Macs and iPhones patched – including 23 kernel-level holes

Apple’s latest batch of updates is out, including macOS Sierra 10.12.4 and iOS 10.3.

There’s also an update to Safari 10.1, installed automatically if you update Sierra, but provided as a separate download for OS X El Capitan (10.11) and OS X Yosemite (10.10), which get Security Update 2017-001 rather than a full-on point release.

Lastly, the iWork suite, consisting of Pages, Keynote and Numbers (Apple’s equivalent of Word, Powerpoint and Excel), was updated too.

The iWork updates were mainly about form and function, but also included a security patch dealing with an intriguing vulnerability, about which more later.

Importantly, the iOS and macOS updates close a number of security holes revealed at the recent Pwn2Own contest held alongside the CanSecWest conference in Vancouver, Canada.

All software on the target computer is patched immediately before the contest, so even an attack that worked fine in the lab the week before might end up stymied on competition day.

In other words, Pwn2Own isn’t just about spotting vulnerabilities that might be exploitable, but also about exploring exploitation techniques to come up with genuine zero-day security holes that will work even on properly-updated systems.

Prizes run to hundreds of thousands of dollars each.

Not everyone approves of the competitive “winner-takes-all” approach, in which vulnerabilities may be kept secret for weeks or even months until showtime arrives.

But whether you like it or not, high-stakes bug bounty contests like Pwn2Own have become part of today’s responsible disclosure scene.

The “responsibility” comes from the fact that to claim the prize, the bug finders have to give the affected vendor full details of the attack and keep those details confidential until the vendor has had time to fix the hole.

The high payout for many Pwn2Own bugs reflects that they would be similarly valuable if crooks were to find them instead, so fixes typically follow as quickly as is practicable.

The TL;DR version of this story is this: as Apple patches go, treat these as “first among equals” and make sure you get them as soon as you can.

If you wait for your turn to come around in Apple’s staggered autoupdate process, you might end up several days behind, so we recommend checking for updates manually right away.

On a Mac, click on Apple Menu | About This Mac | Software Update… and then click on the blue “update arrow” in the App Store app. On an iPhone or iPad, use Settings | General | Software Update to make sure you have the latest version. When we updated, the download sizes were about 1.5GB for macOS 10.12.4 and 650MB for iOS 10.3. As is typical for Apple security updates, a restart was required, and the update completed over a 15 to 20 minute period as part of the reboot, during which time we couldn’t use our Mac or our phone. Just so you know.
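If you would rather script the check than click through the App Store, here is an added example (our own, not from the article or from Apple) that does the same thing from a terminal. It assumes macOS, where `sw_vers` and Apple’s `softwareupdate` tool exist; the version comparison is plain POSIX sh and runs anywhere, and the state labels it prints are our own, not Apple’s.

```shell
#!/bin/sh
# Added example (not from the article): a command-line version of the manual
# update check. Assumes macOS, where `sw_vers` and Apple's `softwareupdate`
# tool exist; the version comparison is plain POSIX sh and runs anywhere, and
# the state labels printed by patch_state are our own, not Apple's.

# version_cmp A B: print "ge" if dotted version A >= B, else "lt".
# Components are compared numerically; missing components count as 0.
version_cmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    [ -n "$ah" ] || ah=0
    [ -n "$bh" ] || bh=0
    if [ "$ah" -gt "$bh" ]; then echo ge; return 0; fi
    if [ "$ah" -lt "$bh" ]; then echo lt; return 0; fi
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  echo ge
}

# patch_state VERSION: classify a product version (as printed by
# `sw_vers -productVersion`) against the releases this story covers.
patch_state() {
  case $1 in
    10.12|10.12.*)
      if [ "$(version_cmp "$1" 10.12.4)" = ge ]; then echo sierra-patched
      else echo sierra-update-needed; fi ;;
    10.11|10.11.*|10.10|10.10.*)
      # El Capitan and Yosemite got Security Update 2017-001, which leaves the
      # product version unchanged, so the version string alone cannot prove the
      # fix is present: softwareupdate -l is the authoritative check there.
      echo security-update-release ;;
    *) echo not-covered ;;
  esac
}

# On a real Mac: report the state, then ask Apple's catalog for pending updates.
if [ "$(uname -s)" = Darwin ] && command -v sw_vers >/dev/null 2>&1; then
  cur=$(sw_vers -productVersion)
  echo "macOS $cur: $(patch_state "$cur")"
  softwareupdate -l                 # list pending updates
  # sudo softwareupdate -i -a       # install everything pending (needs root)
fi
```

The comparison is written by hand because macOS `sort` has no version-aware mode, and the El Capitan/Yosemite branch deliberately refuses to say “patched”, since a security update that leaves the point release untouched cannot be verified from the version number alone.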

If you’re still not convinced about the value of getting into the patch queue as early as you can, here are some statistics from Apple’s official Mac security announcement:

65 fixes listed.
127 CVE-numbered vulnerabilities listed.
23 fixes deal with arbitrary code execution with kernel privileges.
42 system components affected, from AppleGraphicsPowerManagement to tiffutil.

Some of the vulnerabilities can be triggered by viewing booby-trapped files as diverse as images, fonts and iBooks files, all of which can be unexceptionably embedded in or linked to from otherwise innocent-looking web pages.

And if that’s not enough, consider this one.

We’ve written about Thunderbolt-related memory probing and firmware hacks before; this time the flaw could theoretically allow an attacker with physical access to your Mac to find your hard disk decryption password in memory:

Component:     EFI (macOS Sierra 10.12.3)
Impact:        A malicious Thunderbolt adapter may be able to 
               recover the FileVault 2 encryption password
Description:   An issue existed in the handling of DMA. 
               This issue was addressed by enabling VT-d in EFI.
CVE-2016-7585: Ulf Frisk (@UlfFrisk)

One way to mitigate memory-probing attacks against your Mac, or any other computer for that matter, is to shut down your computer completely instead of relying on hibernation or sleep mode. When powered off, the decryption password is lost from RAM, so there’s nothing to recover until you’ve booted up and typed the password in again. Especially if you travel a lot, when you can’t guarantee to have your computer in sight and under your own control at all times, get into the habit of doing a full shutdown instead of simply closing the lid. It requires a bit more discipline, and takes longer than simply ‘sleeping’ and ‘unsleeping’ your computer, but it’s an orderly thing to do, and breaks the risky habit of leaving loads of applications alive with interesting documents open in them.
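For readers who want to see how close their current sleep settings come to that full-shutdown posture, here is an added example (ours, not from the article) that reads the two power-management settings which decide whether the FileVault key stays resident while the lid is closed. It assumes macOS `pmset -g` output of one “key value” setting per line (the sample in the script is constructed, not captured from a real machine), and the three posture labels are our own names.

```shell
#!/bin/sh
# Added example (not from the article): report whether this Mac's sleep settings
# leave the FileVault key resident in RAM when the lid is closed. Assumes macOS
# `pmset -g` output of one " key value" setting per line; when not on a Mac the
# parser is run on a constructed sample, so the script works anywhere.

# Constructed sample of `pmset -g` output (not captured from a real machine).
SAMPLE_PMSET=' standby              1
 hibernatemode        3
 sleep                10
 DestroyFVKeyOnStandby 1
 lidwake              1'

# pmset_value TEXT KEY: print the value of KEY (case-insensitive) or "unset".
pmset_value() {
  printf '%s\n' "$1" | awk -v k="$2" '
    tolower($1) == tolower(k) { print $2; found = 1 }
    END { if (!found) print "unset" }'
}

# Classify exposure of the FileVault key during sleep, using the documented
# meaning of two pmset keys (see pmset(1)):
#   hibernatemode 0 or 3 keeps RAM powered while asleep (the key stays resident);
#   hibernatemode 25 writes RAM to disk and powers it off on sleep;
#   DestroyFVKeyOnStandby 1 discards the key on entering standby, so the
#   password must be typed again on wake.
sleep_exposure() {
  hm=$(pmset_value "$1" hibernatemode)
  dk=$(pmset_value "$1" destroyfvkeyonstandby)
  if [ "$hm" = 25 ] && [ "$dk" = 1 ]; then
    echo ram-off-and-key-destroyed       # closest to the full-shutdown posture
  elif [ "$dk" = 1 ]; then
    echo key-destroyed-after-standby     # resident until standbydelay elapses
  else
    echo key-stays-in-ram                # closing the lid does not help; shut down
  fi
}

if [ "$(uname -s)" = Darwin ] && command -v pmset >/dev/null 2>&1; then
  echo "this Mac: $(sleep_exposure "$(pmset -g)")"
else
  echo "constructed sample: $(sleep_exposure "$SAMPLE_PMSET")"
fi
# To move to the hardened posture (real pmset keys, needs root):
#   sudo pmset -a hibernatemode 25 destroyfvkeyonstandby 1
```

Even the hardened setting only takes effect once the machine actually enters standby, which is why the script reports the intermediate posture separately; a full shutdown remains the one option with no waiting period.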

Before we go…

We mentioned a security patch for iWork at the top of the article.

The iWork fix is small and simple, but nevertheless a serious reminder of how “forgotten history” can come back to bite us all.

According to Apple, the password protection feature in the Export To PDF… option of the Numbers, Pages and Keynote apps could sometimes leave you with a 40-bit RC4-encrypted file, instead of the 128-bit AES encryption that today’s encrypted PDFs are expected to use.
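If you have a folder of exported PDFs and want to know which of them got the weak setting, the encryption dictionary tells you without decrypting anything. The following is an added example (ours, not from the article or from Apple) that follows the trailer’s /Encrypt reference and reads the /V, /Length and /CFM entries defined by the PDF standard security handler; the sample files it builds are constructed fragments, not real iWork output.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): triage which encryption a
# PDF's standard security handler declares, so weakly encrypted exports can be
# found. It follows the trailer's /Encrypt reference to the encryption
# dictionary and reads its /V, /Length and /CFM entries as defined in the PDF
# spec; nothing is decrypted. The sample files built below are constructed
# fragments, not real iWork output.

# Print the encryption dictionary of the flattened PDF text in $1, or nothing.
encrypt_dict() {
  printf '%s' "$1" | awk '{
    # Indirect form: "/Encrypt 9 0 R" -> find "9 0 obj ... endobj".
    if (match($0, /\/Encrypt[ ]+[0-9]+[ ]+[0-9]+[ ]+R/)) {
      ref = substr($0, RSTART + 8, RLENGTH - 8)
      sub(/^[ ]+/, "", ref); sub(/[ ]+R$/, "", ref)
      if (match($0, "(^|[^0-9])" ref "[ ]+obj")) {
        body = substr($0, RSTART)
        stop = index(body, "endobj")
        if (stop > 0) body = substr(body, 1, stop - 1)
        print body; exit
      }
    }
    # Direct form: "/Encrypt << ... >>" inside the trailer (window heuristic).
    if (match($0, /\/Encrypt[ ]*<</)) { print substr($0, RSTART, 1200); exit }
  }'
}

# pdf_encryption_kind FILE -> none | rc4-40 | rc4-<bits> | aes-128 | aes-256 | unknown
pdf_encryption_kind() {
  # Flatten to one printable line; the /Encrypt dictionary is never inside a
  # compressed object stream, so it is always visible this way.
  text=$(LC_ALL=C tr -c '[:print:]' ' ' < "$1")
  dict=$(encrypt_dict "$text")
  [ -n "$dict" ] || { echo none; return 0; }
  v=$(printf '%s' "$dict" | LC_ALL=C grep -o -E '/V[ ]+[0-9]+' | head -n 1 | tr -dc '0-9')
  len=$(printf '%s' "$dict" | LC_ALL=C grep -o -E '/Length[ ]+[0-9]+' | head -n 1 | tr -dc '0-9')
  case "$v" in
    1) echo rc4-40 ;;                       # fixed 40-bit RC4: the weak case in the iWork bug
    2) echo "rc4-${len:-40}" ;;             # RC4 with /Length bits (40..128)
    4) case "$dict" in                      # crypt filters (PDF 1.5): look at /CFM
         *"/AESV2"*) echo aes-128 ;;
         *"/V2"*)    echo "rc4-${len:-128}" ;;
         *)          echo unknown ;;
       esac ;;
    5) case "$dict" in *"/AESV3"*) echo aes-256 ;; *) echo unknown ;; esac ;;
    *) echo unknown ;;
  esac
}

# Build a constructed file with a minimal trailer and the given encryption
# dictionary body ("" for an unencrypted file). Enough structure for the
# triage above, not a valid PDF; the unrelated stream /Length shows that
# only the encryption dictionary's own entries are consulted.
make_sample() {
  {
    printf '%s\n' '%PDF-1.6' '1 0 obj << /Type /Catalog >> endobj'
    printf '%s\n' '2 0 obj << /Length 44 >> stream' 'BT (hello) Tj ET' 'endstream endobj'
    if [ -n "$2" ]; then
      printf '9 0 obj\n<< %s >>\nendobj\n' "$2"
      printf '%s\n' 'trailer << /Root 1 0 R /Encrypt 9 0 R >>'
    else
      printf '%s\n' 'trailer << /Root 1 0 R >>'
    fi
    printf '%s\n' '%%EOF'
  } > "$1"
}

# classify_sample DICT_BODY -> kind, using a temporary constructed file.
classify_sample() {
  f=$(mktemp) || return 1
  make_sample "$f" "$1"
  pdf_encryption_kind "$f"
  rm -f "$f"
}

RC4_40='/Filter /Standard /V 1 /R 2 /Length 40 /P -3904 /O <00> /U <00>'
AES_128='/Filter /Standard /V 4 /R 4 /Length 128 /CF << /StdCF << /CFM /AESV2 /Length 16 >> >> /StmF /StdCF /StrF /StdCF'

if [ "$#" -gt 0 ]; then
  for f in "$@"; do printf '%s: %s\n' "$f" "$(pdf_encryption_kind "$f")"; done
else
  printf 'constructed 40-bit RC4 sample: %s\n' "$(classify_sample "$RC4_40")"
  printf 'constructed AES-128 sample:    %s\n' "$(classify_sample "$AES_128")"
fi
```

Run it as `sh triage.sh *.pdf` to list each file’s declared algorithm; anything reported as rc4-40 is a file the fixed iWork would have written with AES-128 instead. Note that /V 1 files carry no usable /Length at all, which is why a 40-bit result does not depend on that entry.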

We’re guessing that this was a long-forgotten hangover from the days when the US regulated cryptographic exports as if they were munitions, requiring export versions of US software to use carefully weakened encryption versions so that US intelligence typically could crack selected files, but less well-funded adversaries couldn’t quite.

Of course, 40-bit keys that were “just about” crackable by the NSA 20 years ago are crackable by everyday computer hardware now…

…a reminder, given that the UK government this week called for deliberate cutbacks to the encryption strength used by services such as WhatsApp, that you can’t strengthen security by weakening it.