SecurityTracker.com
Category:   Device (Multimedia)  >   Apple TV
Vendors:   Apple
(Apple Issues Fix for Apple TV) Apple iOS Multiple Flaws Let Remote Users Spoof URLs and Access Files, Apps Gain Elevated Privileges, and Local Users Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1034357
SecurityTracker URL:  http://securitytracker.com/id/1034357
CVE Reference:   CVE-2015-7051, CVE-2015-7055, CVE-2015-7072, CVE-2015-7079
Date:  Dec 9 2015
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 9.1
Description:   Multiple vulnerabilities were reported in Apple iOS. A physically local user can obtain potentially sensitive information. An application can gain elevated privileges. A remote user can obtain files on the target system. A remote user can spoof URLs. Apple TV is affected.

A remote user with access to the backup system can trigger a path validation flaw in Mobile Backup to access restricted areas of the file system [CVE-2015-7037].

An application can exploit a timing bug in the loading of the trust cache to execute arbitrary code with system privileges [CVE-2015-7051].

An application can exploit an access control flaw to execute arbitrary code with system privileges [CVE-2015-7055].

An application can exploit a path validation flaw in Mobile Replayer to execute arbitrary code with system privileges [CVE-2015-7069, CVE-2015-7070].

An application can exploit a segment validation flaw in dyld to execute arbitrary code with system privileges [CVE-2015-7072, CVE-2015-7079].

A physically local user can exploit a flaw in Siri to read notifications of content that is configured to not be displayed on the lock screen [CVE-2015-7080].

A remote user can create a specially crafted web site that, when loaded by the target user, will spoof the displayed URL [CVE-2015-7093].

An application can trigger a memory corruption flaw in the processing of plists to execute arbitrary code with system privileges [CVE-2015-7113].

PanguTeam, Luca Todesco (@qwertyoruiop), Or Safran (www.linkedin.com/profile/view?id=33912591), xisigr of Tencent's Xuanwu LAB (www.tencent.com), and Olivier Goguel of Free Tools Association reported these vulnerabilities.

Impact:   A physically local user can obtain potentially sensitive information on the target system.

An application can gain elevated privileges on the target system.

A remote user can obtain files on the target system.

A remote user can spoof a URL.

Solution:   Apple has issued a fix for CVE-2015-7051, CVE-2015-7055, CVE-2015-7072, and CVE-2015-7079 for Apple TV (9.1).

The Apple advisory is available at:

https://support.apple.com/en-us/HT205640

Vendor URL:  support.apple.com/en-us/HT205640
Cause:   Access control error, Input validation error, State error

Message History:   This archive entry is a follow-up to the message listed below.
Dec 9 2015 Apple iOS Multiple Flaws Let Remote Users Spoof URLs and Access Files, Apps Gain Elevated Privileges, and Local Users Obtain Potentially Sensitive Information



Copyright 2021, SecurityGlobal.net LLC