Apple patches dozens of security flaws in iOS 8.4, OS X 10.10.4

The updates fix vulnerabilities, including flaws that allow remote code execution and man-in-the-middle attacks.


Apple has released new versions of iOS and OS X with patches for dozens of security flaws.

The Cupertino, Calif.-based firm said in a security advisory that version 8.4 of the iOS mobile operating system contains over 20 fixes for vulnerabilities which could lead to remote code execution, application termination and the interception of encrypted traffic, among other issues.

Within the update, the iPad and iPhone maker has tackled the Logjam flaw, a cryptographic weakness in how the Diffie-Hellman key exchange is used. Diffie-Hellman is a popular way for Internet protocols to agree on shared encryption keys and create secure communication channels.

As Diffie-Hellman is used in a number of protocols, including HTTPS, SSH, IPsec, SMTPS and others which rely on TLS, tens of thousands of HTTPS websites and servers were left vulnerable to eavesdropping and the interception of secure communication through man-in-the-middle (MITM) attacks.

In order to prevent hackers from exploiting Logjam, Apple has modified the coreTLS component of both operating systems. Apple says:

"coreTLS accepted short ephemeral Diffie-Hellman (DH) keys, as used in export-strength ephemeral DH cipher suites. This issue, also known as Logjam, allowed an attacker with a privileged network position to downgrade security to 512-bit DH if the server supported an export-strength ephemeral DH cipher suite.

The issue was addressed by increasing the default minimum size allowed for DH ephemeral keys to 768 bits."
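The kind of check the advisory describes, as an added example (this is not Apple's coreTLS code): it parses the `ServerDHParams` structure from a TLS ServerKeyExchange message and rejects a prime shorter than a minimum bit length. The function names and the sample bytes are hypothetical; only the 768-bit default comes from the advisory text above.

```c
#include <stddef.h>
#include <stdint.h>
#define MIN_DH_BITS 768  /* default minimum quoted in the advisory */

/* Read a TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then data. */
static int read_vec16(const uint8_t **p, size_t *left,
                      const uint8_t **out, size_t *out_len)
{
    if (*left < 2) return -1;
    size_t n = ((size_t)(*p)[0] << 8) | (*p)[1];
    *p += 2; *left -= 2;
    if (n == 0 || n > *left) return -1;   /* empty or truncated vector */
    *out = *p; *out_len = n;
    *p += n; *left -= n;
    return 0;
}

/* Bit length of a big-endian unsigned integer; leading zero bytes and
 * leading zero bits do not count towards the size of the prime. */
static size_t bit_length(const uint8_t *v, size_t len)
{
    while (len > 0 && *v == 0) { v++; len--; }
    if (len == 0) return 0;
    size_t bits = len * 8;
    for (uint8_t top = *v; !(top & 0x80); top <<= 1) bits--;
    return bits;
}

/* Returns 0 if dh_p, dh_g and dh_Ys parse and dh_p has at least min_bits
 * bits, -1 on malformed input, -2 if the group is too small. Any signature
 * that follows the parameters is not examined here. */
int check_server_dh_params(const uint8_t *msg, size_t len, size_t min_bits)
{
    const uint8_t *p, *g, *ys;
    size_t p_len, g_len, ys_len;
    if (read_vec16(&msg, &len, &p, &p_len) ||
        read_vec16(&msg, &len, &g, &g_len) ||
        read_vec16(&msg, &len, &ys, &ys_len))
        return -1;
    return bit_length(p, p_len) < min_bits ? -2 : 0;
}

int main(void)
{
    /* Constructed sample: 512-bit dh_p (top bit set), dh_g = 2, dh_Ys = 5. */
    uint8_t weak[72] = {0};
    weak[1] = 64; weak[2] = 0x80; weak[67] = 1; weak[68] = 2; weak[70] = 1; weak[71] = 5;
    return check_server_dh_params(weak, sizeof weak, MIN_DH_BITS) == -2 ? 0 : 1;
}
```

Measuring the prime by its bit length rather than its byte count keeps a zero-padded short prime from passing the minimum.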


An interesting security problem now patched by Apple relates to Mobile Installation. An issue existed in the install logic for universal provisioning profile apps on the Apple Watch wearable, which allowed a collision to occur with existing bundle IDs. A malicious app could then prevent a Watch app from launching.

Certificate trust policy problems, memory corruption flaws, buffer overflow vulnerabilities and a host of WebKit, kernel and CoreText flaws were also patched in the latest iOS update.

As for OS X Yosemite 10.10.4 and the latest 2015-005 security update, Apple's security advisory details the same patches for a number of issues -- as well as a swathe of additional vulnerabilities.

An interesting flaw reported by Google Project Zero's Ian Beer relates to the NVIDIA graphics driver used by Apple. An out-of-bounds write issue which may allow malicious applications to execute arbitrary code with system privileges was patched through improved bounds checking.

User authentication exploits, remote code execution flaws, Apache compatibility issues, CoreText problems and multiple buffer overflow vulnerabilities were also addressed.

Both updates also addressed Certificate Trust Policy problems. An intermediate certificate was incorrectly issued by the certificate authority CNNIC, which could allow for the interception of network traffic.

FireEye, Yahoo Pentest and Google Project Zero were some of the research teams which submitted vulnerabilities for review to Apple.
