Apple updates its products, fixes iMessages zero-day

On Monday Apple has pushed out updates for its many products: iOS, OS X, OS X Server, Safari, watchOS, tvOS, and Xcode.

Of these, the most eagerly awaited was that for iOS, as it fixes a recently unveiled vulnerability (CVE-2016-1788) that could allow an attacker who is able to bypass Apple’s certificate pinning, intercept TLS connections, inject messages, and record encrypted attachment-type messages to be able to read attachments.

The vulnerability was discovered by a group of Johns Hopkins University researchers, and details about it have been revealed after the update was released.

As computer science professor Matthew Green, who lead the team, explained in his blog post, “Apple iMessage, as implemented in versions of iOS prior to 9.3 and Mac OS X prior to 10.11.4, contains serious flaws in the encryption mechanism that could allow an attacker – who obtains iMessage ciphertexts – to decrypt the payload of certain attachment messages via a slow but remote and silent attack, provided that one sender or recipient device is online. While capturing encrypted messages is difficult in practice on recent iOS devices, thanks to certificate pinning, it could still be conducted by a nation state attacker or a hacker with access to Apple’s servers.”

Their discovery has been documented in depth in this paper.

The majority of the other fixed flaws in iOS could lead to arbitrary code execution, often with kernel privileges, through a specially crafted app or triggered by the processing of maliciously crafted XML, certificate, font file, or web content. Also, two flaws (CVE-2016-0801, CVE-2016-0802) that could allow an attacker with a privileged network position (e.g. on an insecure Wi-Fi network) to execute arbitrary code have been plugged.

The OS X El Capitan 10.11.4 (Security Update 2016-002) also fixes the aforementioned flaws in Messages and Wi-Fi, along with an AppleUSBNetworking (CVE-2016-1734) flaw that could lead to arbitrary code execution if a malicious USB device is connected to the computer, and two bugs in OpenSSH that could result in the leak of sensitive user information (e.g. a client’s private keys) when the user connects to a server.

The OS X Server update fixes for vulnerabilities. One of them has been fixed by removing support for the RC4 cryptographic algorithm.

The Safari update plugs a number of holes, most of them in Webkit. WatchOS 2.2 and tvOS 9.2 fix a lot of the same vulnerabilities that were plugged in the OS X patch, including the Wi-Fi one. Xcode 7.3 brings fixes for three flaws, two of which affect subversion versions prior to 1.7.21 and could result in a malicious server executing arbitrary code on the users’ machine or device.