Apple releases security fixes for iOS, OS X, Safari and Apple TV

One of the bugs fixed in iOS and Apple TV was first reported a year ago and fixed in OS X in May of this year.

Apple has released new versions of iOS, OS X, Safari and Apple TV, and disclosed the vulnerabilities fixed in those new versions. A total of 60 unique vulnerabilities are addressed in the products. As is common with Apple, some of the vulnerabilities are quite old.

iOS 7.1.2 fixes 44 vulnerabilities in the previous version. These include two lock screen bugs and two which could allow bypass of Find My iPhone and Activation Lock, the new anti-theft measures. The new version also adds encryption of attachments in the Mail app, a problem first reported two months ago. The usual long list of WebKit bugs is fixed and the list of trusted root certificates was updated.

OS X Mavericks v10.9.4 and Security Update 2014-003 fix 19 vulnerabilities in earlier versions. Several privilege escalation bugs are listed here; in combination with an arbitrary code execution bug, which is also readily available, an attacker could take complete control of the system.

Safari 6.1.5 and Safari 7.0.5 fix 12 vulnerabilities in earlier versions. The most interesting is CVE-2014-1345, by which an attacker could spoof the domain name in the address bar, an excellent phishing tool. Nearly all of these bugs were also patched in iOS, of which Safari is considered an integral part.

Finally, Apple TV 6.1.2 fixes 35 vulnerabilities in earlier versions, many of them the same as those fixed in OS X and iOS.

Apple is famous for taking a long time to patch disclosed vulnerabilities. The oldest in this batch, CVE-2013-2875 (an SVG bug in Safari on iOS), was first fixed by Google in Chrome almost a year ago and was patched by Apple in Safari on OS X in May. CVE-2013-2927 is similar, although not quite as old. Finally, an authentication bug in cURL, fixed by the authors in January, was just fixed in the OS X version.

Apple credits several outside researchers for reporting these vulnerabilities. Various teams and individuals at Google are credited for 18 of the 60 vulnerabilities.