Multiple Vulnerabilities in Apple Products Could Allow Remote Code Execution

ITS Advisory Number: 2015-099
Date(s) Issued: Monday, August 17, 2015
Subject: Multiple Vulnerabilities in Apple Products Could Allow Remote Code Execution
Overview:

Multiple vulnerabilities have been discovered in Apple iOS, OS X, and Safari. Apple iOS is an operating system for the iPhone, iPod touch, and iPad. OS X is an operating system for Apple computers. Apple Safari is a web browser available for OS X and Microsoft Windows. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file, including an email attachment.

Successful exploitation could result in an attacker gaining the same privileges as the logged on user, remote code execution within the context of the application, and bypass of security restrictions. Failed attacks may still cause a Denial of Service condition within the targeted delivery method. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected:
  • Apple OS X Yosemite prior to 10.10.5
  • Apple iOS prior to 8.4.1
  • Apple Safari 6 prior to 6.2.8
  • Apple Safari 7 prior to 7.1.8
  • Apple Safari 8 prior to 8.0.8
Risk:
  • Government
      Large and medium government entities: High
      Small government entities: High
  • Business
      Large and medium business entities: High
      Small business entities: High
  • Home users: High
Description: 

Multiple vulnerabilities have been discovered in iOS, Safari, and OS X that could allow remote code execution. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file. Details of these vulnerabilities are as follows:

  • Multiple vulnerabilities affect the 'Kernel' component, which could allow an attacker to execute arbitrary code. (CVE-2015-3802, CVE-2015-3805, CVE-2015-3768, CVE-2015-3776, CVE-2015-3766, CVE-2015-3806, CVE-2015-3803, CVE-2015-5747, CVE-2015-5748, CVE-2015-3761)
  • Multiple vulnerabilities affect the 'libxml2' component when handling a specially-crafted XML document. An attacker can exploit these issues to gain access to user information or cause a denial of service. (CVE-2015-3807, CVE-2012-6685)
  • Multiple vulnerabilities affect the 'ImageIO' component due to an uninitialized memory access error in ImageIO's handling of PNG and TIFF images, allowing access to process memory. (CVE-2015-5781, CVE-2015-5782, CVE-2015-5758)
  • Multiple memory-corruption vulnerabilities affect the 'CoreMedia Playback' component. An attacker can exploit these issues to terminate the application or execute arbitrary code. (CVE-2015-5777, CVE-2015-5778)
  • Multiple memory-corruption vulnerabilities affect the 'CoreText' component when handling specially-crafted font files. An attacker can exploit these issues to cause the application to terminate or execute arbitrary code. (CVE-2015-5755, CVE-2015-5761)
  • Multiple vulnerabilities affect the 'QL Office' component. An attacker can exploit these issues to cause the application to terminate or execute arbitrary code, or allow for information disclosure. (CVE-2015-5773, CVE-2015-3784)
  • Multiple memory-corruption vulnerabilities affect the 'Libc' component due to an error in the TRE library. An attacker can exploit these issues using a specially-crafted regular expression to cause the application to terminate or execute arbitrary code. (CVE-2015-3796, CVE-2015-3797, CVE-2015-3798)
  • A memory-corruption vulnerability affects the 'DiskImages' component when handling specially-crafted DMG image files. An attacker can exploit this issue to cause the application to terminate or execute arbitrary code with system privileges. (CVE-2015-3800)
  • A memory-corruption vulnerability affects the 'Libinfo' component due to an error in the handling of AF_INET6 sockets. An attacker can exploit this issue to cause the application to terminate or execute arbitrary code. (CVE-2015-5776)
  • A memory-corruption vulnerability affects the 'libpthread' component when handling syscalls. An attacker can exploit this issue using a specially-crafted application to execute arbitrary code with system privileges. (CVE-2015-5757)
  • Multiple memory-corruption vulnerabilities affect the 'FontParser' component when handling specially-crafted font files. An attacker can exploit these issues to cause the application to terminate or execute arbitrary code. (CVE-2015-3804, CVE-2015-5775, CVE-2015-5756)
  • A memory-corruption vulnerability affects the 'libxpc' component when handling specially-crafted XPC messages. An attacker can exploit this issue using a specially-crafted application to execute arbitrary code with system privileges. (CVE-2015-3795)
  • A local buffer-overflow vulnerability affects the 'IOHIDFamily' component when handling specially-crafted XPC messages. A local attacker can exploit this issue to execute arbitrary code with system privileges. (CVE-2015-5774)
  • An access bypass vulnerability affects the 'CloudKit' component due to a state inconsistency when signing out users. An attacker can exploit this issue using a specially-crafted application to access the iCloud user record of a previously signed in user. (CVE-2015-3782)
  • A local authentication-bypass vulnerability exists due to a state management issue in the password authentication. An attacker can exploit this issue to change the password of a local user. (CVE-2015-3799)
  • An information-disclosure vulnerability affects the 'AppleGraphicsControl' component. An attacker can exploit this issue to disclose the kernel memory layout using a specially-crafted application. (CVE-2015-5768)
  • Multiple vulnerabilities affect the 'Bluetooth' component. An attacker can exploit these issues to execute arbitrary code with system privileges. (CVE-2015-3779, CVE-2015-3780, CVE-2015-3786, CVE-2015-3787, CVE-2015-3777)
  • A security vulnerability affects the 'bootp' component. Specifically, this issue occurs because a malicious Wi-Fi network may be able to determine networks a device has previously accessed. (CVE-2015-3778)
  • A memory-corruption vulnerability affects the 'Data Detectors Engine' component. Specifically, this issue occurs when processing a sequence of unicode characters. This may lead to an unexpected application termination or arbitrary code execution. (CVE-2015-5750)
  • An authorization-bypass vulnerability affects the 'Date & Time pref pane' component. Specifically, this issue exists when modifying the system date and time preferences. (CVE-2015-3757)
  • A security-bypass affects the 'Dictionary Application' component. Specifically, this issue occurs because it fails to properly secure user communications. An attacker can exploit this issue to intercept users' Dictionary app queries. (CVE-2015-3774)
  • An arbitrary code-execution vulnerability affects the 'dyld' component. Specifically, this issue is due to a path validation issue in 'dyld'. (CVE-2015-3760)
  • Multiple arbitrary code-execution vulnerabilities affect the 'Install Framework Legacy' component. Specifically, these issues exist in how Install.framework's 'runner' binary dropped privileges. (CVE-2015-5784, CVE-2015-5754)
  • Multiple memory-corruption vulnerabilities affect the 'IOFireWireFamily' component. A local attacker can exploit these issues to execute arbitrary code with system privileges. (CVE-2015-3769, CVE-2015-3771, CVE-2015-3772)
  • Multiple memory-corruption vulnerabilities affect the 'IOGraphics' component. An attacker can exploit these issues to execute arbitrary code with system privileges. (CVE-2015-3770, CVE-2015-5783)
  • A security-bypass affects the 'Notification Center OSX' component. Specifically, this issue occurs because it fails to properly delete user notifications. An attacker can exploit this issue to access all notifications previously displayed to users. (CVE-2015-3764)
  • A memory-corruption vulnerability affects the 'ntfs' component. A local attacker can exploit this issue to execute arbitrary code with system privileges. (CVE-2015-5763)
  • A memory-corruption vulnerability affects the 'Quartz Composer Framework' component. An attacker can exploit this issue by sending a maliciously crafted QuickTime file. (CVE-2015-5771)
  • A security vulnerability affects the 'Quick Look' component. Specifically, this issue exists where 'QuickLook' had the capability to execute JavaScript. (CVE-2015-3781)
  • Multiple memory-corruption vulnerabilities affect the 'QuickTime 7' component. An attacker can exploit these issues by sending a maliciously crafted file. (CVE-2015-3772, CVE-2015-3779, CVE-2015-5753, CVE-2015-5779, CVE-2015-3765, CVE-2015-3788, CVE-2015-3789, CVE-2015-3790, CVE-2015-3791, CVE-2015-3792, CVE-2015-5751)
  • A heap-based buffer-overflow vulnerability affects the 'SceneKit' component. An attacker can exploit this issue by sending a maliciously crafted 'Collada' file. (CVE-2015-5772, CVE-2015-3783)
  • An authentication-bypass vulnerability affects the 'Security' component. Specifically, the issue occurs when handling user authentication. An attacker can exploit this issue to gain access to admin privileges without proper authentication. (CVE-2015-3775)
  • A memory-corruption vulnerability affects the 'SMBClient' component. An attacker can exploit this issue to cause unexpected application termination or arbitrary code execution. (CVE-2015-3773)
  • A memory-corruption vulnerability affects the 'Speech UI' component. An attacker can exploit this issue by sending a maliciously crafted 'unicode' string. (CVE-2015-3794)
  • An XML External Entity injection vulnerability affects the 'Text Formats' component. (CVE-2015-3762)
  • A memory-corruption vulnerability affects the 'udf' component. An attacker can exploit this issue by sending a maliciously crafted 'DMG' file. (CVE-2015-3767)
  • Safari is prone to multiple security-bypass vulnerabilities because it allows a malicious website to display an arbitrary URL when navigating to a specially-crafted URL. Specifically, these issues affect the 'WebKit Process Model' and 'Web' components. (CVE-2015-3755)
  • WebKit is prone to multiple security-bypass and memory-corruption vulnerabilities, which could allow for arbitrary code execution. (CVE-2015-3730, CVE-2015-3731, CVE-2015-3732, CVE-2015-3733, CVE-2015-3734, CVE-2015-3735, CVE-2015-3736, CVE-2015-3737, CVE-2015-3738, CVE-2015-3739, CVE-2015-3740, CVE-2015-3741, CVE-2015-3742, CVE-2015-3743, CVE-2015-3744, CVE-2015-3745, CVE-2015-3746, CVE-2015-3747, CVE-2015-3748, CVE-2015-3749, CVE-2015-3750, CVE-2015-3751, CVE-2015-3752, CVE-2015-3753)

Successful exploitation could result in an attacker gaining the same privileges as the logged-on user, remote code execution within the context of the application, and the ability to bypass security restrictions. Failed attacks may still cause a Denial of Service condition within the targeted delivery method. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 
  • After appropriate testing, apply the updates provided by Apple to vulnerable systems.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from untrusted or unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
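As an added check (not part of the advisory), the script below classifies an installed OS X or Safari version against the fixed releases listed under Systems Affected, so vulnerable hosts can be identified before the updates are rolled out; only Yosemite (10.10.x) and Safari 6, 7 and 8 are covered, matching the advisory. The sw_vers tool, the Safari Info.plist path and the CFBundleShortVersionString key are assumptions about a standard OS X install, and the live check runs only on an OS X host.

```shell
#!/bin/sh
# Added example, not part of the advisory: flag an OS X or Safari install whose
# version is below the fixed releases (OS X 10.10.5; Safari 6.2.8 / 7.1.8 / 8.0.8).
# Assumes the standard sw_vers tool and Safari's Info.plist location on OS X.

# version_lt A B: succeeds (exit 0) when dotted version A is older than B.
# Missing components count as 0, so "10.10" is treated as "10.10.0".
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(echo "$1" | cut -d. -f"$i"); y=$(echo "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Only Yosemite (10.10.x) is named in the advisory, so other majors are "unknown".
osx_status() {
    case "$1" in
        10.10|10.10.*) if version_lt "$1" 10.10.5; then echo vulnerable; else echo patched; fi ;;
        *) echo unknown ;;
    esac
}

# Fixed Safari release for the installed major version; empty if not covered.
safari_fixed_version() {
    case "$1" in
        6.*) echo 6.2.8 ;;
        7.*) echo 7.1.8 ;;
        8.*) echo 8.0.8 ;;
        *)   echo "" ;;
    esac
}

safari_status() {
    fixed=$(safari_fixed_version "$1")
    [ -z "$fixed" ] && { echo unknown; return 0; }
    if version_lt "$1" "$fixed"; then echo vulnerable; else echo patched; fi
}

# Live check, run only on an actual OS X host; elsewhere the functions are just defined.
if [ "$(uname 2>/dev/null)" = "Darwin" ] && command -v sw_vers >/dev/null 2>&1; then
    osx=$(sw_vers -productVersion)
    echo "OS X $osx: $(osx_status "$osx")"
    plist=/Applications/Safari.app/Contents/Info.plist
    if [ -f "$plist" ]; then
        safari=$(defaults read "$plist" CFBundleShortVersionString 2>/dev/null)
        echo "Safari $safari: $(safari_status "$safari")"
    fi
fi
```

iOS devices cannot be checked this way; use your MDM inventory to find devices below 8.4.1.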

References: 

Apple:

https://support.apple.com/en-in/HT205030

https://support.apple.com/en-ie/HT205031

https://support.apple.com/en-in/HT205033

SecurityFocus:

http://www.securityfocus.com/advisories/35979

http://www.securityfocus.com/advisories/35980

http://www.securityfocus.com/advisories/35981

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6685

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3730

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3731

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3732

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3733

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3734

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3735

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3736

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3737

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3738

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3739

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3740

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3741

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3742

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3743

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3744

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3745

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3746

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3747

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3748

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3749

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3750

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3751

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3752

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3753

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3755

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3757

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3760

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3761

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3762

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3764

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3765

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3766

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3767

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3768

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3769

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3770

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3771

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3772

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3773

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3774

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3775

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3776

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3777

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3778

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3779

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3780

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3781

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3782

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3783

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3784

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3786

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3787

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3788

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3789

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3790

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3791

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3792

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3794

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3795

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3796

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3797

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3798

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3799

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3800

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3802

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3803

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3804

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3805

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3806

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3807

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5747

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5748

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5750

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5751

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5753

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5754

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5755

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5756

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5757

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5758

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5761

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5763

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5768

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5771

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5772

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5773

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5774

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5775

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5776

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5777

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5778

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5779

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5781

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5782

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5783

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5784