Apple Patches Critical Kernel Vulnerabilities

Apple today released new versions of iOS and macOS Sierra and addressed some overlapping code execution vulnerabilities in both its mobile and desktop operating systems.

The updates were part of a bigger release of security updates from Apple that also included Safari, iCloud for Windows, and watchOS.

The most critical of the bugs were a pair of kernel vulnerabilities, CVE-2017-2370 and CVE-2017-2360, which could allow a malicious application to execute code with the highest kernel privileges. The two bugs, a buffer overflow and use-after-free vulnerability, were reported by Google Project Zero’s Ian Beer and were patched in iOS 10.2.1 and macOS Sierra 10.12.3.

A critical libarchive buffer overflow vulnerability, CVE-2016-8687, was also patched in iOS and macOS Sierra.

“Unpacking a maliciously crafted archive may lead to arbitrary code execution,” Apple said.

Apple also patched 11 vulnerabilities in the iOS implementation of WebKit, a half-dozen of which lead to arbitrary code execution, while three others attackers could abuse with crafted web content to exfiltrate data cross-origin.

Many of the same Webkit vulnerabilities were also patched in Safari, which was updated to version 10.0.3.

Rounding out the iOS update, Apple patched a flaw in Auto Unlock that could unlock when Apple Watch is off the user’s wrist, along with an issue that could crash the Contacts application, and another Wi-Fi issue that could show a user’s home screen even if the device is locked.

The macOS Sierra update also patched code execution vulnerabilities in other components, including its Bluetooth implementation and Graphics Drivers (code execution with kernel privileges), Help Viewer, and the Vim text editor.

The Safari update also patched a vulnerability in the address bar, CVE-2017-2359, that could be exploited if visiting a malicious website, allowing an attacker to spoof the URL.

tvOS was updated to version 10.1.1, and the same kernel, libarchive and webkit vulnerabilities present in iOS were patched in the Apple TV OS (4th generation).

The watchOS update, 3.1.3, was a sizable one as well with patches for 33 CVEs, including 17 code execution vulnerability.

The iCloud for Windows 6.1.1 update, for Windows 7 and later, also patched four Webkit vulnerabilities addressed in other product updates, all off which lead to arbitrary code execution.