http://packetstormsecurity.com/files/158874/Safari-Webkit-For-iOS-7.1.2-JIT-Optimization-Bug.html

93849

1037086

https://support.apple.com/HT207269

https://support.apple.com/HT207270

https://support.apple.com/HT207271

https://support.apple.com/HT207275

40654

The remote host is running a version of Mac OS X that is 10.10.5 but is missing Security Update 2016-006, or else it is version 10.11.6 but is missing Security Update 2016-002. It is, therefore, affected by multiple vulnerabilities :

  - A memory corruption issue exists in the     AppleGraphicsControl component due to improper lock     state checking. A local attacker can exploit this, via a     specially crafted application, to execute arbitrary code     with kernel-level privileges. (CVE-2016-4662)

  - A memory corruption issue exists in the NVIDIA Graphics     Driver due to improper validation of user-supplied     input. A local attacker can exploit this to cause a     denial of service condition. (CVE-2016-4663)

  - Multiple flaws exist in the System Boot component due to     improper validation of user-supplied input. A local     attacker can exploit these to terminate the system or     execute arbitrary code with kernel-level privileges.
    (CVE-2016-4669)

  - An out-of-bounds write error exists in the ImageIO     component when parsing PDF files due to improper bounds     checking. An unauthenticated, remote attacker can     exploit this, by convincing a user to open a specially     crafted PDF file, to execute arbitrary code.
    (CVE-2016-4671)

  - A memory corruption issue exists in the Core Image     component when handling JPEG files due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this, by convincing a user     to open a specially crafted JPEG file, to execute     arbitrary code. (CVE-2016-4681)

  - An out-of-bounds read error exists in the ImageIO     component when parsing specially crafted SGI images. An     unauthenticated, remote attacker can exploit this to     disclose potentially sensitive information in process     memory. (CVE-2016-4682)

  - Multiple out-of-bounds read and write errors exist in     the ImageIO component when parsing specially crafted     SGI images. An unauthenticated, remote attacker can     exploit these to disclose potentially sensitive     information, cause a denial of service condition, or     execute arbitrary code. (CVE-2016-4683)

The remote host is running a version of Mac OS X version 10.x prior to 10.12.1, and is affected by multiple vulnerabilities in the following components :

 - AppleMobileFileIntegrity (CVE-2016-7584)
 - AppleGraphicsControl (CVE-2016-4662)
 - AppleSMC (CVE-2016-4678)
 - ATS (CVE-2016-4667, CVE-2016-4674)
 - CFNetwork Proxies (CVE-2016-7579)
 - CoreGraphics (CVE-2016-4673)
 - Core Image (CVE-2016-4681)
 - FaceTime (CVE-2016-7577)
 - FontParser (CVE-2016-4660, CVE-2016-4688)
 - IDS - Connectivity (CVE-2016-4721)
 - ImageIO (CVE-2016-4671, CVE-2016-4682, CVE-2016-4683)
 - Kernel (CVE-2016-4669, CVE-2016-7613)
 - libarchive (CVE-2016-4679)
 - libxpc (CVE-2016-4675)
 - ntfs (CVE-2016-4661)
 - NVIDIA Graphics Drivers (CVE-2016-4663)
 - Security (CVE-2016-4670)
 - Thunderbolt (CVE-2016-4780)

Versions of Apple TV earlier than 10.0.1 are vulnerable to the following issues :

 - A flaw exists in WebKit when handling the location attribute that allows a unauthenticated, remote attacker to bypass the cross-origin policies and disclose sensitive user information. (CVE-2016-4613)
 - An out-of-bounds read error exists in the FontParser component when handling specially crafted font files that allows an unauthenticated, remote attacker to disclose sensitive information. (CVE-2016-4660)
 - An unspecified flaw exists in the Sandbox Profiles component that allows a local attacker, via a specially crafted application, to disclose the metadata of photo directories. (CVE-2016-4664)
 - An unspecified flaw exists in the Sandbox Profiles component that allows a local attacker, via a specially crafted application, to disclose the metadata of audio recordings. (CVE-2016-4665)
 - Multiple memory corruption issues exist in Webkit due to improper validation of user-supplied input.  An unauthenticated, remote attacker can exploit these to execute arbitrary code. (CVE-2016-4666, CVE-2016-4677)
 - Multiple unspecified flaws exist in the System Boot component, within MIG generated code, due to improper validation of input.  A local attacker can exploit these to terminate the system or execute arbitrary code with elevated privileges. (CVE-2016-4669)
 - A memory corruption issue exists in the CoreGraphics component when handling specially crafted JPEG files.  An unauthenticated, remote attacker can exploit this, via a specially crafted file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4673)
 - An unspecified logic issue exists in libxpc that allows a local attacker to execute arbitrary code with root privileges. (CVE-2016-4675)
 - A NULL pointer dereference flaw exists in AppleSMC's smcHandleYPCEvent facility that is due to insufficient locking, which may allow a local attacker to gain elevated privileges. (CVE-2016-4678)
 - A flaw exists in libarchive due to improper path validation when creating temporary files during archive extraction.  An unauthenticated, remote attacker can exploit this, via a symlink attack, to overwrite arbitrary files. (CVE-2016-4679)
 - An unspecified flaw exists in the Kernel component due to improper sanitization of input.  A local attacker can exploit this to disclose kernel memory contents. (CVE-2016-4680)
 - A flaw exists in the CFNetwork Proxies component when handling proxy credentials that allows a man-in-the-middle attacker to disclose sensitive user information. (CVE-2016-7579)
 - A race condition exists in multiple IOKit drivers related to how they use task struct pointers.  This may allow a local attacker to potentially execute arbitrary code with kernel-level privileges. (CVE-2016-7613)

Note that only 4th generation models are affected by these vulnerabilities.

The version of iOS running on the mobile device is prior to 10.1, and is affected by multiple vulnerabilities in the following components :

 - CFNetwork Proxies (CVE-2016-7579)
 - Contacts (CVE-2016-4686)
 - CoreGraphics (CVE-2016-4673)
 - FaceTime (CVE-2016-7577)
 - FontParser (CVE-2016-4660, CVE-2016-4688)
 - IDS - Connectivity (CVE-2016-4721)
 - iTunes (CVE-2016-4685)
 - Kernel (CVE-2016-4669, CVE-2016-4680, CVE-2016-7613)
 - libarchive (CVE-2016-4679)
 - libxpc (CVE-2016-4675)
 - Safari (CVE-2016-7581)
 - Sandbox Profiles (CVE-2016-4664, CVE-2016-4665)
 - Security (CVE-2016-4670)
 - WebKit (CVE-2016-4666, CVE-2016-4677, CVE-2016-7578)

According to its banner, the version of Apple TV on the remote device is prior to 10.0.1. It is, therefore, affected by multiple vulnerabilities :

  - A flaw exists in WebKit when handling the location     attribute that allows an unauthenticated, remote     attacker to bypass the cross-origin policies and     disclose sensitive user information. (CVE-2016-4613)

  - An out-of-bounds read error exists in the FontParser     component when handling specially crafted font files     that allows an unauthenticated, remote attacker to     disclose sensitive information. (CVE-2016-4660)

  - An unspecified flaw exists in the Sandbox Profiles     component that allows a local attacker, via a specially     crafted application, to disclose the metadata of photo     directories. (CVE-2016-4664)

  - An unspecified flaw exists in the Sandbox Profiles     component that allows a local attacker, via a specially     crafted application, to disclose the metadata of audio     recordings. (CVE-2016-4665)

  - Multiple memory corruption issues exist in Webkit due     to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit these to     execute arbitrary code. (CVE-2016-4666, CVE-2016-4677,     CVE-2016-7578)

  - Multiple unspecified flaws exist in the System Boot     component, within MIG generated code, due to improper     validation of input. A local attacker can exploit these     to terminate the system or execute arbitrary code with     elevated privileges. (CVE-2016-4669)

  - A memory corruption issue exists in the CoreGraphics     component when handling specially crafted JPEG files. An     unauthenticated, remote attacker can exploit this, via a     specially crafted file, to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2016-4673)

  - An unspecified logic issue exists in libxpc that allows     a local attacker to execute arbitrary code with root     privileges. (CVE-2016-4675)

  - A flaw exists in libarchive due to improper path     validation when creating temporary files during archive     extraction. An unauthenticated, remote attacker can     exploit this, via a symlink attack, to overwrite     arbitrary files. (CVE-2016-4679)

  - An unspecified flaw exists in the Kernel component due     to improper sanitization of input. A local attacker can     exploit this to disclose kernel memory contents.
    (CVE-2016-4680)

  - An overflow condition exists in the FontParser component     due to improper validation when parsing font files. An     unauthenticated, remote attacker can exploit this to     cause a buffer overflow, resulting in a denial of     service condition or the execution of arbitrary code.
    (CVE-2016-4688)

  - A flaw exists in the CFNetwork Proxies component when     handling proxy credentials that allows a     man-in-the-middle attacker to disclose sensitive user     information. (CVE-2016-7579)

  - A flaw exists in the AppleMobileFileIntegrity component     due to improper validation of code signatures. A local     attacker can exploit this to have a signed executable     substitute code with the same team ID. (CVE-2016-7584)

  - Multiple race conditions exist in various IOKit drivers     related to how they use task struct pointers. A local     attacker can exploit this to execute arbitrary code with     kernel-level privileges. (CVE-2016-7613)

Note that only 4th generation models are affected by these vulnerabilities.

The version of iOS running on the mobile device is prior to 10.1. It is, therefore, affected by multiple vulnerabilities :

  - A flaw exists in the FaceTime component when handling     relayed calls due to inconsistencies in the user     interface. A man-in-the-middle attacker can exploit this     issue to cause a relayed call to continue to transmit     audio while the call appears to be terminated.
    (CVE-2016-4635)

  - An out-of-bounds read error exists in the FontParser     component when handling specially crafted font files     that allows an unauthenticated, remote attacker to     disclose sensitive information. (CVE-2016-4660)

  - An unspecified flaw exists in the Sandbox Profiles     component that allows a local attacker, via a specially     crafted application, to disclose the metadata of photo     directories. (CVE-2016-4664)

  - An unspecified flaw exists in the Sandbox Profiles     component that allows a local attacker, via a specially     crafted application, to disclose the metadata of audio     recordings. (CVE-2016-4665)

  - Multiple memory corruption issues exist in Webkit due     to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit these to     execute arbitrary code. (CVE-2016-4666, CVE-2016-4677)

  - Multiple unspecified flaws exist in the System Boot     component, within MIG generated code, due to improper     validation of input. A local attacker can exploit these     to terminate the system or execute arbitrary code with     elevated privileges. (CVE-2016-4669)

  - A flaw exists in the Security component due to the     program logging the length of passwords. A local     attacker can exploit this to disclose sensitive     information. (CVE-2016-4670)

  - A memory corruption issue exists in the CoreGraphics     component when handling specially crafted JPEG files. An     unauthenticated, remote attacker can exploit this, via a     specially crafted file, to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2016-4673)

  - An unspecified logic issue exists in libxpc that allows     a local attacker to execute arbitrary code with root     privileges. (CVE-2016-4675)

  - A flaw exists in libarchive due to improper path     validation when creating temporary files during archive     extraction. An unauthenticated, remote attacker can     exploit this, via a symlink attack, to overwrite     arbitrary files. (CVE-2016-4679)

  - An unspecified flaw exists in the Kernel component due     to improper sanitization of input. A local attacker can     exploit this to disclose kernel memory contents.
    (CVE-2016-4680)

  - A flaw exists in the Contacts component due to a failure     to revoke an application's access to the Address Book     after its access has been removed in Settings. A local     attacker can exploit this to cause access to persist     after it should have been removed. (CVE-2016-4686)

  - A flaw exists in the CFNetworks component when handling     proxy credentials that allows a man-in-the-middle     attacker to disclose sensitive user information.
    (CVE-2016-7579)

The remote host is running a version of Mac OS X that is 10.12.x prior to macOS 10.12.1. It is, therefore, affected by multiple vulnerabilities in the following components :

  - ATS
  - AppleMobileFileIntegrity
  - AppleSMC
  - CFNetwork Proxies
  - CoreGraphics
  - FaceTime
  - FontParser
  - IDS - Connectivity
  - Kernel
  - libarchive
  - libxpc
  - ntfs
  - Security
  - Thunderbolt

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

ID	Name	Product	Family	Severity
100427	Mac OS X 10.10.5 / 10.11.6 Multiple Vulnerabilities (Security Update 2016-002 / 2016-006)	Nessus	MacOS X Local Security Checks	high
9758	Mac OS X 10.x < 10.12.1 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	high
9757	Apple TV < 10.0.1 Multiple Vulnerabilities	Nessus Network Monitor	Internet Services	high
9756	Apple iOS < 10.1 Multiple Vulnerabilities	Nessus Network Monitor	Mobile Devices	high
94337	Apple TV < 10.0.1 Multiple Vulnerabilities	Nessus	Misc.	high
94330	Apple iOS < 10.1 Multiple Vulnerabilities	Nessus	Mobile Devices	high
94253	macOS 10.12.x < 10.12.1 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high

CVE-2016-4669

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Tenable Plugins