British govt hackers report vulnerabilities to Apple

Were they no longer needed by GCHQ?

Britain's main spy agency has reported two serious operating system vulnerabilities to Apple, as concerns over government stockpiling of zero-day exploits continue.

The Communications Electronics Security Group that reported the flaws is the information assurance arm of the United Kingdom's main signals intelligence agency, the Government Communications Headquarters.

One flaw, with a high common vulnerability scoring system (CVSS) 3.0 rating of 7.8, can be used to cause memory corruption in the IOFireWireFamily kernel extension, used to handle FireWire connectors.

This allows attackers to execute arbitrary code with full operating system kernel privileges, or cause a denial of service via a specially crafted app. It affects OS X versions 10.11.4 and earlier.

Exploits for the IOFireWireFamily are trading for US$2000 to US$5000 (A$2785 to A$6965). Apple patched the flaw in the recent OS X 10.11.5 update.

A second flaw reported by CESG, along with researcher Brandon Azad, affects the operating system kernels in Apple OS X 10.11.4, iOS 9.3.1, tvOS 9.2.0 and watchOS 2.2.0 and earlier. The vulnerability allows attackers to run any code they want at full system privileges.

It is not known if CESG reported the vulnerabilities because they are no longer of use to the agency. Government intelligence agencies around the world are currently balancing two opposing tasks: protecting computer users from exploitable vulnerabilities, and the possibility of using these to collect important information for national security purposes.

The GCHQ information assurance arm has featured prominently in US National Security Agency contractor Edward Snowden's leaked top secret documents. Among its work is the reverse engineering of commercial antivirus software to create opportunities for computer network exploitation attacks.

Copyright © iTnews.com.au . All rights reserved.