Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

ITS Advisory Number: 
2017-007
Date(s) Issued: 
Wednesday, January 25, 2017
Subject: 
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in iOS, tvOS, watchOS, macOS Sierra, iCloud for Windows, Safari, and iTunes for Windows, which could allow for arbitrary code execution. iOS is Apple's operating system for mobile devices, including the iPhone, iPad, and iPod touch. tvOS is the operating system for the fourth-generation Apple TV digital media player. watchOS is the operating system of the Apple Watch and is based on iOS. macOS Sierra is the thirteenth major release of macOS (previously OS X), Apple's desktop and server operating system for Macintosh computers. iCloud for Windows is a service developed by Apple that keeps Apple devices in sync with each other. Safari is a web browser developed by Apple. iTunes for Windows is a media player, media library, online radio broadcaster, and mobile device management application developed by Apple.

Systems Affected: 
  • iOS Versions prior to 10.2.1

  • tvOS Versions prior to 10.1.1

  • watchOS Versions prior to 3.1.3

  • macOS Sierra Versions prior to 10.12.3

  • iCloud for Windows Versions prior to 6.1.1

  • Safari Versions prior to 10.0.3

  • iTunes for Windows Versions prior to 12.5.5

Risk: 
GOVERNMENT
  • Large and medium government entities: High

  • Small government entities: Medium

BUSINESS
  • Large and medium business entities: High

  • Small business entities: Medium

HOME USERS
  • Home users: Low

Description: 

Multiple vulnerabilities have been discovered in watchOS, iOS, tvOS, macOS Sierra, iCloud for Windows, Safari, and iTunes for Windows. The most severe of these vulnerabilities could allow for arbitrary code execution. Details of the vulnerabilities are as follows:

  • An arbitrary code execution vulnerability that affects a feature called 'FontParser' when processing a maliciously crafted font file. (CVE-2016-4691)

  • An arbitrary code execution vulnerability caused by opening a maliciously crafted file due to an input validation issue existing in modelines. (CVE-2016-1248)

  • A security vulnerability which may allow an attacker to exploit weaknesses in the 3DES cryptographic algorithm. (CVE-2016-4693)

  • An arbitrary code execution vulnerability that affects the 'CoreMedia Playback' module when processing a maliciously crafted .mp4 file. (CVE-2016-7588)

  • An arbitrary code execution vulnerability caused by processing maliciously crafted web content. (CVE-2016-7589)

  • A vulnerability in a feature called 'IOHIDFamily' that could allow arbitrary code execution with kernel privileges. (CVE-2016-7591)

  • An arbitrary code execution vulnerability that affects a feature called 'ICU' when processing maliciously crafted web content. (CVE-2016-7594)

  • An arbitrary code execution vulnerability that affects the 'CoreText' module when processing a maliciously crafted font file. (CVE-2016-7595)

  • An insufficient initialization vulnerability allowing an application to read kernel memory was addressed by properly initializing memory returned to user space. (CVE-2016-7607)

  • Multiple memory corruption vulnerabilities allowing an application to execute arbitrary code with kernel privileges were addressed through improved input validation. (CVE-2016-7606, CVE-2016-7612)

  • A denial of service vulnerability allowing a local user to cause a system denial of service was addressed through improved memory handling. (CVE-2016-7615)

  • A vulnerability in a feature called 'Disk Images', due to input validation errors, that could allow arbitrary code execution with kernel privileges. (CVE-2016-7616)

  • A 'symlink' validation vulnerability allowing a local attacker to overwrite existing files. (CVE-2016-7619)

  • A vulnerability allowing a local user to cause an unexpected system termination or execute arbitrary code in the kernel was addressed through improved memory management. (CVE-2016-7621)

  • A denial of service vulnerability that affects the 'CoreGraphics' module when processing a maliciously crafted font file. (CVE-2016-7627)

  • A denial of service vulnerability that affects the handling of OCSP responder URLs. (CVE-2016-7636)

  • A memory corruption vulnerability allowing a user to gain root privileges was addressed through improved input validation. (CVE-2016-7637)

  • A security vulnerability that affects a feature called 'ImageIO' which may allow a remote attacker to leak memory. (CVE-2016-7643)

  • An arbitrary code execution vulnerability that may allow a local application with system privileges to execute arbitrary code with kernel privileges. (CVE-2016-7644)

  • An issue existed which did not reset the authorization settings on app uninstall. This issue was addressed through improved sanitization. (CVE-2016-7651)

  • A memory corruption vulnerability which may allow an application to read kernel memory was addressed through improved input validation. (CVE-2016-7657)

  • Memory corruption issues caused by processing maliciously crafted files, leading to arbitrary code execution, were addressed through improved input validation. (CVE-2016-7658, CVE-2016-7659)

  • A privilege escalation vulnerability in mach port name references which may allow a local user to gain root privileges. (CVE-2016-7660)

  • A memory-corruption vulnerability in the 'CoreFoundation' module when processing strings may lead to an unexpected application termination or arbitrary code execution. (CVE-2016-7663)

  • Multiple issues in PHP were addressed by updating to PHP version 5.6.28. (CVE-2016-8670, CVE-2016-9933, CVE-2016-9934)

  • An arbitrary code execution vulnerability when unpacking a maliciously crafted archive was addressed through improved memory handling. (CVE-2016-8687)

  • A data exfiltration vulnerability caused by a prototype access issue when processing maliciously crafted web content was addressed through improved exception handling. (CVE-2017-2350)

  • A security-bypass vulnerability in the handling of user input that causes a device to present the home screen even when locked. (CVE-2017-2351)

  • A logic issue which may unlock an Apple Watch when it is off the user's wrist was addressed through improved state management. (CVE-2017-2352)

  • An arbitrary code execution vulnerability in the Bluetooth feature was addressed through improved memory management. (CVE-2017-2353)

  • An arbitrary code execution vulnerability caused by a memory initialization issue when processing maliciously crafted web content. (CVE-2017-2355)

  • A security vulnerability may allow an application to determine kernel memory layout due to an uninitialized memory issue. (CVE-2017-2357)

  • A memory corruption vulnerability that could allow arbitrary code execution with kernel privileges was addressed through improved input validation. (CVE-2017-2358)

  • A state management vulnerability in the address bar caused by visiting a malicious website was addressed through improved URL handling. (CVE-2017-2359)

  • An arbitrary code execution vulnerability may allow an application to execute arbitrary code with kernel privileges. (CVE-2017-2360)

  • A data exfiltration vulnerability caused by a validation issue when processing maliciously crafted web content. (CVE-2017-2365)

  • A denial of service vulnerability when processing a maliciously crafted contact card may lead to unexpected application termination. (CVE-2017-2368)

  • A buffer overflow vulnerability that could allow arbitrary code execution with kernel privileges was addressed through improved memory handling. (CVE-2017-2370)

  • An arbitrary code execution vulnerability when processing maliciously crafted web content. (CVE-2017-2354, CVE-2017-2362, CVE-2017-2373)

  • Multiple memory corruption issues when processing maliciously crafted web content may lead to arbitrary code execution. (CVE-2017-2356, CVE-2017-2369, CVE-2017-2366)

  • Multiple data exfiltration vulnerabilities caused by a validation issue in the handling of page loading when processing maliciously crafted web content. (CVE-2017-2363, CVE-2017-2364)

Actions: 
  • After appropriate testing, apply patches provided by Apple to vulnerable systems immediately.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to download, accept, or execute files from untrusted or unknown sources.

  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
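The first action above depends on knowing which systems are still below the versions in the Systems Affected list. The following is an added example, not part of the advisory: it encodes the advisory's fixed versions and flags inventory entries that fall below them, comparing versions numerically rather than as strings (a string comparison would rank "10.12.10" below "10.12.3"). The inventory is a constructed sample; in practice the installed versions would come from whatever collection the environment already has (for example `sw_vers -productVersion` on macOS).

```python
"""Version-threshold check for the products in ITS Advisory 2017-007.

Added example, not part of the advisory. FIXED_VERSIONS is taken from the
advisory's Systems Affected list; SAMPLE_INVENTORY is constructed for
illustration and does not describe real hosts.
"""
from typing import Dict, List, Tuple

# First fixed version per product, as stated in the advisory.
FIXED_VERSIONS: Dict[str, str] = {
    "iOS": "10.2.1",
    "tvOS": "10.1.1",
    "watchOS": "3.1.3",
    "macOS Sierra": "10.12.3",
    "iCloud for Windows": "6.1.1",
    "Safari": "10.0.3",
    "iTunes for Windows": "12.5.5",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.12.3' into (10, 12, 3) so comparisons are numeric, not lexical.

    Trailing zero components are dropped so that '10.2' and '10.2.0' compare
    equal; a purely lexical comparison would misorder '10.12.10' and '10.12.3'.
    """
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed version is below the advisory's fixed version."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"{product!r} is not covered by this advisory")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, installed) entries that still need the patch."""
    return [entry for entry in inventory if is_vulnerable(entry[1], entry[2])]


# Constructed sample inventory: (hostname, product, installed version).
# The "10.12.10" entry is a made-up value included to exercise the
# numeric-versus-lexical comparison; it is not a real Sierra release.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("mac-01", "macOS Sierra", "10.12.2"),
    ("mac-02", "macOS Sierra", "10.12.3"),
    ("mac-03", "macOS Sierra", "10.12.10"),
    ("phone-01", "iOS", "10.2"),
    ("phone-02", "iOS", "10.2.1"),
    ("win-01", "iTunes for Windows", "12.5.4"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below "
              f"{FIXED_VERSIONS[product]} - patch required")
```

Run against the sample inventory, this reports mac-01, phone-01 and win-01 as still needing the update; mac-02 and phone-02 are exactly at the fixed version and are not flagged.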

References: 

Apple:

https://support.apple.com/en-us/HT201222

https://support.apple.com/en-us/HT207486

https://support.apple.com/en-us/HT207484

https://support.apple.com/en-us/HT207481

https://support.apple.com/en-us/HT207483

https://support.apple.com/en-us/HT207482

https://support.apple.com/en-us/HT207485

https://support.apple.com/en-us/HT207487


CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1248

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4688

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4691

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4693

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7588

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7589

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7591

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7594

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7595

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7606

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7607

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7612

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7615

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7616

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7619

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7621

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7626

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7627

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7636

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7637

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7643

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7644

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7651

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7657

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7658

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7659

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7660

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7662

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7663

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8670

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8687

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9933

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9934

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2350

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2351

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2352

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2353

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2354

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2355

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2356

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2357

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2358

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2359

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2360

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2361

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2362

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2363

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2364

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2365

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2366

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2368

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2369

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2370

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2371

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2373