Huge Number Of Critical Flaws Revealed In Apple, Android, Linux And Oracle Systems

This article is more than 8 years old.

Now would be a good time to update your smartphones, PCs and servers. Hundreds of vulnerabilities, many of them critical, have been revealed this week affecting millions of devices, including Apple iPhones, Google Android smartphones, Linux machines and Oracle business systems.

An iOS 9.2.1 update sent out yesterday included fixes for nine flaws, uncovered by researchers from Yahoo!, Google, Trend Micro and a handful of smaller security companies. Two of the vulnerabilities, one in WebKit, the browser engine behind Safari, and another in the ‘libxslt’ library used for XML processing, could have allowed malicious code to execute on the device when the user visited a specially-crafted website. Users can learn more about the various issues in Apple’s official advisory.

Apple Mac owners can find out about flaws affecting their machines in a separate update, also released yesterday. A number of the same problems affecting iPhones, including that libxslt weakness, are also present in OS X El Capitan. Apple still hasn't provided a full fix for the Gatekeeper bypass detailed by researcher Patrick Wardle last week.

A number of Linux bugs are also being patched this week, including one said to affect 66 per cent of Google Android phones. The weakness lies at the heart of the operating system, the kernel, and has existed since 2012, according to researchers from startup Perception Point, who claimed tens of millions of Linux PCs and servers were also in danger. Anyone running kernel version 3.8 or higher should either apply a patch, such as the one the Debian team has issued, or apply a workaround, such as the one Red Hat has published.

FORBES is unaware of any fixes for Android phones. The flaw, affecting phones running KitKat and later, could be abused by a malicious app with low privileges to gain root access on the device, allowing an attacker to pilfer private information or install more malware. Android phones typically take some time to receive updates, because of the vast number of devices and manufacturers involved. Google had not responded to a request for comment at the time of publication.

Meanwhile, Oracle has issued a mammoth set of patches, fixing an eye-watering 248 security issues. Software affected includes the perennially broken Java, Oracle Database and the E-Business Suite. An astonishing 68 of the E-Business Suite bugs are remotely exploitable without authentication, making them a priority for IT teams. In an official advisory, Oracle recommended customers download the patches as soon as they can, due to the “threat posed by a successful attack”.

Anyone expecting the increased focus on security to lower the number of vulnerabilities in 2016 is going to be sorely disappointed...

UPDATE: Google has confirmed a patch is on the way. Head of Android security Adrian Ludwig said in a Google+ post: "We have prepared a patch, which has been released to open source and provided to partners today. This patch will be required on all devices with a security patch level of March 1 2016 or greater.

"In addition, since this issue was released without prior notice to the Android Security Team, we are now investigating the claims made about the significance of this issue to the Android ecosystem. We believe that the number of Android devices affected is significantly smaller than initially reported."
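The two concrete facts an administrator can act on here are that the affected kernels are version 3.8 and higher, and that Google says its fix will be carried by the March 1 2016 security patch level. The script below is an added example, not code from the article, Perception Point, Debian, Red Hat or Google: a POSIX sh check that flags Linux hosts in the affected kernel range and Android devices whose patch level predates the fix. It assumes kernel versions in the form `uname -r` prints them and patch levels in the YYYY-MM-DD form that `getprop ro.build.version.security_patch` prints on Android 6.0 and later; the inventory it runs over is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the article, Perception Point, Debian, Red Hat or
# Google. Flags Linux kernels in the range the article gives as affected (3.8
# and higher) and Android security patch levels older than March 1 2016, the
# level Google said will carry the fix. All sample inputs below are constructed.

# kernel_in_affected_range VERSION
#   Returns 0 if major.minor >= 3.8, 1 if older, 2 if VERSION is unparseable.
#   VERSION is what `uname -r` prints, e.g. "3.10.0-327.el7.x86_64".
#   Compares numerically: a plain string comparison would rank 3.10 below 3.8.
kernel_in_affected_range() {
    ver=${1%%-*}                     # strip "-327.el7.x86_64", "-rc1", ...
    major=${ver%%.*}
    if [ "$ver" = "$major" ]; then   # a bare "4" has no minor component
        minor=0
    else
        rest=${ver#*.}
        minor=${rest%%.*}
    fi
    case "$major$minor" in
        ''|*[!0-9]*) return 2 ;;     # not a dotted numeric version
    esac
    if [ "$major" -gt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -ge 8 ]; then return 0; fi
    return 1
}

# android_patch_level_fixed PATCHLEVEL
#   Returns 0 if the YYYY-MM-DD level is 2016-03-01 or later, 1 if older,
#   2 if the string is not a date. PATCHLEVEL is what
#   `getprop ro.build.version.security_patch` prints on Android 6.0 and later.
android_patch_level_fixed() {
    y=${1%%-*}
    rest=${1#*-}
    m=${rest%%-*}
    d=${rest#*-}
    case "$y$m$d" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;   # eight digits, YYYYMMDD
        *) return 2 ;;
    esac
    if [ "$y$m$d" -ge 20160301 ]; then return 0; fi
    return 1
}

# Constructed sample inventory in host:kernel form, as a fleet scan might collect it.
SAMPLE_KERNELS="web01:3.10.0-327.el7.x86_64 db02:2.6.32-573.el6.x86_64 build03:4.4.0-rc1 nas04:3.8"
for entry in $SAMPLE_KERNELS; do
    host=${entry%%:*}
    ver=${entry#*:}
    rc=0; kernel_in_affected_range "$ver" || rc=$?
    case $rc in
        0) echo "$host: kernel $ver is in the 3.8+ range; confirm a vendor fix or workaround is applied" ;;
        1) echo "$host: kernel $ver predates the affected range" ;;
        *) echo "$host: cannot parse kernel version '$ver'" ;;
    esac
done

# Constructed sample of Android devices with their reported security patch levels.
SAMPLE_PHONES="phone-a:2016-01-01 phone-b:2016-03-01 phone-c:unknown"
for entry in $SAMPLE_PHONES; do
    dev=${entry%%:*}
    lvl=${entry#*:}
    rc=0; android_patch_level_fixed "$lvl" || rc=$?
    case $rc in
        0) echo "$dev: patch level $lvl carries the kernel fix" ;;
        1) echo "$dev: patch level $lvl is older than 2016-03-01; treat as unpatched" ;;
        *) echo "$dev: patch level '$lvl' is not a date; treat as unpatched" ;;
    esac
done
```

A kernel version alone does not establish that a host is vulnerable: distributions backport fixes without changing the version number, so a 3.10 Red Hat kernel that already carries the fix is still flagged. Treat a hit as a host to verify against the vendor advisory or the distribution's changelog, not as confirmed vulnerable, and treat an unparseable version or patch level as unpatched until checked.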
