
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2017-007

DATE(S) ISSUED:

01/24/2017

OVERVIEW:

Multiple vulnerabilities have been discovered in iOS, tvOS, watchOS, macOS Sierra, iCloud for Windows, Safari, and iTunes for Windows, which could allow for arbitrary code execution. iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch. tvOS is an operating system for the fourth-generation Apple TV digital media player. watchOS is the mobile operating system of the Apple Watch and is based on the iOS operating system. macOS Sierra is the thirteenth major release of macOS (previously OS X), Apple's desktop and server operating system for Macintosh computers. iCloud for Windows is a service developed by Apple that keeps Apple devices in sync with each other. Safari is a web browser developed by Apple. iTunes for Windows is a media player, media library, online radio broadcaster, and mobile device management application developed by Apple.

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • iOS Versions prior to 10.2.1
  • tvOS Versions prior to 10.1.1
  • watchOS Versions prior to 3.1.3
  • macOS Sierra Versions prior to 10.12.3
  • iCloud for Windows Versions prior to 6.1.1
  • Safari Versions prior to 10.0.3
  • iTunes for Windows Versions prior to 12.5.5

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users:
LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in watchOS, iOS, tvOS, macOS Sierra, iCloud for Windows, Safari, and iTunes for Windows. The most severe of these vulnerabilities could allow for arbitrary code execution. Details of the vulnerabilities are as follows:

· An arbitrary code execution vulnerability that affects a feature called ‘FontParser’ when processing a maliciously crafted font file. (CVE-2016-4691)

· An arbitrary code execution vulnerability caused by opening a maliciously crafted file due to an input validation issue in Vim modelines. (CVE-2016-1248)

· An arbitrary code execution vulnerability that affects a feature called ‘FontParser’ when processing a maliciously crafted font file. (CVE-2016-4688)

· A security vulnerability which may allow an attacker to exploit weaknesses in the 3DES cryptographic algorithm. (CVE-2016-4693)

· An arbitrary code execution vulnerability that affects the ‘CoreMedia Playback’ module when processing a maliciously crafted .mp4 file. (CVE-2016-7588)

· An arbitrary code execution vulnerability caused by processing maliciously crafted web content. (CVE-2016-7589)

· An arbitrary code execution with kernel privileges vulnerability that affects a feature called ‘IOHIDFamily’. (CVE-2016-7591)

· An arbitrary code execution vulnerability that affects a feature called ‘ICU’ when processing maliciously crafted web content. (CVE-2016-7594)

· An arbitrary code execution vulnerability that affects the ‘CoreText’ module when processing a maliciously crafted font file. (CVE-2016-7595)

· An insufficient initialization vulnerability allowing an application to read kernel memory was addressed by properly initializing memory returned to user space. (CVE-2016-7607)

· Multiple memory corruption vulnerabilities allowing an application to execute arbitrary code with kernel privileges were addressed through improved input validation. (CVE-2016-7606, CVE-2016-7612)

· A denial of service vulnerability allowing a local user to cause a system denial of service was addressed through improved memory handling. (CVE-2016-7615)

· An arbitrary code execution with kernel privileges vulnerability that affects a feature called ‘Disk Images’ due to input validation errors. (CVE-2016-7616)

· A ‘symlink’ validation vulnerability allowing a local attacker to overwrite existing files. (CVE-2016-7619)

· An arbitrary code execution vulnerability allowing a local user to cause an unexpected system termination or arbitrary code execution in the kernel was addressed through improved memory management. (CVE-2016-7621)

· A denial of service vulnerability that affects the ‘CoreGraphics’ module when processing a maliciously crafted font file. (CVE-2016-7627)

· A denial of service vulnerability that affects the handling of OCSP responder URLs. (CVE-2016-7636)

· A memory corruption vulnerability allowing a user to gain root privileges was addressed through improved input validation. (CVE-2016-7637)

· A security vulnerability that affects a feature called ‘ImageIO’ which may allow for a remote attacker to leak memory. (CVE-2016-7643)

· An arbitrary code execution vulnerability may allow a local application with system privileges to execute arbitrary code with kernel privileges. (CVE-2016-7644)

· An issue existed in which authorization settings were not reset on app uninstall. This issue was addressed through improved sanitization. (CVE-2016-7651)

· A memory corruption vulnerability which may allow an application to read kernel memory was addressed through improved input validation. (CVE-2016-7657)

· Memory corruption issues caused by processing maliciously crafted files, leading to arbitrary code execution, were addressed through improved input validation. (CVE-2016-7658, CVE-2016-7659)

· A privilege escalation vulnerability in mach port name references which may allow a local user to gain root privileges. (CVE-2016-7660)

· A memory-corruption vulnerability in the ‘CoreFoundation’ module when processing strings may lead to an unexpected application termination or arbitrary code execution. (CVE-2016-7663)

· Multiple issues in PHP were addressed by updating to PHP version 5.6.28. (CVE-2016-8670, CVE-2016-9933, CVE-2016-9934)

· An arbitrary code execution vulnerability in libarchive when unpacking a maliciously crafted archive was addressed through improved memory handling. (CVE-2016-8687)

· A prototype access issue in WebKit, reachable by processing maliciously crafted web content, may allow data exfiltration; it was addressed through improved exception handling. (CVE-2017-2350)

· A security-bypass vulnerability with handling user input that causes a device to present the home screen even when locked. (CVE-2017-2351)

· A logic issue which may unlock an Apple Watch when it is off the user's wrist was addressed through improved state management. (CVE-2017-2352)

· An arbitrary code execution vulnerability in the Bluetooth feature was addressed through improved memory management. (CVE-2017-2353)

· An arbitrary code execution vulnerability caused by a memory initialization issue exists when processing maliciously crafted web content. (CVE-2017-2355)

· A security vulnerability may allow an application to determine kernel memory layout due to an uninitialized memory issue. (CVE-2017-2357)

· An arbitrary code execution with kernel privileges vulnerability caused by a memory corruption issue was addressed through improved input validation. (CVE-2017-2358)

· A state management vulnerability in the address bar caused by visiting a malicious website was addressed through improved URL handling. (CVE-2017-2359)

· An arbitrary code execution vulnerability may allow an application to execute arbitrary code with kernel privileges. (CVE-2017-2360)

· A data exfiltration vulnerability caused by a validation issue when processing maliciously crafted web content. (CVE-2017-2365)

· A denial of service vulnerability when processing a maliciously crafted contact card may lead to unexpected application termination. (CVE-2017-2368)

· An arbitrary code execution with kernel privileges vulnerability due to a buffer overflow issue was addressed through improved memory handling. (CVE-2017-2370)

· An arbitrary code execution vulnerability exists when processing maliciously crafted web content. (CVE-2017-2354, CVE-2017-2362, CVE-2017-2373)

· Multiple arbitrary code execution vulnerabilities caused by multiple memory corruption issues exist when processing maliciously crafted web content. (CVE-2017-2356, CVE-2017-2369, CVE-2017-2366)

· Multiple data exfiltration vulnerabilities are caused by processing maliciously crafted web content due to a validation issue existing in the handling of page loading. (CVE-2017-2363, CVE-2017-2364)

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

· Apply appropriate patches provided by Apple to vulnerable systems immediately after appropriate testing.

· Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

· Remind users not to download, accept, or execute files from untrusted or unknown sources.

· Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
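The first recommendation presumes you can tell which hosts are still below the fixed versions listed under SYSTEMS AFFECTED. The following POSIX shell script is an added example, not part of the MS-ISAC advisory, that compares dotted version strings numerically against the advisory's macOS Sierra (10.12.3) and Safari (10.0.3) thresholds. The thresholds are the advisory's; the sample versions in the demonstration block are constructed; sw_vers and PlistBuddy are standard macOS tools used here to read the installed versions for the live check. iOS, tvOS, watchOS and the two Windows products are not covered by the live check and would need their own inventory source (MDM, or the Windows Programs and Features registry keys).

```shell
#!/bin/sh
# Added example: compare installed versions against the fixed versions from
# MS-ISAC advisory 2017-007. Not code from the advisory or from Apple.

# vfield VERSION N: print numeric field N of a dotted version, or 0 if absent.
# Appending ".0.0.0" guarantees cut always sees a delimiter and pads short
# versions (e.g. "10.2" compares as 10.2.0.0).
vfield() {
    printf '%s.0.0.0\n' "$1" | cut -d. -f"$2"
}

# version_lt A B: exit 0 if A is strictly lower than B, else 1.
# Compares up to four numeric fields; Apple version strings are numeric.
version_lt() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(vfield "$1" "$i")
        y=$(vfield "$2" "$i")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1   # all fields equal: not lower
}

# check_component NAME INSTALLED FIXED: print one status line;
# return 0 when patched (installed >= fixed), 1 when still vulnerable.
check_component() {
    if version_lt "$2" "$3"; then
        printf 'VULNERABLE  %-14s installed %-9s fixed in %s\n' "$1" "$2" "$3"
        return 1
    fi
    printf 'ok          %-14s installed %-9s fixed in %s\n' "$1" "$2" "$3"
    return 0
}

# check_host: live check on a macOS Sierra host. Thresholds are the
# advisory's. Returns 1 if any component is below its fixed version,
# 2 if not running on macOS.
check_host() {
    [ "$(uname -s)" = "Darwin" ] || { echo "not macOS; skipping live check" >&2; return 2; }
    rc=0
    check_component "macOS Sierra" "$(sw_vers -productVersion)" 10.12.3 || rc=1
    safari=$(/usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" \
        /Applications/Safari.app/Contents/Info.plist 2>/dev/null)
    if [ -n "$safari" ]; then
        check_component "Safari" "$safari" 10.0.3 || rc=1
    fi
    return $rc
}

# Demonstration on constructed sample versions (not read from a real host).
check_component "macOS Sierra" 10.12.2 10.12.3 || true
check_component "Safari" 10.0.3 10.0.3 || true
check_component "iTunes (Win)" 12.5.4 12.5.5 || true

# Run the live check only when explicitly requested: ./check.sh --live
[ "${1:-}" = "--live" ] && check_host
```

A 10.11 host will also report "VULNERABLE" against the 10.12.3 threshold; that is a different product line (El Capitan) and outside this advisory, so filter on `sw_vers -productVersion` starting with 10.12 if you feed this into a fleet report. The comparison is numeric per field, so 10.12.10 correctly sorts above 10.12.3, which a plain string comparison would get wrong.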

REFERENCES:

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1248
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4688
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4691
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4693
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7588
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7589
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7591
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7594
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7595
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7606
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7607
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7612
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7615
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7616
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7619
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7621
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7626
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7627
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7636
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7637
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7643
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7644
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7651
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7657
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7658
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7659
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7660
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7662
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7663
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8670
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8687
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9933
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9934
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2350
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2351
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2352
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2353
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2354
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2355
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2356
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2357
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2358
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2359
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2360
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2361
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2362
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2363
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2364
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2365
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2366
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2368
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2369
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2370
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2371
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2373
