Apple on Wednesday released patches for close to 80 security vulnerabilities in OS X, including remote code execution flaws in a dozen components, all fixed in Yosemite 10.10.3.
The OS X update was released the same day as an extensive iOS 8.3 update that patched three dozen code execution and privilege escalation vulnerabilities.
Details are trickling out about some of the vulnerabilities as well. Yahoo, for example, disclosed some insight into a NULL pointer dereference flaw it found in the nVidia GeForce graphics driver that ships natively with OS X.
“It is possible for an attacker to exploit this vulnerability by mapping the NULL page which can result in code execution and privilege escalation,” Yahoo said in its advisory. “Using publicly available techniques a 32-bit exploit can be created that maps a page at NULL filled with user controllable data.”
Apple said that it addressed the issue, which occurs in the driver’s handling of certain IOService userclient types, through additional context validation.
A researcher at Sandstorm.io, meanwhile, disclosed some details on one of the nine kernel vulnerabilities Apple patched. The bug allows an attacker to trivially crash a number of network services and apps, including Node.js and Google Chrome, said Kenton Varda.
Varda explained in his report that event-driven OS X network apps could be sent into an infinite loop if they receive a particular packet.
Varda’s kernel bug was one of several denial of service vulnerabilities fixed in the kernel, alongside code execution and privilege escalation flaws and an ICMP redirect issue that could allow an attacker to redirect traffic to an arbitrary host.
Another of the denial of service vulnerabilities, reported by Andrey Khudyakov and Maxim Zhuravlev of Kaspersky Lab, can be triggered by an attacker in a privileged network position. The bug, CVE-2015-1102, affects Yosemite v10.10 to v10.10.2.
“A state inconsistency existed in the processing of TCP headers,” Apple said. “This issue was addressed through improved state handling.”
Yesterday’s OS X update also patched the following components:
- Admin Framework: privilege escalation vulnerability
- Apache: multiple vulnerabilities, including one remote code execution bug
- ATS: code execution and input validation issues
- CFNetwork HTTPProtocol: cross-domain cookie issue in redirect handling
- CFNetwork Session: cross-domain HTTP request headers issue in redirect handling
- CFURL: input validation issue
- CoreAnimation: use-after-free vulnerability
- FontParser: memory corruption issues
- Hypervisor: input validation issue
- ImageIO: memory corruption issue
- IOHIDFamily: code execution, privilege escalation, kernel memory leak, buffer overflow and other memory issues
- LaunchServices: input validation and memory issues
- Libnetcore: memory corruption issue
- NTP: authentication key issue
- OpenLDAP: denial of service and multiple input validation issues
- OpenSSL: multiple issues in OpenSSL that put secure connections at risk
- Open Directory Client: unencrypted passwords sent over the network
- PHP: multiple vulnerabilities, including one remote code execution bug
- QuickLook: memory corruption issue in iWork file handling
- SceneKit: heap buffer overflow
- Screen Sharing: passwords logged to local files
- Code Signing: apps launching without valid signatures
- Uniform Type Identifiers: buffer overflow
- WebKit: memory corruption issue
Also, unlike Google and Mozilla, Apple continues to include the controversial CNNIC root certificate in the OS X Yosemite v10.10 trust store.
Google and Mozilla removed the Chinese certificate authority from their respective trust stores last week, after Google discovered that a CNNIC-issued certificate had been used in a man-in-the-middle attack intercepting traffic to a number of Google domains. The misused certificate was immediately distrusted by most browser vendors, but Google and Mozilla went a step further and dropped the CA altogether. The move draws a clear line for other CAs: anything that compromises the integrity of certificates will not be tolerated.
Apple assigns the root certificates it ships one of three trust states: Trusted, Always Ask and Blocked. Always Ask certificates are untrusted but not blocked by Apple; instead the user is presented with an advisory asking them to choose whether to trust the certificate. Blocked certificates are ones Apple says are compromised, and they will not be trusted. The CNNIC certificate is listed as Trusted, so it is accepted without prompting the user.