Update: Apple yesterday patched a critical privilege escalation vulnerability in OS X 10.10 that was disclosed in early July. The flaw in OS X’s dynamic linker called dyld was specific to a new feature that allowed for error logging to arbitrary files.
Researcher Stefan Esser shared details of the vulnerability and source code for a kernel extension that mitigated the vulnerability until Apple’s patch was made publicly available yesterday.
Esser’s July 7 report said the OS X 10.10 supported a new DYLD_PRINT_TO_FILE variable which lacked “safeguards” that are generally included when new variables are added to the DYLD.
“Normally for security reasons the dynamic linker should reject all environment variables passed to it in case of restricted files. This is automatically handled when new environment variables are added to the processDyldEnvironmentVariable() function,” Esser wrote. “However in the DYLD_PRINT_TO_FILE case the code was directly added to the _main function of dyld.”
Esser wrote that DYLD accepts the new variable even for restricted binaries such as SUID root binaries.
“This is obviously a problem, because it allows the creation or opening (for writing) of any file in the filesystem. And because the log file is never closed by dyld and the file is not openes with the close on exec flag the opened file descriptor is inherited by child processes of SUID binaries,” he wrote. “This can be easily exploited for privilege escalation.”
OS X Yosemite 10.10.5 includes patches for numerous code execution, denial of service, information disclosure, and memory-corruption vulnerabilities leading to RCE or crashes.
Missing from the list is a patch for the UEFI EDK2 vulnerabilities related to the Thunderstrike 2 firmware attack; researchers Xeno Kovah and Trammell Hudson said that some extensions in OS X can be abused in attacks, despite the fact that the main firmware attacks used in Thunderstrike 2 were patched in OS X 10.10.4.
Thunderstrike 2 is an attack against Apple firmware and, unlike its predecessor, can be exploited remotely and self-replicates through peripheral devices. The researchers disclosed a half-dozen vulnerabilities to Apple months ago, and some are patched while others remain on the drawing board.
The flaws have been patched on the reference implementation for UEFI on other Intel platforms. In the case of Apple, the company has said in the past its firmware was not impacted; all the firmware in question, however, is derived from the same Intel reference implementation, the researchers said.
Apple’s mobile iOS platform has been upgraded to version 8.4.1 and include the usual long list of WebKit code-execution, information (cookie) leakage, and Content Security Policy vulnerabilities.
The iOS update also includes patches for ImageIO, a library that provides an interface to read and write image data. Google researcher Michal Zalewski reported bugs in ImageIO where a malicious .TIFF file could corrupt memory during processing and lead to code execution. The update also patches a problem with ImageIO’s handling of PNG images that could result, Apple said, in the disclosure of process memory to a website hosting an exploit.
Apple also updated its Safari browser, releasing versions 8.0.8, 7.1.8 and 6.2.8. Most of the vulnerabilities addressed in the update reside in WebKit and result in code execution or exposure of cookie information if exploited.
The OS X Server update to version 4.1.5 addresses a recently patched vulnerability in BIND that could lead to server crashes. BIND patched the vulnerability in the way it handled TKEY queries, which was remotely exploitable, on July 29. The flaw affected all versions of BIND’s DNS software from 9.1.0 through 9.9.7. The vulnerability is in the way that BIND handles certain queries related to transaction key records, and it affected recursive and authoritative servers. The bug is fixed in BIND versions 9.9.7-P2 and P3.
BIND is the most widely deployed name server software on the Internet and the TKEY flaw is an especially problematic one for administrators running name servers; its handlers at the Internet System Consortium said there is no real workaround, and defending against the bug can be quite difficult.
This article was updated with clarifications around the Thunderstrike 2 patch.