Apple Releases Series of Patches for All Operating Systems
If you haven’t updated your Apple devices in the past month, now would be a good time. On May 16th, Apple unveiled security patches for not just one of its operating systems, but for all of them. The patches represented the first across-the-board updates that Apple has released for its operating systems since March 21st.
These patches apply to OS X El Capitan and iOS, as well as to the Apple Watch operating system (watchOS) and the Apple TV operating system (tvOS). In addition to these operating system fixes, Apple also unveiled a new version of iTunes for Windows (iTunes 12.4, available for Windows 7 and later) and a new version of Safari (version 9.1.1, available for OS X Mavericks, Yosemite, and El Capitan).
According to Threatpost, Apple’s roundup of patches included 67 different patches for OS X. The update, OS X El Capitan v10.11.5, fixed 25 different code execution vulnerabilities and six vulnerabilities related to application termination.
The DROWN Vulnerability
The most significant of the fixes, per the Threatpost report, saw Apple rectifying what is known as the “DROWN” vulnerability. This particular patch is the biggest reason to update to the latest version of OS X El Capitan.
DROWN was discovered in early March when a Johns Hopkins University professor and cryptographer revealed a problem affecting Transport Layer Security (TLS) and Secure Sockets Layer (SSL). Unlike many of the issues that Apple has patched in this latest round of updates, DROWN wasn’t isolated to Apple machines. Rather, the vulnerability applied (and continues to apply) to the internet as a whole. The DROWN vulnerability is an HTTPS problem that made it possible for hackers to break TLS and SSL encryption and steal information from users accessing HTTPS services.
Originally, web security experts estimated that DROWN affected about a third of all HTTPS servers. Researchers also warned that users trying to access the vulnerable servers could be opening themselves up to password theft and loss of other sensitive data like credit card numbers, bank account information, and more. Apple says that this particular “protocol security issue was addressed by disabling SSLv2.”
In any case, avoiding the possibility of a DROWN attack is reason enough to download and install Apple’s latest update for El Capitan. The iOS, watchOS, and tvOS updates also patch vulnerabilities that could have led to code execution or information leakage. In other words, while you’re at it with the OS X v10.11.5 update, you might as well update your other Apple device operating systems too.
Sources:
https://support.apple.com/en-us/HT201222
https://threatpost.com/apple-patches-drown-lockscreen-bypass-vulnerability-with-latest-round-of-updates/118135/
https://threatpost.com/drown-flaw-exposes-33-percent-of-https-connections-to-attack/116533/
https://drownattack.com/