Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

ITS Advisory Number: 2017-069
Date(s) Issued: Thursday, July 20, 2017
Subject: Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
Overview:

Multiple vulnerabilities have been discovered in watchOS, iOS, tvOS, macOS, iCloud for Windows, iTunes for Windows, and Safari, the most severe of which could allow for arbitrary code execution. watchOS is the mobile operating system for the Apple Watch and is based on the iOS operating system. iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch. tvOS is an operating system for the fourth-generation Apple TV digital media player. macOS is Apple's desktop and server operating system for Macintosh computers. iCloud is a cloud storage and cloud computing service from Apple. iTunes for Windows is a media player, media library, online radio broadcaster, and mobile device management application developed by Apple. Safari is a web browser available for OS X and Microsoft Windows.

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • watchOS versions prior to 3.2.3
  • iOS versions prior to 10.3.3
  • tvOS versions prior to 10.2.2
  • macOS versions prior to Sierra 10.12.6, Security Update 2017-003 El Capitan, and Security Update 2017-003 Yosemite
  • Safari versions prior to 10.1.2
  • iCloud for Windows versions prior to 6.2.2
  • iTunes for Windows versions prior to 12.6.2
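
One way to triage an asset inventory against the fixed versions listed above, as an added example that is not part of the original advisory. The inventory rows, function names and status strings are constructed for illustration; macOS 10.11 and 10.10 are reported separately because their fix is Security Update 2017-003, which the version number alone does not show.

```python
import re

# Fixed versions taken from the "Systems Affected" list of this advisory.
FIXED = {
    "watchOS": (3, 2, 3),
    "iOS": (10, 3, 3),
    "tvOS": (10, 2, 2),
    "macOS": (10, 12, 6),
    "Safari": (10, 1, 2),
    "iCloud for Windows": (6, 2, 2),
    "iTunes for Windows": (12, 6, 2),
}
# El Capitan (10.11) and Yosemite (10.10) are fixed by Security Update
# 2017-003, which the version number alone does not reveal.
MACOS_SECURITY_UPDATE_TRAINS = {(10, 11), (10, 10)}


def parse_version(text):
    """Turn '10.3' into (10, 3, 0) so comparison is numeric, not lexical."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def triage(product, version):
    """Return 'patched', 'vulnerable', 'check-security-update' or 'unknown-product'."""
    if product not in FIXED:
        return "unknown-product"
    v = parse_version(version)
    if product == "macOS" and v[:2] in MACOS_SECURITY_UPDATE_TRAINS:
        return "check-security-update"
    return "patched" if v >= FIXED[product] else "vulnerable"


# Constructed inventory for illustration: (host, product, version).
INVENTORY = [
    ("phone-01", "iOS", "10.3.3"),
    ("phone-02", "iOS", "10.3"),
    ("mac-01", "macOS", "10.12.5"),
    ("mac-02", "macOS", "10.11.6"),
    ("pc-01", "iTunes for Windows", "12.6.10"),
]

if __name__ == "__main__":
    for host, product, version in INVENTORY:
        print(f"{host:10} {product:20} {version:8} {triage(product, version)}")
```

The numeric tuple comparison matters here: compared as strings, 12.6.10 would sort before 12.6.2 and a patched iTunes install would be flagged as vulnerable.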

RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: Medium
BUSINESS
  • Large and medium business entities: High
  • Small business entities: Medium
Home Users: Low
Additional Notes: 
THREAT INTELLIGENCE: There are currently no reports of these vulnerabilities being exploited in the wild.
Description: 

Multiple vulnerabilities have been discovered in watchOS, iOS, tvOS, macOS, iCloud for Windows, iTunes for Windows, and Safari. The most severe of these vulnerabilities could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

  • A buffer overflow issue was addressed through improved memory handling. (CVE-2017-7062)
  • A memory corruption issue was addressed with improved bounds checking. (CVE-2017-7008)
  • Multiple memory corruption issues were addressed with improved memory handling. (CVE-2017-7009, CVE-2017-7012, CVE-2017-7014, CVE-2017-7015, CVE-2017-7017, CVE-2017-7018, CVE-2017-7019, CVE-2017-7020, CVE-2017-7021, CVE-2017-7022, CVE-2017-7023, CVE-2017-7024, CVE-2017-7025, CVE-2017-7026, CVE-2017-7027, CVE-2017-7030, CVE-2017-7032, CVE-2017-7033, CVE-2017-7034, CVE-2017-7035, CVE-2017-7037, CVE-2017-7039, CVE-2017-7040, CVE-2017-7041, CVE-2017-7042, CVE-2017-7043, CVE-2017-7044, CVE-2017-7046, CVE-2017-7047, CVE-2017-7048, CVE-2017-7049, CVE-2017-7050, CVE-2017-7051, CVE-2017-7052, CVE-2017-7054, CVE-2017-7055, CVE-2017-7056, CVE-2017-7061, CVE-2017-7069, CVE-2017-8248, CVE-2017-9417)
  • A validation issue was addressed with improved input sanitization. (CVE-2017-7028, CVE-2017-7029, CVE-2017-7036, CVE-2017-7045, CVE-2017-7067)
  • A buffer overflow was addressed through improved bounds checking. (CVE-2017-7068)
  • An out-of-bounds read was addressed through improved bounds checking. (CVE-2017-7010, CVE-2017-7013)
  • Processing maliciously crafted web content may allow cross-origin data to be exfiltrated by using SVG filters to conduct a timing side-channel attack. This issue was addressed by not painting the cross-origin buffer into the frame that gets filtered. (CVE-2017-7006)
  • A logic issue existed in the handling of DOMParser. This issue was addressed with improved state management. (CVE-2017-7038, CVE-2017-7059)
  • An access issue was addressed with additional restrictions. (CVE-2017-7053)
  • A memory initialization issue was addressed through improved memory handling. (CVE-2017-7064)
  • An issue existed where a malicious or compromised website could show infinite print dialogs and make users believe their browser was locked. The issue was addressed through throttling of print dialogs. (CVE-2017-7060)
  • A state management issue was addressed with improved frame handling. (CVE-2017-7011)
  • Memory corruption issues were addressed through improved input validation. (CVE-2017-7016, CVE-2017-7031)
  • Multiple issues were addressed by updating to version 7.54.0. (CVE-2017-2629, CVE-2017-7468, CVE-2016-9586, CVE-2016-9594)
  • A resource exhaustion issue was addressed through improved input validation. (CVE-2017-7007)
  • A memory consumption issue was addressed through improved memory handling. (CVE-2017-7063)
  • A lock screen issue was addressed with improved state management. (CVE-2017-7058)
  • An inconsistent user interface issue was addressed with improved state management. (CVE-2017-2517)

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 
  • After appropriate testing, immediately apply patches provided by Apple to the vulnerable systems.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.
References: 

Apple:

https://support.apple.com/en-us/HT207921

https://support.apple.com/en-us/HT207922

https://support.apple.com/en-us/HT207923

https://support.apple.com/en-us/HT207924

https://support.apple.com/en-us/HT207925

https://support.apple.com/en-us/HT207927

https://support.apple.com/en-us/HT207928

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9586

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9594

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2517

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2629

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7006

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7007

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7008

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7009

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7010

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7011

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7012

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7013

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7014 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7015

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7016

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7017

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7018  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7019

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7020

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7022

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7023  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7024  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7025

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7026

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7027

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7028

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7029

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7030

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7031  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7032  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7033

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7034

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7035

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7036

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7037

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7038

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7039

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7040

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7041

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7042

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7043

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7044

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7045

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7046

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7047

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7048

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7049

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7050

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7051

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7052  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7053  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7054

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7055

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7056

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7058  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7059  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7060

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7061

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7062  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7063

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7064   

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7067

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7068

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7069

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7468

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8248

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9417