Threat Level: green Handler on Duty: Lenny Zeltser

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
July OUCH Newsletter - Social Media: http://www.securingthehuman.org/ouch

Apple "Patch Tuesday"

Published: 2015-07-01
Last Updated: 2015-07-01 12:12:38 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Yesterday, Apple released patches for OS X, iOS, Safari, Mac EFI, iTunes and Quicktime (Windows) [1]. Here some of the highlights:

EFI Update

"EFI" is the firmware running your Mac. This update will only apply on certain Apple computer models. Two bugs that are being fixed by this updata:

CVE-2015-3692: This issues could allow an attacker to modify the EFI firmware, gaining persistent access to the system.  The bug was made public about two months ago and the basic issue was that the firmware is not properly locked as a system returns from sleep [2]. 

CVE-2015-3693: Researchers at Intel and Carnegie Mellon University originally discovered this issue, and in March, Google's project zero released details about a working exploit for the "rowhammer" vulnerability [3][4]. This problem is not specific to Apple, but effects many systems using modern DRAM memory. In short, by repeatedly writing to some areas of memory, adjacent rows of memory can be effected allowing an attacker to manipulate code they would not have access to otherwise. 

OS X Update

This update affects versions of OS X back to Mountain Lion (10.8). A total of 46 issues are addresses (and even more individual vulnerabilities). So here just some highlights:

Open Source Software: OS X includes many standard open source software products like Apache and libraries like OpenSSL. These open source products are updates.

SSL: A number of changes were made to SSL. For example, some intermediate certificates issues by CNNIC are no longer trusted. Interestingly, the CNNIC CA itself still seems to be trusted (others, like Google, removed CNNIC entirely). Apple does not provide a list of new certificates added, but just refers to its complete list of trusted certificates [5]. You can still manually "distrust" the certificate by adjusting the trust in Keychain Access. To respond to the logjam vulnerability, Diffie-Hellman parameters are now restricted to 768 bits or larger (before this, 512 bit was possible). This is in line with what other operating systems have implemented in response. There is a small chance that this will cause problems with connections to legacy servers.

EFI Related: The issues address by the EFI update, are also addresses by the OS X update.

Mail: An e-mail message was able to load web pages, which then could be used to various phishing attacks, for example by displaying a popup password dialog that appears to come from Mail.app. This issue was already made public early June [6]

iOS

Due to the overall similar code base between iOS and OS X, many of the OS X issues apply to iOS as well. For example the TLS issues, as well as the Mail issue affect iOS and are patched with this update. On interesting issue that I hadn't heard of before (but not surprising). Malicious SIM cards could lead to arbitrary code execution. 

Safari

As usual, Safari is made available as it's own update. Only 4 different issues here ranging from cross origin issues to remote code execution.

iTunes / QuickTime 

These updates affect Windows (the OS X version is rolled into the OS X patch). There is no official QuickTime version for Windows beyond Windows 7. But if you are using the Windows 7 version on Windows 8/8.1, you will likely still need to update.

 

[1] https://support.apple.com/en-us/HT201222​
[2] https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/
[3] http://users.ece.cmu.edu/~yoonguk/papers/kim-isca14.pdf
[4] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
[5] https://support.apple.com/en-us/HT202858
​[6] https://github.com/jansoucek/iOS-Mail.app-inject-kit/tree/master

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
0 comment(s)
ISC StormCast for Wednesday, July 1st 2015 http://isc.sans.edu/podcastdetail.html?id=4551
Diary Archives