Apple Patches 'Darwin Nuke,' Other Security Flaws With New OS Releases

Apple iPhone, iPad, and Mac users have one more reason to upgrade to the latest versions of iOS and OS X besides the new Photos app, the 300 additional emoji characters, and several other features that Apple has packed into the operating systems.

The new versions also address a serious security vulnerability that leaves people using devices running OS X 10.10 or iOS 8 open to denial of service attacks.

The flaw, discovered by researchers at Kaspersky Lab, exists in the kernel of Darwin, the open source components on which iOS and OS X are built. Dubbed “Darwin Nuke,” the vulnerability basically allows attackers to remotely activate denial of service attacks that can damage a user’s Mac or iOS device and impact any corporate network to which it is connected, according to an alert issued by Kaspersky Lab today.

The devices affected by the threat include those with 64-bit processors and iOS 8, says Anton Ivanov, senior malware analyst at Kaspersky Lab. Specific devices include iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad Air 2, iPad Mini 2, and iPad Mini 3.

The problem has to do with the manner in which Darwin processes IP packets of a specific size and containing certain invalid IP options. An attacker that knows how to craft such malformed packages can use them to initiate a denial of service attack on any device running OS X 10.10 or iOS 8. “After processing the invalid network packet, the system will crash,” Ivanov said.

“Attackers can send just one incorrect network packet to the victim and the victim's system will crash,” he told Dark Reading.

However, certain specific conditions need to exist in order for someone to be able to exploit the vulnerability. The system can be made to crash only if the size of IP packet header is 60 bytes and the payload itself is less than or equal to 65 bytes, he says. The IP options specified in the packet also need to be deliberately incorrect in terms of size, class, and other features.

The bug appears hard to exploit initially because the prerequisite conditions are not particularly easy to achieve, he said. “But persistent cybercriminals can do so, breaking down devices or even affecting the activity of corporate networks,” Ivanov said.

Though routers and firewalls typically drop incorrectly formed IP packets, they don’t always do so, he noted. Kaspersky’s researchers were able to find several combinations of incorrect IP options that are able to get through Internet routers and perimeter defenses like firewalls. As a result, those using devices running OS X 10.10 and iOS 8 should update to the new OS X Yosemite v10.10.3 and iOS 8.3 releases of the operating systems, he said.

Apple’s new OS X Yosemite v10.10.3 also addresses another serious security flaw -- one discovered by Emil Kvarnhammar, a security researcher at TrueSec.

According to Kvarnhammar, the Admin framework in OS X contains a hidden backdoor Application Programming Interface (API) that would let an attacker gain root access to devices running previous versions of the operating system.

“This is a local privilege escalation to root, which can be used locally or combined with remote code execution exploits," he wrote in an alert yesterday.

Kvarnhammar says he discovered the flaw in October 2014 and reported it to Apple. But he thinks it may have been around since at least 2011 when Mac OS X 10.7 was released. Mac users running OS X 10.9 and older remain vulnerable to the threat because Apple has decided not to issues patches for these versions, he noted in urging people to upgrade to 10.10.3

Apple’s Yosemite v10.10.3 addresses several other flaws as well including several arbitrary code execution flaws reported by various researchers and by Google’s Project Zero vulnerability research group. Apple has published a complete list of patched vulnerabilities in Yosemite v10.10.3 here.