Multiple Vulnerabilities in Apple Products Could Allow Remote Code Execution

ITS Advisory Number: 2015-113
Date(s) Issued: Monday, September 21, 2015
Subject: Multiple Vulnerabilities in Apple Products Could Allow Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Apple iOS and iTunes. Apple iOS is the operating system for iPhone, iPod touch, and iPad. Apple iTunes is used to play media files on Microsoft Windows and Mac OS X platforms. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file, including an email attachment.

Successful exploitation could result in an attacker gaining the same privileges as the logged on user, remote code execution within the context of the application, and the ability to bypass the security systems. Failed attacks may still cause a Denial of Service condition within the targeted delivery method. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Apple iOS prior to 9.0
  • Apple iTunes prior to 12.3 
Risk:
  Government:
    Large and medium government entities: High
    Small government entities: High
  Business:
    Large and medium business entities: High
    Small business entities: High
  Home Users: High
Description: 

Multiple vulnerabilities have been discovered in iOS and iTunes where the most severe of these could allow remote code execution. Details of these vulnerabilities are as follows:

  • Multiple vulnerabilities affect the 'Kernel' component, which could allow an attacker to execute arbitrary code. (CVE-2015-5868, CVE-2015-5896, CVE-2015-5903)
  • A memory-corruption vulnerability affects the 'CoreText' component when handling specially-crafted font files. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5874)
  • A memory-corruption vulnerability affects the 'Data Detectors Engine' component. Specifically, this issue occurs when processing a maliciously crafted text file. This may lead to arbitrary code execution. (CVE-2015-5829)
  • A memory-corruption vulnerability affects the 'Dev Tools' component. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5876)
  • A memory-corruption vulnerability affects the 'Disk Images' component. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5847)
  • A memory-corruption vulnerability affects the 'libc' component. An attacker can exploit this issue to execute arbitrary code. (CVE-2014-8611)
  • A memory-corruption vulnerability affects the 'libpthread' component. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5899)
  • A memory-corruption vulnerability affects the 'IOAcceleratorFamily' component. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5848)
  • A memory-corruption vulnerability affects the 'IOHIDFamily' component. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5867)
  • Memory-corruption vulnerabilities affect the 'IOKit' component. An attacker can exploit these issues to execute arbitrary code. (CVE-2015-5844, CVE-2015-5845, CVE-2015-5846)
  • A memory-corruption vulnerability affects the 'IOMobileFrameBuffer' component. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5843)
  • Memory-corruption vulnerabilities affect the 'JavaScriptCore' component. An attacker can exploit these issues to execute arbitrary code. (CVE-2015-5791, CVE-2015-5793, CVE-2015-5814, CVE-2015-5816, CVE-2015-5822, CVE-2015-5823)
  • Memory-corruption vulnerabilities affect the 'tidy' component. An attacker can exploit these issues to execute arbitrary code. (CVE-2015-5522, CVE-2015-5523)
  • WebKit is prone to multiple memory-corruption vulnerabilities, which could allow arbitrary code execution. (CVE-2015-5789, CVE-2015-5790, CVE-2015-5792, CVE-2015-5794, CVE-2015-5795, CVE-2015-5796, CVE-2015-5797, CVE-2015-5799, CVE-2015-5800, CVE-2015-5801, CVE-2015-5802, CVE-2015-5803, CVE-2015-5804, CVE-2015-5805, CVE-2015-5806, CVE-2015-5807, CVE-2015-5809, CVE-2015-5810, CVE-2015-5811, CVE-2015-5812, CVE-2015-5813, CVE-2015-5817, CVE-2015-5818, CVE-2015-5819, CVE-2015-5821)
  • Terminals may retrieve limited transaction history from some cards using Apple Pay. (CVE-2015-5916)
  • The count of failed passcode attempts can be reset using an iOS backup. (CVE-2015-5850)
  • Malicious ITMS link may cause DoS when clicked. (CVE-2015-5856)
  • Malicious audio playback may cause unexpected app termination. (CVE-2015-5862)
  • Apple app cache data may be read with physical access to machine. (CVE-2015-5898)
  • User activity can be tracked by an attacker in a privileged network position. (CVE-2015-5885)
  • Unintended cookie creation for websites. (CVE-2015-3801)
  • Client reconnaissance of other hosts using malicious ftp servers. (CVE-2015-5912)
  • Bypass of HTTP Strict Transport Security (HSTS) with a maliciously crafted URL to leak sensitive data. (CVE-2015-5858)
  • User tracking in Safari private browsing mode by a malicious website. (CVE-2015-5860)
  • A malicious website can set cookies for another website. (CVE-2015-5841)
  • Interception of SSL/TLS connections by attacker from privileged network position. (CVE-2015-5824)
  • Sensitive user information leakage by malicious application. (CVE-2015-5880)
  • Bypass of dyld code signing. (CVE-2015-5839)
  • Access of player's email address by malicious Game Center application. (CVE-2015-5855)
  • Multiple vulnerabilities in ICU. (CVE-2014-8146, CVE-2015-1205)
  • Determination of kernel address memory layout by malicious application. (CVE-2015-5834)
  • Memory reading by local attacker. (CVE-2015-5863)
  • AppleID credentials persisting after signing out. (CVE-2015-5832)
  • Stack cookie values controlled by attacker. (CVE-2013-3951)
  • Modification of other processes by a local process without entitlement checks. (CVE-2015-5882)
  • Denial-of-service attacks against TCP connections can be launched without knowing the sequence number. (CVE-2015-5879)
  • Disabling of IPv6 routing by attacker in local LAN segment. (CVE-2015-5869)
  • Determination of kernel memory layout by local user. (CVE-2015-5842)
  • System DoS by local user. (CVE-2015-5748)
  • Impersonation of recipient's address book contact by email. (CVE-2015-5857)
  • Observation of unprotected multipeer data by local attacker. (CVE-2015-5851)
  • Determination of kernel memory layout by malicious application. (CVE-2015-5831)
  • OpenSSL vulnerabilities. (CVE-2015-0286, CVE-2015-0287)
  • Installation of extensions prior to trust. (CVE-2015-5837)
  • Unexpected application termination by malicious data processing. (CVE-2015-5840)
  • Access to Safari bookmarks on locked iOS device without use of passcode. (CVE-2015-5903)
  • User-interface spoofing from malicious website. (CVE-2015-5904, CVE-2015-5905, CVE-2015-5764, CVE-2015-5765, CVE-2015-5767)
  • User-tracking with client certificates by malicious websites. (CVE-2015-1129)
  • Interception of communications between apps by a malicious app. (CVE-2015-5835)
  • Notifications configured not to be shown on the lock screen can be accessed through Siri by someone with physical access to the device. (CVE-2015-5892)
  • An audio message can be replied to from the lock screen even when lock-screen message preview is disabled, by someone with physical access to the device. (CVE-2015-5861)
  • Spoofing of other applications' dialog windows by a malicious application. (CVE-2015-5838)
  • SQLite vulnerabilities. (CVE-2015-5895)
  • Object references leak in WebKit. (CVE-2015-5827)
  • Unintended dialing by visiting malicious website. (CVE-2015-5820)
  • QuickType can access the value of the last character of a password in a filled form. (CVE-2015-5906)
  • Redirection to malicious domain by attacker in privileged network position. (CVE-2015-5907)
  • Cross-origin data exfiltration vulnerability. (CVE-2015-5826)
  • Leakage of browsing history, mouse movements, and network activity by malicious website. (CVE-2015-5825)
  • Leakage of sensitive user information by attacker in privileged network position. (CVE-2015-5921)
  • Disclosure of image data from another site when visiting malicious website. (CVE-2015-5788)
  • Memory-corruption vulnerabilities affect iTunes. Specifically, these issues occur when processing a maliciously crafted text file. This may lead to arbitrary code execution. (CVE-2015-1157, CVE-2015-3686, CVE-2015-3687, CVE-2015-3688, CVE-2015-5755, CVE-2015-5761)
  • Arbitrary code execution when opening a media file. (CVE-2010-3190)
  • A man-in-the-middle (MITM) attack while browsing the iTunes Store can result in arbitrary code execution. (CVE-2015-1152, CVE-2015-1153, CVE-2015-3730, CVE-2015-3731, CVE-2015-3733, CVE-2015-3734, CVE-2015-3735, CVE-2015-3736, CVE-2015-3737, CVE-2015-3738, CVE-2015-3739, CVE-2015-3740, CVE-2015-3741, CVE-2015-3742, CVE-2015-3743, CVE-2015-3744, CVE-2015-3745, CVE-2015-3746, CVE-2015-3747, CVE-2015-3748, CVE-2015-3749, CVE-2015-5798, CVE-2015-5808, CVE-2015-5815)
  • SMB credentials can be obtained by attacker in privileged network position. (CVE-2015-5920)

Actions: 
  • Apply appropriate updates provided by Apple to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from untrusted or unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
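The first action above depends on knowing which devices are still below the fixed releases. The following is an added example, not part of this advisory or of any Apple tooling: it compares an inventory of reported iOS and iTunes versions against the thresholds stated in "Systems Affected" (iOS prior to 9.0, iTunes prior to 12.3) and lists the hosts that still need the update. The inventory rows and hostnames are constructed for illustration; the product and threshold values come from the advisory.

```python
"""Flag inventory entries that fall below the fixed releases in this advisory.

Added example, not advisory or vendor code. The inventory below is constructed.
"""
import csv
import io

# Fixed releases from the advisory's "Systems Affected" section:
# any version strictly below these is still vulnerable.
FIXED_VERSIONS = {
    "ios": (9, 0),
    "itunes": (12, 3),
}

# Constructed sample inventory (host, product, reported version).
SAMPLE_INVENTORY = """\
host,product,version
iphone-finance-01,iOS,8.4.1
iphone-finance-02,iOS,9.0
ipad-exec-01,iOS,9.0.1
ws-marketing-07,iTunes,12.2.2
ws-marketing-08,iTunes,12.3
ws-legal-02,iTunes,12.10.1
srv-build-01,Xcode,7.0
"""


def parse_version(text):
    """Turn '8.4.1' into (8, 4, 1).

    Each dotted component is read up to its first non-digit, so a string such
    as '9.0b3' compares by its numeric parts (9, 0) rather than failing.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_lt(a, b):
    """Numeric comparison of version tuples, zero-padded to equal length so that
    '9' is treated as 9.0 rather than as something older than 9.0, and 12.10 is
    correctly newer than 12.3 (a plain string compare would get this wrong)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def is_affected(product, version):
    """True if `version` of `product` is below the fixed release in the advisory.

    Products not named in the advisory return False (not in scope here).
    An unparseable version string raises, since a silent False would hide a
    device that may still be vulnerable.
    """
    fixed = FIXED_VERSIONS.get(product.strip().lower())
    if fixed is None:
        return False
    parsed = parse_version(version)
    if not parsed:
        raise ValueError(f"unparseable version string: {version!r}")
    return version_lt(parsed, fixed)


def find_affected(inventory_csv):
    """Return (host, product, version) for every inventory row still affected."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return [
        (row["host"], row["product"], row["version"])
        for row in reader
        if is_affected(row["product"], row["version"])
    ]


if __name__ == "__main__":
    for host, product, version in find_affected(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed release")
```

Run against a real export, the same function reports only the hosts whose version is strictly older than the fixed release; a device already on 9.0 or 12.3 is not flagged, and a product the advisory does not cover is ignored rather than guessed at.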
References: 

Apple:

https://support.apple.com/en-us/HT205212

https://support.apple.com/en-us/HT205221

SecurityFocus:

http://www.securityfocus.com/advisories/36137

http://www.securityfocus.com/advisories/36139

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5916

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5850

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5856

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5862

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5898

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5885

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3801

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5912

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5858

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5860

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5841

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5824

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5880

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5874

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5829

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5876

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5839

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5847

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5855

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8146

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1205

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5834

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5848

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5867

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5844

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5845

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5846

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5843

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5863

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5832

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5791

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5793

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5814

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5816

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5822

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5823

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5868

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5896

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5903

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3951

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5882

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5879

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5869

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5842

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5748

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8611

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5899

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5857

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5851

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5831

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5837

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5840

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5904

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5905

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1129

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5764

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5765

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5767

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5835

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5892

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5861

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5838

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5895

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5522

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5523

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5827

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5789

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5790

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5792

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5794

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5795

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5796

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5797

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5799

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5800

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5801

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5802

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5803

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5804

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5805

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5806

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5807

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5809

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5810

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5811

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5812

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5813

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5817

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5818

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5819

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5821

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5820

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5906

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5907

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5826

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5825

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5921

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5788

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1157

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3686

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3687

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3688

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5755

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5761

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1152

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1153

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3730

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3731

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3733

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3734

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3735

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3736

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3737

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3738

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3739

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3740

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3741

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3742

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3743

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3744

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3745

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3746

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3747

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3748

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3749

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5798

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5808

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5815

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5920