Critical updates for nearly all Apple devices
Published April 23rd, 2014 at 7:50 AM EDT, modified April 23rd, 2014 at 7:50 AM EDT
Yesterday, Apple released updates for nearly all their devices. Mac OS X, iOS 7, Apple TV and Apple’s AirPort Extreme and Time Capsule base stations all received updates. All users are advised to do two things immediately: 1) back up your devices, and then 2) install all available updates.
Mac OS X 10.7 and later are covered by Security Update 2014-002, which provides a number of very important fixes, including one for a flaw that could allow a maliciously crafted JPEG file to cause remote code execution – in other words, a hacker could create a JPEG file that would, when opened, execute malicious code on your computer. This update also fixes an SSL bug that could allow someone on the same network to capture data that should be secured. There are some other very serious issues fixed by this update as well. Further, if you haven’t installed Safari 7.0.3 yet, you will be prompted to do that as well. You should do so, as Safari 7.0.3, released earlier this month, fixed a massive number of very serious issues.
Mac OS X 10.6 (aka Snow Leopard) did not receive any updates, yet again. This has led to further speculation that Snow Leopard is now unsupported, but Apple has not made any statements to this effect. Many of the fixes in recent security updates address issues that may not apply to Snow Leopard, but some of them have seemed like they should.
In my opinion, Apple’s famous silence is not helping them here. Snow Leopard is the most recent system capable of running older PowerPC apps, which some people still need to use. Apple needs to make a public statement about the status of Snow Leopard, so that people running this older system will know for sure whether they are still protected or not. This is one of those rare moments where Apple could actually learn something from Microsoft, who announced the specific date after which Windows XP would officially become unsupported.
iOS 7.1.1 also provides some important security fixes, including a fix for the same SSL bug fixed on Mac OS X and a WebKit bug that could allow remote code execution.
The updates found in Apple TV 6.1.1 are important, but only really fix issues that could result from a malicious user on the same network as the Apple TV. I always have trouble prioritizing Apple TV updates for this reason… my wifi network is well-protected, and my location makes it very unlikely that anyone can get close enough to snoop on the network anyway. Still, for folks who have to keep an Apple TV on an unprotected wifi network, or who live in an area with greater population density (and thus may reasonably expect to have a hacker in range), this is an important update.
AirPort Base Station Firmware Update 7.7.3 doesn’t have many fixes, but one of them is for CVE-2014-0160 – the Common Vulnerabilities and Exposures identifier that has been assigned to the Heartbleed bug. Presumably, this means that the affected base stations were vulnerable to Heartbleed attacks, which could potentially give an attacker access to the network, or any data on the network.
Users of any of these affected devices would be well-advised to update immediately… but be sure to back up first, just in case you run into a problem.