Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/10/2015
03:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Apple Patches 'Darwin Nuke,' Other Security Flaws With New OS Releases

Denial-of-service flaw discovered by researchers at Kaspersky Lab could affect Apple users' corporate networks.

Apple iPhone, iPad, and Mac users have one more reason to upgrade to the latest versions of iOS and OS X besides the new Photos app, the 300 additional emoji characters, and several other features that Apple has packed into the operating systems.

The new versions also address a serious security vulnerability that leaves people using devices running OS X 10.10 or iOS 8 open to denial of service attacks.

The flaw, discovered by researchers at Kaspersky Lab, exists in the kernel of Darwin, the open source components on which iOS and OS X are built. Dubbed “Darwin Nuke,” the vulnerability basically allows attackers to remotely activate denial of service attacks that can damage a user’s Mac or iOS device and impact any corporate network to which it is connected, according to an alert issued by Kaspersky Lab today.

The devices affected by the threat include those with 64-bit processors and iOS 8, says Anton Ivanov, senior malware analyst at Kaspersky Lab. Specific devices include iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad Air 2, iPad Mini 2, and iPad Mini 3.

The problem has to do with the manner in which Darwin processes IP packets of a specific size and containing certain invalid IP options. An attacker that knows how to craft such malformed packages can use them to initiate a denial of service attack on any device running OS X 10.10 or iOS 8. “After processing the invalid network packet, the system will crash,” Ivanov said.

“Attackers can send just one incorrect network packet to the victim and the victim's system will crash,” he told Dark Reading.

However, certain specific conditions need to exist in order for someone to be able to exploit the vulnerability. The system can be made to crash only if the size of IP packet header is 60 bytes and the payload itself is less than or equal to 65 bytes, he says. The IP options specified in the packet also need to be deliberately incorrect in terms of size, class, and other features.

The bug appears hard to exploit initially because the prerequisite conditions are not particularly easy to achieve, he said. “But persistent cybercriminals can do so, breaking down devices or even affecting the activity of corporate networks,” Ivanov said.

Though routers and firewalls typically drop incorrectly formed IP packets, they don’t always do so, he noted. Kaspersky’s researchers were able to find several combinations of incorrect IP options that are able to get through Internet routers and perimeter defenses like firewalls. As a result, those using devices running OS X 10.10 and iOS 8 should update to the new OS X Yosemite v10.10.3 and iOS 8.3 releases of the operating systems, he said.

Apple’s new OS X Yosemite v10.10.3 also addresses another serious security flaw -- one discovered by Emil Kvarnhammar, a security researcher at TrueSec.

According to Kvarnhammar, the Admin framework in OS X contains a hidden backdoor Application Programming Interface (API) that would let an attacker gain root access to devices running previous versions of the operating system.

“This is a local privilege escalation to root, which can be used locally or combined with remote code execution exploits," he wrote in an alert yesterday.

Kvarnhammar says he discovered the flaw in October 2014 and reported it to Apple. But he thinks it may have been around since at least 2011 when Mac OS X 10.7 was released. Mac users running OS X 10.9 and older remain vulnerable to the threat because Apple has decided not to issues patches for these versions, he noted in urging people to upgrade to 10.10.3

Apple’s Yosemite v10.10.3 addresses several other flaws as well including several arbitrary code execution flaws reported by various researchers and by Google’s Project Zero vulnerability research group. Apple has published a complete list of patched vulnerabilities in Yosemite v10.10.3 here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27605
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
CVE-2020-27606
PUBLISHED: 2020-10-21
BigBlueButton before 2.2.8 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
CVE-2020-27607
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or tr...
CVE-2020-27608
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
CVE-2020-27609
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.