International Mac Podcast

We haven’t had a security update in quite some time from Apple, and now we get two important ones at once, a bit like busses I guess! If you have an iPhone, an iPod Touch, or a Mac, you should probably update your software as soon as possible. Some of the vulnerabilities which have been patched are rather nasty. If you’re interested in all the gory details you can see the details of both updates here and here. For a short summary and some analysis (I use the word loosely), keep reading.

On the iPhone front the most obvious fix is the resolution of key code bypass vulnerability. This was easy enough to work around by changing the meaning of double-tapping the home button to anything other than “go to favourites”, but since most people wouldn’t be aware of that workaround it’s important that this was fixed. However, there are some less obvious but more scary vulnerabilities patched too, I want to mention two of them. The first is a flaw in WebKit that allows an attacker to execute arbitrary code on an iPhone or iPod Touch simply by getting you to visit their web page, and the second is a flaw on the networking implementation that allows attackers to spoof network connections. This second one is the most interesting because the error here is so fundamental that it implies to me that the networking code for the iPhone did not come from OS X, or at the very least that some core parts of it were re-written from scratch for the iPhone. This is worrying. It’s very important to have a stable networking stack and it takes years to get one. OS X inherited it’s stack from FreeBSD, so it got a well tested stack from the off, the iPhone does not appear to have been so lucky. Granted, I’m extrapolating quite a bit here, but to see so fundamental an error in such a core system is very disconcerting. If this is a new stack expect many more security problems with it before it gets stable.

Bottom line, if you use your iPhone or iPod Touch on the network at all, particularly if you use Mobile Safari, you’d be wise to update ASAP.

Moving on to OS X we get a much bigger list of issues that have been patched. It’s mostly just the usual stuff, but a few do stand out. Firstly, the DNS flaw has finally been properly patched. This took Apple far too long, but at least it’s done now. They also patched the same problem in their custom DNS system which is technically referred to as mDNS, but which most users know as Bonjour. OS X has now been properly secured against the DNS flaw with updated BIND, LibResolver, and mDNS packages.

The second thing I noticed is a cluster of image library flaws, particularly in the code for processing and rendering TIFF images. These flaws include ones that allow arbitrary code execution. This is worrying for two reasons, firstly, attackers can place image files in web pages, and secondly, Safari considers image files “safe” so it will automatically open them after download unless you go into your settings and un-check the open "safe" files after downloading option in the General tab. When you combine this default behaviour with the so-called carpet bombing attack you end up with a really scary situation. Security experts have been urging Apple to remove that feature, or at the very least turn it off by default, for years now, but Apple are just not listening. There have been critical flaws in just about every file type Apple considers “safe” within the last few years. Just off the top of my head the list includes PNGs, JPEGs, TIFFs PIC files, DMGs, PDFs, and QuickTime Videos. So, while there are no known vulnerabilities in the safe file types if you apply this update the fact remains that there have been many in the past and that there is no reason for there to be any fewer in the future! Hence, if you haven’t disabled this option yet, I’d urge you to do so right now this minute, before you forget!

Just like with the iPhone update, I’d strongly recommend updating OS X as soon as possible. Now that the bugs are public it’s much easier for the bad guys to start using them to attack you!