Multiple Vulnerabilities in Apple Mac OS X, Apple Safari and Apple iOS Could Allow for Local or Remote Code Execution

ITS Advisory Number: 
2014-060
Date(s) Issued: 
Wednesday, July 2, 2014
Subject: 
Multiple Vulnerabilities in Apple Mac OS X, Apple Safari and Apple iOS Could Allow for Local or Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Apple's Mac OS X, Apple Safari and iOS that could allow for local or remote code execution. Mac OS X is the operating system for Apple computers. Apple Safari is a web browser available for Mac OS X, iOS and Microsoft Windows. iOS is the operating system for the Apple iPhone, iPod Touch and iPad. Some of these vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file, including an email attachment, using a vulnerable version of OS X, Apple Safari, or iOS; others require physical access to an iOS device.

Successfully exploiting some of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Apple Mac OS X 10.9.4 and earlier
  • Apple Safari before 6.1.5 and 7.x before 7.0.5
  • Apple iOS 7.1.1 and earlier
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

Multiple vulnerabilities have been discovered in Apple's Mac OS X, Apple iOS and Apple Safari. Some of these vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file. Details of these and other vulnerabilities are as follows:

Mac OS X
Certificate Trust Policy
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.3
Impact:  Update to the certificate trust policy
Description:  The certificate trust policy was updated. The complete list of certificates may be viewed by the link provided in the References section of this advisory.

Copyfile (CVE-2014-1370)
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.3
Impact:  Opening a specially crafted zip file may lead to an unexpected application termination or arbitrary code execution
Description:  An out of bounds byte swapping issue existed in the handling of AppleDouble files in zip archives. This issue was addressed through improved bounds checking.
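The Copyfile entry describes a byte-swapping routine that ran past the end of the data it was given. The usual root cause is that the header's own entry count is trusted before anyone checks that the table it describes is actually present. The following is an added example, not Apple's code: a bounds-checked parser for the AppleDouble entry table (the format's magic, version, 16-byte filler, 16-bit count and 12-byte entries are the published layout; the sample bytes and the 16-entry cap are constructed for this example). No byte is swapped until the buffer is known to contain it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* AppleDouble header layout (big-endian throughout): magic(4) version(4) filler(16) count(2),
 * followed by `count` entries of id(4) offset(4) length(4). */
#define AD_MAGIC       0x00051607u
#define AD_VERSION     0x00020000u
#define AD_HEADER_LEN  26u
#define AD_ENTRY_LEN   12u
#define AD_MAX_ENTRIES 16u   /* constructed cap for this example */

typedef struct { uint32_t id, offset, length; } ad_entry;

/* Byte-swapping loads. They are only ever called on bytes the caller has proven to be in bounds;
 * the swap itself is harmless, the danger is where the input pointer is allowed to point. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }

/* Parses the entry table of an AppleDouble file held in buf[0..len).
 * Returns the number of entries, or -1 if the header, the table, or any entry's data range
 * does not fit inside the buffer. Nothing is swapped until its bytes are known to exist. */
int ad_parse(const uint8_t *buf, size_t len, ad_entry *out, size_t max_out) {
    if (len < AD_HEADER_LEN) return -1;
    if (be32(buf) != AD_MAGIC || be32(buf + 4) != AD_VERSION) return -1;
    uint16_t n = be16(buf + 24);
    if (n > max_out) return -1;
    /* n <= 65535, so n * 12 cannot wrap; the whole table must fit before any entry is read. */
    if ((size_t)n * AD_ENTRY_LEN > len - AD_HEADER_LEN) return -1;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = buf + AD_HEADER_LEN + i * AD_ENTRY_LEN;
        out[i].id = be32(e); out[i].offset = be32(e + 4); out[i].length = be32(e + 8);
        /* offset + length could wrap a 32-bit sum, so check it by subtraction against len. */
        if (out[i].offset > len || out[i].length > len - out[i].offset) return -1;
    }
    return (int)n;
}

/* Constructed sample: a well-formed two-entry file (Finder info at offset 50, empty resource fork). */
static const uint8_t AD_OK[] = {
    0x00,0x05,0x16,0x07, 0x00,0x02,0x00,0x00,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    0x00,0x02,
    0x00,0x00,0x00,0x09, 0x00,0x00,0x00,0x32, 0x00,0x00,0x00,0x04,
    0x00,0x00,0x00,0x02, 0x00,0x00,0x00,0x36, 0x00,0x00,0x00,0x00,
    'F','I','N','D'
};
/* Constructed sample: same header, but it claims three entries while only two are present. */
static const uint8_t AD_SHORT[] = {
    0x00,0x05,0x16,0x07, 0x00,0x02,0x00,0x00,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    0x00,0x03,
    0x00,0x00,0x00,0x09, 0x00,0x00,0x00,0x32, 0x00,0x00,0x00,0x04,
    0x00,0x00,0x00,0x02, 0x00,0x00,0x00,0x36, 0x00,0x00,0x00,0x00
};

int ad_demo_ok(void)    { ad_entry e[AD_MAX_ENTRIES]; return ad_parse(AD_OK, sizeof AD_OK, e, AD_MAX_ENTRIES); }
int ad_demo_short(void) { ad_entry e[AD_MAX_ENTRIES]; return ad_parse(AD_SHORT, sizeof AD_SHORT, e, AD_MAX_ENTRIES); }
unsigned ad_demo_first_offset(void) {
    ad_entry e[AD_MAX_ENTRIES];
    ad_parse(AD_OK, sizeof AD_OK, e, AD_MAX_ENTRIES);
    return e[0].offset;
}

int main(void) {
    printf("well-formed: %d entries, first at offset %u\n", ad_demo_ok(), ad_demo_first_offset());
    printf("truncated table: %d\n", ad_demo_short());
    return 0;
}
```

The check that matters is the one before the loop: the table size is derived from the count and compared with what remains in the buffer, so a count that outruns the data is refused before the first swap rather than discovered by a crash.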

cURL (CVE-2014-0015)
Available for:  OS X Mavericks 10.9 to 10.9.3
Impact:  A remote attacker may be able to gain access to another user's session
Description:  cURL re-used NTLM connections when more than one authentication method was enabled, which allowed an attacker to gain access to another user's session.

Dock (CVE-2014-1371)
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.3
Impact:  A sandboxed application may be able to circumvent sandbox restrictions
Description:  An unvalidated array index issue existed in the Dock's handling of messages from applications. A specially crafted message could cause an invalid function pointer to be dereferenced, which could lead to an unexpected application termination or arbitrary code execution.
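An unvalidated array index that selects a function pointer is the pattern behind the Dock entry. The following is an added example, not Apple's Dock code, using a constructed message format (`dock_msg`, `HANDLERS` and the handler functions are assumptions for the example): the unchecked dispatch is shown for contrast next to a hardened form that copies the message out of the shared buffer before validating the index and fails closed on anything outside the table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed message format for this example: the sender names a handler by index. */
typedef struct { uint32_t opcode; uint32_t arg; } dock_msg;
typedef int (*handler_fn)(uint32_t arg);

static int h_bounce(uint32_t a) { return (int)(a * 2u); }
static int h_badge(uint32_t a)  { return (int)(a + 1u); }
static int h_hide(uint32_t a)   { (void)a; return 0; }

static const handler_fn HANDLERS[] = { h_bounce, h_badge, h_hide };
#define N_HANDLERS (sizeof HANDLERS / sizeof HANDLERS[0])

/* The pattern the advisory describes: the index comes straight from an untrusted message and is
 * never compared with the table size, so an opcode of 3 or more loads whatever sits past the
 * table and calls it as a function. Shown for contrast only; never reached by the demo below. */
int dispatch_unchecked(const dock_msg *m) {
    return HANDLERS[m->opcode](m->arg);
}

/* Hardened form. The message is copied out of shared/IPC memory before validation so the sender
 * cannot change it between the check and the use, and an out-of-range opcode is rejected
 * without touching the table. *status is 0 on success, -1 when the message was refused. */
int dispatch_checked(const dock_msg *shared, int *status) {
    dock_msg m = *shared;
    if (m.opcode >= N_HANDLERS) { *status = -1; return 0; }
    *status = 0;
    return HANDLERS[m.opcode](m.arg);
}

int dock_demo_valid(void)   { dock_msg m = { 1, 41 }; int s; return dispatch_checked(&m, &s); }  /* h_badge: 42 */
int dock_demo_invalid(void) { dock_msg m = { 7, 0 };  int s; dispatch_checked(&m, &s); return s; } /* refused: -1 */

int main(void) {
    printf("opcode 1 -> %d\n", dock_demo_valid());
    printf("opcode 7 -> status %d\n", dock_demo_invalid());
    return 0;
}
```

Comparing against `N_HANDLERS`, computed from the table itself, keeps the check correct when handlers are added later; a hard-coded limit is the usual way such a check drifts out of date.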

Graphics Driver (CVE-2014-1372)
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.3
Impact:  A local user can read kernel memory, which can be used to bypass kernel address space layout randomization
Description:  An out-of-bounds read issue existed in the handling of a system call. This issue was addressed through improved bounds checking.

iBooks Commerce (CVE-2014-1317)
Available for:  OS X Mavericks 10.9 to 10.9.3
Impact:  An attacker with access to a system may be able to recover Apple ID credentials
Description:  An issue existed in the handling of iBooks logs. The iBooks process could log Apple ID credentials in the iBooks log where other users of the system could read it. This issue was addressed by disallowing logging of credentials.

Intel Graphics Driver (CVE-2014-1373)
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.3
Impact:  A specially crafted application may be able to execute arbitrary code with system privileges
Description:  A validation issue existed in the handling of an OpenGL API call. This issue was addressed through improved bounds checking.

Intel Graphics Driver (CVE-2014-1375)
Available for:  OS X Mavericks 10.9 to 10.9.3
Impact:  A local user can read a kernel pointer, which can be used to bypass kernel address space layout randomization
Description:  A kernel pointer stored in an IOKit object could be retrieved from userland. This issue was addressed by removing the pointer from the object.

Intel Compute (CVE-2014-1376)
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.3
Impact:  A specially crafted application may be able to execute arbitrary code with system privileges
Description:  A validation issue existed in the handling of an OpenCL API call. This issue was addressed through improved bounds checking.

IOAcceleratorFamily (CVE-2014-1377)
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.3
Impact:  A specially crafted application may be able to execute arbitrary code with system privileges
Description:  An array indexing issue existed in IOAcceleratorFamily. This issue was addressed through improved bounds checking.

IOGraphicsFamily (CVE-2014-1378)
Available for:  OS X Mavericks 10.9 to 10.9.3
Impact:  A local user can read a kernel pointer, which can be used to bypass kernel address space layout randomization
Description:  A kernel pointer stored in an IOKit object could be retrieved from userland. This issue was addressed by using a unique ID instead of a pointer.

IOReporting (CVE-2014-1355)
Available for:  OS X Mavericks 10.9 to 10.9.3
Impact:  A local user could cause an unexpected system restart
Description:  A null pointer dereference existed in the handling of IOKit API arguments. This issue was addressed through additional validation of IOKit API arguments.

launchd (CVE-2014-1359)
Available for:  OS X Mavericks 10.9 to 10.9.3
Impact:  A specially crafted application may be able to execute arbitrary code with system privileges
Description:  An integer underflow existed in launchd. This issue was addressed through improved bounds checking.

launchd (CVE-2014-1356)
Available for:  OS X Mavericks 10.9 to 10.9.3
Impact:  A specially crafted application may be able to execute arbitrary code with system privileges
Description:  A heap buffer overflow existed in launchd's handling of IPC messages. This issue was addressed through improved bounds checking.

launchd (CVE-2014-1357)
Available for:  OS X Mavericks 10.9 to 10.9.3
Impact:  A specially crafted application may be able to execute arbitrary code with system privileges
Description:  A heap buffer overflow existed in launchd's handling of log messages. This issue was addressed through improved bounds checking.

launchd (CVE-2014-1358)
Available for:  OS X Mavericks 10.9 to 10.9.3
Impact:  A specially crafted application may be able to execute arbitrary code with system privileges
Description:  An integer overflow existed in launchd. This issue was addressed through improved bounds checking.
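The four launchd entries above (CVE-2014-1356 through CVE-2014-1359) are variations on one theme: a length or count taken from an IPC or log message feeds arithmetic that underflows, overflows, or sizes a copy into a heap buffer. The following is an added example, not launchd's code, with a constructed 8-byte message header (`ipc_hdr`, `IPC_REC_LEN` and `IPC_MAX_RECS` are assumptions for the example). It shows the 32-bit size check that a wrapping multiplication defeats, beside a parser that guards every subtraction and widens every multiplication before copying anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed IPC layout for this example: an 8-byte header {count, total_len} in host byte order
 * (same-machine IPC), followed by `count` 4-byte records. */
#define IPC_HDR_LEN 8u
#define IPC_REC_LEN 4u
#define IPC_MAX_RECS 64u

typedef struct { uint32_t count; uint32_t total_len; } ipc_hdr;

/* The check an integer overflow defeats: count * IPC_REC_LEN computed in 32 bits can wrap back
 * to a small value that equals the declared payload, after which a copy of the real (huge) size
 * overflows the destination. Returns 1 when the wrapped product matches, i.e. when this check
 * would have been fooled. Shown for contrast; the parser below never uses it. */
int naive_size_check_passes(uint32_t count, uint32_t payload) {
    return (uint32_t)(count * IPC_REC_LEN) == payload;
}

/* Copies the records into out[0..out_max) and returns their number, or -1 if any length
 * relationship in the message does not hold. Every subtraction is guarded against underflow
 * and every multiplication is widened so it cannot wrap. */
int ipc_parse(const uint8_t *buf, size_t buf_len, uint32_t *out, size_t out_max) {
    ipc_hdr h;
    if (buf_len < IPC_HDR_LEN) return -1;            /* guards buf_len - IPC_HDR_LEN */
    memcpy(&h, buf, sizeof h);
    if (h.total_len < IPC_HDR_LEN) return -1;        /* would underflow: a message shorter than its own header */
    if (h.total_len > buf_len) return -1;            /* declares more than was actually received */
    uint32_t payload = h.total_len - IPC_HDR_LEN;    /* safe after the two checks above */
    if ((uint64_t)h.count * IPC_REC_LEN != payload) return -1;  /* 64-bit product: no wrap */
    if (h.count > out_max) return -1;                /* destination bound, independent of sender claims */
    memcpy(out, buf + IPC_HDR_LEN, (size_t)h.count * IPC_REC_LEN);
    return (int)h.count;
}

/* Builds a constructed 16-byte message with the given header and two records, then parses it. */
static int run(uint32_t count, uint32_t total_len) {
    uint8_t buf[16] = {0};
    uint32_t out[IPC_MAX_RECS];
    ipc_hdr h = { count, total_len };
    uint32_t recs[2] = { 7, 9 };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + IPC_HDR_LEN, recs, sizeof recs);
    return ipc_parse(buf, sizeof buf, out, IPC_MAX_RECS);
}

int ipc_demo_valid(void)     { return run(2, 16); }            /* 2 records, lengths consistent: 2 */
int ipc_demo_underflow(void) { return run(0, 4); }             /* total_len < header: -1 */
int ipc_demo_overflow(void)  { return run(0x40000002u, 16); }  /* count*4 wraps to 8 in 32 bits: -1 */

int main(void) {
    printf("valid: %d, underflow: %d, overflow: %d\n",
           ipc_demo_valid(), ipc_demo_underflow(), ipc_demo_overflow());
    printf("naive 32-bit check fooled by count 0x40000002: %d\n",
           naive_size_check_passes(0x40000002u, 8));
    return 0;
}
```

The last line of output is the point: a count of 0x40000002 multiplied by 4 is 8 in 32-bit arithmetic, so a naive check agrees with an 8-byte payload while the copy it authorises is over 4 GiB. Widening the product (or bounding `count` by the destination first) removes the wrap.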

Graphics Drivers (CVE-2014-1379)
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.3
Impact:  A specially crafted application may be able to execute arbitrary code with system privileges
Description:  Multiple null dereference issues existed in kernel graphics drivers. A specially crafted 32-bit executable may have been able to obtain elevated privileges.

Security - Keychain (CVE-2014-1380)
Available for:  OS X Mavericks 10.9 to 10.9.3
Impact:  An attacker may be able to type into windows under the screen lock
Description:  Under rare circumstances, the screen lock did not intercept keystrokes. This could have allowed an attacker to type into windows under the screen lock. This issue was addressed through improved keystroke observer management.

Security - Secure Transport (CVE-2014-1361)
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.3
Impact:  Two bytes of memory could be disclosed to a remote attacker
Description:  An uninitialized memory access issue existed in the handling of DTLS messages in a TLS connection. This issue was addressed by only accepting DTLS messages in a DTLS connection.
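The Secure Transport fix is a record-layer rule: a connection established as TLS must refuse DTLS records rather than try to interpret them. The two header formats differ in length (5 bytes for TLS, 13 for DTLS because of the epoch and sequence fields), so parsing one with the other's offsets reads fields that were never filled in. The following is an added example, not Secure Transport's code, of a record-header parser that decides the header length only after confirming the version family matches the connection kind; the two sample records are constructed for the example, and `parse_record`, `conn_kind` and `record_hdr` are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { CONN_TLS, CONN_DTLS } conn_kind;

typedef struct {
    uint8_t  content_type;
    uint16_t version;
    uint16_t length;      /* payload length declared by the record */
    size_t   header_len;  /* 5 for TLS, 13 for DTLS */
} record_hdr;

#define TLS_HDR_LEN        5u    /* type(1) version(2) length(2) */
#define DTLS_HDR_LEN       13u   /* type(1) version(2) epoch(2) sequence(6) length(2) */
#define MAX_RECORD_PAYLOAD 16384u

static bool is_tls_version(uint16_t v)  { return v == 0x0301 || v == 0x0302 || v == 0x0303; }
static bool is_dtls_version(uint16_t v) { return v == 0xFEFF || v == 0xFEFD; }

/* Returns 0 and fills *out on success; -1 if the record does not belong on this kind of
 * connection or is truncated. The header length is chosen only after the version family has
 * been confirmed to match `kind`, so a DTLS record is never parsed with TLS offsets (or vice
 * versa) and no field is read from bytes the record did not supply. */
int parse_record(conn_kind kind, const uint8_t *buf, size_t len, record_hdr *out) {
    if (len < 3) return -1;                                  /* need type + version before deciding anything */
    uint16_t ver = (uint16_t)((buf[1] << 8) | buf[2]);
    size_t hdr;
    if (kind == CONN_TLS && is_tls_version(ver))        hdr = TLS_HDR_LEN;
    else if (kind == CONN_DTLS && is_dtls_version(ver)) hdr = DTLS_HDR_LEN;
    else return -1;                                          /* wrong protocol family for this connection */
    if (len < hdr) return -1;                                /* truncated header: do not read the length bytes */
    uint16_t rec_len = (uint16_t)((buf[hdr - 2] << 8) | buf[hdr - 1]);
    if (rec_len > MAX_RECORD_PAYLOAD || len - hdr < rec_len) return -1;  /* payload must be fully present */
    out->content_type = buf[0];
    out->version = ver;
    out->length = rec_len;
    out->header_len = hdr;
    return 0;
}

/* Constructed records: a TLS 1.2 handshake record with a 4-byte payload, and a DTLS 1.2 record
 * carrying the same payload (epoch 0, sequence number 1). */
static const uint8_t TLS_REC[]  = { 0x16, 0x03, 0x03, 0x00, 0x04, 1, 2, 3, 4 };
static const uint8_t DTLS_REC[] = { 0x16, 0xFE, 0xFD, 0x00, 0x00, 0, 0, 0, 0, 0, 1, 0x00, 0x04, 1, 2, 3, 4 };

int demo_tls_on_tls(void) {
    record_hdr h;
    return parse_record(CONN_TLS, TLS_REC, sizeof TLS_REC, &h) == 0 ? (int)h.length : -1;      /* 4 */
}
int demo_dtls_on_tls(void) {
    record_hdr h;
    return parse_record(CONN_TLS, DTLS_REC, sizeof DTLS_REC, &h);                              /* -1 */
}
int demo_dtls_on_dtls(void) {
    record_hdr h;
    return parse_record(CONN_DTLS, DTLS_REC, sizeof DTLS_REC, &h) == 0 ? (int)h.header_len : -1; /* 13 */
}

int main(void) {
    printf("TLS record on TLS connection: payload %d\n", demo_tls_on_tls());
    printf("DTLS record on TLS connection: %d (refused)\n", demo_dtls_on_tls());
    printf("DTLS record on DTLS connection: header %d bytes\n", demo_dtls_on_dtls());
    return 0;
}
```

The version check happens at offset 1, which both formats share, so the decision is made from bytes that exist in either case; everything after it is read with the offsets of the format that was actually negotiated.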

Thunderbolt (CVE-2014-1381)
Available for:  OS X Mavericks 10.9 to 10.9.3
Impact:  A specially crafted application may be able to execute arbitrary code with system privileges
Description:  An out of bounds memory access issue existed in the handling of IOThunderBoltController API calls. This issue was addressed through improved bounds checking.

Safari
WebKit (CVE-2014-1325, CVE-2014-1340, CVE-2014-1362, CVE-2014-1363, CVE-2014-1364, CVE-2014-1365, CVE-2014-1366, CVE-2014-1367, CVE-2014-1368, CVE-2014-1382)
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3
Impact:  Visiting a specially crafted website may lead to an unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.

WebKit (CVE-2014-1369)
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3
Impact:  Dragging a URL from a specially crafted website to another window could lead to the disclosure of local file content
Description:  Dragging a URL from a specially crafted website to another window could have allowed the specially crafted site to access a file:// URL. This issue was addressed through improved validation of dragged resources.

WebKit (CVE-2014-1345)
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3
Impact:  A specially crafted website may be able to spoof its domain name in the address bar
Description:  A spoofing issue existed in the handling of URLs. This issue was addressed through improved encoding of URLs.

iOS
Certificate Trust Policy
Available for:  iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Update to the certificate trust policy
Description:  The certificate trust policy was updated. The complete list of certificates may be viewed by the link provided in the References section of this advisory.

CoreGraphics (CVE-2014-1354)
Available for:  iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a specially crafted XBM file may lead to an unexpected application termination or arbitrary code execution
Description:  An unbounded stack allocation issue existed in the handling of XBM files. This issue was addressed through improved bounds checking.

Kernel (CVE-2014-1355)
Available for:  iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  An application could cause the device to unexpectedly restart
Description:  A null pointer dereference existed in the handling of IOKit API arguments. This issue was addressed through additional validation of IOKit API arguments.

launchd (CVE-2014-1356)
Available for:  iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A specially crafted application may be able to execute arbitrary code with system privileges
Description:  A heap buffer overflow existed in launchd's handling of IPC messages. This issue was addressed through improved bounds checking.

launchd (CVE-2014-1357)
Available for:  iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A specially crafted application may be able to execute arbitrary code with system privileges
Description:  A heap buffer overflow existed in launchd's handling of log messages. This issue was addressed through improved bounds checking.

launchd (CVE-2014-1358)
Available for:  iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A specially crafted application may be able to execute arbitrary code with system privileges
Description:  An integer overflow existed in launchd. This issue was addressed through improved bounds checking.

launchd (CVE-2014-1359)
Available for:  iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A specially crafted application may be able to execute arbitrary code with system privileges
Description:  An integer underflow existed in launchd. This issue was addressed through improved bounds checking.

Lockdown (CVE-2014-1360)
Available for:  iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  An attacker possessing an iOS device could potentially bypass Activation Lock
Description:  Devices were performing incomplete checks during device activation, which made it possible for attackers to partially bypass Activation Lock. This issue was addressed through additional client-side verification of data received from activation servers.

Lock Screen (CVE-2014-1352)
Available for:  iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  An attacker in possession of a device may exceed the maximum number of failed passcode attempts
Description:  In some circumstances, the failed passcode attempt limit was not enforced. This issue was addressed through additional enforcement of this limit.

Lock Screen (CVE-2014-1353)
Available for:  iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to a locked device may be able to access the application that was in the foreground prior to locking
Description:  A state management issue existed in the handling of the telephony state while in Airplane Mode. This issue was addressed through improved state management while in Airplane Mode.

Mail (CVE-2014-1348)
Available for:  iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Mail attachments can be extracted from an iPhone 4
Description:  Data protection was not enabled for mail attachments, allowing them to be read by an attacker with physical access to the device. This issue was addressed by changing the encryption class of mail attachments.

Safari (CVE-2014-1349)
Available for:  iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a specially crafted website may lead to an unexpected application termination or arbitrary code execution
Description:  A use after free issue existed in Safari's handling of invalid URLs. This issue was addressed through improved memory handling.

Settings (CVE-2014-1350)
Available for:  iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to disable Find My iPhone without entering an iCloud password
Description:  A state management issue existed in the handling of the Find My iPhone state. This issue was addressed through improved handling of Find My iPhone state.

Secure Transport (CVE-2014-1361)
Available for:  iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Two bytes of uninitialized memory could be disclosed to a remote attacker
Description:  An uninitialized memory access issue existed in the handling of DTLS messages in a TLS connection. This issue was addressed by only accepting DTLS messages in a DTLS connection.

Siri (CVE-2014-1351)
Available for:  iPhone 4S and later, iPod touch (5th generation) and later, iPad (3rd generation) and later
Impact:  A person with physical access to the phone may be able to view all contacts
Description:  If a Siri request might refer to one of several contacts, Siri displays a list of possible choices and the option 'More...' for a complete contact list. When used at the lock screen, Siri did not require the passcode before viewing the complete contact list. This issue was addressed by requiring the passcode.

WebKit (CVE-2013-2875, CVE-2013-2927, CVE-2014-1325, CVE-2014-1326, CVE-2014-1327, CVE-2014-1329, CVE-2014-1330, CVE-2014-1331, CVE-2014-1333, CVE-2014-1334, CVE-2014-1335, CVE-2014-1336, CVE-2014-1337, CVE-2014-1338, CVE-2014-1339, CVE-2014-1341, CVE-2014-1342, CVE-2014-1343, CVE-2014-1362, CVE-2014-1363, CVE-2014-1364, CVE-2014-1365, CVE-2014-1366, CVE-2014-1367, CVE-2014-1368, CVE-2014-1382, CVE-2014-1731)
Available for:  iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a specially crafted website may lead to an unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.

WebKit (CVE-2014-1346)
Available for:  iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A specially crafted site can send messages to a connected frame or window in a way that might circumvent the receiver's origin check
Description:  An encoding issue existed in the handling of unicode characters in URLs. A specially crafted URL could have led to sending an incorrect postMessage origin. This issue was addressed through improved encoding/decoding.

WebKit (CVE-2014-1345)
Available for:  iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A specially crafted website may be able to spoof its domain name in the address bar
Description:  A spoofing issue existed in the handling of URLs. This issue was addressed through improved encoding of URLs.

Actions: 
  • Apply appropriate patches provided by Apple to affected systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download or open files from untrusted websites, unknown users, or suspicious emails.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Avoid leaving Apple iOS devices unattended.
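Applying the patches starts with knowing which installed versions fall inside the affected ranges. The following is an added example, not part of this advisory or any Apple tool: a dotted-version comparator and an affected-range table. The ranges are taken from this advisory's own version statements (Safari before 6.1.5 and 7.x before 7.0.5; iOS 7.1.1 and earlier; for OS X, the per-component ranges 10.7.5, 10.8.5 and 10.9 to 10.9.3). The Systems Affected list gives the broader bound "10.9.4 and earlier" for OS X; treating 10.9.4 as the fixed release is an assumption of this example, so widen the table if a conservative reading is preferred. `version_cmp`, `is_affected` and the `AFFECTED` table are assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reads one numeric component and advances past it and a following '.'; a non-numeric
 * character is skipped so the caller's loop always makes progress on malformed input. */
static long next_component(const char **s) {
    char *end;
    long v = strtol(*s, &end, 10);
    if (end == *s && **s) end = (char *)*s + 1;
    if (*end == '.') end++;
    *s = end;
    return v;
}

/* Compares dotted numeric versions component by component; missing components count as 0,
 * so "10.9" == "10.9.0". Returns -1, 0 or 1. */
int version_cmp(const char *a, const char *b) {
    while (*a || *b) {
        long x = next_component(&a), y = next_component(&b);
        if (x != y) return x < y ? -1 : 1;
    }
    return 0;
}

/* Inclusive affected ranges, encoded from this advisory's version statements. */
typedef struct { const char *product, *lo, *hi; } affected_range;
static const affected_range AFFECTED[] = {
    { "OS X",   "10.7.5", "10.7.5" },
    { "OS X",   "10.8.5", "10.8.5" },
    { "OS X",   "10.9",   "10.9.3" },   /* assumption: 10.9.4 treated as the fixed release */
    { "Safari", "0",      "6.1.4"  },   /* "before 6.1.5" */
    { "Safari", "7.0",    "7.0.4"  },   /* "7.x before 7.0.5" */
    { "iOS",    "0",      "7.1.1"  },   /* "7.1.1 and earlier" */
};

/* Returns 1 if `version` of `product` lies inside any affected range, else 0. */
int is_affected(const char *product, const char *version) {
    for (size_t i = 0; i < sizeof AFFECTED / sizeof AFFECTED[0]; i++) {
        const affected_range *r = &AFFECTED[i];
        if (strcmp(r->product, product) == 0 &&
            version_cmp(version, r->lo) >= 0 && version_cmp(version, r->hi) <= 0)
            return 1;
    }
    return 0;
}

int main(int argc, char **argv) {
    /* Usage: ./check <product> <version>, e.g. ./check "OS X" "$(sw_vers -productVersion)" */
    if (argc == 3) {
        printf("%s %s: %s\n", argv[1], argv[2], is_affected(argv[1], argv[2]) ? "AFFECTED" : "not affected");
        return 0;
    }
    const char *samples[][2] = { {"OS X", "10.9.3"}, {"OS X", "10.9.4"}, {"Safari", "7.0.4"},
                                 {"Safari", "7.0.5"}, {"iOS", "7.1.1"} };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s %s: %s\n", samples[i][0], samples[i][1],
               is_affected(samples[i][0], samples[i][1]) ? "AFFECTED" : "not affected");
    return 0;
}
```

On a Mac the OS version comes from `sw_vers -productVersion`; fed to the program as the second argument it gives a yes/no answer that an inventory script can act on. Because the comparison is numeric per component, "10.9.10" correctly sorts above "10.9.3", which a plain string comparison would get wrong.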
References: 
Apple:
http://support.apple.com/kb/HT1222
http://support.apple.com/kb/HT6005
(Security Trust Policy Update)
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1362
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1365
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1366
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1367
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1369
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1370
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1371
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1317
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1375
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1359
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1357
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1361
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1381
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2875
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2927
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1323
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1326
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1327
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1329
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1330
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1331
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1341
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1343
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1362
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1365
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1366
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1367
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1731
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1354
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1360
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1353
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1348
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1349
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1350
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1351