Apple Fixes Safari WebKit Flaws
Apple released an update addressing multiple security vulnerabilities in its Safari Web browser and iOS 6 mobile platform.
The iOS 6 update fixed four security bugs in the kernel, WebKit and Passcode, according to Apple's security advisory released Thursday. The two WebKit flaws fixed in iOS 6.0.1 were also present and fixed in Safari 6.0.2. One of the WebKit flaws was publicly disclosed during the Hack in the Box Kuala Lumpur conference in early October.
Users should consider upgrading to iOS 6 if they haven't already done so, as the new version of the operating system patched a "whopping 197 CVE-numbered vulnerabilities in 41 system components," said Paul Ducklin of Sophos. The issues fixed in iOS 6 included six security bypasses, one denial of service condition, one privilege escalation flaw, 15 data leakage issues, 11 remote code execution holes, and seven spoofing flaws. Released a little over a month later, iOS 6.0.1 includes "improvements and bug fixes," of which four were security related, Apple said.
iOS 6.0.1 Fixes
The new iOS 6.0.1 addressed an information disclosure issue in the way APIs related to kernel extensions were handled (CVE-2012-3749), which may have helped an attacker bypass address space layout randomization protection, Apple said. ASLR is deliberately intended to keep attackers from knowing where code and data sit in memory, making remote code execution exploits less likely to succeed.
A person with physical access to a device may be able to access Passbook passes (CVE-2012-3750) without entering a password because of a state management issue in the way Passbook passes were handled, Apple said.
"Since Passbook can store coupons, loyalty programme details and even airline boarding cards, having your Passbook unlocked even when your device is locked presents a rather obvious personal security risk," Paul Ducklin, head of technology for the Asia Pacific group at Sophos, wrote on Naked Security.
The final two vulnerabilities were located in WebKit. The first WebKit flaw was a "time of check to time of use" issue in how JavaScript arrays were handled (CVE-2012-3748). The other WebKit issue was a use-after-free in the way SVG images were handled (CVE-2012-5112), originally disclosed by Pinkie Pie during Google's recent Pwnium 2 contest at HITB Kuala Lumpur.
"One of these bugs can be triggered by deliberately-dodgy JavaScript; the other by a craftily-tweaked SVG (scalable vector graphics) file," wrote Ducklin. These types of vulnerabilities can be used in drive-by attacks, and are "highly regarded" by cyber-criminals, he said.
Safari 6.0.2 Fixes
The update for Safari 6.0.2 is available for Mac OS X Lion and OS X Mountain Lion, according to Apple.
Apple closed a use-after-free vulnerability in the SVG implementation of WebKit (CVE-2012-5112); if successfully exploited, remote attackers would be able to execute arbitrary code "via unspecified vectors," Apple said. Another security flaw (CVE-2012-3748), if left unpatched, could result in an unexpected application termination or arbitrary code execution if a user landed on a malicious Website. The use-after-free flaw was the same one disclosed by Pinkie Pie during HITB Kuala Lumpur.
Apple's new iOS version 6.0.2 addresses four vulnerabilities, including the above CVE-2012-5112 in WebKit and an ASLR bypass described by Mark Dowd and Tarjei Mandt, also at HITB Kuala Lumpur 2012.
"A time of check to time of use issue existed in the handling of JavaScript arrays. This issue was addressed through additional validation of JavaScript arrays," Apple said in its advisory.
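The article names the JavaScript-array bug a "time of check to time of use" issue that Apple fixed "through additional validation." The toy C model below is an added illustration of that pattern, not WebKit's code or Apple's patch: a native array operation captures the array length, then hands control to script-controlled code (a callback, standing in for a comparator or getter) that shrinks the array, and the stale length then drives the loop. All names (`JsArray`, `fill_stale_length`, `fill_revalidated`, `shrinking_script`) are hypothetical, and `checked_store` counts out-of-bounds stores instead of corrupting the heap so the hazard is observable without undefined behaviour. The fixed variant re-reads the length after each point at which script may have run.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of an engine-side JavaScript array: a heap buffer plus a length.
   Hypothetical structure for illustration only; not WebKit's representation. */
typedef struct {
    int *data;
    size_t length;
    size_t oob_attempts;   /* stores that a real engine would have made out of bounds */
} JsArray;

/* Script-controlled hook invoked for element i (stands in for a comparator/getter). */
typedef void (*ScriptCallback)(JsArray *arr, size_t i);

JsArray *js_array_new(size_t length) {
    JsArray *arr = calloc(1, sizeof *arr);
    arr->data = calloc(length, sizeof(int));
    arr->length = length;
    return arr;
}

void js_array_free(JsArray *arr) {
    free(arr->data);
    free(arr);
}

/* Instead of writing past the buffer, record the attempt so it can be asserted on. */
static void checked_store(JsArray *arr, size_t i, int value) {
    if (i < arr->length) arr->data[i] = value;
    else arr->oob_attempts++;
}

/* Constructed "script": shrinks the array to one element the first time it runs. */
void shrinking_script(JsArray *arr, size_t i) {
    (void)i;
    if (arr->length > 1) {
        arr->length = 1;
        arr->data = realloc(arr->data, sizeof(int));
    }
}

/* Vulnerable pattern: the length is read once (time of check) and reused after
   script has run (time of use). Returns the number of out-of-bounds stores. */
size_t fill_stale_length(JsArray *arr, ScriptCallback script, int value) {
    size_t n = arr->length;            /* time of check */
    for (size_t i = 0; i < n; i++) {
        script(arr, i);                /* script may shrink the array here */
        checked_store(arr, i, value);  /* time of use: i is bounded by stale n */
    }
    return arr->oob_attempts;
}

/* Fixed pattern ("additional validation"): re-read the live length after every
   point where script could have run, and stop if the index is no longer valid. */
size_t fill_revalidated(JsArray *arr, ScriptCallback script, int value) {
    for (size_t i = 0; i < arr->length; i++) {
        script(arr, i);
        if (i >= arr->length) break;   /* re-validate before the store */
        checked_store(arr, i, value);
    }
    return arr->oob_attempts;
}

int main(void) {
    JsArray *a = js_array_new(4);
    printf("stale length:  %zu out-of-bounds stores\n", fill_stale_length(a, shrinking_script, 7));
    js_array_free(a);

    JsArray *b = js_array_new(4);
    printf("revalidated:   %zu out-of-bounds stores\n", fill_revalidated(b, shrinking_script, 7));
    js_array_free(b);
    return 0;
}
```

The defensive rule the fixed variant encodes is the one Apple's wording implies: any cached property of a script-visible object (length, backing-store pointer, element type) must be treated as invalid once arbitrary script has been allowed to run, and re-validated before use.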