
Apple Remote Code Execution with Image Files - amatus
http://blog.talosintel.com/2016/07/apple-image-rce.html
======
mrmondo
I will remind people again that the issue lays within upstream libraries such
as libxml and have the potential to affect not just Apple (although everyone
loves to target a single brand), but other operating systems and software,
remember to keep your software up to date across the board.

Security is everyone's problem.

~~~
microcolonel
The only XML-related bug I see in this group is the SceneKit Collada one; and
as far as I'm aware, it's not the XML parser which fails in this case, it's
SceneKit itself. All of these bugs are the sole responsibility of Apple Inc.

Did you even read any of these advisories before saying Apple didn't do it?

~~~
mrmondo
Did you even read my comment before saying that I said that Apple didn't do
it?

~~~
microcolonel
"I will remind people again that the issue lays within upstream libraries such
as libxml and have the potential to affect not just Apple" < right here, where
you said somebody else did it. These issues do not exist in upstream
libraries.

------
JonathonW
I was about to post that these exploits should be substantially mitigated by
iOS sandboxing (you can get arbitrary code execution, but can't get out of the
exploited process's sandbox without a second exploit), but then saw
CVE-2016-4627 [1] also in the 9.3.3 release notes, which is a local privilege
escalation exploit that allows arbitrary code execution with kernel
privileges.

There's not a ton of detail out there on the second exploit, so I'm not sure
whether or not they can actually be paired to gain kernel privileges remotely.
Still, more than enough reason to take these issues seriously and make sure
you upgrade in a timely manner.

[1] [http://www.securityfocus.com/bid/91831](http://www.securityfocus.com/bid/91831)

------
cantrevealname
If you run an older version of OS X, does Apple supply security updates? How
far back?

I run Mountain Lion (OS X 10.8.5) on one of my systems. For the longest time,
whenever I click "Software Update", it says that there are no updates (though
it does offer OS X El Capitan as an upgrade).

I can understand that Apple or any company doesn't want to support old
software indefinitely, but if security updates _are_ available as separate
packages--without having to do a major OS upgrade--then you'd think that
"Software Update" should offer it!

~~~
blub
I'm pretty sure that they don't, they seem to use the iOS model: either you're
on the latest version or you're insecure.

~~~
NEDM64
You're pretty wrong.

~~~
legooolas
But Apple won't explicitly state which versions are and are not supported, so
everyone could be wrong.

------
inertial
> Image files are an excellent vector for attacks since they can be easily
> distributed over web ...

Reminds me of how easy it was to jailbreak the first iPhone (in 2007) with a
malicious image. No computer required.

- Use a quick hack to enable WiFi on a brand new unactivated phone (for which
you just paid full price).

- Visit a website with a malicious tiff file. Voila!

The best part: the above jailbreak also claimed that they patched the
vulnerability after exploiting it.

[http://www.computerworld.com/article/2539680/security0/new-i...](http://www.computerworld.com/article/2539680/security0/new-iphone--ipod-touch--jailbreak--app-patches-critical-tiff-bug.html)

~~~
madeofpalk
> brand new unactivated phone (for which you just paid full price).

Still can't believe the fact that they let people walk away with a subsidised
phone without a contract to ensure they'll recoup the price.

~~~
mikestew
I'm lost. Between the parentheses it says one has paid "full price", and
therefore unsubsidized (or so I would assume if I paid the full retail price
for a phone).

~~~
UweSchmidt
"This is how I used lockpicks to open the door. Then I proceeded to NOT enter
the house as this would be a crime."

------
eridius
Since nobody else has said it yet, it looks like most, if not all, of these
vulnerabilities would not have happened were the libraries written in Rust.

~~~
JustSomeNobody
I cannot wait until the first nasty exploit due to a Rust vulnerability. I
just can't.

~~~
TillE
Indeed. There's a whole universe of logic bugs that lead to serious exploits.

Memory safety is nice, but I wish Rust evangelists would 1) stop acting like
it's a panacea, and 2) acknowledge that Rust isn't really fully baked yet. I
have various complaints about the language and standard library, but the real
show-stopper is this:
[https://github.com/rust-lang/libc/issues/290](https://github.com/rust-lang/libc/issues/290)

------
stevenh
Which version of iOS is fully patched?

Which version of OS X is fully patched?

Has this even been fixed yet?

~~~
matthew-wegner
9.3.3

10.11.6

Yes.

Previous HN discussion here:
[https://news.ycombinator.com/item?id=12124683](https://news.ycombinator.com/item?id=12124683)

Apple info here:

[https://support.apple.com/en-us/HT206902](https://support.apple.com/en-us/HT206902) (iOS)

[https://support.apple.com/en-us/HT206903](https://support.apple.com/en-us/HT206903) (OS X)

~~~
jacobolus
That is a misleading summary. (And out of context your link to Apple’s support
document is also a bit misleading.)

OS X Security Update 2016-004 applies to v10.9.5, v10.10.5, and v10.11+:
[https://support.apple.com/en-us/HT201222](https://support.apple.com/en-us/HT201222)

------
late2part
This is legit, kids. Take it seriously and upgrade.

------
merpnderp
I'm on vacation and only have access to tethered data. Can I just upgrade
firefox, or do I need to upgrade OSX?

------
Bootvis
Has this exploit been seen in the wild?

~~~
joelesler
No. The Talos Group has the working copies of the exploit.

------
qwertyuiop924
Quick, someone rebuild jailbreak.me!

