Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

ITS Advisory Number: 2016-186
Date(s) Issued: Friday, October 28, 2016
Subject: Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Xcode, iTunes, and iCloud. Xcode is an integrated development environment containing a suite of software development tools developed by Apple Inc. for developing software for macOS, iOS, watchOS and tvOS. iTunes is a media player, media library, online radio broadcaster, and mobile device management application developed by Apple Inc. iCloud is a cloud storage and computing service from Apple Inc. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted webpage or opens a specially crafted file, including an email attachment.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user, arbitrary code execution within the context of the application, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • iCloud for Windows prior to version 6.0.1
  • iTunes for Windows prior to version 12.5.2
  • Xcode prior to version 8.1
Risk:
Government:
  • Large and medium government entities: High
  • Small government entities: Medium
Business:
  • Large and medium business entities: High
  • Small business entities: Medium
Home Users: Low
Description: 

Multiple vulnerabilities have been discovered in Xcode, iTunes and iCloud. Successful exploitation of the most severe of these vulnerabilities could lead to arbitrary code execution. Details of all vulnerabilities are as follows:

  • Multiple vulnerabilities in Node.js in the Xcode Server could lead to arbitrary code execution or denial of service (CVE-2016-1669, CVE-2016-0705, CVE-2016-0797, CVE-2016-0702, CVE-2016-2086, CVE-2016-2216, CVE-2015-8027, CVE-2015-3193, CVE-2015-3194, CVE-2015-6764).
  • An input validation vulnerability in WebKit could allow for information disclosure (CVE-2016-4613).
  • Multiple memory corruption issues in WebKit could allow for arbitrary code execution (CVE-2016-7578).

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user, arbitrary code execution within the context of the application, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 
  • After appropriate testing, apply updates provided by Apple to vulnerable systems.
  • Run all software as a non-privileged user to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from untrusted or unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.