CIS CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2015-039

DATE(S) ISSUED:
04/09/2015

SUBJECT:
Multiple Vulnerabilities in Apple Products Could Allow Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Apple's Mac OS X, Safari, iOS, and Xcode products that could allow remote code execution. Apple Safari is a web browser available for Mac OS X and Microsoft Windows. iOS is the operating system used by Apple’s mobile devices. Xcode is a software development tool for building OS X and iOS applications. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file, including an email attachment, using a vulnerable version of Mac OS X, Apple Safari, or iOS. Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

At this time there is no known proof-of-concept code available.

SYSTEMS AFFECTED:

  • Apple TV Prior To 7.2
  • Apple iOS Prior To 8.3
  • Apple Safari 6 Prior To 6.2.5
  • Apple Safari 7 Prior To 7.1.5
  • Apple Safari 8 Prior To 8.0.5
  • Apple Mac OS X Prior To 10.10.3
  • Apple Xcode Prior To 6.3
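
The thresholds above can be checked against an asset inventory. The following is an added example, not part of the original advisory; the names `FIXED`, `status` and `triage` and the sample inventory are constructed for illustration. It compares versions numerically (a string comparison would rank 10.9.5 above 10.10.3) and applies the Safari threshold for the installed branch only.

```python
import re

# Fixed versions from the advisory's affected-systems list. Safari is fixed
# per major branch, so its thresholds are keyed by major version.
FIXED = {
    "Apple TV": "7.2",
    "iOS": "8.3",
    "Mac OS X": "10.10.3",
    "Xcode": "6.3",
    "Safari": {6: "6.2.5", 7: "7.1.5", 8: "8.0.5"},
}

def parse_version(text):
    """Parse '10.10.3' into (10, 10, 3). Raises ValueError on other input."""
    if not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.strip().split("."))

def is_older(installed, fixed):
    """Numeric comparison, padded so that 8.3 and 8.3.0 compare equal."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b

def status(product, installed):
    """Return 'vulnerable', 'fixed', or 'unlisted' for one installed product."""
    threshold = FIXED.get(product)
    if isinstance(threshold, dict):
        # Pick the threshold for the installed major branch only.
        threshold = threshold.get(parse_version(installed)[0])
    if threshold is None:
        return "unlisted"  # product or branch not named in the advisory
    return "vulnerable" if is_older(installed, threshold) else "fixed"

# Constructed sample inventory: (hostname, product, installed version).
INVENTORY = [
    ("mac-01", "Mac OS X", "10.9.5"),
    ("mac-02", "Safari", "8.0.4"),
    ("mac-03", "Safari", "7.1.5"),
    ("ipad-07", "iOS", "8.3.0"),
    ("atv-01", "Apple TV", "7.1"),
    ("dev-04", "Xcode", "6.2"),
    ("mac-05", "Safari", "5.1.10"),
]

def triage(inventory):
    """Group (host, product, version) rows by status."""
    report = {"vulnerable": [], "fixed": [], "unlisted": []}
    for host, product, version in inventory:
        report[status(product, version)].append((host, product, version))
    return report

if __name__ == "__main__":
    for state, rows in triage(INVENTORY).items():
        for host, product, version in rows:
            print(f"{state:10} {host:8} {product} {version}")
```

Rows reported as `unlisted` (here a Safari branch the advisory does not name) need manual review rather than being treated as fixed.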

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Apple's Mac OS X, Safari, iOS, and Xcode. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file. Details of these vulnerabilities are as follows:

  • Users may be tracked by malicious websites using client certificates. [CVE-2015-1129]
  • Notifications preferences may reveal users' browsing history in private browsing mode [CVE-2015-1128]
  • Users' browsing history may not be completely purged [CVE-2015-1112]
  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution [CVE-2015-1119, CVE-2015-1120, CVE-2015-1121, CVE-2015-1122, CVE-2015-1124]
  • Users' browsing history in private mode may be indexed [CVE-2015-1127]
  • Visiting a maliciously crafted website may lead to resources of another origin being accessed [CVE-2015-1126]
  • A process may gain admin privileges without properly authenticating [CVE-2015-1130]
  • Multiple vulnerabilities exist in Apache versions prior to 2.4.10 and 2.2.29, including one that may allow a remote attacker to execute arbitrary code. [CVE-2013-0118, CVE-2013-5704, CVE-2013-6438, CVE-2014-0098, CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, CVE-2014-3523]
  • A local user may be able to execute arbitrary code with system privileges [CVE-2015-1131, CVE-2015-1132, CVE-2015-1133, CVE-2015-1134, CVE-2015-1135]
  • A cross-domain cookie issue exists in redirect handling. Cookies set in a redirect response could be passed on to a redirect target belonging to another origin. [CVE-2015-1089]
  • A cross-domain HTTP request headers issue exists in redirect handling. HTTP request headers sent in a redirect response could be passed on to another origin. [CVE-2015-1091]
  • Visiting a maliciously crafted website may lead to arbitrary code execution [CVE-2015-1088]
  • A use-after-free vulnerability exists in CoreAnimation, allowing maliciously crafted websites to potentially execute arbitrary code. [CVE-2015-1136]
  • Processing a maliciously crafted font file may lead to arbitrary code execution [CVE-2015-1093]
  • A local user may be able to execute arbitrary code with system privileges [CVE-2015-1137]
  • A local application may be able to cause a denial of service [CVE-2015-1138]
  • Processing a maliciously crafted .sgi file may lead to arbitrary code execution [CVE-2015-1139]
  • A malicious HID device may be able to cause arbitrary code execution [CVE-2015-1095]
  • A local user may be able to execute arbitrary code with system privileges [CVE-2015-1140]
  • A local user may be able to determine kernel memory layout [CVE-2015-1096]
  • A heap buffer overflow exists in IOHIDFamily's handling of key-mapping properties, potentially allowing a malicious application to execute arbitrary code with system privileges. [CVE-2014-4404]
  • A null pointer dereference exists in IOHIDFamily's handling of key-mapping properties, potentially allowing a user to execute arbitrary code with system privileges [CVE-2014-4405]
  • A user may be able to execute arbitrary code with system privileges [CVE-2014-4380]
  • A local user may be able to cause unexpected system shutdown [CVE-2015-1141]
  • A race condition exists in the kernel's setreuid system call, potentially allowing a local user to cause a system denial of service [CVE-2015-1099]
  • A local application may escalate privileges using a compromised service intended to run with reduced privileges [CVE-2015-1117]
  • An attacker with a privileged network position may be able to redirect user traffic to arbitrary hosts [CVE-2015-1103]
  • An attacker with a privileged network position may be able to cause a denial of service [CVE-2015-1102]
  • A local user may be able to cause unexpected system termination or read kernel memory [CVE-2015-1100]
  • A remote attacker may be able to bypass network filters [CVE-2015-1104]
  • A local user may be able to execute arbitrary code with kernel privileges [CVE-2015-1101]
  • A remote attacker may be able to cause a denial of service [CVE-2015-1105]
  • A local user may be able to cause the Finder to crash [CVE-2015-1142]
  • A local user may be able to execute arbitrary code with system privileges [CVE-2015-1143]
  • Processing a maliciously crafted configuration profile may lead to unexpected application termination [CVE-2015-1118]
  • A remote attacker may brute force ntpd authentication keys [CVE-2014-9298]
  • A remote unauthenticated client may be able to cause a denial of service [CVE-2015-1545, CVE-2015-1546]
  • Multiple vulnerabilities in OpenSSL [CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204]
  • A password might be sent unencrypted over the network when using Open Directory from OS X Server [CVE-2015-1147]
  • Multiple vulnerabilities exist in PHP versions prior to 5.3.29, 5.4.38, and 5.5.20, including one which may allow arbitrary code execution. [CVE-2013-6712, CVE-2014-0207, CVE-2014-0237, CVE-2014-0238, CVE-2014-2497, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, CVE-2014-3538, CVE-2014-3587, CVE-2014-3597, CVE-2014-3668, CVE-2014-3669, CVE-2014-3670, CVE-2014-3710, CVE-2014-3981, CVE-2014-4049, CVE-2014-4670, CVE-2014-4698, CVE-2014-5120]
  • Opening a maliciously crafted iWork file may lead to arbitrary code execution [CVE-2015-1098]
  • Viewing a maliciously crafted Collada file may lead to arbitrary code execution [CVE-2014-8830]
  • A user's password may be logged to a local file [CVE-2015-1148]
  • Tampered applications may not be prevented from launching [CVE-2015-1145, CVE-2015-1146]
  • A local user may be able to execute arbitrary code with system privileges [CVE-2015-1144]
  • Visiting a maliciously crafted website may lead to arbitrary code execution [CVE-2015-1069]
  • A malicious application may be able to guess the user's passcode [CVE-2015-1085]
  • A malicious application may be able to execute arbitrary code with system privileges [CVE-2015-1086]
  • An attacker may be able to use the backup system to access restricted areas of the file system [CVE-2015-1087]
  • A user may be unable to fully delete browsing history [CVE-2015-1090]
  • An application using NSXMLParser may be misused to disclose information [CVE-2015-1092]
  • A malicious application may be able to determine kernel memory layout [CVE-2015-1094, CVE-2015-1097]
  • QuickType could learn users' passcodes [CVE-2015-1106]
  • An attacker in possession of a device may prevent erasing the device after failed passcode attempts [CVE-2015-1107]
  • An attacker in possession of a device may exceed the maximum number of failed passcode attempts [CVE-2015-1108]
  • An attacker in possession of a device may be able to recover VPN credentials [CVE-2015-1109]
  • Unnecessary information may be sent to external servers when downloading podcast assets [CVE-2015-1110]
  • A user may be unable to fully delete browsing history [CVE-2015-1111]
  • A malicious application may be able to access phone numbers or email addresses of recent contacts [CVE-2015-1113]
  • Hardware identifiers may be accessible by third-party apps [CVE-2015-1114]
  • A malicious application may be able to access restricted telephony functions [CVE-2015-1115]
  • Sensitive data may be exposed in application snapshots presented in the Task Switcher [CVE-2015-1116]
  • Inconsistent user interface may prevent users from discerning a phishing attack [CVE-2015-1084]
  • Visiting a maliciously crafted website may lead to arbitrary code execution [CVE-2015-1068, CVE-2015-1069, CVE-2015-1070, CVE-2015-1071, CVE-2015-1072, CVE-2015-1073, CVE-2015-1074, CVE-2015-1076, CVE-2015-1077, CVE-2015-1078, CVE-2015-1079, CVE-2015-1080, CVE-2015-1081, CVE-2015-1082, CVE-2015-1119, CVE-2015-1120, CVE-2015-1121, CVE-2015-1122, CVE-2015-1123, CVE-2015-1124]
  • Visiting a maliciously crafted website may lead to a user invoking a click on another website [CVE-2015-1125]
  • An integer overflow issue exists in the simulator that could lead to conversions returning unexpected values. [CVE-2015-1149]

Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Apple to affected systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download or open files from untrusted websites, unknown users, or suspicious emails.
  • Remind users not to click links from unknown sources, or to click links without verifying the intended destination.

REFERENCES:

Apple:

https://support.apple.com/en-us/HT204658

https://support.apple.com/en-us/HT204659

https://support.apple.com/en-us/HT204661

https://support.apple.com/en-us/HT204662

https://support.apple.com/en-us/HT204663

Security Focus:

http://www.securityfocus.com/bid/73972

http://www.securityfocus.com/bid/73974

http://www.securityfocus.com/bid/73976

http://www.securityfocus.com/bid/73977

http://www.securityfocus.com/bid/73978

http://www.securityfocus.com/bid/73980

http://www.securityfocus.com/bid/73981

http://www.securityfocus.com/bid/73982

http://www.securityfocus.com/bid/73983

http://www.securityfocus.com/bid/73984

http://www.securityfocus.com/bid/73985

http://www.securityfocus.com/bid/73986

http://www.securityfocus.com/bid/73988

CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0118

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2497

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3523

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3587

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3597

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3668

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3981

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4380

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4404

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4405

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4670

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4698

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5120

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8830

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9298

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1068

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1069

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1070

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1071

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1072

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1073

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1074

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1076

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1077

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1078

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1079

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1080

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1081

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1082

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1084

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1085

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1086

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1087

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1088

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1089

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1090

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1091

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1092

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1093

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1094

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1095

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1096

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1097

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1098

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1099

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1100

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1101

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1102

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1103

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1104

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1105

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1106

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1107

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1108

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1109

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1110

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1111

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1112

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1113

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1114

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1115

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1116

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1117

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1118

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1119

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1120

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1121

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1122

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1123

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1124

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1125

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1126

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1127

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1128

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1129

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1130

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1131

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1132

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1133

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1134

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1135

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1136

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1137

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1138

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1139

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1140

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1141

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1142

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1143

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1144

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1145

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1146

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1147

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1148

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1149

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546