Multiple Vulnerabilities in Apple Mac OS X Could Allow Remote Code Execution

ITS Advisory Number: 2015-020
Date(s) Issued: Tuesday, March 10, 2015
Date Updated: Monday, March 23, 2015
Subject: Multiple Vulnerabilities in Apple Mac OS X Could Allow Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Apple Mac OS X. Mac OS X is an operating system for Apple computers. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage, or opens a specially crafted file, including an email attachment, using a vulnerable version of OS X.

Successful exploitation could result in an attacker gaining the same privileges as the logged-on user, remote code execution within the context of the application, and bypass of security systems. Failed attacks may cause a Denial of Service condition within the targeted delivery method. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Apple Mac OS X Yosemite v10.10.2
  • Apple Mac OS X Mavericks v10.9.5
  • Apple Mac OS X Mountain Lion v10.8.5
RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: High
BUSINESS
  • Large and medium business entities: High
  • Small business entities: High
Home Users: High
Description: 

Multiple vulnerabilities have been discovered in Mac OS X that could allow remote code execution. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file. Details of these vulnerabilities are as follows:

  • Apple Mac OS X Yosemite v10.10.2 is prone to multiple buffer overflows resulting from the handling of data during iCloud Keychain recovery (CVE-2015-1065).
  • Apple Mac OS X Yosemite v10.10.2 is prone to leaking kernel addresses and heap permutation values through the mach_port_kobject kernel interface (CVE-2015-1066).
  • Apple OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2 are prone to an off-by-one issue in the IOAcceleratorFamily (CVE-2015-1061).
  • Apple OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2 are prone to a type confusion issue with IOSurface's handling of serialized objects (CVE-2014-4496).
  • Apple OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2 are prone to accepting short ephemeral RSA keys, also known as the FREAK attack (CVE-2015-1067).

MARCH 23 - UPDATED DESCRIPTION:

Apple noted that multiple vulnerabilities for Apple OS X Yosemite v10.10.2 were not addressed in Apple Security Update 2015-002. The following vulnerabilities were addressed in Apple Security Update 2015-003:

  • Apple Mac OS X Yosemite v10.10.2 is prone to multiple buffer overflows resulting from the handling of data during iCloud Keychain recovery (CVE-2015-1065).
  • Apple OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2 are prone to an off-by-one issue in the IOAcceleratorFamily (CVE-2015-1061).
Actions: 

We recommend the following actions be taken:

  • Apply appropriate updates provided by Apple to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from untrusted or unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

MARCH 23 - UPDATED RECOMMENDATION:

We recommend the following action be taken:

  • Apply updates from Apple Security Update 2015-003 to vulnerable systems immediately after appropriate testing.