A series of software updates released by Apple address vulnerabilities in iOS, OS X, Safari, iTunes, Xcode, watchOS and OS X Server.
OS X El Capitan v10.11.1 patches 60 vulnerabilities affecting components such as SecurityAgent, Script Editor, Sandbox, OpenSSH, OpenGL, Net-SNMP, libarchive, the kernel, IOAcceleratorFamily, ImageIO, the NVIDIA graphics driver, Grand Central Dispatch, FontParser, bookmarks, Disk Images, CoreText, CoreGraphics, configd, CFNetwork, Bom, Audio, ATS, PHP, and the Accelerate Framework.
The holes El Capitan 10.11.1 plugged could end up leveraged for arbitrary code execution, denial-of-service (DoS), information disclosure, privilege elevation, overwriting arbitrary files, and bypassing restrictions.
Apple also released EFI updates for OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan 10.11 to patch a flaw that allows attackers to “exercise unused EFI functions” (CVE-2015-7035).
Corey Kallenberg, Xeno Kovah, John Butterworth, and Sam Cornwell discovered the issue.
While most of the issues patched in the latest version of OS X ended up discovered by Apple’s own security team, John Villamil of the Yahoo Pentest Team found vulnerabilities.
Researcher Luca Todesco also found three of the resolved flaws, one of which is the OS X Zero Day he released in August.
With the release of iOS 9.1, Apple fixed nearly 50 vulnerabilities. One of the issues patched in iOS and OS X is an information leakage flaw.
The latest version of Apple’s mobile operating system also resolves two vulnerabilities used by Pangu Team for jailbreaks, and a lock screen weakness that causes phone and message notifications to appear on the screen even when the option is disabled.
Since watchOS, the operating system powering the Apple Watch, is similar to iOS, some of the issues addressed in iOS 9.1 also ended up fixed in watchOS 2.0.1. The only vulnerability specific to watchOS is an Apple Pay security bug that exposes recent transaction information.
Safari 9.0.1 brings a series of WebKit fixes that could allow an attacker to execute arbitrary code by tricking the victim into visiting a malicious website. The same flaws also ended up addressed in iTunes 12.3.1 for Windows, along with three memory corruption issues found by Yahoo’s Villamil.