
To all IT Professionals:

 

The University of Nebraska Security Team wanted to bring your attention to some security updates for Apple and Cisco WebEx. 

Apple has released a patch for just about every product they sell: iOS, macOS, tvOS, the Safari browser and iCloud for Windows.  A little something for everyone; please update your Mac devices accordingly. 

 

We appreciate your effort to keep your systems patched!

 

Apple Support Link:

hxxps://support.apple.com/en-ca/HT201222

Cisco WebEx Support Link:

hxxps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex

 

 

TLP: WHITE

MS-ISAC CYBERSECURITY ADVISORY

MS-ISAC ADVISORY NUMBER:

2017-007

 

DATE(S) ISSUED:

01/24/2017

 

SUBJECT:
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

 

OVERVIEW:
Multiple vulnerabilities have been discovered in iOS, tvOS, watchOS, macOS Sierra, iCloud for Windows, Safari, and iTunes for Windows, which could allow for arbitrary code execution. iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch. tvOS is an operating system for the fourth-generation Apple TV digital media player. watchOS is the mobile operating system of the Apple Watch and is based on the iOS operating system. macOS Sierra is the thirteenth major release of macOS (previously OS X), Apple’s desktop and server operating system for Macintosh computers. iCloud for Windows is a service developed by Apple that keeps Apple devices in sync with each other. Safari is a web browser developed by Apple. iTunes for Windows is a media player, media library, online radio broadcaster, and mobile device management application developed by Apple.

 

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

 

SYSTEMS AFFECTED:

•         iOS Versions prior to 10.2.1

•         tvOS Versions prior to 10.1.1

•         watchOS Versions prior to 3.1.3

•         macOS Sierra Versions prior to 10.12.3

•         iCloud for Windows Versions prior to 6.1.1

•         Safari Versions prior to 10.0.3

•         iTunes for Windows Versions prior to 12.5.5
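The fixed versions in the SYSTEMS AFFECTED list are the practical test for an inventory: anything older on the same product still needs the update. The check below is an added example, not part of the MS-ISAC advisory; the fixed-version table is taken from the list above, while the inventory rows are constructed sample data. It compares versions as integer tuples because comparing them as strings gets results like "10.9" sorting after "10.12.3" wrong.

```python
"""Check inventory records against the advisory's fixed-version table.

Added example, not part of the MS-ISAC advisory. FIXED_VERSIONS comes
from the SYSTEMS AFFECTED list; SAMPLE_INVENTORY is constructed data.
"""
from typing import Dict, List, Tuple

# First version that is NOT affected, per product (from the advisory).
FIXED_VERSIONS: Dict[str, str] = {
    "iOS": "10.2.1",
    "tvOS": "10.1.1",
    "watchOS": "3.1.3",
    "macOS Sierra": "10.12.3",
    "iCloud for Windows": "6.1.1",
    "Safari": "10.0.3",
    "iTunes for Windows": "12.5.5",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.12.3' -> (10, 12, 3); tuples compare numerically, strings do not."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(product: str, version: str) -> bool:
    """True when the installed version is older than the product's fixed version."""
    fixed = parse_version(FIXED_VERSIONS[product])
    installed = parse_version(version)
    # Pad the shorter tuple so "10.2" compares like "10.2.0".
    width = max(len(fixed), len(installed))
    fixed += (0,) * (width - len(fixed))
    installed += (0,) * (width - len(installed))
    return installed < fixed


def affected_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose (product, version) is still vulnerable."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]


# Constructed sample inventory: (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("lab-mac-01", "macOS Sierra", "10.12.2"),
    ("lab-mac-02", "macOS Sierra", "10.12.3"),
    ("phone-17", "iOS", "10.2"),
    ("phone-18", "iOS", "10.2.1"),
    ("win-lib-03", "iTunes for Windows", "12.5.4"),
    ("mac-mini-05", "Safari", "10.0.3"),
]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED: {host}")
```

Feed it the (hostname, product, version) rows exported from whatever asset system you use; a version with fewer components than the fixed version (such as "10.2") is treated as the .0 release, which is the conservative reading.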

 

RISK:
Government:

Businesses:

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in watchOS, iOS, tvOS, macOS Sierra, iCloud for Windows, Safari, and iTunes for Windows. The most severe of these vulnerabilities could allow for arbitrary code execution. Details of the vulnerabilities are as follows:

 

·         An arbitrary code execution vulnerability that affects a feature called ‘FontParser’ when processing a maliciously crafted font file. (CVE-2016-4691)

·         An input validation issue in Vim modelines that could allow arbitrary code execution when a maliciously crafted file is opened. (CVE-2016-1248)

·         An arbitrary code execution vulnerability that affects a feature called ‘FontParser’ when processing a maliciously crafted font file. (CVE-2016-4688)

·         A security vulnerability which may allow an attacker to exploit weaknesses in the 3DES cryptographic algorithm. (CVE-2016-4693)

·         An arbitrary code execution vulnerability that affects the ‘CoreMedia Playback’ module when processing a maliciously crafted .mp4 file. (CVE-2016-7588)

·         An arbitrary code execution vulnerability caused by processing maliciously crafted web content. (CVE-2016-7589)

·         A vulnerability in ‘IOHIDFamily’ that could allow arbitrary code execution with kernel privileges. (CVE-2016-7591)

·         An arbitrary code execution vulnerability that affects a feature called ‘ICU’ when processing maliciously crafted web content. (CVE-2016-7594)

·         An arbitrary code execution vulnerability that affects the ‘CoreText’ module when processing a maliciously crafted font file. (CVE-2016-7595)

·         An insufficient initialization vulnerability allowing an application to read kernel memory was addressed by properly initializing memory returned to user space. (CVE-2016-7607)

·         Multiple memory corruption vulnerabilities allowing an application to execute arbitrary code with kernel privileges were addressed through improved input validation. (CVE-2016-7606, CVE-2016-7612)

·         A denial of service vulnerability allowing a local user to cause a system denial of service was addressed through improved memory handling. (CVE-2016-7615)

·         An input validation issue in ‘Disk Images’ that could allow arbitrary code execution with kernel privileges. (CVE-2016-7616)

·         A ‘symlink’ validation vulnerability allowing a local attacker to overwrite existing files. (CVE-2016-7619)

·         A memory management issue allowing a local user to cause an unexpected system termination or execute arbitrary code in the kernel was addressed through improved memory management. (CVE-2016-7621)

·         A denial of service vulnerability that affects the ‘CoreGraphics’ module when processing a maliciously crafted font file. (CVE-2016-7627)

·         A denial of service vulnerability that affects the handling of OCSP responder URLs. (CVE-2016-7636)

·         A memory corruption vulnerability allowing a user to gain root privileges was addressed through improved input validation. (CVE-2016-7637)

·         A security vulnerability that affects a feature called ‘ImageIO’ which may allow for a remote attacker to leak memory. (CVE-2016-7643)

·         A vulnerability that may allow a local application with system privileges to execute arbitrary code with kernel privileges. (CVE-2016-7644)

·         An issue existed in which authorization settings were not reset on app uninstall. This issue was addressed through improved sanitization. (CVE-2016-7651)

·         A memory corruption vulnerability which may allow an application to read kernel memory was addressed through improved input validation. (CVE-2016-7657)

·         Memory corruption issues caused by processing maliciously crafted files, leading to arbitrary code execution, were addressed through improved input validation. (CVE-2016-7658, CVE-2016-7659)

·         A privilege escalation vulnerability in mach port name references which may allow a local user to gain root privileges. (CVE-2016-7660)

·         A memory-corruption vulnerability in the ‘CoreFoundation’ module when processing strings may lead to an unexpected application termination or arbitrary code execution. (CVE-2016-7663)

·         Multiple issues in PHP were addressed by updating to PHP version 5.6.28. (CVE-2016-8670, CVE-2016-9933, CVE-2016-9934)

·         An arbitrary code execution vulnerability triggered by unpacking a maliciously crafted archive was addressed through improved memory handling. (CVE-2016-8687)

·         A prototype access issue, triggered by processing maliciously crafted web content, could allow data exfiltration; it was addressed through improved exception handling. (CVE-2017-2350)

·         A security-bypass vulnerability in the handling of user input that could cause a device to present the home screen even when locked. (CVE-2017-2351)

·         A logic issue which may unlock an Apple Watch when it is off the user's wrist was addressed through improved state management. (CVE-2017-2352)

·         An arbitrary code execution vulnerability in the Bluetooth feature was addressed through improved memory management. (CVE-2017-2353)

·         An arbitrary code execution vulnerability caused by a memory initialization issue exists when processing maliciously crafted web content. (CVE-2017-2355)

·         A security vulnerability may allow an application to determine kernel memory layout due to an uninitialized memory issue. (CVE-2017-2357)

·         A memory corruption issue that could allow arbitrary code execution with kernel privileges was addressed through improved input validation. (CVE-2017-2358)

·         A state management vulnerability in the address bar caused by visiting a malicious website was addressed through improved URL handling. (CVE-2017-2359)

·         A vulnerability that may allow an application to execute arbitrary code with kernel privileges. (CVE-2017-2360)

·         A data exfiltration vulnerability caused by a validation issue when processing maliciously crafted web content. (CVE-2017-2365)

·         A denial of service vulnerability when processing a maliciously crafted contact card may lead to unexpected application termination. (CVE-2017-2368)

·         A buffer overflow that could allow arbitrary code execution with kernel privileges was addressed through improved memory handling. (CVE-2017-2370)

·         An arbitrary code execution vulnerability exists when processing maliciously crafted web content. (CVE-2017-2354, CVE-2017-2362, CVE-2017-2373)

·         Multiple arbitrary code execution vulnerabilities caused by multiple memory corruption issues exist when processing maliciously crafted web content. (CVE-2017-2356, CVE-2017-2369, CVE-2017-2366)

·         Multiple data exfiltration vulnerabilities are caused by processing maliciously crafted web content due to a validation issue existing in the handling of page loading. (CVE-2017-2363, CVE-2017-2364)

 

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

RECOMMENDATIONS:
We recommend the following actions be taken:

·         Apply appropriate patches provided by Apple to vulnerable systems immediately after appropriate testing.

·         Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

·         Remind users not to download, accept, or execute files from untrusted or unknown sources.

·         Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

 

 

 

 

TLP: WHITE

MS-ISAC CYBERSECURITY ADVISORY

 

MS-ISAC ADVISORY NUMBER:

2017-008

 

DATE(S) ISSUED:

01/25/2017

 

SUBJECT:

A Vulnerability in Cisco WebEx Browser Extensions Could Allow for Arbitrary Code Execution

 

OVERVIEW:

A vulnerability has been discovered in the Cisco WebEx browser extension for Windows versions of Chrome, Firefox, and Internet Explorer, which could allow for arbitrary code execution. Cisco has confirmed that this vulnerability does not affect the Cisco WebEx browser extensions for Mac or Linux, or the Cisco WebEx browser extension for Microsoft Edge. The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. Successful exploitation of this vulnerability could result in the attacker gaining control of the affected system.

 

THREAT INTELLIGENCE:

While a proof of concept is available, there are no reports of this vulnerability being actively exploited in the wild.

 

SYSTEMS AFFECTED:

•         Cisco WebEx browser extensions for Windows versions of Chrome, Firefox, and Internet Explorer (Cisco WebEx Extension for Google Chrome versions prior to 1.0.5)


RISK:

Government:

Businesses:

Home users: High

 

TECHNICAL SUMMARY:

A vulnerability has been discovered in the Cisco WebEx browser extensions, which could allow for arbitrary code execution. This vulnerability exists because Cisco’s WebEx browser extensions are activated by a “magic pattern”, "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html", which can be extracted from the extension’s manifest. Any website a user visits, including an attacker-controlled one, could use this magic pattern to remotely activate the visitor’s Cisco WebEx browser extension and execute arbitrary code; no interaction with WebEx itself is required. Successful exploitation of this vulnerability could result in the attacker gaining control of the affected system.
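Because the magic pattern is a fixed string that any site can embed, it is also a usable detection indicator: a request for that string from anything other than a WebEx host is worth an alert. The scan below is an added example and is not part of the MS-ISAC or Cisco advisories; the pattern string is the one quoted above, while the proxy log layout (timestamp, client, method, URL, status), the webex.com allowlist and the log lines are constructed assumptions for illustration.

```python
"""Flag proxy log entries whose URL carries the WebEx activation pattern.

Added example, not from the MS-ISAC or Cisco advisories. MAGIC_PATTERN is
quoted from the advisory; the log format, TRUSTED_SUFFIXES and SAMPLE_LOG
are constructed for illustration.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

MAGIC_PATTERN = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"

# Assumption: only WebEx's own hosts have a legitimate reason to serve the
# pattern. Any other origin embedding it is trying to reach the extension.
TRUSTED_SUFFIXES = ("webex.com",)

# Assumed proxy log layout: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def is_trusted_host(host: str) -> bool:
    """True for webex.com and its subdomains; False for look-alikes such as
    webex.com.evil.example, which ends in 'evil.example', not '.webex.com'."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def suspicious_requests(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, host, url) for each request whose URL contains the
    pattern on a non-WebEx host. The match is case-insensitive and covers
    the whole URL (path, query or fragment), since the advisory says any
    website can use the pattern, not only a particular path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        url = m.group("url")
        if MAGIC_PATTERN not in url.lower():
            continue
        host = (urlparse(url).hostname or "").lower()
        if is_trusted_host(host):
            continue
        hits.append((m.group("client"), host, url))
    return hits


# Constructed sample proxy log: one legitimate WebEx load, one ordinary
# WebEx page, two non-WebEx sites embedding the pattern, one junk line.
SAMPLE_LOG = [
    "2017-01-25T09:00:01Z 10.1.2.3 GET https://www.webex.com/cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html 200",
    "2017-01-25T09:00:05Z 10.1.2.3 GET https://meetings.webex.com/meet/team 200",
    "2017-01-25T09:01:10Z 10.1.2.7 GET https://news.example.net/story/2017/01/cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html 200",
    "2017-01-25T09:01:11Z 10.1.2.7 GET https://webex.com.evil.example/x?p=CWCSF-NATIVEMSG-IFRAME-43c85c0d-d633-af5e-c056-32dc7efc570b.html 404",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, host, url in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT client={client} host={host} url={url}")
```

The allowlist is deliberately a suffix match on the registrable domain, so a host such as webex.com.evil.example is not trusted; a status code of 404 does not clear a hit either, because the extension reacts to the URL the page requests, not to what the server returns.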

 

According to the Cisco advisory, Cisco has begun releasing software updates that address this vulnerability, and no workarounds exist to resolve the issue.

 

Currently, the Cisco WebEx Extension for Google Chrome version 1.0.5 contains a fix for this vulnerability. In order for Chrome users to ensure they are using the fixed version of the Cisco WebEx Extension for Google Chrome the following steps will need to be taken:

 

Internet Explorer users can take the following steps to ensure the Cisco WebEx Add-on is disabled until a patch has been released.

 

Mozilla Firefox has disabled the Cisco WebEx Add-on, and it is no longer available to download until an update has been released.
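For Chrome, the fixed extension version (1.0.5) is visible in the extension's manifest.json on disk, which allows an administrator to audit every profile on a machine without opening each browser. The script below is an added example; it is not the advisory's omitted steps and not Cisco's own tooling. It assumes Chrome's on-disk layout <UserData>/<Profile>/Extensions/<extension-id>/<version>_<n>/manifest.json and the extension ID given in the code (treat that ID as an assumption to verify against your own install), and it builds a constructed sample user-data directory so it runs offline.

```python
"""Find installed copies of the Cisco WebEx Chrome extension older than 1.0.5.

Added example, not Cisco's tooling and not the advisory's own steps.
Assumptions: the Chrome user-data layout, WEBEX_EXTENSION_ID, and the
constructed sample profile. FIXED_VERSION is from the advisory.
"""
import json
import tempfile
from pathlib import Path
from typing import List, Tuple

WEBEX_EXTENSION_ID = "jlhmfgmfgeifomenelglieieghnjghma"  # assumption: verify on your install
FIXED_VERSION = "1.0.5"  # from the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.0.5' -> (1, 0, 5) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def installed_versions(user_data_dir: Path,
                       ext_id: str = WEBEX_EXTENSION_ID) -> List[Tuple[str, str]]:
    """Return (profile name, version) for each installed copy of the extension.

    The version is read from manifest.json rather than from the directory
    name, because Chrome appends a suffix such as _0 to the version folder.
    """
    found = []
    for manifest in sorted(user_data_dir.glob(f"*/Extensions/{ext_id}/*/manifest.json")):
        # .../<Profile>/Extensions/<id>/<version>_0/manifest.json
        profile = manifest.parents[3].name
        with open(manifest, encoding="utf-8") as fh:
            version = json.load(fh)["version"]
        found.append((profile, version))
    return found


def vulnerable_installs(user_data_dir: Path) -> List[Tuple[str, str]]:
    """Profiles whose WebEx extension is older than FIXED_VERSION."""
    fixed = parse_version(FIXED_VERSION)
    return [(profile, version) for profile, version in installed_versions(user_data_dir)
            if parse_version(version) < fixed]


def build_sample_user_data() -> Path:
    """Construct a fake Chrome user-data directory with two profiles:
    'Default' still on 1.0.1 and 'Profile 1' already on 1.0.5."""
    root = Path(tempfile.mkdtemp(prefix="chrome-sample-"))
    for profile, version in (("Default", "1.0.1"), ("Profile 1", "1.0.5")):
        ext_dir = root / profile / "Extensions" / WEBEX_EXTENSION_ID / f"{version}_0"
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(
            json.dumps({"name": "Cisco WebEx Extension", "version": version}),
            encoding="utf-8",
        )
    return root


if __name__ == "__main__":
    # On a real Windows host, point this at %LOCALAPPDATA%\Google\Chrome\User Data
    # instead of the constructed sample directory.
    sample = build_sample_user_data()
    for profile, version in vulnerable_installs(sample):
        print(f"UPDATE NEEDED: profile={profile!r} version={version}")
```

Run it per user profile directory on the endpoint (Chrome keeps one user-data directory per Windows user), and treat any profile reported as below 1.0.5 as still exposed until the extension is updated or removed.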

 

RECOMMENDATIONS:

We recommend the following actions be taken:

 

 

Departments fully managed by ITS will have the updates automatically distributed.  Departments using SCCM and/or Casper to manage their own devices should enable the updates for distribution to their users.  For more information about how you can take advantage of the Enterprise Desktop Services provided by ITS, please visit http://its.unl.edu/desktop

 

 

Don’t hesitate to reach out if you have questions or comments about this notice.

 

Mike

 

 

 

Michael Rutt, CISSP | University of Nebraska | IT Security Coordinator | 402-472-0933 | [log in to unmask]