Apple iOS 9 Update Fixes Lock Screen Security Flaw
To exploit the flaw, an attacker would need physical access to the device, enter an incorrect PIN several times, and then activate the Siri personal voice assistant. The hacker would then be able to access any contacts or photos stored on the device.
The vulnerability, which affects iPhone 4s and later, iPod touch 5th generation and later, and iPad 2 and later, has been addressed in the iOS 9.0.2 update, available for download now. Apple also released fixes for problems with iCloud backups, iMessage activation issues, and a problem with cellular data settings.
OS X Gets Some Much-Needed Patches
Flaws in iOS weren’t the only ones Apple addressed this week. The company also released the latest version of its laptop and desktop operating system, OS X El Capitan 10.11. Among the many new features included in El Capitan are a number of patches for security vulnerabilities that had been present in previous versions.
The list of security flaws fixed in the latest version of OS X is, well, huge and includes fixes for a number of potentially serious vulnerabilities, according to Apple’s security support page. The updated version is available for download now and users are encouraged to upgrade as soon as possible to protect their machines.
For example, multiple flaws exist in PHP versions prior to 5.5.27 that would allow an attacker to remotely execute code on a target machine. El Capitan comes with an upgraded version of PHP to address the issue. The bash Unix shell also contained a number of vulnerabilities that were fixed with security patches.
Protecting System Integrity
Other patches included in the upgraded OS were aimed at addressing privacy concerns and safe Web browsing. One flaw allowed malicious Web sites to track the behaviors of Safari users, even while in “private” mode. Another allowed a Web proxy to install malicious cookies for a Web site.
Apple also patched a security flaw that allowed attackers to decrypt private information to gain access to sensitive financial data sent through TLS-protected Web sites. The exploit worked by blocking TLS 1.0, forcing the system to fall back to the less secure SSL 3.0. Apple addressed the issue by removing the option of falling back to SSL encryption.
Besides patches and updates, El Capitan also comes with a new security feature called System Integrity Protection. The security measure seeks to block the sorts of attacks that exploit the amount of power available to someone with root access. System Integrity Protection will even prevent someone with administrator access from making changes to processes and directories that could compromise system security.