Apple releases tons of security updates for recent flaws and exploits

While the world's focus on Apple today might be on the release of its new streaming music service, the company also pushed out a host of security fixes for exploits, flaws, and--shall we say--politically difficult situations of the last few months. iOS 8.4 and OS X 10.10.4 should make users safer, pending testing by outside researchers.

You can find the full list of security issues on pages for iOS 8.4 and OS X 10.10.4, which also includes items in Security Update 2015-005 for older OS X releases.

EFI update patch fixed

In June, a researcher revealed a problem with Apple's version of EFI (Extensible Firmware Interface), the bootstrapping software--like BIOS once was for PCs--that activates on power-up or restart to perform hardware tests and then loads the operating system. On waking his Mac from sleep, the researcher found he could potentially modify the EFI firmware, which is otherwise cryptographically protected. Modified firmware could carry out all sorts of insidious behavior while evading detection and easy removal.

The researcher said he believed this affected Macs made only in mid-2014 or earlier, and that it was possible Apple had fixed it in newer models. Apple's Mac EFI Security Update 2015-001 is available for Mountain Lion (10.8.5) and Mavericks (10.9.5) as well as Yosemite. Specific models aren't noted, and Yosemite can run on some Mac models released as far back as 2007, so the update would be required on older Macs even if newer hardware had improved firmware.

The update also mitigates the Rowhammer bug, in which malware could compromise the integrity of values stored in DRAM, and gain access to all memory and thus take over a system. Apple solved the problem through the relatively obscure matter of increasing the rate at which memory is refreshed.

According to Net Applications, about 14 percent of Macs in April 2015 were using a version of OS X older than Mountain Lion. While that's still millions of Macs, the number is declining every day, and it's unlikely attackers would focus on a smaller and shrinking user base, especially one that requires carefully crafted and remotely delivered malware or physical proximity to a computer.

Mail's refresh ability

A seeming bug in iOS's Mail app allowed a specially crafted HTML message to force Mail to load an arbitrary Internet-hosted webpage. While Mail filters many kinds of behavior, a researcher found that it didn't restrict the use of a "refresh" command in a meta tag placed in the head section of an HTML email. This led to a proof-of-concept in which an email message pulled in a page that displayed a formatted prompt that looked like an iCloud login.

Apple acknowledged this at the time as something it would fix in the future, although it said it had not received any reports of phishing that relied on this approach. Support for the refresh command in mail messages has been removed in both iOS 8.4 and the Yosemite 10.10.4 update.
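The check a mail client can apply before rendering a message, as an added example that is not Apple's code or anything from the original article: a parser pass that drops any `<meta http-equiv="refresh">` tag and records the URL it pointed at, so the message can be displayed without navigating and the target can be logged. The sample message, its hostname and the class and function names are constructed for the example.

```python
"""Detect and neutralise <meta http-equiv="refresh"> in HTML email.

Added example, not Apple's Mail code. A refresh directive in the <head>
of a message is enough to navigate the view to an arbitrary URL, so the
scrubber removes the tag and reports where it pointed.
"""
from html.parser import HTMLParser


def _refresh_url(content):
    """Extract the url= part of a refresh content attribute ("" if absent).

    The attribute looks like "0; url=https://host/path"; the URL part is optional.
    """
    for part in content.split(";")[1:]:
        part = part.strip()
        if part.lower().startswith("url="):
            return part[4:].strip().strip("'\"")
    return ""


class MetaRefreshScrubber(HTMLParser):
    """Re-emits the input HTML unchanged except for meta refresh tags, which are dropped.

    Assumption: the caller renders the returned string instead of the original body.
    """

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.refresh_targets = []  # URLs the stripped tags pointed at

    def handle_starttag(self, tag, attrs):
        if tag == "meta":  # html.parser lower-cases tag and attribute names
            a = {k: (v or "") for k, v in attrs}
            if a.get("http-equiv", "").strip().lower() == "refresh":
                self.refresh_targets.append(_refresh_url(a.get("content", "")))
                return  # drop the tag entirely
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        # get_starttag_text() already includes the trailing "/>", so no end tag is emitted
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def scrub_meta_refresh(html):
    """Return (clean_html, list_of_refresh_target_urls)."""
    p = MetaRefreshScrubber()
    p.feed(html)
    p.close()
    return "".join(p.out), p.refresh_targets


# Constructed sample message (placeholder host, not a real site): the head
# carries a refresh to a look-alike login page.
SAMPLE_EMAIL = """<html><head><title>Account notice</title>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=https://icloud-login.invalid/">
</head><body><p>Please review your account.</p></body></html>"""

if __name__ == "__main__":
    clean, targets = scrub_meta_refresh(SAMPLE_EMAIL)
    print(clean)
    print("stripped refresh targets:", targets)
```

Logging the stripped targets rather than silently discarding them gives a mail administrator a simple signal: a message that tried to redirect the reader to a login-looking page is worth a closer look even when the refresh itself no longer works.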

The tricky issue of a Chinese certificate authority

In March, Google revealed that CNNIC, a Chinese agency that handles the root .cn domain and acts as a certificate authority (CA) for issuing digital credentials for secure web connections, had violated the rules for CAs included in the root trust stores of the major operating system makers and browsers. Its action, in short, allowed a third party to create certificates that would let it spoof any secure website in the world. Fortunately, Google and others monitor for this, and an alarm went off.

Google and Mozilla, the makers of the Firefox browser, quickly reacted. CNNIC was kicked out of the trusted list of CAs for Android, Chrome, Chrome OS, Firefox, Firefox OS, and Thunderbird. Microsoft removed only the certificate issued by CNNIC against the rules. Apple to date had done nothing. I noted in late April that Apple and Microsoft's extensive dealings in China may have led to an uncomfortable situation that put Apple at odds with its commitment to customer security and privacy.

In today's OS X and iOS updates, Apple remedies this problem. While it downplays CNNIC's behavior--"an intermediate certificate was incorrectly issued by the certificate authority CNNIC"--it has added a new mechanism called the "security partial trust allow list." This lets Apple accept only a subset of certificates from a given certificate authority, rather than every certificate the CA has signed.

Apple's revised Trust Store, its set of trusted root CAs, now excludes certificates that CNNIC produced after its "incorrect" event. By disallowing only newer certificates, Apple spares its Chinese customers, and those connecting to Chinese sites from outside the country, from security error messages on sites whose older certificates remain valid. Sites backed by newly issued CNNIC certificates will now fail in Firefox, Android, Chrome, and Safari, but not in Internet Explorer, given Microsoft's most recent action.
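How a partial-trust allow list fits into chain validation, as an added example: this is not Apple's implementation, which the article describes only as accepting a subset of a CA's certificates. Certificates are plain records identified by a SHA-256 fingerprint over their encoding, which is how real trust stores pin individual certificates; the CA names, dates, cutoff and "DER" bytes are constructed sample data, and the allow list is built from a cutoff date to mirror the effect described above (older certificates keep working, newer ones do not).

```python
"""Partial trust for a root CA: accept only an allow-listed subset of the
certificates that chain to it.

Added example with constructed data; not Apple's code.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Cert:
    subject: str
    issuer: str
    not_before: date
    der: bytes  # constructed stand-in for the certificate's DER encoding

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


@dataclass
class TrustStore:
    roots: dict = field(default_factory=dict)          # root fingerprint -> Cert
    partial_trust: dict = field(default_factory=dict)  # root fingerprint -> allowed fingerprints

    def add_root(self, root: Cert, allow=None):
        """Register a root; with `allow` set, only those certificates are accepted under it."""
        self.roots[root.fingerprint] = root
        if allow is not None:
            self.partial_trust[root.fingerprint] = set(allow)


def allow_list_before(certs, cutoff: date) -> set:
    """Allow list of every known certificate issued on or before the cutoff."""
    return {c.fingerprint for c in certs if c.not_before <= cutoff}


def evaluate_chain(chain, store: TrustStore):
    """chain is [leaf, intermediate..., root]. Returns (accepted, reason)."""
    if not chain:
        return False, "empty chain"
    # Every certificate must name the next one as its issuer.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"broken link: {child.subject} not issued by {parent.subject}"
    root = chain[-1]
    if root.fingerprint not in store.roots:
        return False, f"root {root.subject} not in trust store"
    allowed = store.partial_trust.get(root.fingerprint)
    if allowed is None:
        return True, "root fully trusted"
    # Partial trust: each non-root certificate must be on the allow list.
    for cert in chain[:-1]:
        if cert.fingerprint not in allowed:
            return False, f"{cert.subject}: not on partial-trust allow list for {root.subject}"
    return True, "chain accepted via partial-trust allow list"


# Constructed sample data (names, dates and bytes are placeholders).
CUTOFF = date(2015, 3, 1)  # stands in for the date of the incident
ROOT = Cert("Example CA Root", "Example CA Root", date(2010, 1, 1), b"root-der")
OLD_INT = Cert("Example CA Old Intermediate", "Example CA Root", date(2012, 6, 1), b"old-int-der")
NEW_INT = Cert("Example CA New Intermediate", "Example CA Root", date(2015, 4, 1), b"new-int-der")
OLD_LEAF = Cert("www.old.example", "Example CA Old Intermediate", date(2014, 9, 1), b"old-leaf-der")
NEW_LEAF = Cert("www.new.example", "Example CA New Intermediate", date(2015, 5, 1), b"new-leaf-der")


def build_store() -> TrustStore:
    """Trust store in which the sample root is only partially trusted."""
    store = TrustStore()
    known = [OLD_INT, NEW_INT, OLD_LEAF, NEW_LEAF]
    store.add_root(ROOT, allow=allow_list_before(known, CUTOFF))
    return store


if __name__ == "__main__":
    store = build_store()
    print(evaluate_chain([OLD_LEAF, OLD_INT, ROOT], store))
    print(evaluate_chain([NEW_LEAF, NEW_INT, ROOT], store))
```

The point of keying the allow list on fingerprints rather than on dates alone is that a certificate back-dated by a misbehaving CA would still be refused: only certificates the store operator has actually enumerated pass.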

(I'll have more details on this, the Trust Store webpages, and what you can do in OS X in this week's Private I column.)

Downgraded encryption keys

Apple also patched an obscure but problematic encryption issue that has been known for months. A malicious party that can insert itself into a connection and intercept the negotiation of a secure session--typically for email and websites--could force the browser or server to downgrade to an outdated encryption algorithm that can be broken.

This attack, called Logjam, can be fixed on either side of a connection: on the client side with improved browsers and email clients or, in Apple's case, improved core software (coreTLS) that handles encryption; or on the server side with upgrades to servers.

While websites have been fixing their end, Apple removes this vulnerability from hundreds of millions of devices and computers at one go.
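What a client-side fix amounts to, as an added example that is not Apple's coreTLS code: a Logjam-style downgrade works by getting the server to send export-grade (512-bit) Diffie-Hellman parameters, so a client that measures the prime it is handed and refuses anything below its policy minimum is protected even when the server still offers weak groups. The block parses the ServerDHParams structure from a TLS ServerKeyExchange message (RFC 5246 section 7.4.3: three length-prefixed values p, g and Ys) and applies a 2048-bit minimum, the size the Logjam researchers recommended. The sample messages use constructed odd numbers of the right length, not real DH primes, and the function names are the example's own.

```python
"""Reject weak Diffie-Hellman groups in a TLS ServerKeyExchange.

Added example, not Apple's coreTLS code. ServerDHParams wire format
(RFC 5246 section 7.4.3):
    opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>;
each value preceded by a two-byte big-endian length.
"""
import struct

MIN_DH_BITS = 2048  # policy minimum; the Logjam researchers recommended 2048-bit groups


def parse_server_dh_params(buf: bytes):
    """Return (p, g, Ys) as ints from a ServerDHParams encoding.

    Raises ValueError on truncated input or a zero-length field.
    """
    values = []
    off = 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(buf):
            raise ValueError(f"truncated before {name} length")
        (length,) = struct.unpack_from("!H", buf, off)
        off += 2
        if length == 0 or off + length > len(buf):
            raise ValueError(f"bad {name} length {length}")
        values.append(int.from_bytes(buf[off:off + length], "big"))
        off += length
    return tuple(values)


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of the parser; used here only to construct sample messages."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def dh_group_acceptable(buf: bytes, min_bits: int = MIN_DH_BITS):
    """Return (accept, prime_bits) for a ServerDHParams message.

    Rejects primes below the policy minimum and degenerate generators or
    server public values (which would make the shared secret trivial).
    """
    p, g, ys = parse_server_dh_params(buf)
    bits = p.bit_length()
    if bits < min_bits:
        return False, bits
    if g < 2 or not (2 <= ys <= p - 2):
        return False, bits
    return True, bits


# Constructed samples: odd numbers of the stated bit length, NOT real DH
# primes; they exercise only the length and sanity checks.
EXPORT_GRADE = encode_server_dh_params((1 << 511) | 1, 2, 0x1234)  # 512-bit, export grade
STRONG = encode_server_dh_params((1 << 2047) | 1, 2, 0x1234)       # 2048-bit

if __name__ == "__main__":
    for label, msg in (("export-grade", EXPORT_GRADE), ("2048-bit", STRONG)):
        print(label, dh_group_acceptable(msg))
```

In a real handshake the parsed message is signed by the server's certificate key, so the check belongs after signature verification but before the client computes its own DH share; rejecting there turns a silent downgrade into a handshake failure that shows up in client logs.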

Cross-application exploits

It's not surprising that this release, coming so close on the heels of the inter-application exploits disclosed June 17, lacks any fixes for them, but Apple said that it had already closed down some of the relevant behavior on the server side.

The exploits also require the ability to submit malicious software to the App Store, which Apple is obviously now scanning for. A future update will conceivably address the flaws more comprehensively.

Stories by Glenn Fleishman

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts