
Critical updates for nearly all Apple devices

Published April 23rd, 2014 at 7:50 AM EDT, modified April 23rd, 2014 at 7:50 AM EDT

Yesterday, Apple released updates for nearly all their devices. Mac OS X, iOS 7, Apple TV and Apple’s AirPort Extreme and Time Capsule base stations all received updates. All users are advised to do two things immediately: 1) back up your devices, and then 2) install all available updates.

Mac OS X 10.7 and later are covered by Security Update 2014-002, which provides a number of very important fixes, including one that could allow a maliciously crafted JPEG file to cause remote code execution – in other words, a hacker could create a JPEG file that would, when opened, execute malicious code on your computer. This update also fixes an SSL bug that could allow someone on the same network to capture data that should be secured. There are some other very serious issues fixed by this update as well. Further, if you haven’t installed Safari 7.0.3 yet, you will be prompted to do that as well. You should do so, as Safari 7.0.3, released earlier this month, fixed a massive number of very serious issues.

Mac OS X 10.6 (aka Snow Leopard) did not receive any updates, yet again. This has led to further speculation that Snow Leopard is now unsupported, but Apple has not made any statements to this effect. Many of the fixes in recent security updates have fixed things that may not apply to Snow Leopard, but there have been some fixes that have seemed like they should.

In my opinion, Apple’s famous silence is not helping them here. Snow Leopard is the most recent system capable of running older PowerPC apps, which some people still need to use. Apple needs to make a public statement about the status of Snow Leopard, so that people running this older system will know for sure whether they are still protected or not. This is one of those rare moments where Apple could actually learn something from Microsoft, which announced the specific date after which Windows XP would officially become unsupported.

iOS 7.1.1 also provides some important security fixes, including a fix for the same SSL bug fixed on Mac OS X and a WebKit bug that could allow remote code execution.

The updates found in Apple TV 6.1.1 are important, but only really fix issues that could result from a malicious user on the same network as the Apple TV. I always have trouble prioritizing Apple TV updates for this reason… my wifi network is well-protected, and my location makes it very unlikely that anyone can get close enough to snoop on the network anyway. Still, for folks who have to keep an Apple TV on an unprotected wifi network, or who live in an area with greater population density (and thus may reasonably expect to have a hacker in range), this is an important update.

AirPort Base Station Firmware Update 7.7.3 doesn’t have many fixes, but one of them is for CVE-2014-0160 – the Common Vulnerabilities and Exposures code that has been assigned to the Heartbleed bug. Presumably, this means that the affected base stations were vulnerable to Heartbleed attacks, which could potentially give an attacker access to the network, or any data on the network.

Users of any of these affected devices would be well-advised to update immediately… but be sure to back up first, just in case you run into a problem.


6 Comments

  • Al says:

    Note that the AirPort Base Station Firmware Update only applies to AirPort Extreme and AirPort Time Capsule base stations with 802.11ac, and only if they have Back to My Mac or Send Diagnostics enabled. Other AirPort base stations are not impacted by this issue. Use AirPort Utility to update.

    • Thomas says:

      Yup, I missed those two little letters… that’s what comes of trying to roll out an article too early in the morning! 🙂 Thanks for the clarification.

  • Kate/bentkitty100 says:

    Wow, I am really disappointed in Apple for not talking about Snow Leopard at all. Like you said, a lot of people run SL. However, most people running a Snow Leopard machine can upgrade to Mavericks for free. I know the PowerPC issue is… an issue… but there are still alternatives for that (and in a lot of cases, those older PowerPC apps aren’t supported either and could be vulnerable).

    The bigger problem in my opinion is the lack of support for Leopard users. Leopard users CAN’T upgrade to Mavericks without upgrading to SL first, and those upgrades, unlike the Mavericks one, are not free to install legally. I mean, you could borrow an SL disk but the likelihood of a person actually having a disk is very small. A lot of users still run Leopard machines, and have never upgraded, and the fact that Apple is giving these users NO support angers me, ESPECIALLY since those machines come with both Java and Flash preinstalled.

  • xxxx says:

    Snow Leopard is most probably unsupported and will no longer receive updates.
    I am glad that someone pointed out that Apple needs to announce when they drop the support.

  • Kevin says:

    I left MS and moved to Apple when XP support dropped, but there was plenty of warning. I am surprised that Apple doesn’t do this, too. During this last update I discovered that a ‘standard’ user can download and install OS changes (from the App Store at least. No answer given when asked if the same was true at the support site) with only an Apple ID/pw needed instead of an admin user/pw. This I truly find disappointing, but a chat with support this morning confirmed this fact. It was suggested that this could be circumvented using parental controls. The only other user is an adult, but yrs of experience have shown that this person should not be allowed to make system changes, lol. Don’t care about her personal apps. She doesn’t like it if I treat her like a child, but what can I do, lol.
