Ministry of Economic Development

CERT Nazionale Italia - Computer Emergency Response Team

Security updates for Apple products (22 July 2019)

Tuesday, 23 July 2019

Apple has released security updates that fix several vulnerabilities in macOS, iOS, tvOS, watchOS and Safari.

Apple macOS is the operating system for Mac computers. Apple iOS is the operating system for iPhone, iPod touch and iPad. Apple tvOS is the operating system for Apple TV. Apple watchOS is the operating system for Apple Watch. Apple Safari is a web browser available for macOS and Microsoft Windows. Apple TV Software is the software that runs on Apple TV systems.

The macOS update contains several security fixes that address numerous vulnerabilities, some of them of high severity, in macOS Sierra 10.12.6, macOS High Sierra 10.13.6 and macOS Mojave 10.14.5. Exploitation of the most serious of these vulnerabilities could allow an attacker to access protected memory areas, gain elevated privileges, execute arbitrary code on the system or cause denial-of-service conditions.

Details of the vulnerabilities fixed in macOS:

  • AppleGraphicsControl: a validation issue may allow an application to read restricted memory (CVE-2019-8693).
  • autofs: extracting a zip file containing a symbolic link to an endpoint in an NFS mount that is attacker controlled may bypass Gatekeeper (CVE-2019-8656).
  • Bluetooth: a memory corruption issue may allow a remote attacker to cause arbitrary code execution (CVE-2018-19860).
  • Carbon Core: a use after free issue may allow a remote attacker to cause arbitrary code execution (CVE-2019-8661).
  • Core Data: an out-of-bounds read may allow a remote attacker to leak memory (CVE-2019-8646).
  • Core Data: a memory corruption issue may allow a remote attacker to cause unexpected application termination or arbitrary code execution (CVE-2019-8660).
  • Disk Management: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8697).
  • FaceTime: a memory corruption issue may allow a remote attacker to cause arbitrary code execution (CVE-2019-8648).
  • Found in Apps: a remote attacker may be able to leak memory (CVE-2019-8663).
  • Foundation: an out-of-bounds read may allow a remote attacker to cause unexpected application termination or arbitrary code execution (CVE-2019-8641).
  • Grapher: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8695).
  • Graphics Drivers: a validation issue may allow an application to read restricted memory (CVE-2019-8691, CVE-2019-8692).
  • Heimdal: an issue existed in Samba that may allow attackers to perform unauthorized actions by intercepting communications between services (CVE-2018-16860).
  • IOAcceleratorFamily: a memory corruption issue may allow an application to execute arbitrary code with kernel privileges (CVE-2019-8694).
  • libxslt: a stack overflow issue may allow a remote attacker to view sensitive information (CVE-2019-13118).
  • Quick Look: an attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary (CVE-2019-8662).
  • Safari: an inconsistent user interface issue may lead to address bar spoofing when visiting a malicious website (CVE-2019-8670).
  • Security: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8697).
  • Siri: an out-of-bounds read issue may allow a remote attacker to leak memory (CVE-2019-8646).
  • Time Machine: an inconsistent user interface issue may lead to an incorrect encryption status of a Time Machine backup (CVE-2019-8667).
  • UIFoundation: an out-of-bounds read issue may lead to an unexpected application termination or arbitrary code execution parsing a maliciously crafted office document (CVE-2019-8657).
  • WebKit: a logic issue in the handling of document loads may lead to universal cross site scripting processing maliciously crafted web content (CVE-2019-8690).
  • WebKit: a logic issue in the handling of synchronous page loads may lead to universal cross site scripting processing maliciously crafted web content (CVE-2019-8649).
  • WebKit: a logic issue may lead to universal cross site scripting processing maliciously crafted web content (CVE-2019-8658).
  • WebKit: multiple memory corruption issues may lead to arbitrary code execution processing maliciously crafted web content (CVE-2019-8644, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689).

The iOS update, available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation, contains several security fixes that address a number of serious vulnerabilities that could allow an attacker to access protected memory areas, elevate their privileges, execute arbitrary code on the system or cause denial-of-service conditions.

Details of the vulnerabilities fixed in iOS:

  • Core Data: an out-of-bounds read may allow a remote attacker to leak memory (CVE-2019-8646).
  • Core Data: a use after free issue may allow a remote attacker to cause arbitrary code execution (CVE-2019-8647).
  • Core Data: a memory corruption issue may allow a remote attacker to cause unexpected application termination or arbitrary code execution (CVE-2019-8660).
  • FaceTime: a memory corruption issue may allow a remote attacker to cause arbitrary code execution (CVE-2019-8648).
  • Found in Apps: a remote attacker may be able to leak memory (CVE-2019-8663).
  • Foundation: an out-of-bounds read may allow a remote attacker to cause unexpected application termination or arbitrary code execution (CVE-2019-8641).
  • Heimdal: an issue existed in Samba that may allow attackers to perform unauthorized actions by intercepting communications between services (CVE-2018-16860).
  • libxslt: a stack overflow issue may allow a remote attacker to view sensitive information (CVE-2019-13118).
  • Messages: a denial of service issue may allow a remote attacker to cause an unexpected application termination (CVE-2019-8665).
  • Profiles: a validation issue may allow a malicious application to restrict access to websites (CVE-2019-8698).
  • Quick Look: an attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary (CVE-2019-8662).
  • Siri: an out-of-bounds read issue may allow a remote attacker to leak memory (CVE-2019-8646).
  • Telephony: a logic issue in the answering of phone calls may allow the initiator of a phone call to cause the recipient to answer a simultaneous Walkie-Talkie connection (CVE-2019-8699).
  • UIFoundation: an out-of-bounds read issue may lead to an unexpected application termination or arbitrary code execution parsing a maliciously crafted office document (CVE-2019-8657).
  • Wallet: a user may inadvertently complete an in-app purchase while on the lock screen (CVE-2019-8682).
  • WebKit: a logic issue in the handling of document loads may lead to universal cross site scripting processing maliciously crafted web content (CVE-2019-8690).
  • WebKit: a logic issue in the handling of synchronous page loads may lead to universal cross site scripting processing maliciously crafted web content (CVE-2019-8649).
  • WebKit: a logic issue may lead to universal cross site scripting processing maliciously crafted web content (CVE-2019-8658).
  • WebKit: multiple memory corruption issues may lead to arbitrary code execution processing maliciously crafted web content (CVE-2019-8644, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689).
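The two lists above are the kind of input a vulnerability-management team turns into tracking records, and the same identifier can appear more than once (CVE-2019-8697 is listed under both Disk Management and Security; CVE-2019-8646 appears on both macOS and iOS). As an added example that is not part of the original advisory, the following Python script parses entries in the advisory's "Component: description (CVE-...)." form, merges the platform lists into one record per unique CVE, and orders them by a coarse impact class. The sample entries are copied from the lists above; the keyword-based impact and remote/local classification is an assumed heuristic for triage, not an Apple severity rating.

```python
import re

# Matches a CVE identifier such as CVE-2019-8646.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Matches the trailing "(CVE-..., CVE-...)." group that closes each advisory entry.
TRAILING_CVES_RE = re.compile(r"\s*\(CVE-[^)]*\)\.?\s*$")

# Constructed sample: a handful of entries copied from the advisory's macOS and
# iOS lists, chosen so that one CVE appears under two components and another
# appears on both platforms.
ADVISORY = {
    "macOS": [
        "Disk Management: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8697).",
        "Security: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8697).",
        "Siri: an out-of-bounds read issue may allow a remote attacker to leak memory (CVE-2019-8646).",
        "Graphics Drivers: a validation issue may allow an application to read restricted memory (CVE-2019-8691, CVE-2019-8692).",
    ],
    "iOS": [
        "Core Data: an out-of-bounds read may allow a remote attacker to leak memory (CVE-2019-8646).",
        "Messages: a denial of service issue may allow a remote attacker to cause an unexpected application termination (CVE-2019-8665).",
    ],
}

# Assumed coarse impact classes, most severe first; used only for ordering.
IMPACT_RANK = {"code execution": 0, "memory disclosure": 1, "denial of service": 2, "other": 3}


def classify_impact(description):
    """Map an entry's free-text description to a coarse impact class (heuristic)."""
    d = description.lower()
    if "arbitrary code" in d:
        return "code execution"
    if "leak memory" in d or "restricted memory" in d or "sensitive information" in d:
        return "memory disclosure"
    if "denial of service" in d or "termination" in d:
        return "denial of service"
    return "other"


def parse_entry(line):
    """Split one 'Component: description (CVE-...).' line into a record."""
    component, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"not an advisory entry: {line!r}")
    cves = CVE_RE.findall(rest)
    if not cves:
        raise ValueError(f"no CVE identifier in entry: {line!r}")
    description = TRAILING_CVES_RE.sub("", rest).strip()
    return {
        "component": component.strip(),
        "description": description,
        "cves": cves,
        "remote": "remote attacker" in description.lower(),
        "impact": classify_impact(description),
    }


def build_index(advisory):
    """Merge all platform lists into one record per unique CVE identifier."""
    index = {}
    for platform, lines in advisory.items():
        for line in lines:
            entry = parse_entry(line)
            for cve in entry["cves"]:
                rec = index.setdefault(
                    cve, {"platforms": set(), "components": set(), "remote": False, "impact": "other"}
                )
                rec["platforms"].add(platform)
                rec["components"].add(entry["component"])
                # A CVE described as remote in any entry is treated as remotely reachable.
                rec["remote"] = rec["remote"] or entry["remote"]
                # Keep the most severe impact class seen for this CVE.
                if IMPACT_RANK[entry["impact"]] < IMPACT_RANK[rec["impact"]]:
                    rec["impact"] = entry["impact"]
    return index


def prioritize(index):
    """Order CVE ids: worst impact first, remotely reachable before local, then by id."""
    return sorted(index, key=lambda c: (IMPACT_RANK[index[c]["impact"]], not index[c]["remote"], c))


if __name__ == "__main__":
    idx = build_index(ADVISORY)
    for cve in prioritize(idx):
        r = idx[cve]
        reach = "remote" if r["remote"] else "local"
        print(f"{cve}  {r['impact']:<18} {reach:<6} {'/'.join(sorted(r['platforms']))}  "
              f"{', '.join(sorted(r['components']))}")
```

Running the script prints one line per unique CVE, so the four macOS entries and two iOS entries above collapse to five records, with the Disk Management/Security issue listed once against both components.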

It is recommended to download and apply the security updates made available by Apple as soon as possible.

For more information on the vulnerable products and the available updates, see the following Apple security bulletins:
