Naked Security Naked Security

Apple fixes FREAK in iOS, OS X and Apple TV – and numerous other holes besides

Apple's latest security fixes are out. The FREAK bug is now fixed, but so are numerous other holes worth patching in their own right.

Apple has just announced its latest round of security updates.

OS X in its 10.8, 10.9 and 10.10 flavours (Mountain Lion, Mavericks and Yosemite) gets Security Update 2015-002.

iOS goes to version 8.2; Apple TV gets 7.1.

In particular, the fix that we advised you to “watch for” is here.

For users of all the platforms mentioned above, the TLS FREAK bug is patched.

FREAK is the security flaw that could allow an attacker to trick you into making what you think it is a secure TLS connection, but with downgraded security using legacy, insecure, crackable cryptographic keys.

The bug, which was found by a team of researchers including three from Microsoft, was originally thought to apply only to OpenSSL and to Apple’s Secure Transport system library.

That made Apple’s Safari browser the most widespread one to have this bug – until, in a sort of irony, Microsoft realised that its own Schannel TLS library was at risk too, and with it Internet Explorer.

IOSurface RCE

But don’t grab these updates for the FREAK patch alone.

All three platforms (Apple TV, iOS and OS X) shared the same Remote Code Execution (RCE) vulnerability, found by Google’s Project Zero.

That bug existed in the Apple IOSurface programming framework.

IOSurface is a way for two processes to share a video rendering buffer, for example so that movie frames might be decompressed by a rendering process, but displayed by a separate movie player.

Ironically, as Apple explains, IOSurface is “commonly used to allow applications to move complex image decompression and draw logic into a separate process to enhance security.”

Presuambly, the idea is that a process like a movie player or a web browser is therefore shielded from potentially dangerous rendering bugs in the code that actually takes apart the complex data structures inside the average image file.

If a booby-trapped image or movie file should crash the rendering process and gain control over process execution, it would not automatically get access to information such as browser data or already-active internet connections as a result.

Unfortunately, in the case of CVE-2015-1061, the IOSurface framework itself opened up a security hole.

Other security holes

Various other RCE holes are patched in iOS and OS X; any one of these would make the updates worth applying without delay on their own.

Intriguingly, Apple TV and iOS share a security bypass bug in a component called MobileStorageMounter.

The impact of this bug is stated as:

A malicious application may be able to create folders in trusted locations in the file system.

That sounds like just the sort of security hole that would be terribly handy for jailbreaking: the ability to tweak otherwise locked-down system files. (Of course, that sort of hack is great for crooks with brief physical access to your iPhone, too.)

And, indeed, this vulnerability, designated CVE-2015-1062, is credited to TaiG Jailbreak Team.

Any known problems?

Unfortunately, I can’t give you any first hand advice.

As a keen Apple user [Did you mean “fanbuoy”? – Ed], I went straight from Apple’s advisory emails to the OS X App Store, and to the official downloads page.

The OS X advisory assures me that:

Security Update 2015-002 may be obtained from the Mac App Store or Apple's Software Downloads web site.

But at 2015-03-09-22:42Z, in my part of the world at least, there’s still no sign of the updates.

Which makes me wonder if Apple is carefully waiting until after midnight UTC, which would officially make this into an Update Tuesday?