With the introduction of the latest iPhone release, yesterday was a big day for Apple and its fans. It was also a big day for Apple security updates, though the issue went virtually unnoticed in the frenzy that accompanies the launch of new Apple products.
While fanboys were buzzing about the merits of the new phone, Apple's security personnel quietly unloaded one of the biggest Apple software patch updates in the company's history.
Apple's iTunes 10.7 update for Windows provides patches for no fewer than 163 security vulnerabilities. All of the flaws are related to the open source WebKit rendering engine.
"The sheer number of bugs Apple fixed in this patch is almost overwhelming," said Andrew Storms, director of security operations for nCircle. "Apple is notorious for monster patches, but this one goes immediately to the top of the list."
Digging through the long list of WebKit flaws reveals that many of them have been known for some time. Apple's security advisory lists the flaws by their respective CVE (Common Vulnerabilities and Exposures) nomenclature, which identifies when the issue was first reported. As an example, the first bug listed in Apple's iTunes 10.7 patch update is CVE-2011-3016, a flaw that was first reported in 2011.
"Use-after-free vulnerability in Google Chrome before 17.0.963.56 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving counter nodes, related to a read-after-free issue," the CVE entry states.
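The advisory triage described above, as an added example that is not part of the original article: a small script that pulls the CVE identifiers out of an advisory, groups them by the year in the identifier (the year the ID was assigned, which bounds how long the issue has been public) and flags those that predate the year the patch shipped. The advisory text is constructed; CVE-2011-3016 is the entry discussed in the article, and the other identifiers are placeholders, not real CVE records.

```python
import re
from collections import Counter

# Constructed sample advisory text. CVE-2011-3016 is the entry quoted in the
# article; the remaining identifiers are placeholders made up for this example
# and do not correspond to real CVE records.
SAMPLE_ADVISORY = """
WebKit
CVE-2011-3016 : use-after-free involving counter nodes (fixed in Chrome 17)
CVE-2011-0001 : placeholder entry
CVE-2012-0001 : placeholder entry
CVE-2012-0002 : placeholder entry
CVE-2012-0002 : duplicate line; advisories sometimes repeat an identifier
"""

CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")


def extract_cves(text):
    """Return the unique CVE identifiers found in text, sorted."""
    return sorted({m.group(0) for m in CVE_RE.finditer(text)})


def cve_year(cve_id):
    """Year component of a CVE identifier: the year the ID was assigned,
    which is a lower bound on how long the issue has been public."""
    return int(CVE_RE.fullmatch(cve_id).group(1))


def patch_lag_summary(text, patch_year):
    """Group an advisory's CVEs by year and flag those assigned before the
    year the patch shipped, i.e. issues public for a year or more."""
    ids = extract_cves(text)
    by_year = Counter(cve_year(c) for c in ids)
    stale = [c for c in ids if cve_year(c) < patch_year]
    return {
        "total": len(ids),
        "by_year": dict(sorted(by_year.items())),
        "stale": stale,
    }


if __name__ == "__main__":
    report = patch_lag_summary(SAMPLE_ADVISORY, patch_year=2012)
    print(f"{report['total']} CVEs patched; by year: {report['by_year']}")
    print("public for a year or more before this patch:", report["stale"])
```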
Apple's WebKit Woes
WebKit is the underlying rendering engine used by Google Chrome and Apple's Safari Web browser, as well as iTunes. Google fixed the use-after-free issue in February with the Chrome 17 update. Apple updated the Safari Web browser for this same flaw in July with the Safari 6.0 update, yet failed to update iTunes at the same time.
"WebKit has long been a source of bugs for Apple," Storms said. "A WebKit bug was the root of the very first iPhone vulnerability, and it clearly continues to be a source of problems today."
In 2007, security researcher Charlie Miller attacked the iPhone by looking for out-of-date open source packages. Five years later, it would appear as though Apple has not learned from its past mistakes.
WebKit isn't the only technology where Apple has been slow to patch, leaving its millions of users at risk from known flaws. Apple's delay in patching known vulnerabilities has caused it considerable trouble in the recent past.
The Flashback malware that hit Macs earlier this year was an indirect result of Apple not updating to the latest version of Java. Apple has since accelerated its Java update cycle to more closely match the mainline Java release dates.
With the new iTunes update, the risk extends beyond Apple's iOS and Mac user base to the wider base of Windows PC users.
"Unfortunately, iTunes and Apple software have become a necessary evil in the enterprise," Storms said. "It’s too bad Apple continues to ignore enterprise requirements to centrally manage, secure and control their devices and software. It’s definitely not winning them any friends in the IT community."