
Multiple Vulnerabilities in Apple Products Could Allow Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2015-114

DATE(S) ISSUED:

09/15/2015

OVERVIEW:

Multiple vulnerabilities have been discovered in Apple iOS and iTunes. Apple iOS is an operating system for iPhone, iPod touch, and iPad. Apple iTunes is used to play media files on Microsoft Windows and Mac OS X platforms. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file, including an email attachment.

Successful exploitation could result in an attacker gaining the same privileges as the logged on user, remote code execution within the context of the application, and the ability to bypass the security systems. Failed attacks may still cause a Denial of Service condition within the targeted delivery method. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

September 21 - UPDATED OVERVIEW:

Multiple vulnerabilities have been discovered in Apple watchOS. Apple watchOS is the operating system used by the Apple Watch.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Apple iOS prior to 9.0
  • Apple iTunes prior to 12.3
  • Apple watchOS prior to 2

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
HIGH

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in iOS and iTunes where the most severe of these could allow remote code execution. Details of these vulnerabilities are as follows:

Multiple vulnerabilities affect the 'Kernel' component, which could allow an attacker to execute arbitrary code. (CVE-2015-5868, CVE-2015-5896, CVE-2015-5903)
A memory-corruption vulnerability affects the 'CoreText' component when handling specially-crafted font files. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5874)
A memory-corruption vulnerability affects the 'Data Detectors Engine' component. Specifically, this issue occurs when processing a maliciously crafted text file. This may lead to arbitrary code execution. (CVE-2015-5829)
A memory-corruption vulnerability affects the ‘Dev Tools’ component. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5876)
A memory-corruption vulnerability affects the ‘Disk Images’ component. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5847)
A memory-corruption vulnerability affects the ‘libc’ component. An attacker can exploit this issue to execute arbitrary code. (CVE-2014-8611)
A memory-corruption vulnerability affects the ‘libpthread’ component. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5899)
A memory-corruption vulnerability affects the ‘IOAcceleratorFamily’ component. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5848)
A memory-corruption vulnerability affects the ‘IOHIDFamily’ component. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5867)
Memory-corruption vulnerabilities affect the ‘IOKit’ component. An attacker can exploit these issues to execute arbitrary code. (CVE-2015-5844, CVE-2015-5845, CVE-2015-5846)
A memory-corruption vulnerability affects the ‘IOMobileFrameBuffer’ component. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5843)
Memory-corruption vulnerabilities affect the ‘JavaScriptCore’ component. An attacker can exploit these issues to execute arbitrary code. (CVE-2015-5791, CVE-2015-5793, CVE-2015-5814, CVE-2015-5816, CVE-2015-5822, CVE-2015-5823)
Memory-corruption vulnerabilities affect the ‘tidy’ component. An attacker can exploit these issues to execute arbitrary code. (CVE-2015-5522, CVE-2015-5523)
WebKit is prone to multiple memory-corruption vulnerabilities, which could allow for arbitrary code execution. (CVE-2015-5789, CVE-2015-5790, CVE-2015-5792, CVE-2015-5794, CVE-2015-5795, CVE-2015-5796, CVE-2015-5797, CVE-2015-5799, CVE-2015-5800, CVE-2015-5801, CVE-2015-5802, CVE-2015-5803, CVE-2015-5804, CVE-2015-5805, CVE-2015-5806, CVE-2015-5807, CVE-2015-5809, CVE-2015-5810, CVE-2015-5811, CVE-2015-5812, CVE-2015-5813, CVE-2015-5817, CVE-2015-5818, CVE-2015-5819, CVE-2015-5821)
Terminals may retrieve limited transaction history from some cards using Apple Pay. (CVE-2015-5916)
Resetting failed passcode attempts utilizing an iOS backup. (CVE-2015-5850)
Malicious ITMS link may cause DoS when clicked. (CVE-2015-5856)
Malicious audio playback may cause unexpected app termination. (CVE-2015-5862)
Apple app cache data may be read with physical access to machine. (CVE-2015-5898)
User-activity can be tracked by attacker in privileged network position. (CVE-2015-5885)
Unintended cookie creation for websites. (CVE-2015-3801)
Client reconnaissance of other hosts using malicious FTP servers. (CVE-2015-5912)
Bypass of HTTP Strict Transport Security (HSTS) with a maliciously crafted URL to leak sensitive data. (CVE-2015-5858)
User tracking in Safari private browsing mode by a malicious website. (CVE-2015-5860)
Assigning malicious cookies for a website by malicious websites. (CVE-2015-5841)
Interception of SSL/TLS connections by attacker from privileged network position. (CVE-2015-5824)
Sensitive user information leakage by malicious application. (CVE-2015-5880)
Bypass of dyld code signing. (CVE-2015-5839)
Access of player’s email address by malicious Game Center application. (CVE-2015-5855)
Multiple vulnerabilities in ICU. (CVE-2014-8146, CVE-2015-1205)
Determination of kernel address memory layout by malicious application. (CVE-2015-5834)
Memory reading by local attacker. (CVE-2015-5863)
AppleID credentials persisting after signing out. (CVE-2015-5832)
Stack cookie values controlled by attacker. (CVE-2013-3951)
Modification of other processes by a local process without entitlement checks. (CVE-2015-5882)
Ability to launch DoS attacks against TCP connections without knowing the sequence number. (CVE-2015-5879)
Disabling of IPv6 routing by attacker in local LAN segment. (CVE-2015-5869)
Determination of kernel memory layout by local user. (CVE-2015-5842)
System DoS by local user. (CVE-2015-5748)
Impersonation of recipient’s address book contact by email. (CVE-2015-5857)
Observation of unprotected multipeer data by local attacker. (CVE-2015-5851)
Determination of kernel memory layout by malicious application. (CVE-2015-5831)
OpenSSL vulnerabilities. (CVE-2015-0286, CVE-2015-0287)
Installation of extensions prior to trust. (CVE-2015-5837)
Unexpected application termination by malicious data processing. (CVE-2015-5840)
Access to Safari bookmarks on locked iOS device without use of passcode. (CVE-2015-5903)
User-interface spoofing from malicious website. (CVE-2015-5904, CVE-2015-5905, CVE-2015-5764, CVE-2015-5765, CVE-2015-5767)
User-tracking with client certificates by malicious websites. (CVE-2015-1129)
Interception of communications between apps by a malicious app. (CVE-2015-5835)
Access to notifications not to be displayed at lock screen available through usage of Siri with physical access to device. (CVE-2015-5892)
Audio message reply from lock screen when lock screen message preview is disabled with physical access to device. (CVE-2015-5861)
Spoof of other applications dialog windows by a malicious application. (CVE-2015-5838)
SQLite vulnerabilities. (CVE-2015-5895)
Object references leak in WebKit. (CVE-2015-5827)
Unintended dialing by visiting malicious website. (CVE-2015-5820)
Quicktype can access value of last character in password of a filled form. (CVE-2015-5906)
Redirection to malicious domain by attacker in privileged network position. (CVE-2015-5907)
Cross-origin data exfiltration vulnerability. (CVE-2015-5826)
Leakage of browsing history, mouse movements, and network activity by malicious website. (CVE-2015-5825)
Leakage of sensitive user information by attacker in privileged network position. (CVE-2015-5921)
Disclosure of image data from another site when visiting malicious website. (CVE-2015-5788)
Memory-corruption vulnerabilities affect iTunes. Specifically, these issues occur when processing a maliciously crafted text file. This may lead to arbitrary code execution. (CVE-2015-1157, CVE-2015-3686, CVE-2015-3687, CVE-2015-3688, CVE-2015-5755, CVE-2015-5761)
Arbitrary code execution when opening a media file. (CVE-2010-3190)
MITM attack using iTunes store browsing can result in arbitrary code execution. (CVE-2015-1152, CVE-2015-1153, CVE-2015-3730, CVE-2015-3731, CVE-2015-3733, CVE-2015-3734, CVE-2015-3735, CVE-2015-3736, CVE-2015-3737, CVE-2015-3738, CVE-2015-3739, CVE-2015-3740, CVE-2015-3741, CVE-2015-3742, CVE-2015-3743, CVE-2015-3744, CVE-2015-3745, CVE-2015-3746, CVE-2015-3747, CVE-2015-3748, CVE-2015-3749, CVE-2015-5798, CVE-2015-5808, CVE-2015-5815)
SMB credentials can be obtained by attacker in privileged network position. (CVE-2015-5920)
Successful exploitation could result in an attacker gaining the same privileges as the logged on user, remote code execution within the context of the application, and the ability to bypass the security systems. Failed attacks may still cause a Denial of Service condition within the targeted delivery method. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

September 21 - UPDATED TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Apple watchOS where the most severe of these could allow remote code execution. Details of these vulnerabilities are as follows:

Two memory corruption issues exist in the kernel in Apple watchOS that could allow for local arbitrary code execution. (CVE-2015-5918, CVE-2015-5919)

RECOMMENDATIONS:

We recommend the following actions be taken:

Apply appropriate updates provided by Apple to vulnerable systems immediately after appropriate testing.
Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Remind users not to download, accept, or execute files from untrusted or unknown sources.
Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
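
To support the first recommendation, the following added example (not part of the original advisory and not CIS or Apple code) triages a device inventory against the fixed versions listed under SYSTEMS AFFECTED. The host names and inventory rows are constructed sample data, and the function names are hypothetical.

```python
import re

# Fixed-release thresholds from the advisory's SYSTEMS AFFECTED list.
FIXED_IN = {"ios": (9, 0), "itunes": (12, 3), "watchos": (2,)}

def parse_version(text):
    """Turn '8.4.1' into (8, 4, 1); raise ValueError on anything non-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def _pad(a, b):
    # Pad with zeros so '9' equals '9.0' instead of sorting below it.
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))

def is_affected(product, version):
    """True if below the fixed release, False if not, None if not covered."""
    fixed = FIXED_IN.get(product.strip().lower())
    if fixed is None:
        return None
    # Numeric comparison: as strings, '12.10' would wrongly sort below '12.3'.
    have, need = _pad(parse_version(version), fixed)
    return have < need

def triage(inventory):
    """Split (host, product, version) rows into patch / ok / review lists."""
    report = {"patch": [], "ok": [], "review": []}
    for host, product, version in inventory:
        try:
            verdict = is_affected(product, version)
        except ValueError:
            verdict = None  # odd version string: needs a human to look
        bucket = "review" if verdict is None else ("patch" if verdict else "ok")
        report[bucket].append(host)
    return report

# Constructed sample inventory (hypothetical hosts), e.g. from an MDM export.
SAMPLE_INVENTORY = [
    ("ipad-017", "iOS", "8.4.1"),
    ("iphone-203", "iOS", "9.0"),
    ("win-kiosk-4", "iTunes", "12.10.1"),
    ("mac-lab-2", "iTunes", "12.2.2"),
    ("watch-09", "watchOS", "1.0.1"),
    ("watch-11", "watchOS", "2.0"),
    ("iphone-310", "iOS", "9.0 beta"),
    ("mac-lab-3", "OS X", "10.10.5"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts)}")
```

Rows in the review bucket are products the advisory does not list or version strings that could not be parsed, so they are surfaced rather than silently treated as patched.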

