Ministero dello Sviluppo Economico

CERT Nazionale Italia - Computer Emergency Response Team

Vulnerabilità

Aggiornamenti di sicurezza per prodotti Apple (29 ottobre 2019)

apple  Safari   mercoledì, 30 ottobre 2019

Apple ha rilasciato aggiornamenti di sicurezza che risolvono diverse vulnerabilità in macOS, iOS, iPadOS, tvOS, watchOS e Safari.

Apple macOS è un sistema operativo per i computer Mac. Apple iOS è un sistema operativo per iPhone e iPod touch. Apple iPadOS è un sistema operativo per iPad basato su iOS. Apple tvOS è il sistema operativo per Apple TV. Apple watchOS è il sistema operativo per Apple Watch. Apple Safari è un browser Web disponibile per macOS e Microsoft Windows.

L’aggiornamento per macOS contiene diversi fix di sicurezza che risolvono numerose vulnerabilità, di cui alcune di gravità elevata, in macOS Catalina 10.15, macOS Mojave 10.14.6 e macOS High Sierra 10.13.6. Lo sfruttamento delle più gravi tra queste vulnerabilità potrebbe consentire ad un attaccante di accedere ad aree di memoria protette, ottenere privilegi elevati, eseguire codice arbitrario sul sistema o provocare condizioni di denial of service.

Dettagli delle vulnerabilità risolte in macOS (in Inglese):

  • Accounts: an out-of-bounds read issue may allow a remote attacker to leak memory (CVE-2019-8787).
  • App Store: an authentication issue may allow a local attacker to login to the account of a previously logged in user without valid credentials (CVE-2019-8803).
  • AppleGraphicsControl: a validation issue may allow an application to read restricted memory (CVE-2019-8817).
  • AppleGraphicsControl: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8716).
  • Associated Domains: an issue in the parsing of URLs may lead to data exfiltration (CVE-2019-8788).
  • Audio: a memory corruption issue may lead to arbitrary code execution processing a maliciously crafted audio file (CVE-2019-8706).
  • Audio: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8785, CVE-2019-8797).
  • Books: a validation issue in the handling of symlinks may lead to disclosure of user information parsing a maliciously crafted iBooks file (CVE-2019-8789).
  • Contacts: an inconsistent user interface issue may lead to UI spoofing processing a maliciously contact (CVE-2017-7152).
  • CUPS: an input validation issue may allow an attacker in a privileged network position to leak sensitive user information (CVE-2019-8736).
  • CUPS: a memory consumption issue may lead to heap corruption processing a maliciously crafted string (CVE-2019-8767).
  • CUPS: an attacker in a privileged position may be able to perform a denial of service attack (CVE-2019-8737).
  • File Quarantine: a malicious application may be able to elevate privileges (CVE-2019-8509).
  • File System Events: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8798).
  • Graphics: multiple memory corruption issues may result in unexpected application termination or arbitrary code execution processing a malicious shader (CVE-2018-12152, CVE-2018-12153, CVE-2018-12154).
  • Graphics Driver: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8784).
  • Intel Graphics Driver: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8807).
  • IOGraphics: an out-of-bounds read may allow a local user to cause unexpected system termination or read kernel memory (CVE-2019-8759).
  • iTunes: a dynamic library loading issue may result in arbitrary code execution running the iTunes installer in an untrusted directory (CVE-2019-8801).
  • Kernel: a validation issue may allow an application to read restricted memory (CVE-2019-8794).
  • Kernel: a memory corruption issue may allow an application to execute arbitrary code with kernel privileges (CVE-2019-8786).
  • Kernel: a memory corruption issue may allow a malicious application to determine kernel memory layout (CVE-2019-8744).
  • libxml2: multiple memory corruption issues (CVE-2019-8749, CVE-2019-8756).
  • libxslt: multiple memory corruption issues (CVE-2019-8750).
  • manpages: a validation issue may allow a malicious application to gain root privileges (CVE-2019-8802).
  • PluginKit: a logic issue may allow a local user to check for the existence of arbitrary files (CVE-2019-8708).
  • PluginKit: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8715).
  • System Extensions: a validation issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8805).
  • UIFoundation: parsing a maliciously crafted text file may lead to disclosure of user information (CVE-2019-8761).

L’aggiornamento per iOS e iPadOS, disponibile per iPhone 6s e successivo, iPad Air 2 e successivo, iPad mini 4 e successivo e iPod touch 7a generazione, contiene diversi fix di sicurezza che risolvono diverse gravi vulnerabilità che potrebbero consentire ad un attaccante di accedere ad aree di memoria protette, elevare i propri privilegi, eseguire codice arbitrario sul sistema o provocare condizioni di denial of service.

Dettagli delle vulnerabilità risolte in iOS e iPadOS (in Inglese):

  • Accounts: an out-of-bounds read issue may allow a remote attacker to leak memory (CVE-2019-8787).
  • App Store: an authentication issue may allow a local attacker to login to the account of a previously logged in user without valid credentials (CVE-2019-8803).
  • Associated Domains: an issue in the parsing of URLs may lead to data exfiltration (CVE-2019-8788).
  • Audio: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8785, CVE-2019-8797).
  • AVEVideoEncoder: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8795).
  • Books: a validation issue in the handling of symlinks may lead to disclosure of user information parsing a maliciously crafted iBooks file (CVE-2019-8789).
  • Contacts: an inconsistent user interface issue may lead to UI spoofing processing a maliciously contact (CVE-2017-7152).
  • File System Events: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8798).
  • Graphics Driver: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2019-8784).
  • Kernel: a validation issue may allow an application to read restricted memory (CVE-2019-8794).
  • Kernel: a memory corruption issue may allow an application to execute arbitrary code with kernel privileges (CVE-2019-8786).
  • Setup Assistant: an inconsistency in Wi-Fi network configuration settings may allow an attacker in physical proximity to force a user onto a malicious Wi-Fi network during device setup (CVE-2019-8804).
  • Screen Recording: a consistency issue may allow a local user to record the screen without a visible screen recording indicator (CVE-2019-8793).
  • WebKit: a logic issue may lead to universal cross site scripting processing maliciously crafted web content (CVE-2019-8813).
  • WebKit: multiple memory corruption issues may lead to arbitrary code execution processing maliciously crafted web content (CVE-2019-8782, CVE-2019-8783, CVE-2019-8808, CVE-2019-8811, CVE-2019-8812, CVE-2019-8814, CVE-2019-8816, CVE-2019-8819, CVE-2019-8820, CVE-2019-8821, CVE-2019-8822, CVE-2019-8823).
  • WebKit Process Model: multiple memory corruption issues may lead to arbitrary code execution processing maliciously crafted web content (CVE-2019-8815).

Si raccomanda di scaricare ed applicare gli aggiornamenti di sicurezza messi a disposizione da Apple il più presto possibile.

Per maggiori informazioni sui prodotti vulnerabili e sugli aggiornamenti disponibili è possibile consultare i seguenti bollettini di sicurezza di Apple (in Inglese):

Notizie correlate

Scoperte 17 app su Apple App Store infette da malware

28 ottobre 2019

Gli esperti di sicurezza della società Wandera hanno scoperto sull'App Store di Apple 17 app per iOS che risultano infette da un clicker trojan.Leggi tutto

Apple risolve numerose vulnerabilità in macOS Catalina 10.15

9 ottobre 2019

Apple ha rilasciato macOS Catalina 10.15. Questo aggiornamento contiene diversi fix di sicurezza che risolvono numerose vulnerabilità, di cui alcune di gravità elevata.Leggi tutto

Aggiornamenti di sicurezza per prodotti Apple (27 settembre 2019)

30 settembre 2019

Apple ha rilasciato aggiornamenti di sicurezza che risolvono diverse vulnerabilità in macOS, iOS e iPadOS.Leggi tutto