Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

ITS Advisory Number: 
2017-049
Date(s) Issued: 
Tuesday, May 16, 2017
Subject: 
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in watchOS, iOS, tvOS, macOS, iCloud for Windows, iTunes for Windows, and Safari, the most severe of which could allow for arbitrary code execution. watchOS is the operating system for the Apple Watch and is based on iOS. iOS is Apple's mobile operating system for the iPhone, iPad, and iPod touch. tvOS is the operating system for the fourth-generation Apple TV digital media player. macOS is Apple's desktop and server operating system for Macintosh computers. iCloud for Windows is the Windows client for Apple's iCloud cloud storage and synchronization service. iTunes for Windows is a media player, media library, online radio broadcaster, and mobile device management application developed by Apple. Safari is Apple's web browser for macOS (the discontinued Windows version of Safari is not part of this update).

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • watchOS Versions prior to 3.2.2
  • iOS Versions prior to 10.3.2
  • tvOS Versions prior to 10.2.1
  • macOS Sierra versions prior to 10.12.5; OS X El Capitan 10.11.6 without Security Update 2017-002; OS X Yosemite 10.10.5 without Security Update 2017-002
  • Safari Versions prior to 10.1.1
  • iCloud for Windows Versions prior to 6.2.1
  • iTunes for Windows versions prior to 12.6.1
Risk:
Government:
  • Large and medium government entities: High
  • Small government entities: Medium
Business:
  • Large and medium business entities: High
  • Small business entities: Medium
Home Users: Low
Description: 

Multiple vulnerabilities have been discovered in watchOS, iOS, tvOS, macOS, iCloud for Windows, iTunes for Windows, and Safari. The most severe of these vulnerabilities could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

  • Multiple memory corruption issues were addressed with improved memory handling. (CVE-2017-2494, CVE-2017-2496, CVE-2017-2499, CVE-2017-2503, CVE-2017-2505, CVE-2017-2506, CVE-2017-2512, CVE-2017-2514, CVE-2017-2515, CVE-2017-2519, CVE-2017-2521, CVE-2017-2524, CVE-2017-2525, CVE-2017-2526, CVE-2017-2530, CVE-2017-2531, CVE-2017-2536, CVE-2017-2537, CVE-2017-2538, CVE-2017-2539, CVE-2017-2541, CVE-2017-2542, CVE-2017-2543, CVE-2017-2544, CVE-2017-2545, CVE-2017-2546, CVE-2017-2547, CVE-2017-2548, CVE-2017-6977, CVE-2017-6978, CVE-2017-6979, CVE-2017-6980, CVE-2017-6984, CVE-2017-6985, CVE-2017-6986, CVE-2017-6989)
  • Multiple validation issues were addressed with improved input sanitization. (CVE-2017-2502, CVE-2017-2507, CVE-2017-2509, CVE-2017-2516, CVE-2017-2540, CVE-2017-6987, CVE-2017-6990)
  • A certificate validation issue existed in EAP-TLS when a certificate changed. This issue was addressed through improved certificate validation. (CVE-2017-6988)
  • A certificate validation issue existed in the handling of untrusted certificates. This issue was addressed through improved user handling of trust acceptance. (CVE-2017-2498)
  • A denial of service issue was addressed through improved memory handling. (CVE-2017-6982)
  • A logic issue existed in frame loading. This issue was addressed with improved state management. (CVE-2017-2549)
  • A logic issue existed in the handling of pageshow events. This issue was addressed with improved state management. (CVE-2017-2510)
  • A logic issue existed in the handling of WebKit cached frames. This issue was addressed with improved state management. (CVE-2017-2528)
  • A logic issue existed in the handling of WebKit container nodes. This issue was addressed with improved state management. (CVE-2017-2508)
  • A logic issue existed in the handling of WebKit Editor commands. This issue was addressed with improved state management. (CVE-2017-2504)
  • A memory consumption issue was addressed through improved memory handling. (CVE-2017-2527)
  • A race condition was addressed through improved locking. (CVE-2017-2501)
  • A race condition was addressed with additional filesystem restrictions. (CVE-2017-2533)
  • A resource exhaustion issue was addressed through improved input validation. (CVE-2017-2535)
  • A URL handling issue was addressed through improved state management. (CVE-2017-2497)
  • A use after free issue was addressed through improved memory management. (CVE-2017-2513)
  • An access issue was addressed through additional sandbox restrictions. (CVE-2017-2534)
  • An inconsistent user interface issue was addressed with improved state management. (CVE-2017-2500, CVE-2017-2511)
  • An issue existed within the path validation logic for symlinks. This issue was addressed through improved path sanitization. (CVE-2017-6981)
  • An issue in Safari's history menu was addressed through improved memory handling. (CVE-2017-2495)
  • Multiple buffer overflow issues were addressed through improved memory handling. (CVE-2017-2518, CVE-2017-2520)
  • Multiple memory corruption issues were addressed with improved input validation. (CVE-2017-6983, CVE-2017-6991)

Actions: 
  • After appropriate testing, apply the patches provided by Apple to vulnerable systems immediately. Note that for OS X El Capitan and Yosemite the fix ships as Security Update 2017-002 rather than as a new OS version, so version-only inventory checks will not show whether those hosts are patched.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.
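To turn the Systems Affected list into a check that can be run across a fleet, the following POSIX shell script (an added example, not part of the original advisory) compares a host's reported macOS version against the fixed version, and for El Capitan and Yosemite, where the fix ships as Security Update 2017-002 rather than a version bump, looks for that update in the install history. `sw_vers -productVersion` and `system_profiler SPInstallHistoryDataType` are standard macOS tools; the functions take their input as arguments so the logic can be exercised with constructed values on any system. The sample install-history text and its line format are constructed assumptions; adjust the grep pattern if your inventory tool reports the update under a different name.

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether a macOS host is still in
# the "Systems Affected" range of ITS Advisory 2017-049.

# version_lt A B: succeed (exit 0) when dotted version A sorts strictly before B,
# e.g. 10.12.4 < 10.12.5 and 10.12 < 10.12.5. Missing components count as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # drop the leading component, or empty the string when none remain
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# macos_status VERSION: "vulnerable" or "patched" for a Sierra host (fixed in
# 10.12.5). El Capitan and Yosemite are fixed by a Security Update, not a version
# bump, so they get "check-security-update" and need the install history.
macos_status() {
    case "$1" in
        10.12*)        if version_lt "$1" 10.12.5; then echo vulnerable; else echo patched; fi ;;
        10.11*|10.10*) echo check-security-update ;;
        *)             echo out-of-scope ;;
    esac
}

# security_update_installed HISTORY: succeed when the install-history text names
# Security Update 2017-002 (the El Capitan / Yosemite fix from the advisory).
security_update_installed() {
    printf '%s\n' "$1" | grep -q 'Security Update 2017-002'
}

# host_status VERSION HISTORY: final verdict for one host.
host_status() {
    status=$(macos_status "$1")
    if [ "$status" = check-security-update ]; then
        if security_update_installed "$2"; then status=patched; else status=vulnerable; fi
    fi
    echo "$status"
}

# Constructed sample of what system_profiler SPInstallHistoryDataType prints on a
# patched El Capitan host (the layout is an assumption; only the name is matched).
SAMPLE_HISTORY='Security Update 2017-002:
      Version: 10.11.6
      Source: Apple
      Install Date: 5/16/17, 3:02 PM'

if command -v sw_vers >/dev/null 2>&1; then
    ver=$(sw_vers -productVersion)                         # real host
    hist=$(system_profiler SPInstallHistoryDataType 2>/dev/null)
else
    ver=10.11.6; hist=$SAMPLE_HISTORY                      # offline demo elsewhere
fi
echo "macOS $ver: $(host_status "$ver" "$hist")"
```

Safari 10.1.1, iTunes and iCloud for Windows are separate installers with their own version numbers, so a host that reports a patched OS can still carry an unpatched copy of those; extend the same `version_lt` comparison to their reported versions rather than inferring them from the OS build.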
References: 

Apple:

https://support.apple.com/en-us/HT201222

https://support.apple.com/en-us/HT207797

https://support.apple.com/en-us/HT207798

https://support.apple.com/en-us/HT207800

https://support.apple.com/en-us/HT207801

https://support.apple.com/en-us/HT207803

https://support.apple.com/en-us/HT207804

https://support.apple.com/en-us/HT207805

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2494

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2495

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2496

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2497

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2498

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2499

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2500

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2501

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2502

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2503

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2504

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2505

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2506

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2507

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2508

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2509

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2510

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2511

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2512

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2513

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2514

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2515

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2516

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2518

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2519

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2520

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2521

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2524

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2525

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2526

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2527

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2528

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2530

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2531

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2533

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2534

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2535

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2536

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2537

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2538

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2539

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2540

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2541

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2542

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2543

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2544

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2545

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2546

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2547

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2548

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2549

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6977

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6978

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6979

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6980

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6981

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6982

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6983

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6984

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6985

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6986

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6987

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6988

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6989

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6990

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6991