Apple Security Advisory 2015-10-21-1 - iOS 9.1 is now available and addresses arbitrary code execution, cookies being overwritten, heap based buffer overflow, and various other vulnerabilities.
dd5e6a9416d9e971b2e3f787976bc2659a2ded06a1e7d6a8896e91cda4316e25
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-10-21-1 iOS 9.1
iOS 9.1 is now available and addresses the following:
Accelerate Framework
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A memory corruption issue existed in the Accelerate
Framework in multi-threading mode. This issue was addressed through
improved accessor element validation and improved object locking.
CVE-ID
CVE-2015-5940 : Apple
Bom
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Unpacking a maliciously crafted archive may lead to
arbitrary code execution
Description: A file traversal vulnerability existed in the handling
of CPIO archives. This issue was addressed through improved
validation of metadata.
CVE-ID
CVE-2015-7006 : Mark Dowd at Azimuth Security
CFNetwork
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to cookies
being overwritten
Description: A parsing issue existed when handling cookies with
different letter casing. This issue was addressed through improved
parsing.
CVE-ID
CVE-2015-7023 : Marvin Scholz; Xiaofeng Zheng and Jinjin Liang of
Tsinghua University, Jian Jiang of University of California,
Berkeley, Haixin Duan of Tsinghua University and International
Computer Science Institute, Shuo Chen of Microsoft Research Redmond,
Tao Wan of Huawei Canada, Nicholas Weaver of International Computer
Science Institute and University of California, Berkeley, coordinated
via CERT/CC
configd
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to elevate privileges
Description: A heap based buffer overflow issue existed in the DNS
client library. A malicious application with the ability to spoof
responses from the local configd service may have been able to cause
arbitrary code execution in DNS clients.
CVE-ID
CVE-2015-7015 : PanguTeam
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Multiple memory corruption issues existed in
CoreGraphics. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2015-5925 : Apple
CVE-2015-5926 : Apple
CoreText
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-6975 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-6992 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-7017 : John Villamil (@day6reak), Yahoo Pentest Team
Disk Images
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in the parsing of
disk images. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-6995 : Ian Beer of Google Project Zero
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-5927 : Apple
CVE-2015-5942
CVE-2015-6976 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-6977 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-6978 : Jaanus Kp, Clarified Security, working with HP's Zero
Day Initiative
CVE-2015-6990 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-6991 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-6993 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-7008 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-7009 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-7010 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-7018 : John Villamil (@day6reak), Yahoo Pentest Team
GasGauge
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with kernel privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-6979 : PanguTeam
Grand Central Dispatch
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted package may lead to
arbitrary code execution
Description: A memory corruption issue existed when handling
dispatch calls. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-6989 : Apple
Graphics Driver
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Executing a malicious application may result in arbitrary
code execution within the kernel
Description: A type confusion issue existed in AppleVXD393. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-6986 : Proteas of Qihoo 360 Nirvan Team
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted image file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
parsing of image metadata. These issues was addressed through
improved metadata validation.
CVE-ID
CVE-2015-5935 : Apple
CVE-2015-5936 : Apple
CVE-2015-5937 : Apple
CVE-2015-5939 : Apple
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in
IOAcceleratorFamily. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-6996 : Ian Beer of Google Project Zero
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with kernel privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-6974 : Luca Todesco (@qwertyoruiop)
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local application may be able to cause a denial of service
Description: An input validation issue existed in the kernel. This
issue was addressed through improved input validation.
CVE-ID
CVE-2015-7004 : Sergi Alvarez (pancake) of NowSecure Research Team
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to execute arbitrary code
Description: An uninitialized memory issue existed in the kernel.
This issue was addressed through improved memory initialization.
CVE-ID
CVE-2015-6988 : The Brainy Code Scanner (m00nbsd)
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local application may be able to cause a denial of service
Description: An issue existed when reusing virtual memory. This
issue was addressed through improved validation.
CVE-ID
CVE-2015-6994 : Mark Mentovai of Google Inc.
Notification Center
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Phone and Messages notifications may appear on the lock
screen even when disabled
Description: When "Show on Lock Screen" was turned off for Phone or
Messages, configuration changes were not immediately applied. This
issue was addressed through improved state management.
CVE-ID
CVE-2015-7000 : William Redwood of Hampton School
OpenGL
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A memory corruption issue existed in OpenGL. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-5924 : Apple
Security
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to overwrite arbitrary
files
Description: A double free issue existed in the handling of
AtomicBufferedFile descriptors. This issue was addressed through
improved validation of AtomicBufferedFile descriptors.
CVE-ID
CVE-2015-6983 : David Benjamin, Greg Kerr, Mark Mentovai and Sergey
Ulanov from the Chrome Team
Security
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker may be able to make a revoked certificate appear
valid
Description: A validation issue existed in the OCSP client. This
issue was addressed by checking the OCSP certificate's expiration
time.
CVE-ID
CVE-2015-6999 : Apple
Security
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A trust evaluation configured to require revocation checking
may succeed even if revocation checking fails
Description: The kSecRevocationRequirePositiveResponse flag was
specified but not implemented. This issue was addressed by
implementing the flag.
CVE-ID
CVE-2015-6997 : Apple
Telephony
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to leak sensitive user
information
Description: An issue existed in the authorization checks for
querying phone call status. This issue was addressed through
additional authorization state queries.
CVE-ID
CVE-2015-7022 : Andreas Kurtz of NESO Security Labs
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-5928 : Apple
CVE-2015-5929 : Apple
CVE-2015-5930 : Apple
CVE-2015-6981
CVE-2015-6982
CVE-2015-7002 : Apple
CVE-2015-7005 : Apple
CVE-2015-7012 : Apple
CVE-2015-7014
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "9.1".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJWJuKaAAoJEBcWfLTuOo7tstUP/2wSpPm4N88k8i6mqMZLIp4q
8sat980JOOzTfG+ZNNyBGliULqhDAAamIo5wnonrEguy6Slr24fHz9CY969t5b9+
juzZu8QSrS5GGrK4WJL1klyJCPK65EPW+gqK97lntFcjeUPVOHCHCwuGUfOj4+AH
fc7EjlWm7ED3QuKiY7hLD1DQq/y9WWNMNKGDxwkaVYAUQ7vccDNPppH4G+bdP4oz
KRR58XlJZ2RGuuN6NR/TKVlbm8HM1i0pXpRo7yO4ZDd4p/QrGdY7UUndng6WZpQn
txC00efGPSQA5WxHXwbDQeAI+rqYA0Bi0yJEuWdD9hfSgC0lZ8/G2qz8FrjfdEgJ
FnugvjHMZ4vz461oo8+ee0Yfy62hgfilHL73KpPJcYoQQCeuNhiLpP61gUInhgqY
uSRxO+EVtLk5hPIxRFcQbQmeJn2qS+04jXD8r05D9piUuyNmRf6FoLFs068SrRcQ
LP2sppSl6aW46hAuXIaMwxsbz5vO0GatB5Y4MWDVsxUu5UNHuBPzkX5w2zjeVsZ5
lydJPTQvcfOihWBjJyVXhQWg+thT2h0tybKFfz9fnBqpOY+QjQr5TtQOs5bghp06
bp/CcN4S1GKkwkZ7zx69ZyIP48HTDcD5gxJKqFwdDmy1u939lXP0h3y9uQkBj5Pa
6gEixmcvOvkvoTisU8Gf
=E3lA
-----END PGP SIGNATURE-----