MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2016-163

DATE(S) ISSUED:
10/28/2016

SUBJECT:
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Xcode, iTunes, and iCloud. Xcode is an integrated development environment containing a suite of software development tools developed by Apple Inc. for developing software for macOS, iOS, watchOS and tvOS. iTunes is a media player, media library, online radio broadcaster, and mobile device management application developed by Apple Inc. iCloud is a cloud storage and computing service from Apple Inc. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted webpage or opens a specially crafted file, including an email attachment.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user, arbitrary code execution within the context of the application, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • iCloud for Windows prior to version 6.0.1
  • iTunes for Windows prior to version 12.5.2
  • Xcode prior to version 8.1
  • Adobe Flash Player for Linux prior to version 11.2.202.643
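The "prior to version" thresholds above are the only thing an asset owner needs to triage an inventory against this advisory. The following is an added example (not part of the MS-ISAC advisory) that compares installed versions of the three Apple products against the first fixed versions listed in SYSTEMS AFFECTED; the product names, hostnames and installed versions in the sample inventory are constructed.

```python
"""Triage an installed-software inventory against the SYSTEMS AFFECTED thresholds
of MS-ISAC advisory 2016-163. Added example; not code from the advisory."""
from __future__ import annotations

# First fixed version per product, taken from the advisory's SYSTEMS AFFECTED list.
FIXED_VERSIONS = {
    "iCloud for Windows": "6.0.1",
    "iTunes for Windows": "12.5.2",
    "Xcode": "8.1",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.5.2' into (12, 5, 2); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, installed: str) -> bool:
    """True when `installed` is 'prior to' the fixed version for `product`.

    Shorter tuples are zero-padded so that 8.1 == 8.1.0 and 8.1 < 8.1.1;
    plain tuple comparison without padding would get '8.1' vs '8.1.0' wrong."""
    fixed = parse_version(FIXED_VERSIONS[product])
    have = parse_version(installed)
    width = max(len(fixed), len(have))

    def pad(v: tuple[int, ...]) -> tuple[int, ...]:
        return v + (0,) * (width - len(v))

    return pad(have) < pad(fixed)


def triage(inventory: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Return {product: [hosts still running a build below the fixed version]}.
    Software not covered by this advisory is ignored."""
    findings: dict[str, list[str]] = {p: [] for p in FIXED_VERSIONS}
    for host, installed in inventory.items():
        for product, version in installed.items():
            if product in FIXED_VERSIONS and is_vulnerable(product, version):
                findings[product].append(host)
    return findings


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "ws-fin-01": {"iTunes for Windows": "12.5.1", "iCloud for Windows": "6.0.1"},
    "ws-fin-02": {"iTunes for Windows": "12.5.2"},
    "mac-dev-07": {"Xcode": "8.0.1"},
    "mac-dev-08": {"Xcode": "8.1"},
    "ws-hr-03": {"iCloud for Windows": "5.2"},
}

if __name__ == "__main__":
    for product, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{product}: {', '.join(hosts) or 'no vulnerable hosts'}")
```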

RISK:

    Government:

  • Large and medium government entities: High
  • Small government entities: Medium

    Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

    Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Xcode, iTunes and iCloud. Successful exploitation of the most severe of these vulnerabilities could lead to arbitrary code execution. Details of all vulnerabilities are as follows:

  • Multiple vulnerabilities in Node.js in the Xcode Server could lead to arbitrary code execution or denial of service (CVE-2016-1669, CVE-2016-0705, CVE-2016-0797, CVE-2016-0702, CVE-2016-2086, CVE-2016-2216, CVE-2015-8027, CVE-2015-3193, CVE-2015-3194, CVE-2015-6764).
  • An input validation vulnerability in WebKit could allow for information disclosure (CVE-2016-4613).
  • Multiple memory corruption issues in WebKit could allow for arbitrary code execution (CVE-2016-7578).

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user, arbitrary code execution within the context of the application, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by Apple to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from untrusted or unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

REFERENCES:

Apple:

https://support.apple.com/en-us/HT207268
https://support.apple.com/en-us/HT207273
https://support.apple.com/en-us/HT207274

CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3193
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3194
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6764
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8027
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0702
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0797
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1669
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2086
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2216
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4613
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7578