and a few other small visual tweaks. Nearly every Apple update also includes a handful of security fixes that easily go unnoticed by the user. iOS 10.3 is no exception, with over 85 different Common Vulnerabilities and Exposures (CVEs) listed.
For example, iOS 10.3 fixes a security hole that allowed attackers to spam Safari with a ‘Cannot Open Page’ dialog. Lookout, a cybersecurity company, learned of the attack after one of their users complained of losing control over their browsing experience. The dialog was meant to trick users into eventually paying money to “unlock” their Safari browser.
Another update for both iOS and macOS fixes a vulnerability where connecting to what appears to be a secure server actually opens the door for remote code execution. Talos, a threat intelligence organization, shared details on CVE-2017-2485. The vulnerability showed that when Safari navigated to an HTTPS site, macOS and iOS would validate the invalid and malicious certificate, leaving the user open to attack. Talos also mentioned that the vulnerability existed within Chrome as well.
It’s important to understand that even though these vulnerabilities have been discovered and eventually fixed, proof that they were used in the wild is hard, if not impossible, to track down. When companies release details of discoveries, as Lookout did, it helps to better understand real-world scenarios.
In the past few weeks, WikiLeaks has released reports on previous exploits that the CIA used on iOS and Mac devices. While the reports were dated and described outdated exploits, the sheer number of fixes that Apple released this week alone shows that many vulnerabilities still exist.
In a world where cybersecurity is taking the front seat, remember to back up and secure your devices.
The full list of Apple’s fixed CVEs from yesterday’s updates can be found over at their security updates page.