Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

ITS Advisory Number: 
2016-206 - UPDATED
Date(s) Issued: 
Tuesday, December 13, 2016
Date Updated: 
Thursday, December 15, 2016
Subject: 
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in iOS, tvOS, and watchOS which could allow for arbitrary code execution. iOS is the mobile operating system for the iPhone, iPad, and iPod touch. tvOS is the operating system of the fourth-generation Apple TV digital media player. watchOS is the operating system of the Apple Watch and is based on iOS. Attackers can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code, perform unauthorized actions, or obtain sensitive information.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user, arbitrary code execution within the context of the application, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

December 14 - UPDATED OVERVIEW:

Additional vulnerabilities have been reported in other Apple products; the most severe of these could allow for remote code execution.

Systems Affected: 
  • iOS Versions prior to 10.2
  • tvOS Versions prior to 10.1
  • watchOS Versions prior to 3.1.1

December 14 - UPDATED SYSTEMS AFFECTED:
  • Safari Versions prior to 10.0.2
  • iTunes for Windows Versions prior to 12.5.4
  • iCloud for Windows Versions prior to 6.1
  • macOS Sierra Versions prior to 10.12.2

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
Medium
BUSINESS
Large and medium business entities: 
High
Small business entities: 
Medium
Home Users: 
Low
Description: 

Multiple vulnerabilities have been discovered in iOS, tvOS, and watchOS. The most severe of the vulnerabilities could allow for arbitrary code execution. Details of all vulnerabilities are as follows:

  • An information-disclosure vulnerability that affects the 'Accessibility' component. Specifically, this issue occurs in the handling of passwords (CVE-2016-7634).
  • A security-bypass vulnerability that affects the 'Accessibility' component. Successful exploitation may allow an attacker to access photos and contacts from the lock screen (CVE-2016-7664).
  • A security-bypass vulnerability due to a state management issue. Specifically, this issue affects the 'Find My iPhone' component (CVE-2016-7638).
  • A denial-of-service vulnerability due to improper sanitization of user-supplied input. Specifically, this issue affects the 'Graphics Driver' component (CVE-2016-7665).
  • An arbitrary code-execution vulnerability in the handling of USB image devices. Specifically, this issue affects the 'Image Capture' component (CVE-2016-4690).
  • A security vulnerability due to a logic issue in the handling of the idle timer while the Touch ID prompt is shown. Specifically, this issue affects the 'Local Authentication' component (CVE-2016-7601).
  • A security-bypass vulnerability that affects the 'Mail' component. Specifically, this issue occurs because the S/MIME policy failed to check whether a certificate was valid (CVE-2016-4689).
  • A security-bypass vulnerability that affects the 'Media Player' component. Successful exploitation may allow an attacker to view photos and contacts from the lock screen (CVE-2016-7653).
  • A security-bypass vulnerability that affects the 'SpringBoard' component. Specifically, this issue occurs in the handling of passcode attempts when resetting the passcode (CVE-2016-4781).
  • A security-bypass vulnerability that affects the 'SpringBoard' component (CVE-2016-7597).
  • A memory-corruption vulnerability in certificate handling; opening a maliciously crafted certificate may lead to arbitrary code execution (CVE-2016-7626).
  • A security-bypass vulnerability in which authorization settings are not reset when an app is uninstalled (CVE-2016-7651).

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user, arbitrary code execution within the context of the application, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

December 14 - UPDATED TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Safari, iTunes for Windows, iCloud for Windows, and macOS Sierra. The most severe of these could allow for remote code execution. Details of all vulnerabilities are as follows:

  • A buffer overflow in the handling of font files, addressed through improved bounds checking (CVE-2016-4688).
  • Multiple memory-corruption vulnerabilities in the handling of font files. Specifically, these issues affect the FontParser component (CVE-2016-4691).
  • Multiple memory-corruption vulnerabilities due to improper memory handling. Specifically, these issues affect the 'WebKit' component (CVE-2016-4692, CVE-2016-7635, CVE-2016-7652).
  • A security weakness because the insecure 3DES cipher is used as the default. Specifically, this issue affects the Security component (CVE-2016-4693).
  • A memory-corruption vulnerability due to improper validation of user-supplied input. Specifically, this issue affects the 'WebKit' component; an attacker can exploit it to obtain sensitive information (CVE-2016-4743).
  • A security-bypass vulnerability due to a state management issue. Specifically, this issue affects the 'WebKit' component (CVE-2016-7586).
  • Multiple memory-corruption vulnerabilities due to state management issues. Specifically, these issues affect the 'WebKit' component (CVE-2016-7587, CVE-2016-7610, CVE-2016-7611, CVE-2016-7639, CVE-2016-7640, CVE-2016-7641, CVE-2016-7642, CVE-2016-7645, CVE-2016-7646, CVE-2016-7648, CVE-2016-7649, CVE-2016-7654).
  • A memory-corruption vulnerability due to improper memory handling. Specifically, this issue affects the CoreMedia Playback component (CVE-2016-7588).
  • A memory-corruption vulnerability in the handling of certificate profiles. Specifically, this issue affects the Profiles component (CVE-2016-7589).
  • A local privilege-escalation vulnerability due to a use-after-free error. Specifically, this issue affects the IOHIDFamily component (CVE-2016-7591).
  • A memory-corruption vulnerability due to improper memory handling. Specifically, this issue affects the ICU component (CVE-2016-7594).
  • Multiple memory-corruption vulnerabilities in the handling of font files. Specifically, these issues affect the CoreText component (CVE-2016-7595).
  • A memory-corruption vulnerability. Specifically, this issue affects the 'Bluetooth' component (CVE-2016-7596).
  • An information-disclosure vulnerability due to an uninitialized memory access. Specifically, this issue affects the 'WebKit' component (CVE-2016-7598).
  • A security-bypass vulnerability in the handling of HTTP redirects. Specifically, this issue affects the 'WebKit' component (CVE-2016-7599).
  • A local privilege-escalation vulnerability. Specifically, this issue affects the 'OpenPAM' component (CVE-2016-7600).
  • A memory-corruption vulnerability. Specifically, this issue affects the 'Intel Graphics Driver' component (CVE-2016-7602).
  • A local denial-of-service vulnerability due to a null pointer dereference. Specifically, this issue affects the 'CoreStorage' component (CVE-2016-7603).
  • A local denial-of-service vulnerability due to a null pointer dereference. Specifically, this issue affects the 'CoreCapture' component (CVE-2016-7604).
  • A denial-of-service vulnerability due to a null pointer dereference. Specifically, this issue affects the 'Bluetooth' component (CVE-2016-7605).
  • Multiple memory-corruption vulnerabilities in the handling of font files. Specifically, these issues affect the Kernel component (CVE-2016-7606, CVE-2016-7612).
  • An information-disclosure vulnerability because memory returned to user space is not properly initialized. Specifically, this issue affects the Kernel component (CVE-2016-7607).
  • A memory-corruption vulnerability. Specifically, this issue affects the 'IOFireWireFamily' component (CVE-2016-7608).
  • A local denial-of-service vulnerability due to a null pointer dereference. Specifically, this issue affects the 'AppleGraphicsPowerManagement' component (CVE-2016-7609).
  • A local information-disclosure vulnerability because memory is not cleared. Specifically, this issue affects the 'Windows Security' component (CVE-2016-7614).
  • A local denial-of-service vulnerability due to improper memory handling. Specifically, this issue affects the Kernel component (CVE-2016-7615).
  • A memory-corruption vulnerability due to improper validation of user-supplied input. Specifically, this issue affects the Disk Images component (CVE-2016-7616).
  • A remote code-execution vulnerability due to a type confusion error. Specifically, this issue affects the 'Bluetooth' component (CVE-2016-7617).
  • A memory-corruption vulnerability. An attacker can exploit this issue with a specially crafted '.gcx' file (CVE-2016-7618).
  • A local arbitrary code-execution vulnerability in the handling of symlinks. Specifically, this issue affects the libarchive component (CVE-2016-7619).
  • A local information-disclosure vulnerability that affects the 'IOSurface' component. An attacker can exploit this issue to determine the kernel memory layout (CVE-2016-7620).
  • A local arbitrary code-execution vulnerability due to a use-after-free error. Specifically, this issue affects the Kernel component (CVE-2016-7621).
  • A memory-corruption vulnerability. Specifically, this issue affects the 'Grapher' component (CVE-2016-7622).
  • A local information-disclosure vulnerability that affects the 'IOAcceleratorFamily' component. An attacker can exploit this issue to determine the kernel memory layout (CVE-2016-7624).
  • A local information-disclosure vulnerability that affects the 'IOKit' component. An attacker can exploit this issue to determine the kernel memory layout (CVE-2016-7625).
  • A denial-of-service vulnerability due to a null pointer dereference. Specifically, this issue affects the CoreGraphics component (CVE-2016-7627).
  • A local security-bypass vulnerability because downloaded mobile assets are not properly protected. Specifically, this issue affects the 'Assets' component (CVE-2016-7628).
  • A memory-corruption vulnerability. Specifically, this issue affects the 'kext tools' component (CVE-2016-7629).
  • A memory-corruption vulnerability due to a state management issue. Specifically, this issue affects the 'WebKit' component (CVE-2016-7632).
  • A local privilege-escalation vulnerability due to a use-after-free error. Specifically, this issue affects the 'Directory Services' component (CVE-2016-7633).
  • A denial-of-service vulnerability in the handling of OCSP responder URLs. Specifically, this issue affects the Security component (CVE-2016-7636).
  • A local privilege-escalation vulnerability due to improper sanitization of user-supplied input. Specifically, this issue affects the Kernel component (CVE-2016-7637).
  • An information-disclosure vulnerability due to an out-of-bounds read. Specifically, this issue affects the ImageIO component (CVE-2016-7643).
  • A remote code-execution vulnerability due to a use-after-free error. Specifically, this issue affects the 'Kernel' component (CVE-2016-7644).
  • A cross-site scripting vulnerability due to improper sanitization of user-supplied input. Specifically, this issue affects the Safari Reader component (CVE-2016-7650).
  • An arbitrary code-execution vulnerability due to a type-confusion error. Specifically, this issue occurs in the media server daemon of the CoreMedia External Displays component (CVE-2016-7655).
  • A memory-corruption vulnerability due to a state management issue. Specifically, this issue affects the 'WebKit' component (CVE-2016-7656).
  • A memory-corruption vulnerability due to improper validation of user-supplied input. Specifically, this issue affects the IOKit component (CVE-2016-7657).
  • Multiple memory-corruption vulnerabilities due to improper validation of user-supplied input. Specifically, these issues affect the Audio component (CVE-2016-7658, CVE-2016-7659).
  • A local privilege-escalation vulnerability due to improper validation of mach port name references. Specifically, this issue affects the syslog component (CVE-2016-7660).
  • A privilege-escalation vulnerability due to improper validation. Specifically, this issue affects the 'Power Management' component (CVE-2016-7661).
  • A security-bypass vulnerability due to improper certificate validation. Specifically, this issue affects the Security component (CVE-2016-7662).
  • A memory-corruption vulnerability due to missing bounds checking of user-supplied input. Specifically, this issue affects the CoreFoundation component (CVE-2016-7663).
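The libarchive entry above (CVE-2016-7619) names only the failure class, improper symlink handling during extraction; this page does not describe the specific flaw. The following is an added example, not Apple's or libarchive's code, showing the generic hazard that class of bug produces and the check an extractor needs. A constructed archive carries a symlink whose target lies outside the extraction root, followed by a regular file whose path runs through that link: an extractor that trusts the archive writes the file outside the root, while the hardened extractor re-resolves every destination against the real filesystem before writing. All member names, paths, and contents are constructed for the demonstration.

```python
import io
import os
import tarfile
import tempfile


def build_sample_tar() -> bytes:
    """Constructed sample archive (not a real-world artifact): a symlink that
    escapes the extraction root, a file routed *through* that symlink, one
    benign file, and one benign symlink that stays inside the root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("share")
        link.type = tarfile.SYMTYPE
        link.linkname = "../outside"            # points above the root
        tar.addfile(link)
        for name, data in (("share/payload.txt", b"written outside the root\n"),
                           ("docs/readme.txt", b"harmless\n")):
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))
        ok_link = tarfile.TarInfo("docs/latest")
        ok_link.type = tarfile.SYMTYPE
        ok_link.linkname = "readme.txt"         # relative, stays inside
        tar.addfile(ok_link)
    return buf.getvalue()


def _inside(root: str, path: str) -> bool:
    """True if the fully resolved `path` is `root` itself or a descendant."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return path == root or path.startswith(root + os.sep)


def _filter_kwargs(name: str) -> dict:
    # Python 3.12+ (and backports) accept an extraction `filter`; older
    # versions have no such argument, so pass it only when it exists.
    return {"filter": name} if hasattr(tarfile, "data_filter") else {}


def naive_extract(data: bytes, root: str) -> None:
    """Extraction that trusts the archive: the behaviour of a symlink-unaware
    extractor, kept here to show where the payload lands."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        tar.extractall(root, **_filter_kwargs("fully_trusted"))


def safe_extract(data: bytes, root: str) -> tuple:
    """Extract members one at a time, resolving each destination against the
    real filesystem so a symlink created by an earlier member cannot redirect
    a later one. Returns (extracted, rejected) member names."""
    root = os.path.realpath(root)
    os.makedirs(root, exist_ok=True)
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar:
            dest = os.path.join(root, m.name)
            # 1. the member path must resolve inside root; this catches ../
            #    segments and paths routed through already-extracted symlinks
            if not _inside(root, dest):
                rejected.append(m.name)
                continue
            # 2. a link member must also *point* inside root
            if m.issym() or m.islnk():
                base = os.path.dirname(dest) if m.issym() else root
                if not _inside(root, os.path.join(base, m.linkname)):
                    rejected.append(m.name)
                    continue
            tar.extract(m, root, **_filter_kwargs("fully_trusted"))
            extracted.append(m.name)
    return extracted, rejected


def demo() -> dict:
    """Run both extractors in a scratch directory. The link target is created
    beforehand, as a real attack would aim at an existing directory."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "outside")
        os.mkdir(outside)
        data = build_sample_tar()
        naive_root = os.path.join(tmp, "naive")
        os.mkdir(naive_root)
        naive_extract(data, naive_root)
        escaped = os.path.isfile(os.path.join(outside, "payload.txt"))
        extracted, rejected = safe_extract(data, os.path.join(tmp, "safe"))
        return {"naive_wrote_outside_root": escaped,
                "safe_extracted": extracted, "safe_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Only the escaping symlink is rejected; the file that would have been written through it is harmless once the link is gone, and the relative symlink inside `docs/` is kept. On Python 3.12 and later, `tarfile.data_filter` performs equivalent member-path and link-target checks; the explicit version above shows what those checks guard against.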

Actions: 
  • After appropriate testing, apply the applicable patches provided by Apple to vulnerable systems immediately.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from untrusted or unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
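The first action above reduces to comparing each device's version against the thresholds in the two Systems Affected lists. The following added example (not Apple's or ITS's code) does that comparison for an inventory export: it parses dotted versions numerically rather than as strings, pads short versions so 10.2 equals 10.2.0, scopes the macOS entry to Sierra so that 10.11 hosts are reported as outside this advisory rather than as vulnerable, and, on a Mac, reads the local version with `sw_vers -productVersion`. The inventory rows are constructed for the demonstration.

```python
import re
import subprocess
from typing import Optional

# First fixed release per product, copied from the Systems Affected lists above.
FIXED_VERSIONS = {
    "iOS": "10.2",
    "tvOS": "10.1",
    "watchOS": "3.1.1",
    "Safari": "10.0.2",
    "iTunes for Windows": "12.5.4",
    "iCloud for Windows": "6.1",
    "macOS Sierra": "10.12.2",
}


def parse_version(text: str) -> tuple:
    """'10.12.2' -> (10, 12, 2). Compare as integers, never as strings:
    the string '10.12.10' sorts before '10.12.2'."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _padded(a: tuple, b: tuple) -> tuple:
    """Right-pad both tuples with zeros so that 10.2 == 10.2.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_vulnerable(product: str, installed: str) -> bool:
    """True when `installed` is older than the first fixed release of `product`."""
    have, fixed = _padded(parse_version(installed),
                          parse_version(FIXED_VERSIONS[product]))
    return have < fixed


def classify(product: str, installed: str) -> str:
    """'vulnerable', 'patched', or 'not covered by this advisory'.

    The macOS entry is scoped to Sierra (10.12.x): a bare "prior to 10.12.2"
    comparison would also flag 10.11 and earlier, which this advisory does not
    address, so those hosts are reported separately."""
    if product == "macOS Sierra" and parse_version(installed)[:2] != (10, 12):
        return "not covered by this advisory"
    return "vulnerable" if is_vulnerable(product, installed) else "patched"


def local_macos_version() -> Optional[str]:
    """Read the running macOS version with `sw_vers`; None when not on macOS."""
    try:
        out = subprocess.run(["sw_vers", "-productVersion"], capture_output=True,
                             text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed inventory rows (hostname, product, version) standing in for
    # what an MDM or asset-management export would provide.
    inventory = [
        ("mac-01", "macOS Sierra", "10.12.1"),
        ("mac-02", "macOS Sierra", "10.12.2"),
        ("mac-03", "macOS Sierra", "10.11.6"),
        ("phone-01", "iOS", "10.1.1"),
        ("watch-01", "watchOS", "3.1"),
        ("pc-01", "iTunes for Windows", "12.5.3"),
    ]
    for host, product, version in inventory:
        print(f"{host:10} {product:20} {version:9} {classify(product, version)}")
    local = local_macos_version()
    if local:
        print("this host:", local, classify("macOS Sierra", local))
```

Feed real inventory rows in place of the constructed list; the product names must match the keys in `FIXED_VERSIONS`, which follow the wording of the Systems Affected lists.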
References: 

Apple:
https://support.apple.com/en-us/HT207422
https://support.apple.com/en-us/HT207425
https://support.apple.com/en-us/HT207426

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4689
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4690
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4781
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7597
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7634
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7638
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7651
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7653
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7664
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7665

December 14 - UPDATED REFERENCES:

Apple:
https://support.apple.com/en-in/HT207421
https://support.apple.com/en-us/HT207424
https://support.apple.com/en-us/HT207427
https://support.apple.com/en-us/HT207423

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4688
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4691
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4692
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4693
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7586
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7587
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7588
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7589
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7591
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7594
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7595
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7596
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7600
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7602
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7603
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7605
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7607
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7608
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7609
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7610
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7611
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7612
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7615
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7616
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7617
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7618
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7619
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7620
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7621
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7622
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7624
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7625
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7627
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7629
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7632
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7633
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7635
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7637
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7639
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7641
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7642
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7643
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7644
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7646
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7648
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7649
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7650
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7652
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7654
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7655
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7656
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7657
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7658
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7659
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7660
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7663