An MS-ISAC Cyber Security Advisory issued yesterday states that multiple vulnerabilities in Apple products could allow remote code execution: “Multiple vulnerabilities have been discovered in Apple iOS and iTunes…These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file, including an email attachment.”

It further states, “Successful exploitation could result in an attacker gaining the same privileges as the logged on user, remote code execution within the context of the application, and the ability to bypass the security systems.

While some of these have been known previously, seeing the entire list is sobering. There are over 100 of them and many of them permit an attacker to run arbitrary code on the device. For example:

CoreText

Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Processing a maliciously crafted font file may lead to arbitrary code execution
Description:  A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
CVE-ID
CVE-2015-5874 : John Villamil (@day6reak), Yahoo Pentest Team

Data Detectors Engine

Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Processing a maliciously crafted text file may lead to arbitrary code execution
Description:  Memory corruption issues existed in the processing of text files. These issues were addressed through improved bounds checking.
CVE-ID
CVE-2015-5829 : M1x7e1 of Safeye Team (www.safeye.org)

Dev Tools

Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A memory corruption issue existed in dyld. This was addressed through improved memory handling.
CVE-ID
CVE-2015-5876 : beist of grayhash

Of particular interest is that CoreText—the font one—sounds very similar to the recent font bugs found in Windows and Adobe Reader. It is yet further evidence that Apple devices share much the same vulnerabilities as Windows PCs and Android devices, and hence the confidence that Apple have enjoyed regarding security from malware no longer applies.

The good news is: no exploits in the wild have been reported. That said, the detailed list of vulnerabilities should attract some attention. Stay tuned.

MS-ISAC recommends the following actions be taken:

  • Apply appropriate updates provided by Apple to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from un-trusted or unknown sources.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.