Apple Patches iOS Flaw Exploitable by Malicious JPEG

Apple on Monday rolled out dozens of patches including ones for its recently released Sierra operating system, OS X, iOS 10.1, watchOS, and Apple TV’s tvOS, along with fixes for Safari.

Apple on Monday patched a code execution vulnerability in iOS that could be exploited via a JPEG file crafted to take advantage of the flaw.

Apple also issued its first round of patches for macOS Sierra as part of a large update that also included fixes for vulnerabilities found in Safari, Apple Watch and Apple TV on Monday.

Sierra and iOS 10.1 received the lion’s share of the updates with a dozen fixes for both Apple products. In typical fashion, Apple is keeping tight-lipped about many of the most serious flaws regarding arbitrary code execution and vulnerabilities that leaked personal data. Neither is it known if any of the vulnerabilities have been exploited publicly.

iOS 10.1

Monday’s patches featured 12 fixes for iOS 10.1 running on iPhone 5 phones and 4th generation iPads and later. One of those fixes addresses flaws found in iOS 10.1 related to a CoreGraphics vulnerability (CVE-2016-4635) present on the iPhone, iPad and iPod Touch. The patch fixed a memory corruption issue that allowed the viewing of a maliciously crafted JPEG file to trigger arbitrary code execution.

A FaceTime fix (CVE-2016-4635) was issued for iPhone 5 models, 4th generation iPads and 6th generation iPod touches that allowed an attacker in a privileged network position to be able to cause a “relayed call to continue transmitting audio while appearing as if the call terminated,” according to Apple.

macOS Sierra

A dozen security bugs were plugged by Apple tied to its just-launched macOS Sierra 10.12.1 operating system. The patches address a wide range of vulnerabilities that have cropped up since the OS launched on Sept. 21, including three security issues that allowed for arbitrary code execution. Two (CVE-2016-4667 and CVE-2016-4674)  are related to an App Transport Security (ATP) feature announced at the 2016 WWDC for iOS 9. The feature requires all iOS apps to use HTTPS connections. Apple said it has fixed both Sierra OS memory corruption issues related to ATP that impacted the feature on Mac systems.

Another vulnerability (CVE-2016-4670) allowed a local attacker to “observe the length of a login password when a user logs in.” Apple said it fixed the problem by removing password length logging for Sierra.

Apple also plugged security holes in OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6; namely an Nvidia graphics driver bug (CVE-2016-4663) but that could cause a denial of service for targeted systems. Another vulnerability (CVE-2016-4671) identified and fixed, impacting OS X El Capitan v10.11.6, allowed a maliciously crafted PDF files to be parsed in such a way they could allow for arbitrary code execution on vulnerable systems.

Apple Safari

The Safari browser received two updates that could either lead to the disclosure of user information or arbitrary code execution. Both are tied to “maliciously crafted web content.” The first bug (CVE-2016-4613) is relates to Safari 10.0.1 and WebKit and could allow the processing of maliciously crafted web content to leak user data. The flaw was fixed for OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12 via an improved state management for WebKit, according to Apple.

An additional WebKit vulnerability (CVE-2016-4666) is related to multiple memory corruption issues within Safari that could allow for maliciously crafted web content to lead to arbitrary code execution. Apple said it has addressed the flaws for OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.

Apple TV

For Apple TV 4th generation (10.0.1) users, Apple has posted 11 security bulletins ranging from a “libxpc” flaw (CVE-2016-4675) that allows arbitrary code execution with root privileges for an unspecified application to a second less serious Sandbox Profiles bug (CVE-2016-4664) that allows for an application to retrieve metadata of photo directories.

Apple is warning of another Apple TV proxy credential vulnerability (CVE-2016-7579) that could allow an attacker with a “privileged network position” to leak sensitive user information. It’s unclear what the specifics of the vulnerability are, however Apple said it was tied to a “phishing issue” that was fixed by “removing unsolicited proxy password authentication prompts.”

A CoreGraphics vulnerability (CVE-2016-4673) reported to Apple created a memory corruption issue that allowed an attacker to send a maliciously crafted JPEG file that could lead to arbitrary code execution on the Apple TV 4th generation platform.

Apple Watch

Apple disclosed eight vulnerabilities tied to its Watch operating system, watchOS 3.1. Three of those vulnerabilities can create conditions that allow “arbitrary code” to be executed on the watch. One of those flaws (CVE-2016-4673) – also shared by Apple TV – is tied to the CoreGraphics component in both watchOS 3.1 and allows a maliciously crafted JPEG file to execute arbitrary code.

Apple also identified an Apple Watch system boot bug (CVE-2016-4669) that impacts all its watch models that could allow a local user to “cause an unexpected system termination or arbitrary code execution in the kernel,” Apple said.

Suggested articles