Updates released last week by Apple for its productivity apps address a series of vulnerabilities that can be exploited for denial-of-service (DoS) attacks, arbitrary code execution, and user information leakage.
With the release of Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6, Apple resolved multiple input validation issues related to how maliciously crafted documents are parsed. The vulnerabilities were reported to the tech giant by Bruno Morisson of INTEGRITY S.A (CVE-2015-3784), and researchers Behrouz Sadeghipour and Patrik Fehrenbach (CVE-2015-7032).
Sadeghipour and Fehrenbach, who earlier this year reported finding a serious email spoofing flaw in the Google Apps Admin console, identified a vulnerability that can be exploited using a specially crafted document that contains malicious XML data.
Exploitation of the vulnerability, reported to Apple on July 23, can result in user information getting compromised via what is known as an XML External Entity (XXE) attack, Sadeghipour told SecurityWeek on Wednesday.
The researcher pointed to OWASP’s definition of such attacks, which says: “An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.”
According to the expert, an attacker can exploit the vulnerability by sending a specially crafted Pages, Keynote, or Numbers file to the targeted user. Once the document is opened, the malicious XML data it contains is executed and it reaches an external XML file located on a host controlled by the attacker.
The latest versions of Apple’s productivity apps, available for OS X Yosemite v10.10.4 or later and iOS 8.4 or later, also patch a memory corruption issue (CVE-2015-7033) reported by Felix Groebert of the Google Security Team. Exploitation of the flaw using maliciously crafted documents can lead to the unexpected termination of the application opening the file, or arbitrary code execution.
Groebert also reported a memory corruption issue related to how Pages parses maliciously crafted documents (CVE-2015-7034). This vulnerability can also result in unexpected app termination or code execution.
While Apple’s software is generally considered more secure compared to Windows and Android, reports published over the past couple of months have demonstrated that Apple users can still be at risk. Here are some examples:
Apple Working to Patch Gatekeeper Bypass Flaw
XcodeGhost Compiler Malware Targets iOS, OS X Systems
Apple Updates “Sideloading” Process in iOS 9 to Boost App Security
Apple Patches Vulnerabilities in iOS, OS X, iTunes, Xcode