apple · ios 11 · mac os x · security · update

Apple Issues ‘Meltdown’ and ‘Spectre’ Patches for iOS, macOS, Safari

Today, Apple posted a set of updates designed to patch recently reported vulnerabilities found in Intel and ARM CPUs. These are very important security updates. You should install them as soon as you can.

Apple Software Updates

Ready for your downloading and installing pleasure are:
* iOS 11.2.2 for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
* macOS High Sierra 10.13.2 Supplemental Update
* Safari 11.0.2 for OS X El Capitan 10.11.6 and macOS Sierra 10.12.6

The Apple support website always links to the latest security patch updates.

The Short Story

The vulnerability, which impacts all modern Intel and ARM CPUs, can be found in just about every PC, smartphone, and tablet on sale. Microsoft Windows, Linux distributions, and hardware vendors all need to release patches to prevent the “Meltdown” and “Spectre” vulnerabilities from being exploited and granting cyber-attackers access to highly sensitive data that is held in a computer’s protected memory space.

Confused about all of these processor vulnerabilities and patches? It’s totally understandable. If you really want to understand what’s going on, check out Rene Ritchie’s excellent Meltdown and Spectre FAQ at iMore.com.

 

airport · apple · ios · mac os x · security · tvos · watchos

With a Pair of AirPort Updates, Apple Completes Wi-Fi Vulnerability Patching

On December 12, Apple released a pair of AirPort firmware updates to close the WPA2 key reinstallation attack vulnerability. The vulnerability was first publicly announced in October, after vendors had been alerted to it much earlier in the year.

Apple AirPort Extreme/AirPort Time Capsule base station firmware version 7.7.9 and AirPort Express firmware 7.6.9 both include the patch that protects against the WPA2 key reinstallation attack. The Common Vulnerabilities and Exposures (CVE) numbers that these patches address are CVE-2017-9417, CVE-2017-13077, CVE-2017-13078, and CVE-2017-13080.

The AirPort firmware updates can be applied using the iOS AirPort Utility, available for free from the Apple iOS App Store. If you have an Apple AirPort running in your home or office, you need to update it right away to close this serious vulnerability.

About this time last year, I wrote about my doubling-down on Apple AirPort hardware in the face of media reports (aka: rumors) that Apple had abandoned the AirPort product line. I still hold that there are much better Wi-Fi solutions available today, even for die-hard Apple fans like us. The Wirecutter (https://thewirecutter.com/reviews/best-wi-fi-mesh-networking-kits/) has a very good review of mesh network Wi-Fi devices from vendors such as Eero and Netgear. You really should be running them over Apple’s AirPort at this point. Still, despite Apple reportedly walking away from AirPort, as a customer, I am glad that Apple took on the task of releasing a pair of security updates for the aging devices. It seems only fair to customers, since Apple is still selling the AirPort hardware online and in retail stores.

What About My Other Apple Gear?

Apple updated iOS 11, macOS, watchOS, and tvOS back in October. If you are running iOS 11.1, watchOS 4.1, tvOS 11.1, or the latest versions of macOS High Sierra 10.13, Sierra 10.12, or El Capitan 10.11, you have already installed the WPA2 patch. Use the Software Update feature of these operating systems to verify that you are up-to-date or install the latest software releases if need be.

If you are still running macOS/OS X Mavericks 10.10, you should consider upgrading to High Sierra to gain the WPA2 patch. Mavericks and earlier versions of macOS will not be patched.

What About Everything Else?

The WPA2 key reinstallation vulnerability is not a flaw or vulnerability that is specific to Apple hardware and software. It is a flaw in the WPA2 system itself. Thankfully, the flaw can be fixed with software. What that means, though, is that to improve your chances of being protected against attacks using the WPA2 vulnerability, you must patch all of your Wi-Fi equipment, including routers/modems, smart devices (e.g., light bulbs, switches, and cameras), TVs, Blu-ray players, and gaming consoles.

Learning More About the WPA2 Vulnerability

To learn more about the KRACK WPA2 key reinstallation vulnerability, and to see just how catastrophic the vulnerability can be, see Mathy Vanhoef’s summary website and Krebs’ What You Should Know About the ‘KRACK’ WiFi Security Weakness blog post.

 

apple · mac · security

Apple Issues Security Update for ‘root’ Vulnerability

Yesterday, an unusually dangerous security vulnerability in macOS 10.13.1 High Sierra was uncovered. Less than 24 hours later, Apple has issued a patch to correct the situation. The vulnerability allowed access to the Unix ‘root’ account – the most powerful ID on a Unix system – without the use of a password.

Apple support article HT208315 gives you the specifics about this vulnerability.  If you haven’t already done so, go to the Mac App Store and install Security Update 2017-001.  It is a small update that does not require the Mac to be rebooted.

John Gruber over at Daring Fireball received a statement from Apple stating the company’s regret and apology for rolling out High Sierra 10.13.1 with this bug in it.  The statement to Daring Fireball also noted that “starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.”

It was later reported, again by Gruber, that the Security Update 2017-001 patch inadvertently breaks file sharing in macOS High Sierra.  If you experience the post Security Update 2017-001 file sharing bug, Apple has posted support article HT208317 on how to fix file sharing.  To apply the file sharing bug fix, open Terminal.app and issue the command:

sudo /usr/libexec/configureLocalKDC

There is no output from the command.  When you are done, quit Terminal.

apple · ios 9 · iphone 6 plus · iphone 6s · security

The Curious Case of the iOS 9.3.1 "Hey, Siri" Contacts, Photos Vulnerability

Late last night, my father, of all people, tipped me off to a story making the rounds on the Internet about a security vulnerability with an iPhone 6s or iPhone 6s Plus running iOS 9.3.1. The reported vulnerability allowed a malicious user to bypass the iPhone’s lock screen using the hands-free “Hey, Siri” command. When successfully executed, an attacker would be able to see all of the contacts and photos on the device.

Quartz has an article up on their site that starts off with:

“You might want to wait before downloading the latest version of Apple’s operating system for iPhones.

If you own an iPhone 6S or 6S Plus and have upgraded to iOS 9.3.1, other people can access your contacts and photos without entering a passcode to unlock the phone. It’s an elaborate and finicky but nonetheless startling loophole.”

With my iPhone 6s Plus unlocked and running iOS 9.3.1, the “finicky” exploit worked. However, if I repeated the process with my iPhone locked, the attack was stopped dead in its tracks.

This morning, when I tried to reproduce the attack, I received a notice from Siri that I needed to unlock my iPhone first. I made this short video that was posted to YouTube this afternoon.

Oddly, the security settings that AppleInsider.com reported as needing to be turned off to prevent the attack were still enabled on my iPhone.  Curious.

So what happened?

This afternoon, Fortune.com has an article up reporting that the Siri-related problem was corrected by Apple from Apple HQ.

“While initial reports and claims from the bug’s discoverers said that the issue was an iOS 9 glitch, it turns out it was a Siri problem. On Tuesday morning, after seeing the rash of reports on the issue, Apple issued an update to Siri fixing the problem. Therefore, users who were previously subject to the issue are now safe and do not require a software update to get the fix.”

Security and privacy conscious iPhone 6s and iPhone 6s Plus users can go back to their day without further worry.

apple · ios 8 · iphone · security · touch id

Apple To Enhance iPhone Unlock Security with iOS 8.3 [Updated]

Apple is further enhancing their iPhone unlock security with the upcoming release of iOS 8.3, which is currently in beta testing.

PIN code required when TouchID is not used to unlock the device in 48 hours

Update

My pal, and fellow 1SRC Palm Podcast host, Jeff Kirvin, has informed me that iOS requires a PIN or passcode if not used for 48 hours right now with iOS 8.2.

I hate it when he’s right.  I still think this is a good feature.

In the future, if you have not unlocked your iPhone using Touch ID in the past 48 hours, you will be required to reenter your PIN or passcode. With iOS 8.0 up to and including iOS 8.2, Apple only required that you enter your PIN or passcode after restarting your iPhone.

The above screen appeared after I left my iPhone 5S running a beta version of iOS 8.3 at home for two days.

I think that while this may generate a few help desk calls when iOS 8.3 is deployed to corporate iOS devices that get left at work or unused over the weekend, it is a really good move for people who may accidentally lose their device.

Apple has not announced when iOS 8.3 will ship. The pre-release software is being tested by registered developers (a $99 annual fee is required to join the program) and by select members of the iOS and OS X public beta testers.

Some bloggers believe that iOS 8.3 will ship next month at about the same time the Apple Watch is released.

adobe · flash · linux · security · windows

Upgrade to Adobe Flash Player 14.0.125 Now

Adobe has issued a security bulletin urging Flash users to upgrade to the latest release, version 14.0.125. Windows PCs, Macs, and machines running Linux with unpatched versions of Flash are exposed to vulnerabilities that could allow an attacker to take control of the computer.

“Adobe has released security updates for Adobe Flash Player 13.0.0.214 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.359 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions[.]”

You can download the latest version of Adobe Flash Player for your Windows PC, Macintosh, or Linux machine from the Adobe Flash Player download website.

Today’s full APSB14-16 security bulletin can be read on the Adobe website.

security · target

Target Had Warning of Security Risks

A new article by The Wall Street Journal says that officials at Target were made aware of the potential security risks that led to the November 27 – December 18 attack last year.

“Target Corp.’s computer security staff raised concerns about vulnerabilities in the retailer’s payment card system at least two months before hackers stole 40 million credit and debit card numbers from its servers, people familiar with the matter said.”

In Target’s defense, the Journal also reports:

“The sheer volume of warnings that retailers receive makes it hard to know which to take seriously. Target has an extensive cybersecurity intelligence team, which sees numerous threats each week and could prioritize only so many issues at its monthly steering committee meetings, the former employee said.”

As an IT professional, I find a report like this to be disappointing. It’s a constant battle between setting business objectives and setting priorities and “good housekeeping” such as installing infrastructure and security upgrades and patches. Sometimes those priorities get muddy.

As a Target customer who had their personal data stolen in the breach, I’m more than annoyed to learn that the situation was preventable. It is also my opinion that most of these types of breaches are preventable with frequent software updates.

I think security breaches, both large and small, along with the ever-growing data stockpile that companies are amassing about their customers is a growing concern for customers and IT departments alike. We all know that our online habits are being tracked and that companies are collecting an amazing amount of personal data about who we are so that this information can be used to either make more money from you with targeted advertising or by selling the collected information to third-parties.

While I don’t think that personal data collection will go away anytime soon, if ever, I would hope that as a society, we put new laws and limits on what businesses and clearing houses can do with the data they collect about us.

Click the source link below to read the full article online (login required).

[Via WSJ.com…]