MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2016-180

DATE(S) ISSUED:
12/14/2016 - Updated

SUBJECT:
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

ORIGINAL OVERVIEW:

Multiple vulnerabilities have been discovered in iOS, tvOS, and watchOS which could allow for arbitrary code execution. iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch. tvOS is an operating system for the fourth-generation Apple TV digital media player. watchOS is the mobile operating system of the Apple Watch and is based on the iOS operating system. Attackers can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code, and perform unauthorized actions or obtain sensitive information.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user, arbitrary code execution within the context of the application, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

December 14 - UPDATED OVERVIEW:

Additional vulnerabilities have been reported affecting further Apple products, the most severe of which could allow for remote code execution.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEM AFFECTED:

• iOS Versions prior to 10.2

• tvOS Versions prior to 10.1

• watchOS Versions prior to 3.1.1
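An added example, not part of the MS-ISAC advisory, that turns the version thresholds above into an inventory check: it compares dotted version strings numerically (a plain string compare would rank "10.10" below "10.2") and lists devices still below the fixed release. The inventory export, its column names, and the device records are constructed for the example; Safari, iTunes, iCloud, and macOS Sierra are left out because the advisory gives no version thresholds for them.

```python
"""Flag Apple devices whose OS version is below the minimum fixed release
named in the advisory (iOS 10.2, tvOS 10.1, watchOS 3.1.1)."""
import csv
import io

# Minimum fixed versions, taken from the SYSTEM AFFECTED section of the advisory.
MIN_FIXED = {
    "iOS": "10.2",
    "tvOS": "10.1",
    "watchOS": "3.1.1",
}

# Constructed sample inventory export (not real data); column names are assumed.
SAMPLE_INVENTORY = """\
device_id,platform,os_version
ipad-001,iOS,10.1.1
iphone-002,iOS,10.2
iphone-003,iOS,9.3.5
iphone-004,iOS,10.10
atv-005,tvOS,10.0.1
watch-006,watchOS,3.1
watch-007,watchOS,3.1.1
mac-008,macOS,10.12.1
"""


def parse_version(text):
    """Turn '10.2' into (10, 2) so tuple comparison is numeric per component.
    Assumes release versions made of dotted integers (no beta/build suffixes)."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(platform, version):
    """True when the advisory lists the platform and the version is below the fix.
    Returns None for platforms the advisory gives no threshold for."""
    threshold = MIN_FIXED.get(platform)
    if threshold is None:
        return None
    return parse_version(version) < parse_version(threshold)


def find_unpatched(inventory_csv):
    """Return [(device_id, platform, version), ...] for devices still exposed."""
    unpatched = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if is_vulnerable(row["platform"], row["os_version"]):
            unpatched.append((row["device_id"], row["platform"], row["os_version"]))
    return unpatched


if __name__ == "__main__":
    for device_id, platform, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"{device_id}: {platform} {version} is below {MIN_FIXED[platform]}")
```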

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in iOS, tvOS, and watchOS. The most severe of the vulnerabilities could allow for arbitrary code execution. Details of all vulnerabilities are as follows:

· An information-disclosure vulnerability that affects the 'Accessibility' component. Specifically, this issue occurs in the handling of passwords (CVE-2016-7634).

· A security-bypass vulnerability that affects the 'Accessibility' component. Successful exploits may allow an attacker to access photos and contacts from the lock screen (CVE-2016-7664).

· A security-bypass vulnerability due to a state management issue. Specifically, this issue affects the 'Find My iPhone' component (CVE-2016-7638).

· A denial of service vulnerability because it fails to properly sanitize user-supplied input. Specifically, this issue affects the 'Graphics Driver' (CVE-2016-7665).

· An arbitrary code-execution vulnerability because it fails to properly handle USB image devices. Specifically, this issue affects the 'Image Capture' component (CVE-2016-4690).

· A security vulnerability that occurs due to a logic issue existing in the handling of the idle timer when the Touch ID prompt is shown. Specifically, this issue affects the Local Authentication component (CVE-2016-7601).

· A security-bypass vulnerability that affects the 'Mail' component. Specifically, this issue occurs because S/MIME policy failed to check if a certificate was valid (CVE-2016-4689).

· A security-bypass vulnerability that affects the 'Media Player' component. Successful exploits may allow an attacker to view photos and contacts from the lock screen (CVE-2016-7653).

· A security-bypass vulnerability that affects the 'SpringBoard' component. Specifically, this issue occurs in the handling of passcode attempts when resetting the passcode (CVE-2016-4781).

· A security-bypass vulnerability that affects the 'SpringBoard' component (CVE-2016-7597).

· A memory-corruption vulnerability in which opening a maliciously crafted certificate may lead to arbitrary code execution (CVE-2016-7626).

· A security-bypass vulnerability which does not reset authorization settings on app uninstall (CVE-2016-7651).

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user, arbitrary code execution within the context of the application, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

December 14 - UPDATED TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Safari, iTunes, iCloud, and macOS Sierra. The most severe of the vulnerabilities could allow for remote code execution. Details of all vulnerabilities are as follows:

· A buffer overflow existed in the handling of font files. This issue was addressed through improved bounds checking. (CVE-2016-4688)

· Multiple memory-corruption vulnerabilities exist because it fails to properly handle font files. Specifically, these issues affect the FontParser component. (CVE-2016-4691)

· Multiple memory-corruption vulnerabilities exist because it fails to properly handle the memory. Specifically, these issues affect the 'WebKit' component. (CVE-2016-4692, CVE-2016-7635, CVE-2016-7652)

· A security weakness exists because it uses insecure 3DES as the default cipher. Specifically, this issue affects the Security component. (CVE-2016-4693)

· A memory-corruption vulnerability exists because it fails to properly validate user-supplied input. Specifically, this issue affects the 'WebKit' component. An attacker can exploit this issue to obtain sensitive information. (CVE-2016-4743)

· A security-bypass vulnerability due to a state management issue. Specifically, this issue affects the 'WebKit' component. (CVE-2016-7586)

· Multiple memory-corruption vulnerabilities due to state management issues. Specifically, these issues affect the 'WebKit' component. (CVE-2016-7587, CVE-2016-7610, CVE-2016-7611, CVE-2016-7639, CVE-2016-7640, CVE-2016-7641, CVE-2016-7642, CVE-2016-7645, CVE-2016-7646, CVE-2016-7648, CVE-2016-7649, CVE-2016-7654)

· A memory-corruption vulnerability exists because it fails to properly handle the memory. Specifically, this issue affects the CoreMedia Playback component. (CVE-2016-7588)

· A memory corruption vulnerability exists because it fails to properly handle the certificate profiles. Specifically, this issue affects the profile component. (CVE-2016-7589)

· A local privilege-escalation vulnerability exists due to a use-after-free error. Specifically, this issue affects the IOHIDFamily component. (CVE-2016-7591)

· A memory-corruption vulnerability exists because it fails to properly handle the memory. Specifically, this issue affects the ICU component. (CVE-2016-7594)

· Multiple memory-corruption vulnerabilities exist because it fails to properly handle font files. Specifically, these issues affect the CoreText component. (CVE-2016-7595)

· A memory-corruption vulnerability. Specifically, this issue affects the 'Bluetooth' component. (CVE-2016-7596)

· An information-disclosure vulnerability exists due to an uninitialized memory access issue. Specifically, this issue affects the 'WebKit' component. (CVE-2016-7598)

· A security-bypass vulnerability exists because it fails to properly handle HTTP redirects. Specifically, this issue affects the 'WebKit' component. (CVE-2016-7599)

· A local privilege-escalation vulnerability. Specifically, this issue affects the 'OpenPAM'. (CVE-2016-7600)

· A memory-corruption vulnerability. Specifically, this issue affects the 'Intel Graphics Driver' component. (CVE-2016-7602)

· A local denial-of-service vulnerability because of a null pointer dereference error. Specifically, this issue affects the 'CoreStorage' component. (CVE-2016-7603)

· A local denial-of-service vulnerability because of a null pointer dereference error. Specifically, this issue affects the 'CoreCapture' component. (CVE-2016-7604)

· A denial-of-service vulnerability because of a null pointer dereference error. Specifically, this issue affects the 'Bluetooth' component. (CVE-2016-7605)

· Multiple memory-corruption vulnerabilities exist because it fails to properly handle font files. Specifically, these issues affect the Kernel component. (CVE-2016-7606, CVE-2016-7612)

· An information-disclosure vulnerability exists because it fails to properly initialize the memory returned to user space. Specifically, this issue affects the Kernel component. (CVE-2016-7607)

· A memory-corruption vulnerability. Specifically, this issue affects the 'IOFireWireFamily' component. (CVE-2016-7608)

· A local denial-of-service vulnerability because of a null pointer dereference error. Specifically, this issue affects the 'AppleGraphicsPowerManagement' component. (CVE-2016-7609)

· A local information-disclosure vulnerability because it fails to clear the memory. Specifically, the issue occurs in 'Windows Security'. (CVE-2016-7614)

· A local denial-of-service vulnerability exists because it fails to properly handle memory. Specifically, this issue affects the Kernel component. (CVE-2016-7615)

· A memory-corruption vulnerability exists because it fails to properly validate the user supplied input. Specifically, this issue affects the Disk Images component. (CVE-2016-7616)

· A remote code-execution vulnerability because of a type confusion error. Specifically, this issue affects the 'Bluetooth' component. (CVE-2016-7617)

· A memory-corruption vulnerability. An attacker can exploit this issue by sending a specially crafted '.gcx' file. (CVE-2016-7618)

· A local arbitrary code-execution vulnerability exists because it fails to properly handle symlinks. Specifically, this issue affects libarchive component. (CVE-2016-7619)

· A local information-disclosure vulnerability that affects the 'IOSurface' component. An attacker can exploit this issue to determine the kernel memory layout. (CVE-2016-7620)

· A local arbitrary code-execution vulnerability exists due to a use-after-free error. Specifically, this issue affects Kernel component. (CVE-2016-7621)

· A memory-corruption vulnerability. Specifically, this issue affects the 'Grapher'. (CVE-2016-7622)

· A local information-disclosure vulnerability that affects the 'IOAcceleratorFamily' component. An attacker can exploit this issue to determine kernel memory layout. (CVE-2016-7624)

· A local information-disclosure vulnerability that affects the 'IOKit' component. An attacker can exploit this issue to determine the kernel memory layout. (CVE-2016-7625)

· A denial-of-service vulnerability exists due to a null pointer dereference error. Specifically, this issue affects the CoreGraphics component. (CVE-2016-7627)

· A local security-bypass vulnerability because it fails to properly protect downloaded mobile assets. Specifically, this issue occurs in the 'Assets'. (CVE-2016-7628)

· A memory-corruption vulnerability. Specifically, this issue affects the 'kext tools' component. (CVE-2016-7629)

· A memory-corruption vulnerability exists due to a state management issue. Specifically, this issue affects the 'WebKit' component. (CVE-2016-7632)

· A local privilege-escalation vulnerability because of a use-after-free error. Specifically, this issue affects the 'Directory Services' component. (CVE-2016-7633)

· A denial-of-service vulnerability exists because it fails to properly handle OCSP responder URLs. Specifically, this issue affects the Security component. (CVE-2016-7636)

· A local privilege-escalation vulnerability exists because it fails to properly sanitize user supplied input. Specifically, this issue affects the Kernel component. (CVE-2016-7637)

· An information-disclosure vulnerability exists due to an out-of-bounds read error. Specifically, this issue affects the ImageIO component. (CVE-2016-7643)

· A remote code-execution vulnerability due to a use-after-free error. Specifically, this issue affects the 'Kernel' component. (CVE-2016-7644)

· A cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. Specifically, this issue affects the Safari Reader component. (CVE-2016-7650)

· An arbitrary code-execution vulnerability exists due to a type-confusion error. Specifically, the issue occurs in the 'mediaserver daemon' of CoreMedia External Displays. (CVE-2016-7655)

· A memory-corruption vulnerability exists due to a state management issue. Specifically, this issue affects the 'WebKit' component. (CVE-2016-7656)

· A memory-corruption vulnerability exists because it fails to properly validate user supplied input. Specifically, this issue affects the IOKit component. (CVE-2016-7657)

· Multiple memory-corruption vulnerabilities exist because it fails to properly validate user-supplied input. Specifically, these issues affect the Audio component. (CVE-2016-7658, CVE-2016-7659)

· A local privilege-escalation vulnerability exists because it fails to properly validate mach port name references. Specifically, this issue affects the syslog component. (CVE-2016-7660)

· A privilege-escalation issue due to improper validation. Specifically, the issue occurs in 'Power Management'. (CVE-2016-7661)

· A security-bypass vulnerability exists because it fails to properly validate certificates. Specifically, this issue affects the Security component. (CVE-2016-7662)

· A memory-corruption vulnerability exists because it fails to properly bounds check the user supplied input. Specifically, this issue affects the CoreFoundation component. (CVE-2016-7663)

RECOMMENDATIONS:
We recommend the following actions be taken:

· Apply appropriate patches provided by Apple to vulnerable systems immediately after appropriate testing.

· Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

· Remind users not to download, accept, or execute files from untrusted or unknown sources.

· Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

REFERENCES:

Apple:
https://support.apple.com/en-us/HT207422

https://support.apple.com/en-us/HT207425

https://support.apple.com/en-us/HT207426

CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4688

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4691

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4692

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4693

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4743

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7586

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7587

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7588

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7589

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7591

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7594

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7595

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7596

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7598

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7599

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7600

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7602

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7603

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7604

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7605

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7606

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7607

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7608

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7609

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7610

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7611

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7612

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7614

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7615

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7616

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7617

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7618

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7619

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7620

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7621

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7622

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7624

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7625

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7627

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7628

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7629

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7632

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7633

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7635

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7636

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7637

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7639

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7640

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7641

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7642

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7643

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7644

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7645

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7646

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7648

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7649

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7650

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7652

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7654

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7655

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7656

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7657

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7658

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7659

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7660

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7661

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7662

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7663