Ministero dello Sviluppo Economico

CERT Nazionale Italia - Computer Emergency Response Team

Vulnerabilità

Aggiornamenti di sicurezza per prodotti Apple (13 maggio 2019)

apple  Apple TV  Safari   martedì, 14 maggio 2019

Apple ha rilasciato aggiornamenti di sicurezza che risolvono diverse vulnerabilità in macOS, iOS, tvOS, watchOS, SafariApple TV Software.

Apple macOS è un sistema operativo per i computer Mac. Apple iOS è un sistema operativo per iPhone, iPod touch e iPad. Apple tvOS è il sistema operativo per Apple TV. Apple watchOS è il sistema operativo per Apple Watch. Apple Safari è un browser Web disponibile per macOS e Microsoft Windows. Apple TV Software è il software che equipaggia i sistemi Apple TV.

L’aggiornamento per macOS contiene diversi fix di sicurezza che risolvono numerose vulnerabilità, di cui alcune di gravità elevata, in macOS Sierra 10.12.6, macOS High Sierra 10.13.6 e macOS Mojave 10.14.4. Lo sfruttamento delle più gravi tra queste vulnerabilità potrebbe consentire ad un attaccante di accedere ad aree di memoria protette, ottenere privilegi elevati, eseguire codice arbitrario sul sistema o provocare condizioni di denial of service.

Dettagli delle vulnerabilità risolte in macOS (in Inglese):

  • Accessibility Framework: a validation issue may allow an application to read restricted memory (CVE-2019-8603).
  • AMD: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8635).
  • Application Firewall: a logic issue may allow an application to execute arbitrary code with kernel privileges (CVE-2019-8590).
  • CoreAudio: a memory corruption issue may lead to arbitrary code execution processing a maliciously crafted audio file (CVE-2019-8592).
  • CoreAudio: an out-of-bounds read issue may lead to arbitrary code execution processing a maliciously crafted movie file (CVE-2019-8585).
  • DesktopServices: a malicious application may bypass Gatekeeper checks (CVE-2019-8589).
  • Disk Images: a validation issue may allow an application to read restricted memory (CVE-2019-8560).
  • Disk Images: an out-of-bounds read issue may allow an application to read restricted memory (CVE-2019-8560).
  • EFI: an authentication issue may cause a user to be unexpectedly logged in to another user’s account (CVE-2019-8634).
  • Intel Graphics Driver: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8616).
  • Intel Graphics Driver: a memory initialization issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8629).
  • IOAcceleratorFamily: a memory initialization issue may allow an application to execute arbitrary code with system privileges (CVE-2018-4456).
  • IOKit: a validation issue may allow a local user to load unsigned kernel extensions (CVE-2019-8606).
  • Kernel: a use after free issue may allow a malicious application to execute arbitrary code with system privileges (CVE-2019-8605).
  • Kernel: an out-of-bounds read issue may allow a local user to cause unexpected system termination or read kernel memory (CVE-2019-8576).
  • Kernel: a type confusion issue may allow an application to cause unexpected system termination or write kernel memory (CVE-2019-8591).
  • Security: amemory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8604).
  • SQLite: an input validation issue may allow an application to gain elevated privileges (CVE-2019-8577).
  • SQLite: a memory corruption issue may lead to arbitrary code execution via a maliciously crafted SQL query (CVE-2019-8600).
  • SQLite: an input validation issue may allow a malicious application to read restricted memory (CVE-2019-8598).
  • SQLite: a memory corruption issue may allow a malicious application to elevate privileges (CVE-2019-8602).
  • StreamingZip: a validation issue may allow a local user to modify protected parts of the file system (CVE-2019-8568).
  • sysdiagnose: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8574).
  • Touch Bar Support: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8569).
  • WebKit: multiple memory corruption issues may lead to arbitrary code execution processing maliciously crafted web content (CVE-2019-6237, CVE-2019-8571, CVE-2019-8583, CVE-2019-8584, CVE-2019-8586, CVE-2019-8587, CVE-2019-8594, CVE-2019-8595, CVE-2019-8596, CVE-2019-8597, CVE-2019-8601, CVE-2019-8608, CVE-2019-8609, CVE-2019-8610, CVE-2019-8611, CVE-2019-8615, CVE-2019-8619, CVE-2019-8622, CVE-2019-8623, CVE-2019-8628).
  • WebKit: an out-of-bounds read issue may result in the disclosure of process memory processing maliciously crafted web content (CVE-2019-8607).

L’aggiornamento per iOS, disponibile per iPhone 5s e successivo, iPad Air e successivo e and iPod touch 6a generazione, contiene diversi fix di sicurezza che risolvono diverse gravi vulnerabilità che potrebbero consentire ad un attaccante di accedere ad aree di memoria protette, elevare i propri privilegi, eseguire codice arbitrario sul sistema o provocare condizioni di denial of service.

Dettagli delle vulnerabilità risolte in iOS (in Inglese):

  • AppleFileConduit: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8593).
  • Contacts: an input validation issue may allow a malicious application to read restricted memory (CVE-2019-8598).
  • CoreAudio: an out-of-bounds read issue may lead to arbitrary code execution processing a maliciously crafted movie file (CVE-2019-8585).
  • Disk Images: an out-of-bounds read issue may allow an application to read restricted memory (CVE-2019-8560).
  • Kernel: a use after free issue may allow a malicious application to execute arbitrary code with system privileges (CVE-2019-8605).
  • Kernel: an out-of-bounds read issue may allow a local user to cause unexpected system termination or read kernel memory (CVE-2019-8576).
  • Kernel: a type confusion issue may allow an application to cause unexpected system termination or write kernel memory (CVE-2019-8591).
  • Lock Screen: a logic issue may allow a person with physical access to an iOS device to see the email address used for iTunes (CVE-2019-8599).
  • Mail: an input validation issue may lead to a denial of service processing a maliciously crafted message (CVE-2019-8626).
  • Mail Message Framework: a use after free issue may allow a remote attacker to cause arbitrary code execution (CVE-2019-8613).
  • MobileInstallation: a validation issue may allow a local user to modify protected parts of the file system (CVE-2019-8568).
  • MobileLockdown: an input validation issue may allow a malicious application to gain root privileges (CVE-2019-8637).
  • Photos Storage: an access issue may allow a sandboxed process to circumvent sandbox restrictions (CVE-2019-8617).
  • SQLite: an input validation issue may allow an application to gain elevated privileges (CVE-2019-8577).
  • SQLite: a memory corruption issue may lead to arbitrary code execution via a maliciously crafted SQL query (CVE-2019-8600).
  • SQLite: an input validation issue may allow a malicious application to read restricted memory (CVE-2019-8598).
  • SQLite: a memory corruption issue may allow a malicious application to elevate privileges (CVE-2019-8602).
  • Status Bar: the lock screen may show a locked icon after unlocking (CVE-2019-8630).
  • StreamingZip: a validation issue may allow a local user to modify protected parts of the file system (CVE-2019-8568).
  • sysdiagnose: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8574).
  • WebKit: an out-of-bounds read issue may result in the disclosure of process memory processing maliciously crafted web content (CVE-2019-8607).
  • WebKit: multiple memory corruption issues may lead to arbitrary code execution processing maliciously crafted web content (CVE-2019-6237, CVE-2019-8571, CVE-2019-8583, CVE-2019-8584, CVE-2019-8586, CVE-2019-8587, CVE-2019-8594, CVE-2019-8595, CVE-2019-8596, CVE-2019-8597, CVE-2019-8601, CVE-2019-8608, CVE-2019-8609, CVE-2019-8610, CVE-2019-8611, CVE-2019-8615, CVE-2019-8619, CVE-2019-8622, CVE-2019-8623, CVE-2019-8628).
  • Wi-Fi: a user privacy issue may cause a device to be passively tracked by its WiFi MAC address (CVE-2019-8620).

Si raccomanda di scaricare ed applicare gli aggiornamenti di sicurezza messi a disposizione da Apple il più presto possibile.

Per maggiori informazioni sui prodotti vulnerabili e sugli aggiornamenti disponibili è possibile consultare i seguenti bollettini di sicurezza di Apple (in Inglese):

Notizie correlate

Apple risolve vulnerabilità multiple in AirPort

3 giugno 2019

Apple ha rilasciato un aggiornamento di sicurezza per il firmware delle basi Wi-Fi AirPort che risolvere vulnerabilità che potrebbero provocare l’esecuzione di codice in modalità remota o causare condizioni di denial of service.Leggi tutto

Aggiornamenti di sicurezza per prodotti Apple (25 marzo 2019)

26 marzo 2019

Apple ha rilasciato aggiornamenti di sicurezza che risolvono diverse vulnerabilità in macOS, iOS, tvOS, Safari, Xcode, iTunes per Windows e iCloud per Windows.Leggi tutto

Vulnerabilità 0-day nel kernel XNU di macOS

5 marzo 2019

È stata divulgata l'esistenza di una grave vulnerabilità zero-day nel kernel XNU di macOS che potrebbe essere sfruttata per caricare in memoria codice malevolo.Leggi tutto