
Multiple Vulnerabilities in Apple Products Could Allow Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2015-039

DATE(S) ISSUED:

04/08/2015

OVERVIEW:

Multiple vulnerabilities have been discovered in Apple's Mac OS X, Safari, iOS, and Xcode products that could allow remote code execution. Apple Safari is a web browser available for Mac OS X and Microsoft Windows. iOS is the operating system used by Apple's mobile devices. Xcode is a software development tool for building OS X and iOS applications. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file, including an email attachment, using a vulnerable version of Mac OS X, Apple Safari, or iOS. Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

At this time there is no known proof-of-concept code available.

SYSTEMS AFFECTED:

  • Apple TV Prior To 7.2
  • Apple iOS Prior To 8.3
  • Apple Safari 6 Prior To 6.2.5
  • Apple Safari 7 Prior To 7.1.5
  • Apple Safari 8 Prior To 8.0.5
  • Apple Mac OS X Prior To 10.10.3
  • Apple Xcode Prior To 6.3
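
To triage an asset inventory against the list above, the following added example (not part of the MS-ISAC advisory) compares installed versions with the fixed versions and handles the per-branch Safari thresholds. The product names used as keys, the "unknown" status for unlisted Safari branches or unparseable version strings, and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed versions copied from the SYSTEMS AFFECTED list. Key None means one
# threshold for the whole product; Safari is fixed per major branch.
FIXED = {
    "apple tv": {None: "7.2"},
    "ios": {None: "8.3"},
    "safari": {6: "6.2.5", 7: "7.1.5", 8: "8.0.5"},
    "mac os x": {None: "10.10.3"},
    "xcode": {None: "6.3"},
}

def parse_version(text):
    """Turn '10.10.3' into (10, 10, 3); reject anything that is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def pad(a, b):
    """Right-pad with zeros so that 7.2 and 7.2.0 compare as equal."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))

def status(product, version):
    """Return 'affected', 'patched' or 'unknown' for one inventory record."""
    thresholds = FIXED.get(product.strip().lower())
    if thresholds is None:
        return "unknown"  # product not covered by this advisory
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"  # beta/build strings need manual review
    fixed = thresholds.get(None) or thresholds.get(installed[0])
    if fixed is None:
        return "unknown"  # Safari branch the advisory does not list
    installed, fixed = pad(installed, parse_version(fixed))
    return "affected" if installed < fixed else "patched"

def triage(inventory):
    """Map (host, product, version) records to (host, status) pairs."""
    return [(host, status(product, version)) for host, product, version in inventory]

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = [
    ("mac-01", "Mac OS X", "10.10.2"),
    ("mac-02", "Mac OS X", "10.10.3"),
    ("mac-03", "Safari", "7.1.4"),
    ("mac-04", "Safari", "5.1.10"),
    ("atv-01", "Apple TV", "7.2.0"),
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE):
        print(f"{host}: {result}")
```

Records that come back "unknown" are left for manual review rather than being treated as patched.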

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: HIGH

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Apple's Mac OS X, Safari, iOS, and Xcode. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file. Details of these vulnerabilities are as follows:

Users may be tracked by malicious websites using client certificates. [CVE-2015-1129]
Notifications preferences may reveal users' browsing history in private browsing mode [CVE-2015-1128]
Users' browsing history may not be completely purged [CVE-2015-1112]
Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution [CVE-2015-1119, CVE-2015-1120, CVE-2015-1121, CVE-2015-1122, CVE-2015-1124]
Users' browsing history in private mode may be indexed [CVE-2015-1127]
Visiting a maliciously crafted website may lead to resources of another origin being accessed [CVE-2015-1126]
A process may gain admin privileges without properly authenticating [CVE-2015-1130]
Multiple vulnerabilities exist in Apache versions prior to 2.4.10 and 2.2.29, including one that may allow a remote attacker to execute arbitrary code. [CVE-2013-0118, CVE-2013-5704, CVE-2013-6438, CVE-2014-0098, CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, CVE-2014-3523]
A local user may be able to execute arbitrary code with system privileges [CVE-2015-1131, CVE-2015-1132, CVE-2015-1133, CVE-2015-1134, CVE-2015-1135]
A cross-domain cookie issue exists in redirect handling. Cookies set in a redirect response could be passed on to a redirect target belonging to another origin. [CVE-2015-1089]
A cross-domain HTTP request headers issue exists in redirect handling. HTTP request headers sent in a redirect response could be passed on to another origin. [CVE-2015-1091]
Visiting a maliciously crafted website may lead to arbitrary code execution [CVE-2015-1088]
A use-after-free vulnerability exists in CoreAnimation, allowing maliciously crafted websites to potentially execute arbitrary code. [CVE-2015-1136]
Processing a maliciously crafted font file may lead to arbitrary code execution [CVE-2015-1093]
A local user may be able to execute arbitrary code with system privileges [CVE-2015-1137]
A local application may be able to cause a denial of service [CVE-2015-1138]
Processing a maliciously crafted .sgi file may lead to arbitrary code execution [CVE-2015-1139]
A malicious HID device may be able to cause arbitrary code execution [CVE-2015-1095]
A local user may be able to execute arbitrary code with system privileges [CVE-2015-1140]
A local user may be able to determine kernel memory layout [CVE-2015-1096]
A heap buffer overflow exists in IOHIDFamily's handling of key-mapping properties, allowing a malicious application to potentially execute arbitrary code with system privileges. [CVE-2014-4404]
A null pointer dereference exists in IOHIDFamily's handling of key-mapping properties, allowing a user to potentially execute arbitrary code with system privileges. [CVE-2014-4405]
A user may be able to execute arbitrary code with system privileges [CVE-2014-4380]
A local user may be able to cause unexpected system shutdown [CVE-2015-1141]
A race condition exists in the kernel's setreuid system call, allowing a local user to potentially cause a system denial of service. [CVE-2015-1099]
A local application may escalate privileges using a compromised service intended to run with reduced privileges [CVE-2015-1117]
An attacker with a privileged network position may be able to redirect user traffic to arbitrary hosts [CVE-2015-1103]
An attacker with a privileged network position may be able to cause a denial of service [CVE-2015-1102]
A local user may be able to cause unexpected system termination or read kernel memory [CVE-2015-1100]
A remote attacker may be able to bypass network filters [CVE-2015-1104]
A local user may be able to execute arbitrary code with kernel privileges [CVE-2015-1101]
A remote attacker may be able to cause a denial of service [CVE-2015-1105]
A local user may be able to cause the Finder to crash [CVE-2015-1142]
A local user may be able to execute arbitrary code with system privileges [CVE-2015-1143]
Processing a maliciously crafted configuration profile may lead to unexpected application termination [CVE-2015-1118]
A remote attacker may brute force ntpd authentication keys [CVE-2014-9298]
A remote unauthenticated client may be able to cause a denial of service [CVE-2015-1545, CVE-2015-1546]
Multiple vulnerabilities in OpenSSL [CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204]
A password might be sent unencrypted over the network when using Open Directory from OS X Server [CVE-2015-1147]
Multiple vulnerabilities exist in PHP versions prior to 5.3.29, 5.4.38, and 5.5.20, including one which may allow arbitrary code execution. [CVE-2013-6712, CVE-2014-0207, CVE-2014-0237, CVE-2014-0238, CVE-2014-2497, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, CVE-2014-3538, CVE-2014-3587, CVE-2014-3597, CVE-2014-3668, CVE-2014-3669, CVE-2014-3670, CVE-2014-3710, CVE-2014-3981, CVE-2014-4049, CVE-2014-4670, CVE-2014-4698, CVE-2014-5120]
Opening a maliciously crafted iWork file may lead to arbitrary code execution [CVE-2015-1098]
Viewing a maliciously crafted Collada file may lead to arbitrary code execution [CVE-2014-8830]
A user's password may be logged to a local file [CVE-2015-1148]
Tampered applications may not be prevented from launching [CVE-2015-1145, CVE-2015-1146]
A local user may be able to execute arbitrary code with system privileges [CVE-2015-1144]
Visiting a maliciously crafted website may lead to arbitrary code execution [CVE-2015-1069]
A malicious application may be able to guess the user's passcode [CVE-2015-1085]
A malicious application may be able to execute arbitrary code with system privileges [CVE-2015-1086]
An attacker may be able to use the backup system to access restricted areas of the file system [CVE-2015-1087]
A user may be unable to fully delete browsing history [CVE-2015-1090]
An application using NSXMLParser may be misused to disclose information [CVE-2015-1092]
A malicious application may be able to determine kernel memory layout [CVE-2015-1094, CVE-2015-1097]
QuickType could learn users' passcodes [CVE-2015-1106]
An attacker in possession of a device may prevent erasing the device after failed passcode attempts [CVE-2015-1107]
An attacker in possession of a device may exceed the maximum number of failed passcode attempts [CVE-2015-1108]
An attacker in possession of a device may be able to recover VPN credentials [CVE-2015-1109]
Unnecessary information may be sent to external servers when downloading podcast assets [CVE-2015-1110]
A user may be unable to fully delete browsing history [CVE-2015-1111]
Users' browsing history may not be completely purged [CVE-2015-1112]
A malicious application may be able to access phone numbers or email addresses of recent contacts [CVE-2015-1113]
Hardware identifiers may be accessible by third-party apps [CVE-2015-1114]
A malicious application may be able to access restricted telephony functions [CVE-2015-1115]
Sensitive data may be exposed in application snapshots presented in the Task Switcher [CVE-2015-1116]
Inconsistent user interface may prevent users from discerning a phishing attack [CVE-2015-1084]
Visiting a maliciously crafted website may lead to arbitrary code execution [CVE-2015-1068, CVE-2015-1069, CVE-2015-1070, CVE-2015-1071, CVE-2015-1072, CVE-2015-1073, CVE-2015-1074, CVE-2015-1076, CVE-2015-1077, CVE-2015-1078, CVE-2015-1079, CVE-2015-1080, CVE-2015-1081, CVE-2015-1082, CVE-2015-1119, CVE-2015-1120, CVE-2015-1121, CVE-2015-1122, CVE-2015-1123, CVE-2015-1124]
Visiting a maliciously crafted website may lead to a user invoking a click on another website [CVE-2015-1125]
An integer overflow issue exists in the simulator that could lead to conversions returning unexpected values. [CVE-2015-1149]
Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Apple to affected systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download or open files from untrusted websites, unknown users, or suspicious emails.
  • Remind users not to click links from unknown sources, or to click links without verifying the intended destination.

REFERENCES:

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0118 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2497 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3523 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3587 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3597 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3668 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3981 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4380 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4404 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4405 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4670 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4698 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5120 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8830 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9298 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1068 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1069 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1069 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1070 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1071 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1072 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1073 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1074 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1076 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1077 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1078 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1079 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1080 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1081 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1082 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1084 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1085 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1086 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1087 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1088 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1089 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1090 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1091 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1092 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1093 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1094 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1095 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1096 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1097 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1098 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1099 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1100 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1101 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1102 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1103 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1104 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1105 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1106 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1107 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1108 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1109 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1110 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1111 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1112 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1112 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1113 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1114 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1115 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1116 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1117 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1118 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1119 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1119 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1120 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1120 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1121 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1121 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1122 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1122 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1123 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1124 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1124 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1125 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1126 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1127 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1128 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1129 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1130 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1131 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1132 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1133 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1134 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1135 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1136 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1137 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1138 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1139 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1140 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1141 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1142 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1143 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1144 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1145 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1146 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1147 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1148 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1149 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546
