Multiple Vulnerabilities in Apple Products Could Allow Remote Code Execution

ITS Advisory Number: 
2015-037
Date(s) Issued: 
Friday, April 10, 2015
Subject: 
Multiple Vulnerabilities in Apple Products Could Allow Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Apple's Mac OS X, Safari, iOS, and Xcode products that could allow remote code execution. Apple Safari is a web browser available for Mac OS X and Microsoft Windows. iOS is the operating system used by Apple’s mobile devices. Xcode is a software development tool for building OS X and iOS applications. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file, including an email attachment, using a vulnerable version of Mac OS X, Apple Safari, or iOS.

Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
 

Systems Affected: 
  • Apple TV Prior To 7.2
  • Apple iOS prior to 8.3
  • Apple Safari 6 Prior To 6.2.5
  • Apple Safari 7 Prior To 7.1.5
  • Apple Safari 8 Prior To 8.0.5
  • Apple Mac OS X Prior To 10.10.3
  • Apple Xcode Prior To 6.3
Risk:
Government:
  • Large and medium government entities: High
  • Small government entities: High
Businesses:
  • Large and medium business entities: High
  • Small business entities: High
Home Users: High
Description: 

Multiple vulnerabilities have been discovered in Apple's Mac OS X, Safari, iOS, and Xcode. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file. Details of these vulnerabilities are as follows:

  • Users may be tracked by malicious websites using client certificates. [CVE-2015-1129]
  • Notifications preferences may reveal users' browsing history in private browsing mode [CVE-2015-1128]
  • Users' browsing history may not be completely purged [CVE-2015-1112]
  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution [CVE-2015-1119, CVE-2015-1120, CVE-2015-1121, CVE-2015-1122, CVE-2015-1124]
  • Users' browsing history in private mode may be indexed [CVE-2015-1127]
  • Visiting a maliciously crafted website may lead to resources of another origin being accessed [CVE-2015-1126]
  • A process may gain admin privileges without properly authenticating [CVE-2015-1130]
  • Multiple vulnerabilities exist in Apache versions prior to 2.4.10 and 2.2.29, including one that may allow a remote attacker to execute arbitrary code. [CVE-2013-0118, CVE-2013-5704, CVE-2013-6438, CVE-2014-0098, CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, CVE-2014-3523]
  • A local user may be able to execute arbitrary code with system privileges [CVE-2015-1131, CVE-2015-1132, CVE-2015-1133, CVE-2015-1134, CVE-2015-1135]
  • A cross-domain cookie issue exists in redirect handling. Cookies set in a redirect response could be passed on to a redirect target belonging to another origin. [CVE-2015-1089]
  • A cross-domain HTTP request headers issue exists in redirect handling. HTTP request headers sent in a redirect response could be passed on to another origin. [CVE-2015-1091]
  • Visiting a maliciously crafted website may lead to arbitrary code execution [CVE-2015-1088]
  • A use-after-free vulnerability exists in CoreAnimation, allowing maliciously crafted websites to potentially execute arbitrary code. [CVE-2015-1136]
  • Processing a maliciously crafted font file may lead to arbitrary code execution [CVE-2015-1093]
  • A local user may be able to execute arbitrary code with system privileges [CVE-2015-1137]
  • A local application may be able to cause a denial of service [CVE-2015-1138]
  • Processing a maliciously crafted .sgi file may lead to arbitrary code execution [CVE-2015-1139]
  • A malicious HID device may be able to cause arbitrary code execution [CVE-2015-1095]
  • A local user may be able to execute arbitrary code with system privileges [CVE-2015-1140]
  • A local user may be able to determine kernel memory layout [CVE-2015-1096]
  • A heap buffer overflow exists in IOHIDFamily's handling of key-mapping properties, allowing a malicious application to potentially execute arbitrary code with system privileges. [CVE-2014-4404]
  • A null pointer dereference exists in IOHIDFamily's handling of key-mapping properties, allowing a user to potentially execute arbitrary code with system privileges [CVE-2014-4405]
  • A user may be able to execute arbitrary code with system privileges [CVE-2014-4380]
  • A local user may be able to cause unexpected system shutdown [CVE-2015-1141]
  • A race condition exists in the kernel's setreuid system call, allowing a local user to potentially cause a system denial of service [CVE-2015-1099]
  • A local application may escalate privileges using a compromised service intended to run with reduced privileges [CVE-2015-1117]
  • An attacker with a privileged network position may be able to redirect user traffic to arbitrary hosts [CVE-2015-1103]
  • An attacker with a privileged network position may be able to cause a denial of service [CVE-2015-1102]
  • A local user may be able to cause unexpected system termination or read kernel memory [CVE-2015-1100]
  • A remote attacker may be able to bypass network filters [CVE-2015-1104]
  • A local user may be able to execute arbitrary code with kernel privileges [CVE-2015-1101]
  • A remote attacker may be able to cause a denial of service [CVE-2015-1105]
  • A local user may be able to cause the Finder to crash [CVE-2015-1142]
  • A local user may be able to execute arbitrary code with system privileges [CVE-2015-1143]
  • Processing a maliciously crafted configuration profile may lead to unexpected application termination [CVE-2015-1118]
  • A remote attacker may brute force ntpd authentication keys [CVE-2014-9298]
  • A remote unauthenticated client may be able to cause a denial of service [CVE-2015-1545, CVE-2015-1546]
  • Multiple vulnerabilities in OpenSSL [CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204]
  • A password might be sent unencrypted over the network when using Open Directory from OS X Server [CVE-2015-1147]
  • Multiple vulnerabilities exist in PHP versions prior to 5.3.29, 5.4.38, and 5.5.20, including one which may allow arbitrary code execution. [CVE-2013-6712, CVE-2014-0207, CVE-2014-0237, CVE-2014-0238, CVE-2014-2497, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, CVE-2014-3538, CVE-2014-3587, CVE-2014-3597, CVE-2014-3668, CVE-2014-3669, CVE-2014-3670, CVE-2014-3710, CVE-2014-3981, CVE-2014-4049, CVE-2014-4670, CVE-2014-4698, CVE-2014-5120]
  • Opening a maliciously crafted iWork file may lead to arbitrary code execution [CVE-2015-1098]
  • Viewing a maliciously crafted Collada file may lead to arbitrary code execution [CVE-2014-8830]
  • A user's password may be logged to a local file [CVE-2015-1148]
  • Tampered applications may not be prevented from launching [CVE-2015-1145, CVE-2015-1146]
  • A local user may be able to execute arbitrary code with system privileges [CVE-2015-1144]
  • Visiting a maliciously crafted website may lead to arbitrary code execution [CVE-2015-1069]
  • A malicious application may be able to guess the user's passcode [CVE-2015-1085]
  • A malicious application may be able to execute arbitrary code with system privileges [CVE-2015-1086]
  • An attacker may be able to use the backup system to access restricted areas of the file system [CVE-2015-1087]
  • A user may be unable to fully delete browsing history [CVE-2015-1090]
  • An application using NSXMLParser may be misused to disclose information [CVE-2015-1092]
  • A malicious application may be able to determine kernel memory layout [CVE-2015-1094, CVE-2015-1097]
  • QuickType could learn users' passcodes [CVE-2015-1106]
  • An attacker in possession of a device may prevent erasing the device after failed passcode attempts [CVE-2015-1107]
  • An attacker in possession of a device may exceed the maximum number of failed passcode attempts [CVE-2015-1108]
  • An attacker in possession of a device may be able to recover VPN credentials [CVE-2015-1109]
  • Unnecessary information may be sent to external servers when downloading podcast assets [CVE-2015-1110]
  • A user may be unable to fully delete browsing history [CVE-2015-1111]
  • A malicious application may be able to access phone numbers or email addresses of recent contacts [CVE-2015-1113]
  • Hardware identifiers may be accessible by third-party apps [CVE-2015-1114]
  • A malicious application may be able to access restricted telephony functions [CVE-2015-1115]
  • Sensitive data may be exposed in application snapshots presented in the Task Switcher [CVE-2015-1116]
  • Inconsistent user interface may prevent users from discerning a phishing attack [CVE-2015-1084]
  • Visiting a maliciously crafted website may lead to arbitrary code execution [CVE-2015-1068, CVE-2015-1069, CVE-2015-1070, CVE-2015-1071, CVE-2015-1072, CVE-2015-1073, CVE-2015-1074, CVE-2015-1076, CVE-2015-1077, CVE-2015-1078, CVE-2015-1079, CVE-2015-1080, CVE-2015-1081, CVE-2015-1082, CVE-2015-1119, CVE-2015-1120, CVE-2015-1121, CVE-2015-1122, CVE-2015-1123, CVE-2015-1124]
  • Visiting a maliciously crafted website may lead to a user invoking a click on another website [CVE-2015-1125]
  • An integer overflow issue exists in the simulator that could lead to conversions returning unexpected values. [CVE-2015-1149]

Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
 

Actions: 

We recommend the following actions be taken:

  • Apply appropriate patches provided by Apple to affected systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download or open files from untrusted websites, unknown users, or suspicious emails.
  • Remind users not to click links from unknown sources, or to click links without verifying the intended destination.
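
To support the patching action above, the following added example (not part of the original advisory) triages an asset inventory against the fixed versions in the Systems Affected list. The CSV layout, host names, and the "review" status for unlisted products, unlisted Safari branches, or malformed versions are assumptions of this sketch.

```python
import csv
import io

# Fixed versions copied from the advisory's "Systems Affected" list.
FIXED = {"apple tv": "7.2", "ios": "8.3", "mac os x": "10.10.3", "xcode": "6.3"}
# Safari is patched per major branch: major version -> first fixed release.
SAFARI_FIXED = {6: "6.2.5", 7: "7.1.5", 8: "8.0.5"}


def parse_version(text):
    """Turn '10.10.3' into (10, 10, 3); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(p) for p in parts)


def is_older(installed, fixed):
    """Numeric comparison, zero-padded so that 8.3 and 8.3.0 compare equal."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def assess(product, version):
    """Return 'affected', 'patched' or 'review' for one inventory row."""
    name = product.strip().lower()
    try:
        if name == "safari":
            fixed = SAFARI_FIXED.get(parse_version(version)[0])
        else:
            fixed = FIXED.get(name)
        if fixed is None:
            return "review"  # product or branch not listed: do not guess
        return "affected" if is_older(version, fixed) else "patched"
    except ValueError:
        return "review"  # malformed version string needs a human look


def triage(inventory_csv):
    """Map (host, product) -> status for CSV text with host,product,version."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {(r["host"], r["product"]): assess(r["product"], r["version"])
            for r in rows}


# Constructed sample inventory; host names are hypothetical.
SAMPLE = """host,product,version
mac-01,Mac OS X,10.10.2
mac-01,Safari,8.0.5
mac-02,Safari,7.1.4
ipad-07,iOS,8.3
build-01,Xcode,6.2
tv-03,Apple TV,7.1
mac-03,Safari,5.1.10
mac-04,Mac OS X,10.10.x
"""

if __name__ == "__main__":
    for key, status in triage(SAMPLE).items():
        print(key, status)
```
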
References: 

Apple:
https://support.apple.com/en-us/HT204658

https://support.apple.com/en-us/HT204659

https://support.apple.com/en-us/HT204661

https://support.apple.com/en-us/HT204662

https://support.apple.com/en-us/HT204663

Security Focus:
http://www.securityfocus.com/bid/73972

http://www.securityfocus.com/bid/73974

http://www.securityfocus.com/bid/73976

http://www.securityfocus.com/bid/73977

http://www.securityfocus.com/bid/73978

http://www.securityfocus.com/bid/73980

http://www.securityfocus.com/bid/73981

http://www.securityfocus.com/bid/73982

http://www.securityfocus.com/bid/73983

http://www.securityfocus.com/bid/73984

http://www.securityfocus.com/bid/73985

http://www.securityfocus.com/bid/73986

http://www.securityfocus.com/bid/73988

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0118

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2497

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3523

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3587

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3597

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3668

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3981

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4380

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4404

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4405

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4670

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4698

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5120

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8830

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9298

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1068

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1069

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1070

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1071

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1072

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1073

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1074

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1076

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1077

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1078

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1079

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1080

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1081

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1082

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1084

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1085

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1086

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1087

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1088

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1089

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1090

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1091

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1092

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1093

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1094

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1095

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1096

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1097

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1098

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1099

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1100

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1101

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1102

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1103

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1104

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1105

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1106

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1107

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1108

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1109

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1110

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1111

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1112

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1113

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1114

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1115

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1116

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1117

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1118

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1119

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1120

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1121

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1122

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1123

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1124

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1125

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1126

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1127

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1128

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1129

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1130

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1131

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1132

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1133

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1134

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1135

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1136

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1137

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1138

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1139

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1140

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1141

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1142

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1143

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1144

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1145

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1146

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1147

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1148

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1149

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546