Apple Patches Thunderstrike Bug in OSX, Fixes More Than 30 Flaws in iOS

Apple has released major security updates for both OS X and iOS that includes patches for a number of bugs that could lead to arbitrary code execution. The release of iOS 8.1.3 fixes a vulnerability that allowed an attacker to bypass the sandbox restrictions in Safari and the OS X update fixes a serious flaw in the CPU software that enabled the Thunderstrike bootkit attack.

The update for iOS is a major security release from Apple, fixing more than 30 vulnerabilities in all, including three flaws in the iOS kernel and several memory corruption bugs in WebKit. One of the more interesting issues is the Safari sandbox bypass, which can be used by a malicious site.

“An issue existed in the handling of URLs redirected from Safari to the iTunes Store that could allow a malicious website to bypass Safari’s sandbox restrictions. The issue was addressed with improved filtering of URLs opened by the iTunes Store,” the Apple advisory says.

Two of the vulnerabilities in the iOS kernel patched in this release could help an attacker bypass one of the key exploit mitigations in the operating system.

“An information disclosure issue existed in the handling of APIs related to kernel extensions. Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection. This issue was addressed by unsliding the addresses before returning them,” Apple said in its advisory.

The second ASLR bypass vulnerability is similar and could be used by a malicious or compromised app.

“The mach_port_kobject kernel interface leaked kernel addresses and heap permutation value, which may aid in bypassing address space layout randomization protection. This was addressed by disabling the mach_port_kobject interface in production configurations,” Apple said.

There also are two serious vulnerabilities in the FontParser component of iOS, both of which could lead to arbitrary code execution. One of the bugs is a buffer overflow and the other is a memory corruption flaw.

In the OS X update, Apple released a patch for a vulnerability discovered by researcher Trammell Hudson that enabled an attacker to modify the firmware of a target machine. The Thunderstrike bootkit that Hudson wrote to demonstrate the attack takes advantage of a vulnerability in the operating system and allowed him to maintain persistent control of the target machine, even after reinstallation of the operating system.

“Thunderbolt devices could modify the host firmware if connected during an EFI update. This issue was addressed by not loading option ROMs during updates,” the Apple advisory says.

The update for OS X also includes patches for a number of kernel vulnerabilities, some of which can be used for arbitrary code execution. And there’s a vulnerability that could allow some processes to circumvent the sandbox.

“A design issue existed in the caching of sandbox profiles which allowed sandboxed applications to gain write access to the cache. This issue was addressed by restricting write access to paths containing a “com.apple.sandbox” segment. This issue does not affect OS X Yosemite v10.10 or later,” Apple’s advisory says.

Image from Flickr photos of Klaquax.

Suggested articles