CIS CYBER SECURITY ADVISORIES

MS-ISAC CYBER SECURITY ADVISORY NUMBER:
2014-069

DATE(S) ISSUED:
08/14/2014

SUBJECT:
Multiple Vulnerabilities in WebKit Could Allow for Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in the WebKit browser engine, which is used to power the Apple Safari browser. Successful exploitation of these vulnerabilities could result in remote code execution; potentially allowing for an attacker to gain control of a host and have the same privileges as the user running the affected application. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:
At this time, there is no known proof-of-concept code available.

SYSTEMS AFFECTED:

  • Apple Mac OS X 10.2.0 to 10.2.8
  • Apple Mac OS X 10.3.0 to 10.3.7 and 10.3.9
  • Apple Mac OS X 10.4.0 to 10.4.2
  • Apple Mac OS X Server 10.2.0 to 10.2.8
  • Apple Mac OS X Server 10.3.0 to 10.3.7
  • Apple Mac OS X Server 10.4.0 to 10.4.2
  • Apple Safari 6.1.5 and Safari 7.0.5 and earlier

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

TECHNICAL SUMMARY:

Multiple memory corruption vulnerabilities exist in WebKit that could allow remote code execution. These issues were addressed through improved memory handling.

WebKit is an open source browser engine that is used by multiple applications, and is used to power the Apple Safari web browser. In addition to Safari, older versions of the Google Chrome browser, prior to version 27, also use WebKit.

The vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page. Successful exploitation of these vulnerabilities could result in remote code execution; potentially allowing for an attacker to gain control of a host and have the same privileges as the user running the affected application. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Currently no working exploits have been reported, and Apple has released updates to resolve the issues for the Safari browser.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Update vulnerable products immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Do not open email attachments or click on URLs from unknown or un-trusted sources.

REFERENCES:
Apple:
http://support.apple.com/kb/HT6367

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1390

SecurityFocus:
http://www.securityfocus.com/bid/69223