The May 2017 Apple Security Update Review

May 16, 2017 | Dustin Childs

Others may be looking deeply into the latest ransomware attack, but while that is occurring, the regularly scheduled updates continue. As we did earlier with Adobe and Microsoft updates, let’s take a closer look at the latest security releases from Apple for the month of May 2017.

This month Apple released seven updates addressing 66 unique CVEs in macOS, iOS, watchOS, tvOS, iTunes for Windows, Safari, and iCloud for Windows. Of these 66 bugs, 35 percent were submitted to Apple via the ZDI program.

Many of the bugs patched with these updates should be considered critical as they could allow remote code execution. As with many Apple updates, CVEs are spread across multiple patches. To help better visualize which CVEs are attached to which products, refer to the following table:

iOS macOS Safari tvOS watchOS iCloud iTunes
CVE-2017-2494
CVE-2017-2495 CVE-2017-2495
CVE-2017-2496 CVE-2017-2496
CVE-2017-2497 CVE-2017-2497
CVE-2017-2498
CVE-2017-2499 CVE-2017-2499 CVE-2017-2499
CVE-2017-2500
CVE-2017-2501 CVE-2017-2501 CVE-2017-2501 CVE-2017-2501
CVE-2017-2502 CVE-2017-2502 CVE-2017-2502 CVE-2017-2502
CVE-2017-2503
CVE-2017-2504 CVE-2017-2504 CVE-2017-2504
CVE-2017-2505 CVE-2017-2505 CVE-2017-2505
CVE-2017-2506 CVE-2017-2506
CVE-2017-2507 CVE-2017-2507 CVE-2017-2507 CVE-2017-2507
CVE-2017-2508 CVE-2017-2508
CVE-2017-2509
CVE-2017-2510 CVE-2017-2510
CVE-2017-2511
CVE-2017-2512
CVE-2017-2513 CVE-2017-2513 CVE-2017-2513 CVE-2017-2513
CVE-2017-2514 CVE-2017-2514
CVE-2017-2515 CVE-2017-2515 CVE-2017-2515
CVE-2017-2516
CVE-2017-2518 CVE-2017-2518 CVE-2017-2518 CVE-2017-2518
CVE-2017-2519 CVE-2017-2519 CVE-2017-2519 CVE-2017-2519
CVE-2017-2520 CVE-2017-2520 CVE-2017-2520 CVE-2017-2520
CVE-2017-2521 CVE-2017-2521 CVE-2017-2521 CVE-2017-2521
CVE-2017-2524 CVE-2017-2524 CVE-2017-2524 CVE-2017-2524
CVE-2017-2525 CVE-2017-2525 CVE-2017-2525
CVE-2017-2526 CVE-2017-2526
CVE-2017-2527
CVE-2017-2528 CVE-2017-2528
CVE-2017-2530 CVE-2017-2530 CVE-2017-2530 CVE-2017-2530
CVE-2017-2531 CVE-2017-2531 CVE-2017-2531
CVE-2017-2533
CVE-2017-2534
CVE-2017-2535
CVE-2017-2536 CVE-2017-2536 CVE-2017-2536
CVE-2017-2537
CVE-2017-2538 CVE-2017-2538
CVE-2017-2539 CVE-2017-2539
CVE-2017-2540
CVE-2017-2541
CVE-2017-2542
CVE-2017-2543
CVE-2017-2544 CVE-2017-2544
CVE-2017-2545
CVE-2017-2546
CVE-2017-2547 CVE-2017-2547
CVE-2017-2548
CVE-2017-2549 CVE-2017-2549 CVE-2017-2549
CVE-2017-6977
CVE-2017-6978
CVE-2017-6979 CVE-2017-6979 CVE-2017-6979 CVE-2017-6979
CVE-2017-6980 CVE-2017-6980 CVE-2017-6980
CVE-2017-6981 CVE-2017-6981
CVE-2017-6982
CVE-2017-6983 CVE-2017-6983
CVE-2017-6984 CVE-2017-6984 CVE-2017-6984 CVE-2017-6984
CVE-2017-6985
CVE-2017-6986
CVE-2017-6987 CVE-2017-6987 CVE-2017-6987 CVE-2017-6987
CVE-2017-6988
CVE-2017-6989 CVE-2017-6989 CVE-2017-6989
CVE-2017-6990
CVE-2017-6991 CVE-2017-6991

Let’s take a closer look at each of the seven updates.

·      macOS Sierra 10.12.5: Security Update 2017-002 El Capitan and Security Update 2017-002 Yosemite address 37 different CVEs. Included are several bug fixes in the kernel, which will likely require a restart once applied. Several of these issues – primarily sandbox escapes – were initially disclosed during the Pwn2Own contest earlier this year.

·      iOS 10.3.2: This release addresses 41 total CVEs. The update includes several different fixes for WebKit, which of course also show up in the Safari update too. The most severe of these bugs could allow the processing of maliciously crafted web content to allow arbitrary code execution. Also included in the iOS fixes are updates to the certificate trust policy. According to the write-up, there was a validation issue in the handling of untrusted certificates. Similar issues on other platforms allowed malware to appear as legitimate software.

·      watchOS 3.2.2: This addresses 12 different CVEs. All of these CVEs are shared with either the iOS update, the macOS update, or both. There are a few shared with tvOS, as well.

·      tvOS 10.2.1: The patch addresses 23 CVEs. As with the watchOS update, there are no unique CVEs fixed by this patch. In addition to sharing bugs with the other OSes, the tvOS also has CVEs in common with the patch for Safari.

·      Safari 10.1.1: While fixing 26 CVEs, this patch is similar to what is seen in the iOS update, the most severe issues are WebKit bugs that could allow remote code execution.

·      iCloud for Windows 6.2.1: The update addresses a single CVE in WebKit that could allow arbitrary code execution.

·      iTunes 12.6.1 for Windows: This patch also addresses a single CVE in WebKit that could allow arbitrary code execution.

And yes – these patches address a majority of the issues disclosed during the most recent Pwn2Own contest.

Apple doesn’t disclose if any of these issues are publicly known or under active attack, but as recently highlighted by real-world events, patching matters. It may not be the easiest task – especially when patches release with little fanfare. However, the consequences of not applying these updates could prove costly in the months to come.