Apple has released new versions of iOS and OS X, both of which include a significant number of security patches, several for bugs that can lead to remote code execution and other serious issues.
Version 8.4 of iOS contains fixes for more than 30 security vulnerabilities, including bugs in the iOS kernel, WebKit, and CoreText. Apple also patched the vulnerability that leads to the Logjam attack, an issue with servers that support weak Diffie-Hellman cryptography. To fix that issue in iOS, Apple released a patch for the coreTLS component of the operating system.
“coreTLS accepted short ephemeral Diffie-Hellman (DH) keys, as used in export-strength ephemeral DH cipher suites. This issue, also known as Logjam, allowed an attacker with a privileged network position to downgrade security to 512-bit DH if the server supported an export-strength ephemeral DH cipher suite. The issue was addressed by increasing the default minimum size allowed for DH ephemeral keys to 768 bits,” the Apple advisory says.
Apple also patched an interesting bug that involved the way that iOS handles payloads from SIM cards. The vulnerability could allow an attacker to craft a malicious SIM card that could give him code execution on a target device.
Among the other vulnerabilities addressed in iOS 8.4 are a number of WebKit bugs, some of which could lead to arbitrary code execution. The code execution flaws include a pair of memory corruption vulnerabilities in WebKit, and an issue with the way the framework handled some SQL functions.
“An insufficient comparison issue existed in SQLite authorizer which allowed invocation of arbitrary SQL functions. This issue was addressed with improved authorization checks,” the Apple advisory says.
There is a patch in the new version of iOS for a bug that could lead to an attacker being able to replace a legitimate app with a malicious one under some conditions. The vulnerability is in the way the OS handles universal provisioning profiles, and could be used to replace system apps such as Apple Pay. Researchers at FireEye discovered the vulnerability and reported it to Apple almost a year ago.
“Manifest Masque Attack leverages the CVE-2015-3722/3725 vulnerability to demolish an existing app on iOS when a victim installs an in-house iOS app wirelessly using enterprise provisioning from a website. The demolished app (the attack target) can be either a regular app downloaded from official App Store or even an important system app, such as Apple Watch, Apple Pay, App Store, Safari, Settings, etc. This vulnerability affects all iOS 7.x and iOS 8.x versions prior to iOS 8.4. We first notified Apple of this vulnerability in August 2014,” FireEye’s researchers wrote in an explanation of the bug and its consequences.
As for OS X, Apple patched many of the same bugs that were present in iOS, along with dozens of others, for a total of more than 75 flaws in all. OS X 10.10.4 includes patches for several buffer overflow vulnerabilities in the Intel graphics driver, some of which could lead to code execution. Apple also fixed a number of memory corruption bugs in QuickTime that could be used for code execution.
In both iOS and OS X Apple updated the certificate trust policy to address the CNNIC certificate issue, among other problems.
Image from Flickr photos of GDS-Productions.