Apple doesn’t have Patch Tuesdays, but it does have Update Surprisedays.
Wednesday 17 September 2014 was one of them.
Like Naked Security, you probably received notification of seven updates from Apple this week, spread over Wednesday, Thursday or both, depending on your timezone:
- iOS 8
- Apple TV 7
- OS X Mavericks 10.9.5 (Security Update 2014-004 for 10.7 and 10.8)
- OS X Server 3.2.1
- OS X Server 2.2.3
- Xcode (Apple’s development environment) 6.0.1
- Safari 6.2 and 7.1
Be warned – there’s a lot of updating in there: I’m a Mavericks user with Xcode and Safari, and those three updates totalled about 3.5GB.
Admittedly, I like to go for Apple’s OS X Combo updates when I can, which for OS X 10.9.5 includes all the files needed to update from any 10.9.x version, including the original 10.9 release.
The Combo updates are much larger (982MB this time, instead of 275MB for the package that can only update you from OS X 10.9.4), because they include files that were already part of previous point releases.
Combos are a handy insurance policy against needing or wanting to reinstall OS X from scratch.
You can go from an original OS X 10.9 installer straight to the latest-and-greatest version without having to apply and reboot into all the intermediate point releases along the way.
The updates for iOS and OS X differ inasmuch as they are pitched for features and security respectively:
That’s not surprising, because iOS 8 isn’t just a point release, but a major new operating system version.
Nevertheless, plenty of the security patches in OS X 10.9.5 are also part of iOS 8.
Even if you don’t want the new features in iOS (and there really are hundreds of them, from Camera to Siri and from a new Health App to slicker sharing on iCloud) you’re well advised to take the update for the security fixes alone.
The list of bugs isn’t so much an attractive reason to move forward as a compelling, almost disconcerting, reason not to lag behind.
More than 40 separate vulnerabilities have been fixed, covered by 55 CVEs; 10 of these could allow remote code execution, including 3 inside the kernel.
In fact, there is something of a laundry list (or a vulnerability glossary) of holes fixed, including:
- Remote code execution.
- Remote code execution in the kernel.
- Lock screen bugs allowing access to a supposedly-locked device.
- Information disclosure allowing address randomisation to be bypassed.
- Code execution risks due to booby-trapped PDF files.
- Deleted files never actually removed.
- Sensitive information written into system logs.
- Incorrectly-implemented address book encryption.
- Use of deprecated and insecure Wi-Fi authentication.
- Passwords leaked by Safari’s password manager.
New iOS Wi-Fi security
Happily, one of the “bugs” that was “patched” was to fix security holes in other people’s behaviour.
As we wrote back in June 2014, Apple decided to stop its iDevices giving you away automatically to any Wi-Fi access point you walked past.
If your phone is looking for an access point to connect to, it transmits its Media Access Code (MAC) address in every packet it sends out over Wi-Fi.
The MAC is a unique string of six bytes programmed into your network card; although it doesn’t necessarily identify you, it does tell an establishment like a shopping mall or a department store that the same person who just bought cotton trousers in Menswear is now browsing near the organic yoghurt section in the Food department.
Marketers love that sort of information, not least because it can be harvested without you realising, even if you never actually connect to any of the access points dotted around the store.
So, in iOS 8, the operating system uses random, made-up MAC addresses when searching for access points, switching to your real hardware identifier only when you actually decide to connect.
→ Apple will still know where you are, of course, and can use that information to target you with ads. But your relationship with Apple is much clearer cut, because you have already chosen an Apple device running Apple’s software.
Similar fixes in OS X
As we mentioned above, many of the iOS patches are also in the OS X Mavericks 10.9.5 update, because OS X and iOS share a great deal of source code.
→ Some of the iOS fixes don’t apply, of course – OS X doesn’t have the iPhone’s lock screen code, for example.
By the way, one important aspect of this batch of updates, if you have both OS X and iOS computers, is that the Safari update for Macs is delivered separately.
In contrast, the latest version of Safari is packaged right into the iOS update.
So, if you are like me and prefer to download the Combo update for OS X and install it yourself, remember that you still need to visit Apple Menu | Software Update to get hold of Safari 7.1.
In OS X Mavericks, Software Update is orchestrated by the App Store, which is the only place you can get Safari releases these days.
The bottom line
If you are an OS X user (as mentioned above, Mavericks, Lion, Mountain Lion and OS X Server all get official fixes), you really do want this update.
There are many serious and now-known security holes that are well worth closing.
This round of fixes covers Remote Code Execution (RCE), Information Disclosure that allows attackers to bypass Address Space Layout Randomisation (ASLR), and Elevation of Privilege (EoP).
In combination, those can make a deadly cocktail for attackers who want to get into your network.
If you are an iOS user, the security reasons to update are just as compelling, and we expect that most people will grab iOS 8 right away.
Just remember, though: in Apple’s modern world view, the iOS path runs forwards only, so there’s no going back if you don’t like iOS 8, at least not easily.
We therefore encourage you to update, but if you have corporate apps that are vital to your job, we also advise you to check with your IT guys first (or with the makers of the apps if you don’t have an IT team).
If in doubt, check your apps out.
Note. Sophos Mobile Control and Sophos Cloud Mobile both support iOS 8.
You might also like:
(Audio player not working? Download to listen offline, or listen on Soundcloud.)
5 comments on “Apple ships a sevenfold security surprise, including iOS 8 and OS X 10.9.5”
Telling our users not to update to the latest version of IOS is like telling a Bee not to produce honey….they just can’t help themselves but do it.
Word of warning for iPhone 4s and iPad 2 users: these devices are now at the bottom of the supported list, and some early installers have reported significant performance differences between iOS 7 and iOS 8. There have also been reports that a clean install of iOS 8 on these devices fares better than an upgrade, but this of course necessitates you purge such things as locally stored Game Center stats.
The iPad 2 situation is interesting in that this is the device rolled out to many educational users, so there is a very large user base still using them. The up side is that any performance or usability glitches should hopefully be ironed out in short order based on voluminous feedback, and the next point release of iOS 8 should come out before too long.
So it’s a toss-up between “upgrade and get the significant security patches and security upgrades, but you can’t go back” and “stick with what you’ve got, and hope that the now-published security holes don’t make you a victim”.
As per my testing random MAC addresses are still not implemented in IOS8 as of yet.
Anyone else with an iPhone and iOS 8 willing to cross check?
Remember that the randomisation only happens *before* you connect, when your Wi-Fi card is scanning for networks. When your iPhone finds an AP with a name that matches one of your known networks, it tries to connect. At that point, your real MAC address is used. In other words, the coffee shop chain you use regularly will always know it’s you, but the shopping mall you are merely walking through will not.
Is not implemented yet. Test on a Iphone 5s with ios8 (not beta). Always real mac before and after connect.