
It's 2017 – and your Mac, iPad, iPhone can all be pwned by an e-book

Seven Apple updates, because it's not like you had anything else to patch today

By Shaun Nichols, 16 May 2017

Apple has released security updates for both of its main operating systems, along with iTunes, Apple Watch, and Apple TV. All should be installed as soon as possible, before the flaws they fix are exploited by miscreants.

The updates, numbering seven in total, include fixes for security vulnerabilities in the Safari browser and WebKit engine.

For iPhone and iPad, Apple has kicked out iOS 10.3.2. The update addresses a total of 41 CVE-listed vulnerabilities in the mobile OS, with 23 of those being flaws in WebKit, including 17 that allow for remote code execution through malicious webpages and five that enable cross-site scripting attacks.

Other holes addressed in iOS 10.3.2 include CVE-2017-2498, which Apple termed "a certificate validation issue existed in the handling of untrusted certificates" and a pair of flaws in iBooks (CVE-2017-2497, CVE-2017-6981) that allow ebooks to open arbitrary websites and execute code with root privilege.

Mac owners will want to install macOS Sierra 10.12.5 (or Security Update 2017-002 for El Capitan and Yosemite). The update addresses 37 vulnerabilities, including the two iBooks flaws and a Wi-Fi networking hole (CVE-2017-6988) that allows the theft of network credentials.

Also addressed were elevation of privilege flaws in both the Intel (CVE-2017-2503) and Nvidia (CVE-2017-6985) graphics drivers, as well as four different arbitrary code execution holes (CVE-2017-2513, CVE-2017-2518, CVE-2017-2520, CVE-2017-2519) in SQLite.

A separate update for Safari looks to patch up three holes in the browser itself and 23 vulnerabilities in WebKit, many of which are also addressed in the iOS updates.

Those using the Apple Watch should install watchOS 3.2.2, patching a total of 12 CVE-listed vulnerabilities, four of which could be targeted for remote code execution.

Apple TV, meanwhile, has been sent tvOS 10.2.1 to patch 23 flaws, including 12 holes in the WebKit engine that allow cross-site scripting and remote code execution attacks.

Finally, for Windows users there is iTunes 12.6.1, an update that patches a single (CVE-2017-6984) remote code execution flaw, and iCloud 6.2.1, which handles the CVE-2017-2530 remote code execution flaw in WebKit. ®

The Register - Independent news, views and opinion for the tech sector. Part of Situation Publishing