Apple patches security flaws with new versions of iOS, OS X

The updates fix flaws that would allow both remote code execution and man-in-the-middle attacks to occur.

Charlie Osborne Contributing Writer
Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.

Apple has packed patches for dozens of security flaws into the new versions of its iOS and OS X operating systems.

The company noted Tuesday in a security advisory that just-released version 8.4 of the iOS mobile operating system contains more than 20 fixes for vulnerabilities that could lead to remote code execution, application termination and the interception of encrypted traffic, among other issues.

Within the updates, the iPad and iPhone maker has tackled the Logjam flaw, a cryptographic weakness in algorithms used by the Diffie-Hellman key exchange, which is a popular way for Internet protocols to agree on shared encryption keys and create secure communication channels. Because of this weakness, tens of thousands of HTTPS websites and servers were vulnerable to eavesdropping and the interception of secure communication, which in turn could lead to man-in-the-middle attacks.

Certificate trust policy problems, memory corruption flaws, buffer overflow vulnerabilities and a host of WebKit, kernel and CoreText flaws were also patched in the latest iOS update.

At least one of the problems affected the Apple Watch directly. An issue existed in the install logic for universal provisioning profile apps on the wearable, which in turn created a collision with existing bundle IDs. A malicious app could use this issue to prevent a Watch app from launching.

As for OS X Yosemite 10.10.4, a security advisory details the same patches for a number of issues -- as well as a swathe of additional vulnerabilities such as user authentication exploits, remote code execution flaws, Apache compatibility issues, CoreText problems and buffer overflow vulnerabilities.

Both updates also addressed Certificate Trust Policy problems. The certificate authority CNNIC had incorrectly issued an intermediate certificate that could allow for the interception of network traffic.

This story was originally published as "Apple patches dozens of security flaws in iOS 8.4, OS X 10.10.4" on ZDNet.