Apple released a number of security bug fixes this week, and one of the more dangerous flaws was found by Google's Project Zero in the XNU kernel at the core of Apple's iOS and macOS platforms.
Ian Beer of Google Project Zero first reported the XNU kernel vulnerability to Apple in February. And, according to Beer, Apple has since shipped two iterations of mitigations before releasing a refactor in macOS 10.12.1 and iOS 10.1.
Beer said the simplest way to describe the kernel vulnerability was, "You cannot hold or use a task struct pointer and expect the [effective user ID (EUID)] of that task to stay the same."
"When a [binary with the set-user-ID (setuid) permission bit set] is executed, it's true that the task's old task and thread ports get invalidated; however, the task struct itself stays the same. There's no fork and no creation of a new task. This means that any pointers to that task struct now point to the task struct of an EUID 0 process," Beer wrote in the Chromium bug report. Ultimately, Beer said this could lead to either a privilege escalation or sandbox-escape exploit.
Beer noted that "this isn't an easy bug class to fix" and required a lot of work from Apple to fix the XNU kernel, which may explain the eight-month lag between his initial report to Apple and release of a full fix.
"Due to the design of XNU, there are task_t pointers everywhere, and the underlying issue affects more than just task_t; threads suffer from the same issue. Apple decided to refactor the execve code to allocate new task and thread structures when loading a binary, which should fix the underlying issue," Beer wrote in a blog post. "This is a considerable amount of work; kudos to Apple for the engineering effort they put into fixing these bugs, and I look forward to the release of the MacOS 10.12.1 XNU source to see the new code."
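To make the bug class and Apple's fix concrete, here is a toy C model constructed for this article; it is not XNU code and the task struct, the subsystem holding a cached pointer, and the EUID values are all invented for illustration. It models what Beer describes above: a setuid exec that mutates the existing task struct in place leaves every earlier pointer to it now naming an EUID-0 task, whereas a refactor that allocates a new task struct on exec leaves stale holders pointing at a dead, unprivileged one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of a kernel task (constructed for this example; real XNU task
 * structs are far richer). The only question it answers: what does a
 * long-lived pointer to the task see after a setuid exec? */
typedef struct task {
    uint32_t euid;        /* effective user ID of the process */
    bool     ports_valid; /* old task/thread ports are invalidated on setuid exec */
    bool     alive;       /* false once the struct no longer represents a live task */
} task_t;

/* Some subsystem that stashed a task_t pointer earlier and consults it later. */
typedef struct {
    task_t *task;
} cached_task_ref_t;

/* Pre-fix behaviour as Beer describes it: exec of a setuid binary invalidates
 * the ports but mutates the same task struct in place, so every cached
 * pointer now refers to an EUID-0 task. */
static task_t *exec_setuid_in_place(task_t *t, uint32_t new_euid)
{
    t->ports_valid = false;
    t->euid = new_euid;   /* credentials change underneath every holder of t */
    return t;
}

/* Post-fix behaviour (the refactor Beer describes): allocate a fresh task
 * struct for the new image and retire the old one, so stale holders keep
 * pointing at a dead, unprivileged task rather than the new privileged one. */
static task_t *exec_setuid_new_task(task_t *old, uint32_t new_euid)
{
    task_t *fresh = calloc(1, sizeof *fresh);
    if (fresh == NULL)
        return NULL;
    fresh->euid = new_euid;
    fresh->ports_valid = true;
    fresh->alive = true;
    old->ports_valid = false;
    old->alive = false;
    return fresh;
}

/* A privilege check made through a cached pointer: does the task it names
 * currently look like a live root task? */
static bool cached_ref_sees_root(const cached_task_ref_t *ref)
{
    return ref->task != NULL && ref->task->alive && ref->task->euid == 0;
}

/* Scenario: an unprivileged task (EUID 501, a constructed value) is referenced
 * by some subsystem, then execs a setuid-root binary. Returns true if the
 * stale reference now passes the root check, i.e. the confusion Beer describes. */
bool stale_ref_sees_root_after_setuid_exec(bool use_new_task_fix)
{
    task_t *t = calloc(1, sizeof *t);
    if (t == NULL)
        return false;
    t->euid = 501;
    t->ports_valid = true;
    t->alive = true;

    cached_task_ref_t ref = { .task = t };      /* pointer taken before exec */

    task_t *cur = use_new_task_fix ? exec_setuid_new_task(t, 0)
                                   : exec_setuid_in_place(t, 0);
    if (cur == NULL) {
        free(t);
        return false;
    }

    bool confused = cached_ref_sees_root(&ref);

    if (cur != t)
        free(cur);
    free(t);
    return confused;
}

int main(void)
{
    printf("in-place exec: stale ref sees root? %s\n",
           stale_ref_sees_root_after_setuid_exec(false) ? "yes" : "no");
    printf("new-task exec: stale ref sees root? %s\n",
           stale_ref_sees_root_after_setuid_exec(true) ? "yes" : "no");
    return 0;
}
```

The model deliberately keeps the old struct around after the fixed exec rather than freeing it: the point of the refactor is that a pointer taken before exec can no longer be confused with the post-exec privileged task, which is why Beer calls it a fix for the underlying issue rather than a patch for one call site.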
Meanwhile, at Pwn2Own 2016 in Tokyo, Tencent's Keen Security Lab team won $375,000 -- plus potential bonuses -- in prizes for two exploits of an iPhone 6s running iOS 10.1 and an exploit of a stock Google Nexus 6P.
Keen Security Lab had partial success installing a rogue application on the iPhone 6s, but did not receive full marks because the app did not persist through a reboot of the phone. Keen Security Lab also made use of a use-after-free bug in the renderer and a memory corruption bug in the sandbox to take photos off an iPhone 6s.