Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

Apple Releases Wave of Security Updates

Apple updates software for nearly every hardware platform, though one new feature almost steals the security show.

Apple has released a set of updates to its operating system across its range of hardware, from the Apple Watch to the Mac. While the updates cover a number of issues, a USB attack and its prevention may be the most important among them.

The mass release isn't unusual behavior for Apple, says Thomas Reed, director of Mac and mobile at Malwarebytes Labs. "When Apple releases these updates, they tend to release one for each of their products," Reed says. "They'll release a whole bunch of these on the same date."

Apparent from an inspection of the issues addressed in the MacOS update is that companies continue to deal with fallout from the Meltdown and Spectre vulnerabilities. On the website announcing the updates, Apple describes one vulnerability in which " ... one process may infer register values of other processes through a speculative execution side channel that infers their value." This could be the broad description of the entire family of Meltdown vulnerabilities.

Reed describes most of the remaining updates as important but not particularly unusual. One, though, has seen a great deal of attention from analysts and law enforcement officials: USB Restricted Mode.

USB Restricted Mode is a new feature that prevents data from being downloaded from an iOS device unless the device has been unlocked within the past hour. The new restriction seems targeted against devices like the GreyLock, which law enforcement agencies have purchased and used to conduct forensic analysis on iPhones and iPads.

"Companies don't want to make things harder specifically for law enforcement, but we've seen these devices being used by bad actors or bad governments," Reed says. At the same time, he notes a limitation in the restriction: "I don't understand why they didn't just make it so you have to unlock the device every time, rather than having the one-hour limit."

That one-hour window in which data can be downloaded from the device has been seized on by analysts and journalists as a significant flaw in the protection. Oleg Afonin, who blogs at Elcomsoft.com, explains that plugging an accessory (just about any accessory, at that) into the Lightning jack during the one-hour window can easily extend the window of vulnerability indefinitely.

While Afonin's tests showed that USB Restricted Mode operates as planned in most cases – holding the ports closed through reboots and protecting the device from unauthorized data exfiltration – the ability to work around the mode with a simple accessory is a critical weakness.

Even with this limitation, Reed says that applying the updates and patches is critical for the security of all affected Apple devices. "The more important thing for people to know about the updates is just how important it is to install them," he says. And the reason is one of the paradoxical qualities of software patching.

"Just as soon as they're out there, the information on what was patched is published, and hackers have a clue about how they could hack people with the older systems," Reed explains. "It's almost like the update makes the older systems even more vulnerable."

Related Content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
johnsmith2679
50%
50%
johnsmith2679,
User Rank: Apprentice
9/17/2018 | 8:13:13 AM
Apple ID Support Number
Apple products come with a lot of security apps which encrypt the photo, videos, messages, emails, contacts, etc

In apple product, it is too difficult to break the security passwords. Its security system updated from time to time and the virus definition is also updated from time to time, For more security apple uses Apple ID for each and every single product of Apple like iPhone iPad etc. If you forget your Apple ID and if you lost your password contact to Apple ID Support Number To recover your Apple ID and Password
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Could you pass the hash, I really have to use the bathroom!
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9892
PUBLISHED: 2019-05-22
An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbit...
CVE-2019-10066
PUBLISHED: 2019-05-22
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment i...
CVE-2019-10067
PUBLISHED: 2019-05-22
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context...
CVE-2019-6513
PUBLISHED: 2019-05-21
An issue was discovered in WSO2 API Manager 2.6.0. It is possible for a logged-in user to upload, as API documentation, any type of file by changing the extension to an allowed one.
CVE-2019-12270
PUBLISHED: 2019-05-21
OpenText Brava! Enterprise and Brava! Server 7.5 through 16.4 configure excessive permissions by default on Windows. During installation, a displaylistcache file share is created on the Windows server with full read and write permissions for the Everyone group at both the NTFS and Share levels. The ...