Apple released fixes for various products this week, including several nasty arbitrary code execution (ACE) flaws, and a bug that has been public with proof-of-concept code for two months.
CVE-2019-8656, discovered by cybersecurity researcher Filippo Cavallarin, enabled an attacker to bypass Apple’s Gatekeeper functionality with a suitably formed Zip file. Gatekeeper is the Mac function that asks you if you want to run untrusted content downloaded from the web. Apple was supposed to have fixed this by mid-May, following a 90-day responsible disclosure period, but didn’t, so Cavallarin published proof-of-concept code.
The fix was part of a patchfest addressing 48 separate entries in the CVE database. The patches spanned these Apple products:
- iOS 12.4
- tvOS 12.4 (the Apple TV operating system)
- Safari browser 12.1.2
- iTunes 12.9.6 for Windows
- iCloud for Windows 10.6 and 7.13
- watchOS 5.3
- macOS Mojave 10.14.6, High Sierra, and Sierra
Many of the fixes addressed single bugs that affected multiple Apple products, showing how tightly integrated Apple’s code base is. One of the most notable was for the company’s WebKit browser engine, which it mandates for other browser vendors (Chrome is forced to use WebKit on Apple operating systems rather than its own Blink engine, for example).
These fixes included 19 separate CVEs related to memory vulnerabilities, affecting iOS, tvOS, Safari, and macOS. These bugs would allow an attacker to exploit a device by showing it malicious web content. A subset of eight of these bugs also affected watchOS.
There were also universal cross-site scripting (XSS) vulnerabilities affecting the four platforms listed above, plus Safari and iTunes for Windows.
Arbitrary code execution
Apple fixed several bugs shared across multiple platforms that allowed for arbitrary code execution (ACE). These included two in the Core Data library, which is Apple’s local data caching mechanism for storing data offline. Another in that library would let an attacker leak memory remotely.
Foundation, Apple’s layer of core data types and operating system services, also received an ACE fix (CVE-2019-8641), as did FaceTime (CVE-2019-8648), a flaw it shared with macOS and watchOS.
Many of these bug descriptions and fixes were pretty opaque, with short descriptions and impact statements such as “an out of bounds read was addressed with improved input validation”. There were a couple of more descriptive entries, though.
Apple’s Heimdal implementation of the Kerberos 5 certificate management system suffered a bug that could allow apps to intercept communications between services. That affected iOS, tvOS, macOS, and watchOS.
Malicious Office documents could also cause arbitrary code execution, Apple revealed. It fixed CVE-2019-8657, in which “parsing a maliciously crafted office document may lead to an unexpected application termination or arbitrary code execution”. Apple said that bug affected the same platforms as the Heimdal bug, including watchOS.
There was also a fix for CVE-2019-8682, which allowed someone to accidentally complete a purchase while on the lock screen (affecting the Wallet app in iOS and watchOS). Another, CVE-2019-8659, was purely for watchOS and allowed users removed from an iMessage conversation to alter their state.
CVE-2019-8670 allowed someone to spoof the address bar in Safari with a malicious web page. That’s now fixed, too.
There were eight bugs that were unique to macOS. These included four ACE vulnerabilities spanning Bluetooth, disk management, the operating system’s built-in graphing calculator, and Carbon Core, which lets apps interact with legacy services.
There was also a macOS bug (CVE-2019-8667) that made it possible for the encryption status of Apple Time Machine services to be incorrect.
With proof-of-concept code for one of these bugs out for months and with the fixes addressing a gaggle of nasty code execution flaws, it’s time to get patching if you haven’t already.