This Week in Security: Apple’s Mountain of Vulnerabilities, Certificates, and Privacy

Apple Goes Spelunking Through “YoCVEte” National Park and Unearths a Mountain of Vulnerabilities

macOS Sierra 10.12.4, along with security updates for El Capitan and Yosemite, was released this week alongside iOS 10.3, tvOS 10.2, and watchOS 3.2. The update for macOS (and prior OS X versions) addresses an astounding 126 CVEs and 88 CVEs for iOS.

A significant number of patched CVEs (Common Vulnerabilities and Exposures) are attributed to third-party programs bundled with macOS: the tcpdump utility is responsible for 41 CVEs on its own.

It’s interesting to note the vulnerabilities that are shared across all of Apple’s various operating systems. Vulnerabilities in WebKit and ImageIO date back to 2016 and affect all Apple operating systems (macOS, iOS, watchOS, tvOS).

As always, consumers should apply patches as they are released to protect themselves against discovered vulnerabilities. Automatic updates are a fantastic feature to make sure you’re up to date—just make sure you’re not delaying those system reboots indefinitely for updates to apply.

Certifiably Unidentifiable

Let’s Encrypt is a free certificate authority (CA) run by the Internet Security Research Group (ISRG) with an admirable mission to provide everybody with the ability to deploy HTTPS (SSL/TLS) services. Unfortunately, malicious actors are also included in the definition of ‘everybody,’ and over 14,000 certificates were issued for PayPal phishing sites.

Let’s Encrypt issues domain-validated (DV) certificates which only require the requester to prove he/she has control over a domain as opposed to extended-validation (EV) certificates which undergoes a more rigorous verification process.

At the other end of the spectrum, Google has initiated a process to deprecate certificates issued by Symantec (GeoTrust, Thawte, Verisign, and Equifax are all brands owned and operated by Symantec) due to mis-issuing 30,000 extended-validation certificates. Chrome will effectively downgrade Symantec issued EV certificates to (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Cylance Research and Intelligence Team. Read the original post at: https://threatmatrix.cylance.com/en_us/home/this-week-in-security-3-31-2017.html