There may be Worms in your Apple

By   ISBuzz Team
Writer , Information Security Buzz | Nov 15, 2015 05:00 pm PST

An MS-ISAC Cyber Security Advisory issued on September 18 states that multiple vulnerabilities in Apple products could allow remote code execution: “Multiple vulnerabilities have been discovered in Apple iOS and iTunes…These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file, including an email attachment.”

It further states, “Successful exploitation could result in an attacker gaining the same privileges as the logged on user, remote code execution within the context of the application, and the ability to bypass the security systems.

While some of these have been known previously, seeing the entire list is sobering. There are over 100 of them and many of them permit an attacker to run arbitrary code on the device. For example :


  • Available for : iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • Impact : Processing a maliciously crafted font file may lead to arbitrary code execution
  • Description : A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
  • CVE-ID
  • CVE-2015-5874 : John Villamil (@day6reak), Yahoo Pentest Team

Data Detectors Engine

  • Available for : iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • Impact : Processing a maliciously crafted text file may lead to arbitrary code execution
  • Description : Memory corruption issues existed in the processing of text files. These issues were addressed through improved bounds checking.
  • CVE-ID
  • CVE-2015-5829 : M1x7e1 of Safeye Team

Dev Tools

  • Available for : iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • Impact : A malicious application may be able to execute arbitrary code with system privileges
  • Description : A memory corruption issue existed in dyld. This was addressed through improved memory handling.
  • CVE-ID
  • CVE-2015-5876 : beist of grayhash

Of particular interest is that CoreText—the font one—sounds very similar to the recent font bugs found in Windows and Adobe Reader. It is yet further evidence that Apple devices share much the same vulnerabilities as Windows PCs and Android devices, and hence the confidence that Apple have enjoyed regarding security from malware no longer applies.

The good news is: no exploits in the wild have been reported. That said, the detailed list of vulnerabilities should attract some attention. Stay tuned.

MS-ISAC recommends the following actions be taken :

  • Apply appropriate updates provided by Apple to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from un-trusted or unknown sources.

Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.

[su_box title=”About Francis Turner” style=”noise” box_color=”#336588″]Francis TurnerFrancis Turner has worked for over 20 years in the IT and data communication industries, starting with a stint at IBM in the mid 1980s before reading Computer Science at Cambridge University. Subsequently he worked for Madge Networks and Bay Networks. After the latter merged with Nortel, he became the European Product Manager for their enterprise switching division. In 2001 he left Nortel Networks to be CIO at a small biotech company that was seminal in the use of computation in the analysis and creation of new enzymatic processes. Most recently he worked at a consultancy firm assisting ICT companies with their multinational product marketing and business development.[/su_box]