![\"Apple](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2013\/01\/Apple-Security-Update-Header.png\")
<\/p>\n<\/p>\n
Yesterday Apple released macOS High Sierra, which apart from new security and privacy features also includes several security fixes. While iOS 11, Safari 11 and other updates were released a week ago, Apple had not released all of the details about the security fixes these updates included until yesterday. Now that all the details are available, it’s time to recap.<\/p>\n
A combined\u00a043 security vulnerabilities\u00a0were addressed with the macOS 10.13 upgrade, which, according to Apple’s documentation, affect OS X versions as far back as 10.8 Mountain Lion. Vulnerabilities\u00a0were addressed in Mail, Firewall, FireWire drivers and other areas of the system.<\/p>\n
Of particular importance\u00a0is a fix in Mail that allowed the sender of an email to determine the recipients IP address. Senders can put content in their emails that your Mail app is forced to download from a remote server. This will be your Mac doing so and not your Mail server that the message was routed through. Because it is your Mac loading that content, a sender can see your home or office IP address in their server logs. The IP address can then be used for port scans and other nefarious purposes.<\/p>\n
Mail has had a defense against this in the Preferences<\/strong> > Viewing<\/strong> tab, called “Load remote content in messages.” When this is turned off, Mail will only display the contents that were in the Mail message itself (text, formatting and attached files). This will prevent a sender from seeing your IP address, but it unfortunately also breaks most emails as almost everything these days is sent with remotely loaded content in it. Loading or not loading that content can be the difference between an email being readable and making sense, or not. In this case, it’s definitely a trade-off between security and usability. High Sierra fixes an issue that prevented this setting in preferences from working correctly.<\/p>\n For the full list of security issues that were addressed, have a look here<\/a>.<\/p>\n macOS High Sierra can be downloaded through the App Store<\/strong>.<\/p>\n Initially after release, the security updates documentation only listed 8 issues fixed. Later that day this was updated to list 15 and yesterday, after High Sierra was released, this was updated again to now list 62 issues addressed. Of note are the following fixes:<\/p>\n MobileBackup<\/strong> Phone<\/strong> Wi-Fi Wi-Fi Wi-Fi Location Framework As you can see, these are not minor issues. A large portion of the addressed issues were for WebKit.\u00a0Twenty-two issues in total where processing maliciously crafted web content that may lead to arbitrary code execution and universal cross site scripting.<\/p>\n The full list of security issues that were addressed can be found here<\/a>.<\/p>\n iOS 11 can be downloaded over the air by going to Settings<\/strong> > General<\/strong> > Software Update<\/strong>. You can also connect your iOS device to your Mac and let iTunes do the update for you.<\/p>\n Listed as an update that:<\/p>\n Upon release, the security update documentation only listed 3 fixed issues. After High Sierra was released, Apple updated the documentation to now reflect a total of 24 fixed issues. All but one are WebKit related and, just like iOS 11, these focused on scenarios in which\u00a0processing maliciously crafted web content may lead to arbitrary code execution and universal cross site scripting. The other issue was for the Safari App itself, which was vulnerable to address bar spoofing when visiting a maliciously crafted website.<\/p>\n The full list of security issues that were addressed can be found here<\/a>.<\/p>\n The update can be downloaded by going to the App Store <\/strong>> Updates tab<\/strong> or by downloading macOS High Sierra, which should have it included. Many of the same security issues that were addressed in iOS 11 were also addressed in watchOS 4. Twenty-three\u00a0security fixes in total were addressed with watchOS 4.<\/p>\n The full list of security issues that were addressed can be found here<\/a>.<\/p>\n watchOS 4 can be installed by connecting the watch to its charger, then on the iPhone open the Apple Watch app<\/strong> > My Watch tab<\/strong> > General<\/strong> > Software Update<\/strong>.<\/p>\n tvOS 11 focused mostly on new features, such as Home Screen Sync, Automatic Appearance Switching, support for AirPods and 4K support for the new Apple TV hardware. The security fixes in tvOS 11, 45 total, are some of the same as those covered in iOS 11.<\/p>\niOS 11<\/h3>\n
\nImpact: Backup may perform an unencrypted backup despite a requirement to perform only encrypted backups
\nDescription: A permissions issue existed. This issue was addressed with improved permission validation.<\/p>\n
\nImpact: A screenshot of secure content may be taken when locking an iOS device
\nDescription: A timing issue existed in the handling of locking. This issue was addressed by disabling screenshots while locking.<\/p>\n
\n<\/strong>Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
\nDescription: A memory corruption issue was addressed with improved memory handling.<\/p>\n
\n<\/strong>Impact: Malicious code executing on the Wi-Fi chip may be able to execute arbitrary code with kernel privileges on the application processor
\nDescription: A memory corruption issue was addressed with improved memory handling.<\/p>\n
\n<\/strong>Impact: Malicious code executing on the Wi-Fi chip may be able to read restricted kernel memory
\nDescription: A validation issue was addressed with improved input sanitization.<\/p>\n
\n<\/strong>Impact: An application may be able to read sensitive location information
\nDescription: A permissions issue existed in the handling of the location variable. This was addressed with additional ownership checks.<\/p><\/blockquote>\nSafari 11<\/h3>\n
\n
\n<\/strong><\/p>\nwatchOS 4<\/h3>\n
tvOS 11<\/h3>\n