The May 2017 Apple Security Update Review
May 16, 2017 | Dustin ChildsOthers may be looking deeply into the latest ransomware attack, but while that is occurring, the regularly scheduled updates continue. As we did earlier with Adobe and Microsoft updates, let’s take a closer look at the latest security releases from Apple for the month of May 2017.
This month Apple released seven updates addressing 66 unique CVEs in macOS, iOS, watchOS, tvOS, iTunes for Windows, Safari, and iCloud for Windows. Of these 66 bugs, 35 percent were submitted to Apple via the ZDI program.
Many of the bugs patched with these updates should be considered critical as they could allow remote code execution. As with many Apple updates, CVEs are spread across multiple patches. To help better visualize which CVEs are attached to which products, refer to the following table:
| iOS | macOS | Safari | tvOS | watchOS | iCloud | iTunes |
| CVE-2017-2494 | ||||||
| CVE-2017-2495 | CVE-2017-2495 | |||||
| CVE-2017-2496 | CVE-2017-2496 | |||||
| CVE-2017-2497 | CVE-2017-2497 | |||||
| CVE-2017-2498 | ||||||
| CVE-2017-2499 | CVE-2017-2499 | CVE-2017-2499 | ||||
| CVE-2017-2500 | ||||||
| CVE-2017-2501 | CVE-2017-2501 | CVE-2017-2501 | CVE-2017-2501 | |||
| CVE-2017-2502 | CVE-2017-2502 | CVE-2017-2502 | CVE-2017-2502 | |||
| CVE-2017-2503 | ||||||
| CVE-2017-2504 | CVE-2017-2504 | CVE-2017-2504 | ||||
| CVE-2017-2505 | CVE-2017-2505 | CVE-2017-2505 | ||||
| CVE-2017-2506 | CVE-2017-2506 | |||||
| CVE-2017-2507 | CVE-2017-2507 | CVE-2017-2507 | CVE-2017-2507 | |||
| CVE-2017-2508 | CVE-2017-2508 | |||||
| CVE-2017-2509 | ||||||
| CVE-2017-2510 | CVE-2017-2510 | |||||
| CVE-2017-2511 | ||||||
| CVE-2017-2512 | ||||||
| CVE-2017-2513 | CVE-2017-2513 | CVE-2017-2513 | CVE-2017-2513 | |||
| CVE-2017-2514 | CVE-2017-2514 | |||||
| CVE-2017-2515 | CVE-2017-2515 | CVE-2017-2515 | ||||
| CVE-2017-2516 | ||||||
| CVE-2017-2518 | CVE-2017-2518 | CVE-2017-2518 | CVE-2017-2518 | |||
| CVE-2017-2519 | CVE-2017-2519 | CVE-2017-2519 | CVE-2017-2519 | |||
| CVE-2017-2520 | CVE-2017-2520 | CVE-2017-2520 | CVE-2017-2520 | |||
| CVE-2017-2521 | CVE-2017-2521 | CVE-2017-2521 | CVE-2017-2521 | |||
| CVE-2017-2524 | CVE-2017-2524 | CVE-2017-2524 | CVE-2017-2524 | |||
| CVE-2017-2525 | CVE-2017-2525 | CVE-2017-2525 | ||||
| CVE-2017-2526 | CVE-2017-2526 | |||||
| CVE-2017-2527 | ||||||
| CVE-2017-2528 | CVE-2017-2528 | |||||
| CVE-2017-2530 | CVE-2017-2530 | CVE-2017-2530 | CVE-2017-2530 | |||
| CVE-2017-2531 | CVE-2017-2531 | CVE-2017-2531 | ||||
| CVE-2017-2533 | ||||||
| CVE-2017-2534 | ||||||
| CVE-2017-2535 | ||||||
| CVE-2017-2536 | CVE-2017-2536 | CVE-2017-2536 | ||||
| CVE-2017-2537 | ||||||
| CVE-2017-2538 | CVE-2017-2538 | |||||
| CVE-2017-2539 | CVE-2017-2539 | |||||
| CVE-2017-2540 | ||||||
| CVE-2017-2541 | ||||||
| CVE-2017-2542 | ||||||
| CVE-2017-2543 | ||||||
| CVE-2017-2544 | CVE-2017-2544 | |||||
| CVE-2017-2545 | ||||||
| CVE-2017-2546 | ||||||
| CVE-2017-2547 | CVE-2017-2547 | |||||
| CVE-2017-2548 | ||||||
| CVE-2017-2549 | CVE-2017-2549 | CVE-2017-2549 | ||||
| CVE-2017-6977 | ||||||
| CVE-2017-6978 | ||||||
| CVE-2017-6979 | CVE-2017-6979 | CVE-2017-6979 | CVE-2017-6979 | |||
| CVE-2017-6980 | CVE-2017-6980 | CVE-2017-6980 | ||||
| CVE-2017-6981 | CVE-2017-6981 | |||||
| CVE-2017-6982 | ||||||
| CVE-2017-6983 | CVE-2017-6983 | |||||
| CVE-2017-6984 | CVE-2017-6984 | CVE-2017-6984 | CVE-2017-6984 | |||
| CVE-2017-6985 | ||||||
| CVE-2017-6986 | ||||||
| CVE-2017-6987 | CVE-2017-6987 | CVE-2017-6987 | CVE-2017-6987 | |||
| CVE-2017-6988 | ||||||
| CVE-2017-6989 | CVE-2017-6989 | CVE-2017-6989 | ||||
| CVE-2017-6990 | ||||||
| CVE-2017-6991 | CVE-2017-6991 |
Let’s take a closer look at each of the seven updates.
· macOS Sierra 10.12.5: Security Update 2017-002 El Capitan and Security Update 2017-002 Yosemite address 37 different CVEs. Included are several bug fixes in the kernel, which will likely require a restart once applied. Several of these issues – primarily sandbox escapes – were initially disclosed during the Pwn2Own contest earlier this year.
· iOS 10.3.2: This release addresses 41 total CVEs. The update includes several different fixes for WebKit, which of course also show up in the Safari update too. The most severe of these bugs could allow the processing of maliciously crafted web content to allow arbitrary code execution. Also included in the iOS fixes are updates to the certificate trust policy. According to the write-up, there was a validation issue in the handling of untrusted certificates. Similar issues on other platforms allowed malware to appear as legitimate software.
· watchOS 3.2.2: This addresses 12 different CVEs. All of these CVEs are shared with either the iOS update, the macOS update, or both. There are a few shared with tvOS, as well.
· tvOS 10.2.1: The patch addresses 23 CVEs. As with the watchOS update, there are no unique CVEs fixed by this patch. In addition to sharing bugs with the other OSes, the tvOS also has CVEs in common with the patch for Safari.
· Safari 10.1.1: While fixing 26 CVEs, this patch is similar to what is seen in the iOS update, the most severe issues are WebKit bugs that could allow remote code execution.
· iCloud for Windows 6.2.1: The update addresses a single CVE in WebKit that could allow arbitrary code execution.
· iTunes 12.6.1 for Windows: This patch also addresses a single CVE in WebKit that could allow arbitrary code execution.
And yes – these patches address a majority of the issues disclosed during the most recent Pwn2Own contest.
Apple doesn’t disclose if any of these issues are publicly known or under active attack, but as recently highlighted by real-world events, patching matters. It may not be the easiest task – especially when patches release with little fanfare. However, the consequences of not applying these updates could prove costly in the months to come.