Thursday, 10 December 2015
0 comments

Apple Released Security Updates With iOS 9.2 Version


Apple Released Security Updates With 9.2 Version

Apple also released updates for iOS, tvOS, OS X, watchOS, Safari, and Xcode and patched many vulnerabilities.

Updates available including are:

  • iOS 9.2 for iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • tvOS 9.1 for Apple TV (4th generation)
  • OS X El Capitan 10.11.2 and Security Update 2015-008 for OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
  • watchOS 2.1 for Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
  • Safari 9.0.2 for OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
  • Xcode 7.2 for OS X Yosemite v10.10.5 or later


More Updates are follows:

AppleMobileFileIntegrity

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: An access control issue was addressed by preventing modification of access control structures.

CVE-ID
CVE-2015-7055 : Apple

AppSandbox

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A malicious application may maintain access to Contacts after having access revoked

Description: An issue existed in the sandbox's handling of hard links. This issue was addressed through improved hardening of the app sandbox.

CVE-ID
CVE-2015-7001 : Razvan Deaconescu and Mihai Bucicoiu of University POLITEHNICA of Bucharest; Luke Deshotels and William Enck of North Carolina State University; Lucas Vincenzo Davi and Ahmad-Reza Sadeghi of TU Darmstadt.

CFNetwork HTTPProtocol

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: An attacker with a privileged network position may be able to bypass HSTS

Description: An input validation issue existed within URL processing. This issue was addressed through improved URL validation.

CVE-ID
CVE-2015-7094 : Tsubasa Iinuma (@llamakko_cafe) of Gehirn Inc. and Muneaki Nishimura (nishimunea)

Compression

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

Description: An uninitialized memory access issue existed in zlib. This issue was addressed through improved memory initialization and additional validation of zlib streams.

CVE-ID
CVE-2015-7054 : j00ru

CoreGraphics

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Processing a maliciously crafted font file may lead to arbitrary code execution

Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.

CVE-ID
CVE-2015-7105 : John Villamil (@day6reak), Yahoo Pentest Team

CoreMedia Playback

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

Description: Multiple memory corruption issues existed in the processing of malformed media files. These issues were addressed through improved memory handling.

CVE-ID

  • CVE-2015-7074 : Apple
  • CVE-2015-7075


dyld

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: Multiple segment validation issues existed in dyld. These were addressed through improved environment sanitization.

CVE-ID

  • CVE-2015-7072 : Apple
  • CVE-2015-7079 : PanguTeam


GPUTools Framework

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: Multiple path validation issues existed in Mobile Replayer. These were addressed through improved environment sanitization.

CVE-ID

  • CVE-2015-7069 : Luca Todesco (@qwertyoruiop)
  • CVE-2015-7070 : Luca Todesco (@qwertyoruiop)


iBooks

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Parsing a maliciously crafted iBooks file may lead to disclosure of user information

Description: An XML external entity reference issue existed with iBook parsing. This issue was addressed through improved parsing.

CVE-ID
CVE-2015-7081 : Behrouz Sadeghipour (@Nahamsec) and Patrik Fehrenbach (@ITSecurityguard)

ImageIO

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue existed in ImageIO. This issue was addressed through improved memory handling.

CVE-ID
CVE-2015-7053 : Apple

IOHIDFamily

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: Multiple memory corruption issues existed in IOHIDFamily API. These issues were addressed through improved memory handling.

CVE-ID

  • CVE-2015-7111 : beist and ABH of BoB
  • CVE-2015-7112 : Ian Beer of Google Project Zero


IOKit SCSI
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A null pointer dereference existed in the handling of a certain user-client type. This issue was addressed through improved validation.

CVE-ID
CVE-2015-7068 : Ian Beer of Google Project Zero

Kernel

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local application may be able to cause a denial of service

Description: Multiple denial of service issues were addressed through improved memory handling.

CVE-ID

  • CVE-2015-7040 : Lufeng Li of Qihoo 360 Vulcan Team
  • CVE-2015-7041 : Lufeng Li of Qihoo 360 Vulcan Team
  • CVE-2015-7042 : Lufeng Li of Qihoo 360 Vulcan Team
  • CVE-2015-7043 : Tarjei Mandt (@kernelpool)

Kernel

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local user may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues existed in the kernel. These issues were addressed through improved memory handling.

CVE-ID
  • CVE-2015-7083 : Ian Beer of Google Project Zero
  • CVE-2015-7084 : Ian Beer of Google Project Zero


Kernel

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local user may be able to execute arbitrary code with kernel privileges

Description: An issue existed in the parsing of mach messages. This issue was addressed through improved validation of mach messages.

CVE-ID
CVE-2015-7047 : Ian Beer of Google Project Zero

LaunchServices

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue existed in the processing of malformed plists. This issue was addressed through improved memory handling.

CVE-ID
CVE-2015-7113 : Olivier Goguel of Free Tools Association
libarchive

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

Description: A memory corruption issue existed in the processing of archives. This issue was addressed through improved memory handling.

CVE-ID
CVE-2011-2895 : @practicalswift

libc

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Processing a maliciously crafted package may lead to arbitrary code execution

Description: Multiple buffer overflows existed in the C standard library. These issues were addressed through improved bounds checking.

CVE-ID
CVE-2015-7038
CVE-2015-7039 : Maksymilian Arciemowicz (CXSECURITY.COM)
libxml2

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information

Description: A memory corruption issue existed in the parsing of XML files. This issue was addressed through improved memory handling.

CVE-ID
CVE-2015-3807 : Wei Lei and Liu Yang of Nanyang Technological University
MobileStorageMounter

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: A timing issue existed in loading of the trust cache. This issue was resolved by validating the system environment before loading the trust cache.

CVE-ID
CVE-2015-7051 : PanguTeam

OpenGL

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: Multiple memory corruption issues existed in OpenGL. These issues were addressed through improved memory handling.

CVE-ID

  • CVE-2015-7064 : Apple
  • CVE-2015-7065 : Apple
  • CVE-2015-7066 : Tongbo Luo and Bo Qu of Palo Alto Networks


Photos

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker may be able to use the backup system to access restricted areas of the file system

Description: A path validation issue existed in Mobile Backup. This was addressed through improved environment sanitization.

CVE-ID
CVE-2015-7037 : PanguTeam

QuickLook

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Opening a maliciously crafted iWork file may lead to arbitrary code execution.

Description: A memory corruption issue existed in the handling of iWork files. This issue was addressed through improved memory handling.

CVE-ID
CVE-2015-7107

Safari

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Visiting a malicious website may lead to user interface spoofing

Description: An issue may have allowed a website to display content with a URL from a different website. This issue was addressed through improved URL handling.

CVE-ID
CVE-2015-7093 : xisigr of Tencent's Xuanwu LAB (www.tencent.com)

Sandbox

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A malicious application with root privileges may be able to bypass kernel address space layout randomization

Description: An insufficient privilege separation issue existed in xnu. This issue was addressed by improved authorization checks.

CVE-ID
CVE-2015-7046 : Apple

Security

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution

Description: A memory corruption issue existed in handling SSL handshakes. This issue was addressed through improved memory handling.

CVE-ID
CVE-2015-7073 : Benoit Foucher of ZeroC, Inc.

Security
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later.

Impact: A malicious application may gain access to a user's Keychain items.

Description: An issue existed in the validation of access control lists for keychain items. This issue was addressed through improved access control list checks.

CVE-ID
CVE-2015-7058

Siri
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later.

Impact: A person with physical access to an iOS device may be able to use Siri to read notifications of content that is set not to be displayed at the lock screen.

Description: When a request was made to Siri, client side restrictions were not being checked by the server. This issue was addressed through improved restriction checking.

CVE-ID
CVE-2015-7080 : Or Safran (www.linkedin.com/profile/view?id=33912591)

WebKit

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later.

Impact: Visiting a maliciously crafted website may lead to arbitrary code execution.

Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.

CVE-ID

  • CVE-2015-7048 : Apple
  • CVE-2015-7095 : Apple
  • CVE-2015-7096 : Apple
  • CVE-2015-7097 : Apple
  • CVE-2015-7098 : Apple
  • CVE-2015-7099 : Apple
  • CVE-2015-7100 : Apple
  • CVE-2015-7101 : Apple
  • CVE-2015-7102 : Apple
  • CVE-2015-7103 : Apple


WebKit

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later.

Impact: Visiting a maliciously crafted website may reveal a user's browsing history
Description: An insufficient input validation issue existed in content blocking. This issue was addressed through improved content extension parsing.

Source: Apple

0 comments:

Post a Comment

Note: only a member of this blog may post a comment.

 
Toggle Footer
Top