MS-ISAC CYBERSECURITY ADVISORIES
MS-ISAC ADVISORY NUMBER:
Multiple Vulnerabilities in Apple Products Could Allow For Arbitrary Code Execution
Multiple vulnerabilities have been discovered in iOS, watchOS, tvOS, iTunes, OS X El Capitan, and Safari which could allow for arbitrary code execution. Apple iOS is an operating system for iPhone, iPod touch, and iPad. watchOS is the mobile operating system of the Apple Watch. tvOS is an operating system for the Apple TV digital media player. Apple iTunes is used to play media files on Microsoft Windows and Mac OS X platforms. OS X El Capitan is an operating system for Macintosh computers. Apple Safari is a web browser available for OS X and Microsoft Windows.
There are currently no reports of these vulnerabilities being exploited in the wild.
- tvOS prior to 9.2.1 for Apple TV (4th generation)
- iOS prior to 9.3.2 for iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later
- watchOS prior to 2.2.1 for Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
- OS X El Capitan prior to v10.11.5 and Security Update 2016-003 for OS X El Capitan v10.11 and later
- Safari prior to 9.1.1 for OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.5
- iTunes prior to 12.4 for Windows 7 and later
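The affected-systems list above gives a minimum fixed version per product. The following script, added here as an illustration and not part of the MS-ISAC advisory, compares an asset inventory against those thresholds with numeric (not string) version comparison; the inventory hostnames and versions are constructed sample data.

```python
"""Check an asset inventory against the patched versions in this advisory."""
from typing import Dict, List, Tuple

# Minimum fixed version per product, taken from the advisory's
# "systems affected" list (versions below these are affected).
FIXED_VERSIONS: Dict[str, str] = {
    "tvOS": "9.2.1",
    "iOS": "9.3.2",
    "watchOS": "2.2.1",
    "OS X El Capitan": "10.11.5",
    "Safari": "9.1.1",
    "iTunes": "12.4",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.11.5' or 'v10.11.5' into a tuple of ints so comparison is
    numeric: '9.10' must sort after '9.9', which a string compare gets wrong."""
    text = version.strip().lstrip("vV")
    return tuple(int(part) for part in text.split("."))


def is_affected(product: str, version: str) -> bool:
    """True when the installed version is older than the advisory's fix.
    Products not named in this advisory are reported as not affected."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return False
    return parse_version(version) < parse_version(fixed)


def affected_assets(inventory: List[Dict[str, str]]) -> List[str]:
    """Return hostnames whose (product, version) is below the fixed version."""
    return [
        asset["host"]
        for asset in inventory
        if is_affected(asset["product"], asset["version"])
    ]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "mac-01", "product": "OS X El Capitan", "version": "10.11.4"},
    {"host": "mac-02", "product": "OS X El Capitan", "version": "10.11.5"},
    {"host": "ipad-07", "product": "iOS", "version": "9.3.1"},
    {"host": "ipad-08", "product": "iOS", "version": "9.10"},
    {"host": "win-pc-3", "product": "iTunes", "version": "12.3.3"},
]

if __name__ == "__main__":
    print(affected_assets(SAMPLE_INVENTORY))
```

Note that the OS X entry only checks the base version; whether Security Update 2016-003 is installed on a v10.11 host has to be checked separately.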
- Large and medium government entities: High
- Small government entities: Medium
- Large and medium business entities: High
- Small business entities: Medium
- Home users: Low
Multiple vulnerabilities have been discovered in the Apple products listed above. These vulnerabilities can be triggered by a user visiting a specially crafted web page. Details of these vulnerabilities are as follows:
- Website Data did not clear the history. The issue was addressed through improved data deletion (CVE-2016-1849).
- An insufficient taint tracking issue in the parsing of SVG images was addressed through improved taint tracking (CVE-2016-1858).
- Multiple memory corruption issues were addressed through improved memory handling (CVE-2016-1792, CVE-2016-1795, CVE-2016-1804, CVE-2016-1810, CVE-2016-1815, CVE-2016-1817, CVE-2016-1818, CVE-2016-1819, CVE-2016-1822, CVE-2016-1823, CVE-2016-1824, CVE-2016-1825, CVE-2016-1827, CVE-2016-1828, CVE-2016-1829, CVE-2016-1830, CVE-2016-1831, CVE-2016-1833, CVE-2016-1834, CVE-2016-1835, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, CVE-2016-1840, CVE-2016-1841, CVE-2016-1846, CVE-2016-1847, CVE-2016-1848, CVE-2016-1850, CVE-2016-1854, CVE-2016-1855, CVE-2016-1856, CVE-2016-1857, CVE-2016-1859).
- A memory corruption issue existed in the parsing of disk images. This issue was addressed through improved memory handling (CVE-2016-1808).
- Multiple memory corruption issues were addressed through improved input validation (CVE-2016-1799, CVE-2016-1832).
- A memory corruption vulnerability was addressed through improved locking (CVE-2016-1819).
- A dynamic library loading issue existed in iTunes setup. This was addressed through improved path searching (CVE-2016-1742).
- An issue existed that led to the disclosure of kernel memory content. This issue was addressed through improved bounds checking (CVE-2016-1791).
- Multiple vulnerabilities existed in PHP versions prior to 5.5.34. These were addressed by updating PHP to version 5.5.34 (CVE-2015-8865, CVE-2016-3141, CVE-2016-3142, CVE-2016-4070, CVE-2016-4071, CVE-2016-4072, CVE-2016-4073).
- Multiple null pointer dereferences were addressed through improved validation (CVE-2016-1793, CVE-2016-1794, CVE-2016-1798, CVE-2016-1803, CVE-2016-1811, CVE-2016-1813, CVE-2016-1816, CVE-2016-1821).
- A null pointer dereference was addressed through improved locking (CVE-2016-1814).
- An out of bounds memory access issue was addressed through improved memory handling (CVE-2016-1796).
- An issue existed in the sandbox policy. This was addressed by sandboxing FontValidator (CVE-2016-1797).
- A custom URL scheme handling issue was addressed through improved input validation (CVE-2016-1800).
- An information leak existed in the handling of HTTP and HTTPS requests. This issue was addressed through improved URL handling (CVE-2016-1801).
- An issue existed in the handling of return values in CCCrypt. This issue was addressed through improved key length management (CVE-2016-1802).
- Multiple configuration issues were addressed through additional restrictions (CVE-2016-1805, CVE-2016-1806).
- A race condition was addressed through improved locking (CVE-2016-1807).
- Incorrect keys were being used to encrypt disk images. This issue was addressed by updating the encryption keys (CVE-2016-1809).
- Multiple buffer overflow vulnerabilities were addressed through improved bounds checking (CVE-2016-1812, CVE-2016-1820).
- A buffer overflow was addressed through improved size validation (CVE-2016-1790).
- An integer overflow existed in dtrace. This issue was addressed through improved bounds checking (CVE-2016-1826).
- Shared links were sent with HTTP rather than HTTPS. This was addressed by enabling HTTPS for shared links (CVE-2016-1842).
- A validation issue existed in roster changes. This issue was addressed through improved validation of roster sets (CVE-2016-1844).
- An encoding issue existed in filename parsing. This issue was addressed through improved filename encoding (CVE-2016-1843).
- An issue existed in the management of password profiles. This issue was addressed through improved password reset handling (CVE-2016-1851).
- A protocol security issue was addressed by disabling SSLv2 (CVE-2016-1853).
- A state management issue existed when accessing Siri results on the lock screen. This issue was addressed by disabling data detectors in Twitter results when the device is locked (CVE-2016-1852).
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions, or cause denial-of-service conditions.
We recommend the following actions be taken:
- Apply appropriate patches provided by Apple to vulnerable systems immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.