Multiple Vulnerabilities in Apple Products Could Allow Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2015-100

DATE(S) ISSUED:

08/13/2015

OVERVIEW:

Multiple vulnerabilities have been discovered in Apple iOS, OS X, and Safari. Apple iOS is an operating system for iPhone, iPod touch, and iPad. OS X is an operating system for Apple computers. Apple Safari is a web browser available for OS X and Microsoft Windows. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file, including an email attachment.

Successful exploitation could result in an attacker gaining the same privileges as the logged on user, remote code execution within the context of the application, and bypass of security restrictions. Failed attacks may still cause a Denial of Service condition within the targeted delivery method. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Apple OS X Yosemite prior to 10.10.5
  • Apple iOS prior to 8.4.1
  • Apple Safari 6 prior to 6.2.8
  • Apple Safari 7 prior to 7.1.8
  • Apple Safari 8 prior to 8.0.8

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
  • HIGH

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in iOS, Safari, and OS X that could allow remote code execution. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file. Details of these vulnerabilities are as follows:
  • Multiple vulnerabilities affect the 'Kernel' component, which could allow an attacker to execute arbitrary code. (CVE-2015-3802, CVE-2015-3805, CVE-2015-3768, CVE-2015-3776, CVE-2015-3766, CVE-2015-3806, CVE-2015-3803, CVE-2015-5747, CVE-2015-5748, CVE-2015-3761)
  • Multiple vulnerabilities affect the 'libxml2' component when handling a specially-crafted XML document. An attacker can exploit these issues to gain access to user information or cause a denial of service. (CVE-2015-3807, CVE-2012-6685)
  • Multiple vulnerabilities affect the 'ImageIO' component due to an uninitialized memory access error in ImageIO's handling of PNG and TIFF images, allowing access to process memory. (CVE-2015-5781, CVE-2015-5782, CVE-2015-5758)
  • Multiple memory-corruption vulnerabilities affect the 'CoreMedia Playback' component. An attacker can exploit these issues to terminate the application or execute arbitrary code. (CVE-2015-5777, CVE-2015-5778)
  • Multiple memory-corruption vulnerabilities affect the 'CoreText' component when handling specially-crafted font files. An attacker can exploit these issues to cause the application to terminate or execute arbitrary code. (CVE-2015-5755, CVE-2015-5761)
  • Multiple vulnerabilities affect the 'QL Office' component. An attacker can exploit these issues to cause the application to terminate or execute arbitrary code, or allow for information disclosure. (CVE-2015-5773, CVE-2015-3784)
  • Multiple memory-corruption vulnerabilities affect the 'Libc' component due to an error in the TRE library. An attacker can exploit these issues using a specially-crafted regular expression to cause the application to terminate or execute arbitrary code. (CVE-2015-3796, CVE-2015-3797, CVE-2015-3798)
  • A memory-corruption vulnerability affects the 'DiskImages' component when handling specially-crafted DMG image files. An attacker can exploit this issue to cause the application to terminate or execute arbitrary code with system privileges. (CVE-2015-3800)
  • A memory-corruption vulnerability affects the 'Libinfo' component due to an error in the handling of AF_INET6 sockets. An attacker can exploit this issue to cause the application to terminate or execute arbitrary code. (CVE-2015-5776)
  • A memory-corruption vulnerability affects the 'libpthread' component when handling syscalls. An attacker can exploit this issue using a specially-crafted application to execute arbitrary code with system privileges. (CVE-2015-5757)
  • Multiple memory-corruption vulnerabilities affect the 'FontParser' component when handling specially-crafted font files. An attacker can exploit these issues to cause the application to terminate or execute arbitrary code. (CVE-2015-3804, CVE-2015-5775, CVE-2015-5756)
  • A memory-corruption vulnerability affects the 'libxpc' component when handling specially-crafted XPC messages. An attacker can exploit this issue using a specially-crafted application to execute arbitrary code with system privileges. (CVE-2015-3795)
  • A local buffer-overflow vulnerability affects the 'IOHIDFamily' component when handling specially-crafted XPC messages. A local attacker can exploit this issue to execute arbitrary code with system privileges. (CVE-2015-5774)
  • An access bypass vulnerability affects the 'CloudKit' component due to a state inconsistency when signing out users. An attacker can exploit this issue using a specially-crafted application to access the iCloud user record of a previously signed-in user. (CVE-2015-3782)
  • A local authentication-bypass vulnerability exists due to a state management issue in the password authentication. An attacker can exploit this issue to change the password of a local user. (CVE-2015-3799)
  • An information-disclosure vulnerability affects the 'AppleGraphicsControl' component. An attacker can exploit this issue to disclose the kernel memory layout using a specially-crafted application. (CVE-2015-5768)
  • Multiple vulnerabilities affect the 'Bluetooth' component. An attacker can exploit these issues to execute arbitrary code with system privileges. (CVE-2015-3779, CVE-2015-3780, CVE-2015-3786, CVE-2015-3787, CVE-2015-3777)
  • A security vulnerability affects the 'bootp' component. Specifically, this issue occurs because a malicious Wi-Fi network may be able to determine networks a device has previously accessed. (CVE-2015-3778)
  • A memory-corruption vulnerability affects the 'Data Detectors Engine' component. Specifically, this issue occurs when processing a sequence of Unicode characters. This may lead to an unexpected application termination or arbitrary code execution. (CVE-2015-5750)
  • An authorization-bypass vulnerability affects the 'Date & Time pref pane' component. Specifically, this issue exists when modifying the system date and time preferences. (CVE-2015-3757)
  • A security-bypass vulnerability affects the 'Dictionary Application' component. Specifically, this issue occurs because it fails to properly secure user communications. An attacker can exploit this issue to intercept users' Dictionary app queries. (CVE-2015-3774)
  • An arbitrary code-execution vulnerability affects the 'dyld' component. Specifically, this issue occurs due to a path validation issue in 'dyld'. (CVE-2015-3760)
  • Multiple arbitrary code-execution vulnerabilities affect the 'Install Framework Legacy' component. Specifically, these issues exist in how Install.framework's 'runner' binary dropped privileges. (CVE-2015-5784, CVE-2015-5754)
  • Multiple memory-corruption vulnerabilities affect the 'IOFireWireFamily' component. A local attacker can exploit these issues to execute arbitrary code with system privileges. (CVE-2015-3769, CVE-2015-3771, CVE-2015-3772)
  • Multiple memory-corruption vulnerabilities affect the 'IOGraphics' component. An attacker can exploit these issues to execute arbitrary code with system privileges. (CVE-2015-3770, CVE-2015-5783)
  • A security-bypass vulnerability affects the 'Notification Center OSX' component. Specifically, this issue occurs because it fails to properly delete user notifications. An attacker can exploit this issue to access all notifications previously displayed to users. (CVE-2015-3764)
  • A memory-corruption vulnerability affects the 'ntfs' component. A local attacker can exploit this issue to execute arbitrary code with system privileges. (CVE-2015-5763)
  • A memory-corruption vulnerability affects the 'Quartz Composer Framework' component. An attacker can exploit this issue by sending a maliciously crafted QuickTime file. (CVE-2015-5771)
  • A security vulnerability affects the 'Quick Look' component. Specifically, this issue exists where 'QuickLook' had the capability to execute JavaScript. (CVE-2015-3781)
  • Multiple memory-corruption vulnerabilities affect the 'QuickTime 7' component. An attacker can exploit these issues by sending a maliciously crafted file. (CVE-2015-3772, CVE-2015-3779, CVE-2015-5753, CVE-2015-5779, CVE-2015-3765, CVE-2015-3788, CVE-2015-3789, CVE-2015-3790, CVE-2015-3791, CVE-2015-3792, CVE-2015-5751)
  • A heap-based buffer-overflow vulnerability affects the 'SceneKit' component. An attacker can exploit this issue by sending a maliciously crafted 'Collada' file. (CVE-2015-5772, CVE-2015-3783)
  • An authentication-bypass vulnerability affects the 'Security' component. Specifically, the issue occurs when handling user authentication. An attacker can exploit this issue to gain access to admin privileges without proper authentication. (CVE-2015-3775)
  • A memory-corruption vulnerability affects the 'SMBClient' component. An attacker can exploit this issue to cause unexpected application termination or arbitrary code execution. (CVE-2015-3773)
  • A memory-corruption vulnerability affects the 'Speech UI' component. An attacker can exploit this issue by sending a maliciously crafted Unicode string. (CVE-2015-3794)
  • An XML External Entity injection vulnerability affects the 'Text Formats' component. (CVE-2015-3762)
  • A memory-corruption vulnerability affects the 'udf' component. An attacker can exploit this issue by sending a maliciously crafted 'DMG' file. (CVE-2015-3767)
  • Safari is prone to multiple security-bypass vulnerabilities because it allows a malicious website to display an arbitrary URL when navigating to a specially-crafted URL. Specifically, these issues affect the 'WebKit Process Model' and 'Web' components. (CVE-2015-3755)
  • WebKit is prone to multiple security-bypass and memory-corruption vulnerabilities, which could allow for arbitrary code execution. (CVE-2015-3730, CVE-2015-3731, CVE-2015-3732, CVE-2015-3733, CVE-2015-3734, CVE-2015-3735, CVE-2015-3736, CVE-2015-3737, CVE-2015-3738, CVE-2015-3739, CVE-2015-3740, CVE-2015-3741, CVE-2015-3742, CVE-2015-3743, CVE-2015-3744, CVE-2015-3745, CVE-2015-3746, CVE-2015-3747, CVE-2015-3748, CVE-2015-3749, CVE-2015-3750, CVE-2015-3751, CVE-2015-3752, CVE-2015-3753)

Successful exploitation could result in an attacker gaining the same privileges as the logged on user, remote code execution within the context of the application, and the ability to bypass the security systems. Failed attacks may still cause a Denial of Service condition within the targeted delivery method. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Upgrade to Apple OS X Yosemite 10.10.5 immediately after appropriate testing.
  • Apply appropriate updates provided by Apple to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from untrusted or unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
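
To decide which hosts need the updates recommended above, an asset inventory can be compared against the fixed versions listed under SYSTEMS AFFECTED. The following is an added example, not part of the original advisory; the product keys, the `(host, product, version)` record layout and the sample inventory are assumptions constructed for illustration.

```python
# Added example: thresholds copied from SYSTEMS AFFECTED in this advisory.
# Product keys and the (host, product, version) record layout are assumptions.
# Each product maps a release-branch prefix to the first fixed version.
FIXED = {
    "os x": {(10, 10): (10, 10, 5)},   # Yosemite branch only
    "ios": {(): (8, 4, 1)},            # any release prior to 8.4.1
    "safari": {(6,): (6, 2, 8), (7,): (7, 1, 8), (8,): (8, 0, 8)},
}

def parse_version(text):
    """'10.10.4' -> (10, 10, 4); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(product, version):
    """Return 'vulnerable', 'patched', 'not-listed' or 'unknown'."""
    branches = FIXED.get(product.strip().lower())
    if branches is None:
        return "not-listed"            # product is outside this advisory
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"               # unreadable version: check by hand
    for prefix, fixed in branches.items():
        if v[:len(prefix)] == prefix:
            # Pad short versions so that '10.10' compares as 10.10.0.
            padded = v + (0,) * (len(fixed) - len(v))
            return "vulnerable" if padded < fixed else "patched"
    # A branch the advisory does not name (for example Safari 9) is not
    # reported as patched; it is simply not covered by this advisory.
    return "not-listed"

def triage(inventory):
    """Return records that need the update or a manual version check."""
    flagged = []
    for host, product, version in inventory:
        status = classify(product, version)
        if status in ("vulnerable", "unknown"):
            flagged.append((host, product, version, status))
    return flagged

# Constructed sample inventory (not real hosts).
INVENTORY = [
    ("mac-01", "OS X", "10.10.4"),
    ("mac-02", "OS X", "10.10.5"),
    ("mac-03", "OS X", "10.10.x"),
    ("pad-01", "iOS", "8.4"),
    ("mac-04", "Safari", "7.1.8"),
    ("mac-05", "Safari", "6.2.7"),
]

if __name__ == "__main__":
    for record in triage(INVENTORY):
        print(*record)
```

A `not-listed` result means only that the advisory does not name that product or branch, so those hosts still need to be checked against Apple's own update notes.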

REFERENCES:

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6685 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3730 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3731 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3732 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3733 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3734 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3735 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3736 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3737 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3738 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3739 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3740 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3741 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3742 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3743 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3744 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3745 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3746 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3747 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3748 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3749 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3750 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3751 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3752 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3753 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3755 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3757 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3760 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3761 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3762 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3764 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3765 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3766 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3767 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3768 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3769 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3770 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3771 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3772 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3772 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3773 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3774 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3775 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3776 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3777 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3778 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3779 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3779 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3780 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3781 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3782 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3783 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3784 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3786 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3787 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3788 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3789 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3790 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3791 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3792 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3794 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3795 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3796 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3797 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3798 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3799 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3800 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3802 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3803 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3804 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3805 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3806 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3807 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5747 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5748 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5750 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5751 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5753 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5754 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5755 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5756 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5757 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5758 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5761 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5763 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5768 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5771 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5772 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5773 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5774 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5775 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5776 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5777 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5778 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5779 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5781 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5782 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5783 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5784
