Apple has issued a slew of security updates addressing a wide swath of vulnerabilities in its Safari Web browser, Mavericks desktop operating system, iOS mobile platform and content streaming AppleTV product.
Apple doesn’t rate the severity of the vulnerabilities it fixes nor does it advise on which patches should be prioritized for installation. However, a number of the updates appear to resolve fairly critical issues, with fixes for application sandbox escape, address space layout randomization circumvention, arbitrary code execution, privilege escalation and other severe vulnerabilities.
Apple posted 15 bulletins addressing vulnerabilities affecting Mac OS X Mavericks and other recent iterations of that operating system.
An unvalidated array index issue in the way Dock handles messages from applications could let an application break out of the sandbox. The bug is exploitable if an attacker were to send a maliciously crafted message causing an invalid function pointer to be dereferenced, which in turn could lead to an unexpected application termination or arbitrary code execution.
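As an added illustration, not code from Apple or from this article, the pattern behind an unvalidated array index into a handler table, shown beside the bounds check that keeps an out-of-range message type from being turned into a bogus function pointer; the message layout and handler names are hypothetical:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical message layout: the sender supplies a type that selects a handler. */
typedef struct {
    uint32_t type;     /* sender-controlled index into the handler table */
    uint32_t payload;
} dock_msg_t;

static int handle_show(uint32_t p)   { return (int)(p + 1); }
static int handle_hide(uint32_t p)   { return (int)(p + 2); }
static int handle_bounce(uint32_t p) { return (int)(p + 3); }

typedef int (*handler_fn)(uint32_t);
static const handler_fn handlers[] = { handle_show, handle_hide, handle_bounce };
#define HANDLER_COUNT (sizeof handlers / sizeof handlers[0])

/* Vulnerable pattern: the index is used without validation, so a type value
 * beyond the table reads adjacent memory as a function pointer and calls it.
 * Kept for contrast only; it is never called with an unchecked message here. */
int dispatch_unchecked(const dock_msg_t *msg) {
    return handlers[msg->type](msg->payload);
}

/* Hardened pattern: validate the index before it touches the table. The index
 * is unsigned, so a single >= comparison also rules out negative values.
 * Returns -1 for a rejected message so the caller can log and drop it. */
int dispatch_checked(const dock_msg_t *msg) {
    if (msg == NULL || msg->type >= HANDLER_COUNT) {
        return -1;
    }
    return handlers[msg->type](msg->payload);
}

/* Convenience wrapper: build a constructed message and dispatch it safely. */
int dispatch_type(uint32_t type, uint32_t payload) {
    dock_msg_t msg = { type, payload };
    return dispatch_checked(&msg);
}

int main(void) {
    printf("valid type 1 -> %d\n", dispatch_type(1, 10));         /* 12 */
    printf("out-of-range type 7 -> %d\n", dispatch_type(7, 0));    /* -1 */
    printf("huge type -> %d\n", dispatch_type(UINT32_MAX, 0));     /* -1 */
    return 0;
}
```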
The three kernel ASLR bypass bugs lived in Graphics Driver, Intel Graphics Driver, and IOGraphicsFamily. Each involves a kernel pointer stored in an IOKit object that could be read by a local user.
There are also 10 additional arbitrary code execution bugs listed in the security update. One, in copyfile, stems from an out-of-bounds byte-swapping issue in the handling of AppleDouble files in zip archives and could also cause application termination. Apple fixed a pair of validation issues in the way Intel graphics cards deal with OpenGL API calls and in the way Intel Compute deals with OpenCL API calls, either of which could allow code execution with system privileges. Another fix addresses an array indexing issue in IOAcceleratorFamily through which a malicious application could execute arbitrary code with system privileges. Launchd gets four bulletins for arbitrary code execution with system privileges, as do Graphics Driver and Thunderbolt.
Apple also fixed an uninitialized memory access issue in the handling of DTLS messages in a TLS connection that could have exposed up to two bytes of memory to a remote attacker.
Finally, Apple updated the list of certificates that Mavericks accepts by default.
By installing the Mavericks updates, users will also be updating their Safari browsers, for which Apple shipped just three bulletins, all relating to WebKit. The first fixes a series of memory corruption bugs that could cause crashes and code execution in the web page rendering engine; the second is an information disclosure that could be triggered by dragging the URL from a maliciously crafted website into another window; and the third, a spoofing issue in the handling of URLs, could let a maliciously crafted website spoof domain names.
In addition to updating its list of trusted certificates for iOS, Apple fixed 16 bugs in its mobile platform.
An unbounded stack allocation issue in CoreGraphics could be exploited to unexpectedly terminate applications or execute arbitrary code. A null pointer dereference in the kernel’s handling of IOKit API arguments could cause unexpected restarts.
Apple resolved four flaws in Launchd that allowed arbitrary code execution with system privileges, two caused by heap overflows in the handling of IPC and log messages, and the other two caused by integer overflows.
The update also resolves a pair of lock-screen issues, one that was failing to enforce password attempt limits and another that could have allowed an attacker to view the application that was open prior to activating the screen lock. On a related but more serious note, an attacker in possession of an iOS device could potentially bypass the Activation Lock feature designed to prevent device theft.
The update also addresses a vulnerability in Mail that could have let an attacker extract attachments from the email application. A use-after-free vulnerability existed in Safari’s handling of invalid URLs, which could have led to application termination and code execution after visiting a maliciously crafted website. Another problem would have let anyone with access to a device disable the ‘Find My iPhone’ feature without requiring that person to enter the appropriate iCloud password.
Apple also fixed what appears to be the same uninitialized memory bug referenced for Mavericks above. They also resolved a problem with Siri that could give an unauthenticated user access to a vulnerable device’s contact list. Apple also fixed a similar set of issues in the iOS variety of WebKit.
Lastly, Apple fixed a handful of problems in AppleTV, including an unexpected restart issue, a number of code execution flaws, another uninitialized memory access flaw, and a problem that was permitting purchases without sufficient authentication information.