Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

ITS Advisory Number: 
2016-182
Date(s) Issued: 
Monday, October 24, 2016
Subject: 
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in OS X, Safari, watchOS, tvOS, and iOS. OS X is an operating system for Apple computers. Apple Safari is a web browser available for OS X and Microsoft Windows. watchOS is the mobile operating system of the Apple Watch. tvOS is an operating system for Apple TV digital media player. Apple iOS is an operating system for iPhone, iPod touch, and iPad. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted webpage or opens a specially crafted file, including an email attachment.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user, arbitrary code execution within the context of the application, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • tvOS prior to 10.0.1 for Apple TV (4th generation)
  • iOS prior to 10.1 for iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
  • watchOS prior to 3.1 for All Apple Watch models
  • OS X prior to 10.12.1 for OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12
  • Safari prior to 10.0.1 for OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
Medium
BUSINESS
Large and medium business entities: 
High
Small business entities: 
Medium
Home Users: 
Low
Description: 

Multiple vulnerabilities have been discovered in OS X, Safari, tvOS, watchOS, and iOS. Successful exploitation of the most severe of these vulnerabilities could lead to arbitrary code execution. Details of all vulnerabilities are as follows:

  • A phishing issue existed in the handling of proxy credentials (CVE-2016-7579).
  • An access control issue in the Address Book was addressed through improved file-link validation (CVE-2016-4686).
  • A memory corruption issue was addressed through improved memory handling (CVE-2016-4673).
  • User interface inconsistencies existed in the handling of relayed calls (CVE-2016-4635).
  • An out-of-bounds read was addressed through improved bounds checking (CVE-2016-4660).
  • A validation issue was addressed through improved input sanitization (CVE-2016-4680).
  • An issue existed within the path validation logic for symlinks (CVE-2016-4679).
  • A logic issue was addressed through additional restrictions (CVE-2016-4675).
  • An access issue was addressed through additional sandbox restrictions on third party applications (CVE-2016-4664).
  • An access issue was addressed through additional sandbox restrictions on third party applications (CVE-2016-4665).
  • A logging issue existed in the handling of passwords (CVE-2016-4670).
  • Multiple input validation issues existed in MIG generated code (CVE-2016-4669).
  • Multiple memory corruption issues were addressed through improved memory handling (CVE-2016-4677).
  • A memory corruption issue was addressed through improved lock state checking (CVE-2016-4662).
  • A null pointer dereference was addressed through improved locking (CVE-2016-4678).
  • A memory corruption issue was addressed through improved memory handling (CVE-2016-4667).
  • A memory corruption issue was addressed through improved memory handling (CVE-2016-4674).
  • A phishing issue existed in the handling of proxy credentials (CVE-2016-7579).
  • A memory corruption issue was addressed through improved memory handling (CVE-2016-4673).
  • User interface inconsistencies existed in the handling of relayed calls (CVE-2016-4635).
  • An out-of-bounds read was addressed through improved bounds checking (CVE-2016-4660).
  • An out-of-bounds write was addressed through improved bounds checking (CVE-2016-4671).
  • An out-of-bounds read issue existed in the SGI image parsing (CVE-2016-4682).
  • An issue existed within the path validation logic for symlinks (CVE-2016-4679).
  • A logic issue was addressed through additional restrictions (CVE-2016-4675).
  • An issue existed in the parsing of disk images (CVE-2016-4661).
  • A memory corruption issue was addressed through improved input validation (CVE-2016-4663).
  • A logging issue existed in the handling of passwords (CVE-2016-4670).
  • Multiple input validation issues existed in MIG generated code (CVE-2016-4669).
  • Multiple memory corruption issues were addressed through improved memory handling (CVE-2016-4666).
  • A cross-origin issue existed with location attributes (CVE-2016-4676).
  • Multiple memory corruption issues were addressed through improved memory handling (CVE-2016-4677).
  • A phishing issue existed in the handling of proxy credentials (CVE-2016-7579).
  • A memory corruption issue was addressed through improved memory handling (CVE-2016-4673).
  • An out-of-bounds read was addressed through improved bounds checking (CVE-2016-4660).
  • A validation issue was addressed through improved input sanitization (CVE-2016-4680).
  • An issue existed within the path validation logic for symlinks (CVE-2016-4679).
  • A logic issue was addressed through additional restrictions (CVE-2016-4675).
  • An access issue was addressed through additional sandbox restrictions on third party applications (CVE-2016-4664).
  • An access issue was addressed through additional sandbox restrictions on third party applications (CVE-2016-4665).
  • Multiple input validation issues existed in MIG generated code (CVE-2016-4669).
  • Multiple memory corruption issues were addressed through improved memory handling (CVE-2016-4677).

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user, arbitrary code execution within the context of the application, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 
  • After appropriate testing, apply updates provided by Apple to vulnerable systems immediately.
  • Run all software as a non-privileged user to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from un-trusted or unknown sources.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
References: 

Apple:

https://support.apple.com/en-us/HT207269

https://support.apple.com/en-us/HT207270

https://support.apple.com/en-us/HT207271

https://support.apple.com/en-us/HT207272

https://support.apple.com/en-us/HT207275

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4635

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4660

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4661

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4662

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4663

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4664

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4665

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4666

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4667

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4669

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4670

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4671

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4673

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4674

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4675

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4676

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4677

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4678

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4679

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4680

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4682

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4686

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7579