Apple on Wednesday released OS X Yosemite 10.10.3, which carries close to 80 security fixes, including patches for remote code execution vulnerabilities in a dozen components.
The OS X update shipped the same day as iOS 8.3, an extensive update that patched three dozen code execution and privilege escalation vulnerabilities.
Details are trickling out about some of the vulnerabilities as well. Yahoo, for example, disclosed some insight into a NULL pointer dereference flaw it found in the NVIDIA GeForce graphics driver that ships natively with OS X.
“It is possible for an attacker to exploit this vulnerability by mapping the NULL page which can result in code execution and privilege escalation,” Yahoo said in its advisory. “Using publicly available techniques a 32-bit exploit can be created that maps a page at NULL filled with user controllable data.”
Apple said that it addressed the issue, which occurs in the driver’s handling of certain IOService userclient types, through additional context validation.
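The following C program is an added illustration of the bug class the Yahoo advisory describes and of the kind of validation Apple's note implies; it is not Apple's, NVIDIA's or Yahoo's code, and the dispatch table, handler names and userclient type numbers are all hypothetical. It shows a driver that picks a handler by a user-supplied userclient type and calls through it blindly (the vulnerable shape) beside a version that bounds the type and refuses an empty slot first, plus a small probe of whether the host lets an unprivileged process map the page at address 0, which is what makes such a kernel NULL dereference exploitable in a 32-bit process.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Hypothetical model of a userclient dispatch table: each type maps to a
 * handler, and some slots are NULL because the driver does not implement
 * that type. None of these names come from the real driver. */
typedef int (*uc_handler_t)(unsigned int arg);

static int uc_handler_query(unsigned int arg)  { return (int)(arg + 1); }
static int uc_handler_submit(unsigned int arg) { return (int)(arg * 2); }

#define UC_TYPE_COUNT 4u

/* Only types 0 and 2 are implemented; slots 1 and 3 are NULL. */
static uc_handler_t uc_table[UC_TYPE_COUNT] = {
    uc_handler_query, NULL, uc_handler_submit, NULL
};

/* Vulnerable shape: the caller-chosen type selects a slot and the pointer
 * found there is called without being checked. For type 1 or 3 this is an
 * indirect call through NULL. In a 32-bit process that has mapped a page at
 * address 0 (the technique the advisory refers to), a kernel doing this would
 * execute or consume attacker-controlled bytes instead of faulting.
 * Only ever call this with an implemented type. */
int dispatch_vulnerable(unsigned int type, unsigned int arg)
{
    uc_handler_t h = uc_table[type % UC_TYPE_COUNT]; /* keeps the index in-table for the demo */
    return h(arg);                                   /* h may be NULL */
}

/* Hardened shape, i.e. the "additional context validation" idea: reject an
 * out-of-range type and a NULL slot before any indirect call is made. */
int dispatch_hardened(unsigned int type, unsigned int arg, int *out)
{
    if (type >= UC_TYPE_COUNT)
        return -EINVAL;          /* unknown userclient type */
    uc_handler_t h = uc_table[type];
    if (h == NULL)
        return -ENOTSUP;         /* known type, not implemented by this driver */
    *out = h(arg);
    return 0;
}

/* Probe whether this OS lets the current (unprivileged) process map the NULL
 * page. Returns 1 if the mapping succeeded (it is released immediately),
 * 0 if the kernel refused it. Linux normally refuses via vm.mmap_min_addr;
 * the 32-bit exploit path the advisory mentions depends on it being allowed. */
int null_page_mappable(void)
{
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, 4096);
    return 1;
}

int main(void)
{
    int out = 0;
    printf("type 2 -> rc=%d out=%d\n", dispatch_hardened(2, 21, &out), out);
    printf("type 1 -> rc=%d (refused: slot is NULL)\n", dispatch_hardened(1, 21, &out));
    printf("type 9 -> rc=%d (refused: out of range)\n", dispatch_hardened(9, 21, &out));
    printf("NULL page mappable by this process: %s\n", null_page_mappable() ? "yes" : "no");
    /* dispatch_vulnerable(1, 21) is deliberately not called: it would jump through NULL. */
    return 0;
}
```

The point of the probe is the caveat in Yahoo's wording: a kernel NULL dereference is a crash, not code execution, unless the attacker can place controlled data at address 0, so whether the platform refuses low mappings to unprivileged code is the first thing to check when triaging this bug class.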
A researcher at Sandstorm.io, meanwhile, disclosed some details on one of the nine kernel vulnerabilities Apple patched. The bug allows an attacker to trivially crash a number of network services and apps, including Node.js and Google Chrome, said Kenton Varda.
Varda explained in his report that event-driven OS X network apps could be sent into an infinite loop if they receive a particular packet.
Varda’s kernel bug was one of several denial of service vulnerabilities addressed alongside code execution and privilege escalation flaws, and an ICMP redirect issue that could allow an attacker to redirect traffic to an arbitrary host.
Another of the denial of service bugs, CVE-2015-1102, reported by Andrey Khudyakov and Maxim Zhuravlev of Kaspersky Lab, can be triggered by an attacker in a privileged (on-path) network position and affects Yosemite v10.10 through v10.10.2.
“A state inconsistency existed in the processing of TCP headers,” Apple said. “This issue was addressed through improved state handling.”
Yesterday’s OS X update also patched the following components:
Separately, unlike Google and Mozilla, Apple continues to include the controversial CNNIC root certificate in the OS X Yosemite v10.10 trust store.
Google and Mozilla removed the Chinese certificate authority from their respective trust stores last week after Google discovered that a CNNIC-issued certificate had been used in a man-in-the-middle attack intercepting traffic to a number of Google domains. Most browser vendors immediately blocked the misused certificate, but Google and Mozilla went a step further and dropped the CA altogether, drawing a line in the sand for other CAs: anything that undermines the integrity of certificates will not be tolerated.
Apple sorts the root certificates in its trust store into three categories: Trusted, Always Ask and Blocked. Always Ask roots are not trusted outright, but neither are they blocked; the user is shown a prompt and asked whether to trust the certificate. Blocked roots are ones Apple considers compromised and are never trusted. The CNNIC root is listed as Trusted, so certificates chaining to it are accepted without any prompt.
yahoo-security.tumblr.com/post/115874628495/nvidia-null-pointer-vulnerability-cve-2015-1137
blog.sandstorm.io/news/2015-04-08-osx-security-bug.html
support.apple.com/en-us/HT202858
support.apple.com/en-us/HT204659
threatpost.com/apple-ios-8-3-includes-long-list-of-security-fixes/112072
threatpost.com/apple-leaves-cnnic-root-in-ios-osx-certificate-trust-lists/112086
threatpost.com/google-drops-trust-in-chinese-certificate-authority-cnnic/111974