Sign-up

ID

VAR-201501-0263


CVE

CVE-2014-8826


TITLE

Apple OS X of LaunchServices In Gatekeeper Vulnerabilities that circumvent protection mechanisms

Trust: 0.8

sources: JVNDB: JVNDB-2015-001302

DESCRIPTION

LaunchServices in Apple OS X before 10.10.2 does not properly handle file-type metadata, which allows attackers to bypass the Gatekeeper protection mechanism via a crafted JAR archive. Supplementary information : CWE Vulnerability type by CWE-19: Data Handling ( Data processing ) Has been identified. Apple Mac OS X is prone to multiple security vulnerabilities. The update addresses new vulnerabilities that affect Bluetooth, CPU Software, CommerceKit Framework, CoreGraphics, CoreSymbolication, Intel Graphics Driver, IOHIDFamily, IOUSBFamily, Kernel, LaunchServices, LoginWindow, Sandbox, SceneKit, security, security_taskgate, Spotlight, SpotlightIndex, sysmond, and UserAccountUpdater components. Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, disclose sensitive information and perform other attacks. Failed attacks may cause denial-of-service conditions. These issues affect OS X prior to 10.10.2. LaunchServices is one of the components that uses a running application to open other applications or documents

Trust: 2.25

sources: NVD: CVE-2014-8826 // JVNDB: JVNDB-2015-001302 // BID: 72341 // BID: 72328 // VULHUB: VHN-76771

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:eqversion:10.10.1

Trust: 1.4

vendor:applemodel:mac os xscope:lteversion:10.10.1

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.10

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.8.5

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.9.5

Trust: 0.8

vendor:applemodel:mac osscope:eqversion:x10.10

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.8.5

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.10.1

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.9.5

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.8.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.9.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.9.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.9.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.7.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.8.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.8.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.8.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.9.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.9

Trust: 0.3

vendor:applemodel:mac osscope:neversion:x10.10.3

Trust: 0.3

vendor:applemodel:mac osscope:neversion:x10.10.2

Trust: 0.3

sources: BID: 72341 // BID: 72328 // JVNDB: JVNDB-2015-001302 // NVD: CVE-2014-8826 // CNNVD: CNNVD-201501-681

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2014-8826
value: MEDIUM

Trust: 1.8

CNNVD: CNNVD-201501-681
value: MEDIUM

Trust: 0.6

VULHUB: VHN-76771
value: MEDIUM

Trust: 0.1

NVD:
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2014-8826
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-76771
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-76771 // JVNDB: JVNDB-2015-001302 // NVD: CVE-2014-8826 // CNNVD: CNNVD-201501-681

PROBLEMTYPE DATA

problemtype:CWE-19

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-76771 // JVNDB: JVNDB-2015-001302 // NVD: CVE-2014-8826

THREAT TYPE

network

Trust: 0.6

sources: BID: 72341 // BID: 72328

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201501-681

CONFIGURATIONS

sources:
            
            
            NVD: CVE-2014-8826

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-76771

PATCH
title:APPLE-SA-2015-01-27-4url:http://lists.apple.com/archives/security-announce/2015/jan/msg00003.html
Trust: 0.8
title:HT204244url:http://support.apple.com/en-us/ht204244
Trust: 0.8
title:HT204244url:http://support.apple.com/ja-jp/ht204244
Trust: 0.8
title:osxupd10.10.2url:http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=53587
Trust: 0.6
title:iPhone7,1_8.1.3_12B466_Restoreurl:http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=53586
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2015-001302 // 
            
            
            
            CNNVD: CNNVD-201501-681

EXTERNAL IDS
db:NVDid:CVE-2014-8826
Trust: 3.1
db:BIDid:72341
Trust: 2.0
db:EXPLOIT-DBid:35934
Trust: 1.7
db:OSVDBid:117659
Trust: 1.7
db:SECTRACKid:1031650
Trust: 1.7
db:PACKETSTORMid:130147
Trust: 1.7
db:BIDid:72328
Trust: 0.9
db:JVNid:JVNVU96447236
Trust: 0.8
db:JVNDBid:JVNDB-2015-001302
Trust: 0.8
db:CNNVDid:CNNVD-201501-681
Trust: 0.7
db:SEEBUGid:SSVID-89438
Trust: 0.1
db:VULHUBid:VHN-76771
Trust: 0.1
sources:
            
            
            VULHUB: VHN-76771 // 
            
            
            
            BID: 72341 // 
            
            
            
            BID: 72328 // 
            
            
            
            JVNDB: JVNDB-2015-001302 // 
            
            
            
            NVD: CVE-2014-8826 // 
            
            
            
            CNNVD: CNNVD-201501-681

REFERENCES
url:https://www.ampliasecurity.com/advisories/os-x-gatekeeper-bypass-vulnerability.html
Trust: 2.0
url:http://lists.apple.com/archives/security-announce/2015/jan/msg00003.html
Trust: 1.7
url:http://www.securityfocus.com/bid/72341
Trust: 1.7
url:http://www.securityfocus.com/archive/1/534567/100/0/threaded
Trust: 1.7
url:http://support.apple.com/ht204244
Trust: 1.7
url:http://www.exploit-db.com/exploits/35934
Trust: 1.7
url:http://seclists.org/fulldisclosure/2015/jan/109
Trust: 1.7
url:http://packetstormsecurity.com/files/130147/os-x-gatekeeper-bypass.html
Trust: 1.7
url:http://www.osvdb.org/117659
Trust: 1.7
url:http://www.securitytracker.com/id/1031650
Trust: 1.7
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/100519
Trust: 1.7
url:http://www.apple.com/macosx/
Trust: 1.2
url:https://support.apple.com/en-us/ht204659
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8826
Trust: 0.8
url:https://jvn.jp/vu/jvnvu96447236/
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8826
Trust: 0.8
url:https://www.securityfocus.com/bid/72328
Trust: 0.6
sources:
            
            
            VULHUB: VHN-76771 // 
            
            
            
            BID: 72341 // 
            
            
            
            BID: 72328 // 
            
            
            
            JVNDB: JVNDB-2015-001302 // 
            
            
            
            NVD: CVE-2014-8826 // 
            
            
            
            CNNVD: CNNVD-201501-681

CREDITS
Vitaliy Toropov working with HP's Zero Day Initiative, Roberto Paleari and Aristide Fattori of Emaze Networks, Sten Petersen, Mike Myers,Ian Beer of Google Project Zero, Ale,Hernan Ochoa from Amplia Security, @PanguTeam, Trammell Hudson of Two Sigma Investments, Alex, of Digital Operatives LLC
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201501-681

SOURCES
db:VULHUBid:VHN-76771
db:BIDid:72341
db:BIDid:72328
db:JVNDBid:JVNDB-2015-001302
db:NVDid:CVE-2014-8826
db:CNNVDid:CNNVD-201501-681

LAST UPDATE DATE
2023-12-18T11:09:50.519000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-76771date:2020-07-17T00:00:00
db:BIDid:72341date:2015-01-27T00:00:00
db:BIDid:72328date:2019-04-12T18:00:00
db:JVNDBid:JVNDB-2015-001302date:2015-02-12T00:00:00
db:NVDid:CVE-2014-8826date:2020-07-17T18:15:12.470
db:CNNVDid:CNNVD-201501-681date:2020-07-20T00:00:00

SOURCES RELEASE DATE
db:VULHUBid:VHN-76771date:2015-01-30T00:00:00
db:BIDid:72341date:2015-01-27T00:00:00
db:BIDid:72328date:2015-01-27T00:00:00
db:JVNDBid:JVNDB-2015-001302date:2015-02-12T00:00:00
db:NVDid:CVE-2014-8826date:2015-01-30T11:59:36.313
db:CNNVDid:CNNVD-201501-681date:2015-01-29T00:00:00