CIS CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2015-100

DATE(S) ISSUED:
08/14/2015

SUBJECT:
Multiple Vulnerabilities in Apple Products Could Allow Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Apple iOS, OS X, and Safari. Apple iOS is an operating system for iPhone, iPod touch, and iPad. OS X is an operating system for Apple computers. Apple Safari is a web browser available for OS X and Microsoft Windows. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file, including an email attachment.

Successful exploitation could result in an attacker gaining the same privileges as the logged on user, remote code execution within the context of the application, and bypass of security restrictions. Failed attacks may still cause a Denial of Service condition within the targeted delivery method. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Apple OS X Yosemite prior to 10.10.5
  • Apple iOS prior to 8.4.1
  • Apple Safari 6 prior to 6.2.8
  • Apple Safari 7 prior to 7.1.8
  • Apple Safari 8 prior to 8.0.8

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in iOS, Safari, and OS X that could allow remote code execution. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file. Details of these vulnerabilities are as follows:

  • Multiple vulnerabilities affect the 'Kernel' component, which could allow an attacker to execute arbitrary code. (CVE-2015-3802, CVE-2015-3805, CVE-2015-3768, CVE-2015-3776, CVE-2015-3766, CVE-2015-3806, CVE-2015-3803, CVE-2015-5747, CVE-2015-5748, CVE-2015-3761)
  • Multiple vulnerabilities affect the 'libxml2' component when handling a specially-crafted XML document. An attacker can exploit these issues to gain access to user information or cause a denial of service. (CVE-2015-3807, CVE-2012-6685)
  • Multiple vulnerabilities affect the 'ImageIO' component due to an uninitialized memory access error in ImageIO's handling of PNG and TIFF images, allowing access to process memory. (CVE-2015-5781, CVE-2015-5782, CVE-2015-5758)
  • Multiple memory-corruption vulnerabilities affect the 'CoreMedia Playback' component. An attacker can exploit these issues to terminate the application or execute arbitrary code. (CVE-2015-5777, CVE-2015-5778)
  • Multiple memory-corruption vulnerabilities affect the 'CoreText' component when handling specially-crafted font files. An attacker can exploit these issues to cause the application to terminate or execute arbitrary code. (CVE-2015-5755, CVE-2015-5761)
  • Multiple vulnerabilities affect the 'QL Office' component. An attacker can exploit these issues to cause the application to terminate or execute arbitrary code, or allow for information disclosure. (CVE-2015-5773, CVE-2015-3784)
  • Multiple memory-corruption vulnerabilities affect the 'Libc' component due to an error in the TRE library. An attacker can exploit these issues using a specially-crafted regular expression to cause the application to terminate or execute arbitrary code. (CVE-2015-3796, CVE-2015-3797, CVE-2015-3798)
  • A memory-corruption vulnerability affects the 'DiskImages' component when handling specially-crafted DMG image files. An attacker can exploit this issue to cause the application to terminate or execute arbitrary code with system privileges. (CVE-2015-3800)
  • A memory-corruption vulnerability affects the 'Libinfo' component due to an error in the handling of AF_INET6 sockets. An attacker can exploit this issue to cause the application to terminate or execute arbitrary code. (CVE-2015-5776)
  • A memory-corruption vulnerability affects the 'libpthread' component when handling syscalls. An attacker can exploit this issue using a specially-crafted application to execute arbitrary code with system privileges. (CVE-2015-5757)
  • Multiple memory-corruption vulnerabilities affect the 'FontParser' component when handling specially-crafted font files. An attacker can exploit these issues to cause the application to terminate or execute arbitrary code. (CVE-2015-3804, CVE-2015-5775, CVE-2015-5756)
  • A memory-corruption vulnerability affects the 'libxpc' component when handling specially-crafted XPC messages. An attacker can exploit this issue using a specially-crafted application to execute arbitrary code with system privileges. (CVE-2015-3795)
  • A local buffer-overflow vulnerability affects the 'IOHIDFamily' component when handling specially-crafted XPC messages. A local attacker can exploit this issue to execute arbitrary code with system privileges. (CVE-2015-5774)
  • An access bypass vulnerability affects the 'CloudKit' component due to a state inconsistency when signing out users. An attacker can exploit this issue using a specially-crafted application to access the iCloud user record of a previously signed in user. (CVE-2015-3782)
  • A local authentication-bypass vulnerability exists due to a state management issue in password authentication. An attacker can exploit this issue to change the password of a local user. (CVE-2015-3799)
  • An information-disclosure vulnerability affects the 'AppleGraphicsControl' component. An attacker can exploit this issue to disclose the kernel memory layout using a specially-crafted application. (CVE-2015-5768)
  • Multiple vulnerabilities affect the 'Bluetooth' component. An attacker can exploit these issues to execute arbitrary code with system privileges. (CVE-2015-3779, CVE-2015-3780, CVE-2015-3786, CVE-2015-3787, CVE-2015-3777)
  • A security vulnerability affects the 'bootp' component. Specifically, this issue occurs because a malicious Wi-Fi network may be able to determine networks a device has previously accessed. (CVE-2015-3778)
  • A memory-corruption vulnerability affects the 'Data Detectors Engine' component. Specifically, this issue occurs when processing a sequence of unicode characters. This may lead to an unexpected application termination or arbitrary code execution. (CVE-2015-5750)
  • An authorization-bypass vulnerability affects the 'Date & Time pref pane' component. Specifically, this issue exists when modifying the system date and time preferences. (CVE-2015-3757)
  • A security-bypass affects the 'Dictionary Application' component. Specifically, this issue occurs because it fails to properly secure user communications. An attacker can exploit this issue to intercept users' Dictionary app queries. (CVE-2015-3774)
  • An arbitrary code-execution vulnerability affects the 'dyld' component. Specifically, this issue occurs due to a path validation issue in 'dyld'. (CVE-2015-3760)
  • Multiple arbitrary code-execution vulnerabilities affect the 'Install Framework Legacy' component. Specifically, these issues exist in how Install.framework's 'runner' binary dropped privileges. (CVE-2015-5784, CVE-2015-5754)
  • Multiple memory-corruption vulnerabilities affect the 'IOFireWireFamily' component. A local attacker can exploit these issues to execute arbitrary code with system privileges. (CVE-2015-3769, CVE-2015-3771, CVE-2015-3772)
  • Multiple memory-corruption vulnerabilities affect the 'IOGraphics' component. An attacker can exploit these issues to execute arbitrary code with system privileges. (CVE-2015-3770, CVE-2015-5783)
  • A security-bypass affects the 'Notification Center OSX' component. Specifically, this issue occurs because it fails to properly delete user notifications. An attacker can exploit this issue to access all notifications previously displayed to users. (CVE-2015-3764)
  • A memory-corruption vulnerability affects the 'ntfs' component. A local attacker can exploit this issue to execute arbitrary code with system privileges. (CVE-2015-5763)
  • A memory-corruption vulnerability affects the 'Quartz Composer Framework' component. An attacker can exploit this issue by sending a maliciously crafted QuickTime file. (CVE-2015-5771)
  • A security vulnerability affects the 'Quick Look' component. Specifically, this issue exists because 'QuickLook' had the capability to execute JavaScript. (CVE-2015-3781)
  • Multiple memory-corruption vulnerabilities affect the 'QuickTime 7' component. An attacker can exploit these issues by sending a maliciously crafted file. (CVE-2015-3772, CVE-2015-3779, CVE-2015-5753, CVE-2015-5779, CVE-2015-3765, CVE-2015-3788, CVE-2015-3789, CVE-2015-3790, CVE-2015-3791, CVE-2015-3792, CVE-2015-5751)
  • A heap-based buffer-overflow vulnerability affects the 'SceneKit' component. An attacker can exploit this issue by sending a maliciously crafted 'Collada' file. (CVE-2015-5772, CVE-2015-3783)
  • An authentication-bypass vulnerability affects the 'Security' component. Specifically, the issue occurs when handling user authentication. An attacker can exploit this issue to gain access to admin privileges without proper authentication. (CVE-2015-3775)
  • A memory-corruption vulnerability affects the 'SMBClient' component. An attacker can exploit this issue to cause unexpected application termination or arbitrary code execution. (CVE-2015-3773)
  • A memory-corruption vulnerability affects the 'Speech UI' component. An attacker can exploit this issue by sending a maliciously crafted 'unicode' string. (CVE-2015-3794)
  • An XML External Entity injection vulnerability affects the 'Text Formats' component. (CVE-2015-3762)
  • A memory-corruption vulnerability affects the 'udf' component. An attacker can exploit this issue by sending a maliciously crafted 'DMG' file. (CVE-2015-3767)
  • Safari is prone to multiple security-bypass vulnerabilities because it allows a malicious website to display an arbitrary URL when navigating to a specially-crafted URL. Specifically, these issues affect the 'WebKit Process Model' and 'Web' components. (CVE-2015-3755)
  • WebKit is prone to multiple security-bypass and memory-corruption vulnerabilities, which could allow for arbitrary code execution. (CVE-2015-3730, CVE-2015-3731, CVE-2015-3732, CVE-2015-3733, CVE-2015-3734, CVE-2015-3735, CVE-2015-3736, CVE-2015-3737, CVE-2015-3738, CVE-2015-3739, CVE-2015-3740, CVE-2015-3741, CVE-2015-3742, CVE-2015-3743, CVE-2015-3744, CVE-2015-3745, CVE-2015-3746, CVE-2015-3747, CVE-2015-3748, CVE-2015-3749, CVE-2015-3750, CVE-2015-3751, CVE-2015-3752, CVE-2015-3753)

Successful exploitation could result in an attacker gaining the same privileges as the logged-on user, remote code execution within the context of the application, and bypass of security restrictions. Failed attacks may still cause a Denial of Service condition within the targeted delivery method. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Upgrade to Apple OS X Yosemite 10.10.5 immediately after appropriate testing.
  • Apply appropriate updates provided by Apple to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from untrusted or unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
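To decide which hosts the upgrade recommendation applies to, the version ranges from SYSTEMS AFFECTED can be checked against an asset inventory. The following is an added example, not part of the MS-ISAC advisory; the function names and the sample inventory are constructed for illustration, and the fixed versions are the ones listed above.

```python
"""Screen an asset inventory against the version ranges in MS-ISAC advisory 2015-100.
Versions are taken as strings so the check runs offline; on a live Mac the same strings
come from `sw_vers -productVersion` and Safari's CFBundleShortVersionString."""
import re

# (affected branch prefix, first fixed version) per product, from SYSTEMS AFFECTED.
FIXED_VERSIONS = {
    "osx":    [((10, 10), (10, 10, 5))],                                 # Yosemite prior to 10.10.5
    "ios":    [((8,), (8, 4, 1))],                                       # iOS prior to 8.4.1
    "safari": [((6,), (6, 2, 8)), ((7,), (7, 1, 8)), ((8,), (8, 0, 8))],  # Safari 6/7/8
}

def parse_version(text):
    """Turn '10.10.5' or '8.0.8 (10600.8.9)' into an int tuple; build suffixes are ignored."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def is_affected(product, version_text):
    """True if the version is in an affected branch and below the fix, False if patched,
    None if the advisory lists no range for that branch (e.g. Safari 5 or OS X 10.9)."""
    version = parse_version(version_text)
    for branch, fixed in FIXED_VERSIONS[product.lower()]:
        if version[:len(branch)] == branch:
            # Tuple comparison treats a short '10.10' as older than '10.10.5'.
            return version < fixed
    return None

def hosts_needing_update(inventory):
    """Return the distinct hostnames whose recorded software falls in an affected range."""
    flagged = []
    for host, product, version_text in inventory:
        if is_affected(product, version_text):
            flagged.append(host)
    return list(dict.fromkeys(flagged))  # dedupe, keep first-seen order

# Constructed sample inventory (hostname, product, version string), not real assets.
SAMPLE_INVENTORY = [
    ("mac-finance-01", "osx", "10.10.4"),
    ("mac-finance-02", "osx", "10.10.5"),
    ("mac-legacy-01", "osx", "10.9.5"),
    ("mac-finance-01", "safari", "8.0.7 (10600.7.12)"),
    ("mac-finance-02", "safari", "8.0.8 (10600.8.9)"),
    ("ipad-exec-01", "ios", "8.4"),
]

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: update required per MS-ISAC 2015-100")
```

A `None` result means the branch is outside this advisory's scope, not that the host is safe; such hosts should be checked against the Apple references below.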

REFERENCES:
Apple:

https://support.apple.com/en-in/HT205030
https://support.apple.com/en-ie/HT205031
https://support.apple.com/en-in/HT205033

SecurityFocus:
http://www.securityfocus.com/advisories/35979
http://www.securityfocus.com/advisories/35980
http://www.securityfocus.com/advisories/35981

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6685
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3730
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3731
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3732
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3733
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3734
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3735
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3736
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3737
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3738
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3739
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3740
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3741
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3742
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3743
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3744
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3745
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3746
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3747
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3748
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3749
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3750
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3751
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3752
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3753
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3755
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3757
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3760
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3761
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3762
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3764
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3765
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3766
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3767
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3768
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3769
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3770
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3771
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3772
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3773
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3774
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3775
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3776
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3777
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3778
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3779
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3780
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3781
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3782
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3783
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3784
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3786
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3787
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3788
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3789
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3790
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3791
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3792
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3794
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3795
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3796
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3797
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3798
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3799
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3800
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3802
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3803
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3804
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3805
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3806
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3807
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5747
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5748
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5750
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5751
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5753
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5754
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5755
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5756
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5757
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5758
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5761
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5763
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5768
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5771
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5772
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5773
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5774
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5775
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5776
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5777
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5778
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5779
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5781
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5782
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5783
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5784