October 5, 2015

Apple fixes security vulnerabilities in Safari, OS X, iOS and Apple TV

Apple-logo(LiveHacking.Com) – Apple has released a massive set of security fixes to address vulnerabilities in OS X, iOS, Safari, and Apple TV. The update for OS X is largest of all the patches and addresses 80 unique vulnerabilities. The OS X Yosemite v10.10.3 update is available for OS X Yosemite v10.10 to v10.10.2, while Security Update 2015-004 is available for OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.5.

Of particular interest is a fix to several CVEs raised by Ian Beer of Google Project Zero. Multiple input validation issues existed in fontd, and as a result a local user may be able to execute arbitrary code with system privileges.

Apple also fixed a use-after-free issue that existed in CoreAnimation, an input validation issue that existed within OS X’s URL processing, and a memory corruption issue that existed in WebKit. Because of these, visiting a maliciously crafted website could have led to arbitrary code execution.

Other “arbitrary code execution” vulnerabilities fixed by Apple include:

  • Multiple memory corruption issues that existed in the processing of font files (CVE-2015-1093 : Marc Schoenefeld).
  • A memory corruption issue that existed in the handling of .sgi files.
  • A memory corruption issue that existed in an IOHIDFamily API (CVE-2015-1095 : Andrew Church).
  • A memory corruption issue that existed in the handling of iWork files (CVE-2015-1098 : Christopher Hickstein).
  • A heap buffer overflow existed in SceneKit’s handling of Collada files (CVE-2014-8830 : Jose Duart of Google Security Team).

Apple also update the bundled version of Apache in OS X. Multiple vulnerabilities existed in Apache versions prior to 2.4.10 and 2.2.29, including one that may allow a remote attacker to execute arbitrary code. These issues were addressed by updating Apache to versions 2.4.10 and 2.2.29.

Likewise it also updated the bundled version of PHP. Multiple vulnerabilities existed in PHP versions prior to 5.3.29, 5.4.38, and 5.5.20, including one which may have led to arbitrary code execution. This update addresses the issues by updating PHP to versions 5.3.29, 5.4.38, and 5.5.20.

The update for iOS addresses 58 separate CVE entries, while Apple TV 7.2 fixes 38 unique CVEs. The fixes for Safari updates the browser to Safari 8.0.5, Safari 7.1.5, and Safari 6.2.5 respectively. In total the Safari update addresses 10 different CVEs.

You can get more information on these updates on Apple’s Security Updates web site: https://support.apple.com/kb/HT1222

Apple updates iOS, OS X and Apple TV in monster patch release

ios8-logo(LiveHacking.Com) – Following Google’s disclose of a number of zero day vulnerabilities in OS X, Apple has released a huge set of patches that fix a range of Critical security problems on OS X, iOS, Apple TV, and Safari.

Starting with OS X, Apple’s patches fix 54 separate CVEs including 11 from Google’s Project Zero. Among the fixes are patches for the 3 bugs which Google disclosed last week:

  • An error existed in the Bluetooth driver that allowed a malicious application to control the size of a write to kernel memory.
  • Multiple type confusion issues existed in coresymbolicationd’s handling of XPC messages.
  • A memory access issue existed in the handling of IOUSB controller user client functions.

A security vulnerability in the Intel graphics driver is also credited to Google’s project zero. According to the release notes, multiple vulnerabilities existed in the Intel graphics driver, the most serious of could lead to arbitrary code execution with system privileges.

Another six CVE’s were reported to Apple from another of Google security groups, this time the Google Security Team. Among its catches are a bug in the kernel: Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content.

The security update is available for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1. You can read the full details here: http://support.apple.com/en-us/HT1222

Since iOS and OS X share much of the same code (certainly at the lower levels), Apple also released an update to its mobile operating system with many of the same fixes. The iOS update addresses 33 different CVEs and fixes some of the same vulnerabilities from Google’s Project Zero. You can read more about iOS 8.1.3 here: http://support.apple.com/kb/HT204245

Like iOS, Apple TV also uses lots of the same core technologies as OS X. In response to Google’s disclosures and in the light of other security issues, Apple has released Apple TV 7.0.3. It addresses 29 different CVEs including the disclosed problems with XPC: Multiple type confusion issues existed in networkd’s handling of interprocess communication. By sending a maliciously formatted message to networkd, it could be possible to execute arbitrary code as the networkd process.

Apple TV 7.0.3 is available for all 3rd generation and later Apple TV boxes. Full details can be found here: http://support.apple.com/kb/HT204246

To round off this huge security update, Apple has also updated Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3 on OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.1 to fix a series of memory issues with WebKit. If exploited these vulnerabilities could allow an attacker to run arbitrary code on a victim’s Mac, if tricked into visiting a maliciously crafted website.

Apple has also updated its web plug-in blocking mechanism to disable all versions prior to Flash Player and

Apple patches security flaws in iOS 8, OS X 10.10 and Apple TV 7

Apple-logo(LiveHacking.Com) – Apple has released new versions of three of its major software products. The new versions of iOS, OS X and Apple TV address multiple security vulnerabilities. iOS 8.1.1, which is available for the iPhone 4s and later; the iPod touch (5th generation) and later; and the iPad 2 and later; addresses nine separate vulnerabilities. Apple TV 7.0.2, which is available for Apple TV 3rd generation and later, addresses four vulnerabilities, all of which are common with the iOS release. OS X 10.10.1 patches four flaws, two of which are common with the iOS release and two which are specific to OS X.

The common fixes are as follows:

  • iOS and OS X: A privacy issue existed where browsing data could remain in the cache after leaving private browsing. (CVE-2014-4460)
  • iOS and OS X: The initial connection made by Spotlight or Safari to the Spotlight Suggestions servers included a user’s approximate location before a user entered a query. (CVE-2014-4453)
  • iOS and Apple TV: A state management issue existed in the handling of Mach-O executable files with overlapping segments. (CVE-2014-4455)
  • iOS and Apple TV: A malicious application may be able to execute arbitrary code with system privileges due to a validation issue that existed in the handling of certain metadata fields in IOSharedDataQueue objects. (CVE-2014-4461)
  • iOS and Apple TV: Due to multiple memory corruption issues in WebKit, visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. (CVE-2014-4452 and CVE-2014-4462)

The iOS specific fixes are:

  • In some circumstances, the failed passcode attempt limit was not enforced. (CVE-2014-4451)
  • The Leave a Message option in FaceTime may have allowed viewing and sending photos from the device. (CVE-2014-4463)
  • A permissions issue existed with the debugging functionality for iOS that allowed the spawning of applications on trusted devices that were not being debugged. (CVE-2014-4457)

The OS X only patches are:

  • The request made by About This Mac to determine the model of the system and direct users to the correct help resources included unnecessary cookies. (CVE-2014-4458)
  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution due to a use after free issue existed in the handling of page objects. (CVE-2014-4459)

More information about all these patches can be found on Apple’s Security Updates web site: http://support.apple.com/kb/HT1222

Apple release iOS 8.1 and Apple TV 7.0.1 with new security patches

Apple-logo(LiveHacking.Com) – Apple has released iOS 8.1, primarily to activate Apple Pay, but also to patch five CVE-listed vulnerabilities including fixes for a Bluetooth flaw and  a fix for the infamous SSL 3.0 POODLE security vulnerability.

POODLE (Padding Oracle On Downgraded Legacy Encryption) is the moniker given to a flaw in the SSL 3.0 protocol. SSL 3.0 is considered old and obsolete. It has been replaced by its successors TLS 1.0, TLS 1.1, and TLS 1.2. However many system still support SSL 3.0 for compatibility reasons. Many systems retry failed secure connections with older protocol versions, including SSL 3.0. This means that a hacker can trigger the use of SSL 3.0 and try to exploit POODLE.

The vulnerability only exists when the SSL 3.0 cipher suite uses a block cipher in CBC mode. As a result, Apple has disabled CBC cipher suites when TLS connection attempts fail in iOS 8.1.

Apple also fixed a flaw would could allow a malicious Bluetooth device to bypass pairing. According to Apple, “unencrypted connections were permitted from Human Interface Device-class Bluetooth Low Energy accessories. If an iOS device had paired with such an accessory, an attacker could spoof the legitimate accessory to establish a connection. The issue was addressed by denying unencrypted HID connections.”

With the recent spate of leaked celebrity photos, Apple’s iCloud service has remained under the spotlight. According to Apple a flaw has been fixed which could allow an attacker in a privileged network position to force iCloud data access clients to leak sensitive information. The problem is connected with a TLS certificate validation vulnerability that existed in the iCloud data access clients on previous versions of iOS.

Apple TV 7.0.1

The update to Apple TV is smaller than the changes to iOS, however just as significant. Like the iOS 8.1 release, Apple TV 7.0.1 denies unencrypted HID connections to block malicious Bluetooth input devices that try to bypass pairing. iOS 8.1 also disables CBC cipher suites when TLS connection attempts fail, this is needed to stop hackers trying to exploit the POODLE flaw in SSL 3.0.

Apple TV will periodically check for software updates and will install the update on the next check. However if you want to manually check for software updates go to “Settings -> General -> Update Software”.

Apple fixes 44 security bugs in iOS

Apple-logo(LiveHacking.Com) – Apple has released a new point release of iOS 7 to address 44 different security issues with Apple’s mobile operating system. Among the patches are bug fixes for vulnerabilities in the iOS kernel, and fixes for errors in “launchd,” which could allow a malicious application to execute arbitrary code with system privileges. There are also lots of fixes for WebKit, the HTML rendering engine used by Safari.

The kernel vulnerability, which could cause an iOS device to unexpectedly restart, exists because of a null pointer de-reference in the handling of IOKit API arguments. This problem was addressed through additional validation of IOKit API arguments.

launchd has been patched quite extensively in this release. The program is responsible for starting, stopping and managing back ground processes and apps on iOS. According to Apple’s security notice for iOS 7.1.2, launchd has several different vulnerabilities including a heap buffer overflow in the handling of IPC messages, a heap buffer overflow in the handling of log messages, and some unspecified integer overflow/underflow issues. All of these could possibly allow a malicious application to execute arbitrary code with system privileges.

The WebKit HTML rendering engine was also heavily patched with 28 unique bugs being squashed. Many of the bugs were discovered either by Google’s Chrome Security Team or by renowned security researchers like “miaubiz” who were participating in Google’s Vulnerability Rewards Program for Chromium. However Apple did find several bugs on its own. In total, the discovery of 12 of the 28 vulnerabilities is attributed (or co-attributed) to Apple. The result of the “multiple memory corruption issues” in WebKit was that a user visiting a maliciously crafted website could lead to an unexpected application termination or arbitrary code execution.

Two other WebKit vulnerabilities were also found by Erling Ellingsen of Facebook. The first was an encoding issue that existed in the handling of unicode characters in URLs. The result was that a malicious site could send messages to a connected frame or window in a way that might circumvent the receiver’s origin check. The other problem was a spoofing issue that existed in the handling of URLs.

Another interesting issue fixed in this version of iOS was a problem with Siri and lock codes. If a Siri request referred to one of several possible contacts, Siri displayed a list of choices and the option ‘More…’ for a complete contact list. When used at the lock screen, Siri did not require the passcode before viewing the complete contact list.

iOS 7.1.2 is available now for the iPhone 4 and later, the iPod touch (5th generation) and later, and the iPad 2 and later.

Apple updates OS X, iOS, Apple TV and AirPort

Apple-logoApple has released a slew of updates for several of its key platforms to fix a range of security issues including some related to the OpenSSL HeartBleed bug. According to the release notes for AirPort Base Station Firmware Update 7.7.3, the new software contains a fix for an out-of-bounds memory issue in the OpenSSL library when handling TLS heartbeat extension packets (i.e. the HeartBleed bug). Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected.

For iOS, Apple TV and OS X, Apple also released a set of patches one of which also applies to sessions protected by SSL. Known as a “triple handshake” attack, it was possible for an attacker to create two connections using the same keys and handshake. As a result an attacker could insert data into one connection and renegotiate so that the connections are forwarded to each other. To work around this scenario Apple has changed the SSL renegotiation code so that  the same server certificate needs to be presented as in the original connection.

The update to OS X is called Security Update 2014-002 and has various changes for  OS X 10.7 Lion, OS X 10.8 Mountain Lion and OS X 10.9 Mavericks. The changes are as follows:

  • Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie.
  • A format string issue existed in the CoreServicesUIAgent’s handling of URLs.
  • A buffer underflow existed in the handling of fonts in PDF files.
  • A reachable abort existed in the Heimdal Kerberos’ handling of ASN.1 data. This meant that a remote attacker could cause a denial of service.
  • A buffer overflow issue existed in ImageIO’s handling of JPEG images.
  • A validation issue existed in the Intel Graphics Driver’s handling of a pointer from userspace. As a result a malicious application could take control of the system.
  • A set of kernel pointers stored in an IOKit object could be retrieved from userland.
  • A kernel pointer stored in a XNU object could be retrieved from userland.
  • If a key was pressed or the trackpad touched just after the lid was closed, the system might have tried to wake up while going to sleep, which would have caused the screen to be unlocked. This issue was addressed by ignoring keypresses while going to sleep.
  • An integer overflow issue existed in LibYAML’s handling of YAML tags as used by Ruby.
  • A heap-based buffer overflow issue existed in Ruby when converting a string to a floating point value.
  • WindowServer sessions could be created by sandboxed applications.

Apple has also updated iOS 7 with the release of iOS 7.1.1. It patches the same Set-Cookie HTTP headers bug as found in OS X plus it updates WebKit (the HTML rendering engine used by mobile Safari) to fix a number of issues, many of which were found by Google (for its Chrome browser). The new Apple TV 6.1.1 firmware has the same changes as iOS 7.1.1 and addresses the Set-Cookie HTTP headers bug and also patches WebKit.

You can get more information on Apple’s security updates here: http://support.apple.com/kb/HT1222

Apple fixes security vulnerabilities with release of iOS 7.1 and Apple TV 6.1

iosApple has released a new version of its popular iOS platform for the iPhone 4 and later, the iPod touch (5th generation) and later, and iPad 2 and later. It has also released a new version of the Apple TV platform for Apple TV 2nd generation units and later.

iOS 7.1 adds a range of new features  but crucially it also fixes a wide variety of security issues including fixes to the WebKit HTML rendering engine used by Safari. In a ironic twist Apple has credited four of the fixes to the evad3rs jailbreak team. According to Apple the following fixes were made to tackle the jailbreakers techniques:

  • A symbolic link in a backup would be restored, allowing subsequent operations during the restore to write to the rest of the filesystem. This issue was addressed by checking for symbolic links during the restore process. CVE-2013-5133 : evad3rs
  • CrashHouseKeeping followed symbolic links while changing permissions on files. This issue was addressed by not following symbolic links when changing permissions on files. CVE-2014-1272 : evad3rs
  • Text relocation instructions in dynamic libraries may be loaded by dyld without code signature validation. This issue was addressed by ignoring text relocation instructions. CVE-2014-1273 : evad3rs
  • An out of bounds memory access issue existed in the ARM ptmx_get_ioctl function. This issue was addressed through improved bounds checking. CVE-2014-1278 : evad3rs

The oldest bug fixed was CVE-2012-2088 which was fixed in OS X in March 2013. Because of a buffer overflow in libtiff’s handling of TIFF images, viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution. This issue was fix through additional validation of TIFF images. Other fixed bugs which could lead to arbitrary code execution include: a buffer overflow that existed in the handling of JPEG2000 images in PDF files, CVE-2014-1275 : Felix Groebert of the Google Security Team; a double free issue that existed in the handling of Microsoft Word documents, CVE-2014-1252 : Felix Groebert of the Google Security Team; and a memory corruption issue that existed in the handling of USB messages, CVE-2014-1287 : Andy Davis of NCC Group.

Apple has posted a document online describing the full security content of iOS 7.1.

Apple TV

Simultaneously with the iOS 7.1 release, Apple also released Apple TV 6.1. Many of the same bugs are addressed including three by the evad3rs jailbreak team along with the other arbitrary code execution vulnerabilities. One specific Apple TV vulnerability allowed an attacker with access to an Apple TV to access sensitive user information from the log files. The problem was that this sensitive user information was being logged by the system. This issue was fixed by altering the logging output.

Apple’s website contains more information about the security content of Apple TV 6.1.

iOS 6.1 released by Apple with dozens of security fixes

ios6(LiveHacking.Com) – Apple has released an upgrade for the iOS firmware running on its range of smartphones and tablets. iOS 6.1 adds some new features, including LTE support for extra carriers and the ability for iTunes Match subscribers to download individual songs from iCloud, and to fix dozens of security vulnerabilities.

The fixes come  in two categories, iOS specific fixes and WebKit fixes. Since various parts of iOS rely heavily on WebKit including the iTunes stores and the Safari web browser these WebKit fixes impact the whole of iOS.

First the iOS specific fixes. Apple lists several crucial fixes including:

  • An error handling issue existed in Identity Services. If the user’s AppleID certificate failed to validate, the user’s AppleID was assumed to be the empty string. If multiple systems belonging to different users enter this state, applications relying on this identity determination may erroneously extend trust.
  • Visiting a maliciously crafted website may lead to a cross-site scripting attack.
  • JavaScript may be enabled in Mobile Safari without user interaction. If a user disabled JavaScript in Safari Preferences, visiting a site which displayed a Smart App Banner would re-enable JavaScript without warning the user.

There are also two fixes which are shared with the recent Apple TV 5.2 release:

  • A user-mode process may be able to access the first page of kernel memory.
  • A remote attacker on the same WiFi network may be able to temporarily disable WiFi because of an out of bounds read issue exists in Broadcom’s BCM4325 and BCM4329 firmware’s handling of 802.11i information elements.

The WebKit changes fix vulnerabilities where visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution because of different  memory corruption issues in WebKit. Many of these problem where previously fixed by Google in its Chrome web browser. There is also a WebKit fix for and issue where copying and pasting content on a malicious website may lead to a cross-site scripting attack.

Finally, the update also deals with the intermediate CA certificates that were issued by TURKTRUST.

iOS 6.1 is available for iPhone 3GS and later, iPod touch (4th generation) and later and iPad 2 and later.

Apple releases iOS 6.0.1 and Safari 6.0.2

(LiveHacking.Com) – Apple has released updates for it mobile device operating system iOS and its OS X web browser Safari. Both releases fix a number of security bugs.

The WebKit related fixes are both the same for iOS and Safari. The first and biggest bug fixed is the use after free issue in the handling of SVG images which was used by Pinkie Pie to win $60,000 at Google’s Pwnium 2 contest. The other WebKit error is with the handling of JavaScript arrays. Both errors can lead to an unexpected application termination or arbitrary code execution.

The iOS 6.0.1 also contains two additional fixes: an information disclosure issue in the handling of APIs related to kernel extensions and a problem where a person with physical access to an iOS device may be able to access Passbook passes without entering a passcode.

The kernel API problem meant that maliciously crafted or compromised iOS applications may be able to determine addresses in the kernel and so possibly bypass address space layout randomization protection.

iOS 6.0.1 is now available iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later. Safari 6.0.2 is now available OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.2.

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222.

Will Apple fix SMS spoofing flaw before iOS 6 is released?

(LiveHacking.Com) – As demonstrated many times, social engineering is a key method used by hackers to solicit personal information from victims and now, due to a new SMS spoofing flaw which has been discovered on the iPhone, users need to be extra careful about trusting text messages they receive on their phones.

Security researcher “pod2g” has found a serious flaw in the way iOS processes SMS messages that leaves iPhone users open to spoofing.

This means that an attacker can spoof messages from a victim’s bank asking them for some private information, or linking to phishing website and, because of the flaw, the message look genuine. Also false messages can be sent to a device and used as false evidence. In fact, pod2g writes that the spoofing can be use to do “anything you can imagine that could be utilized to manipulate people, letting them trust somebody or some organization [that] texted them.”

This flaw has existed since 2007, when the first iPhone was released, and still hasn’t been addressed with iOS 6  beta 4.

SMS messages are converted to complex PDU (Protocol Description Unit) packets  for delivery. As part of the payload, a section called UDH (User Data Header) allows the sender to add a reply-to number. If included, any replies written by the receiver will be sent to that number rather than the original number.

The problem with the iPhone SMS app is that the reply-to address is displayed rather than the genuine originator number. This means a message can be sent from one device and made to look like it came from another. What should happen is that if the reply-to and originator numbers are different both should be shown or a warning displayed.

Tools exist for smartphones and even online for sending raw PDU messages meaning that these fake messages are relatively easy to generate.

“Apple takes security very seriously,” representatives from the Cupertino, Calif.-based company told The Verge on Saturday. “When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks.”

“Now you are alerted. Never trust any SMS you received on your iPhone at first sight,” wrote pod2g.

The question now remains, will Apple fix this before iOS 6 is released?