VARIoT IoT vulnerabilities database
| VAR-201507-0437 | CVE-2015-3674 | Apple OS X of afpserver Vulnerable to arbitrary code execution |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
afpserver in Apple OS X before 10.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. Apple Mac OS X is prone to multiple security vulnerabilities.
The update addresses new vulnerabilities that affect Admin Framework, afpserver, apache, AppleGraphicsControl, AppleFSCompression, AppleThunderboltEDMService, ATS, Bluetooth, Display Drivers, Intel Graphics Driver, IOAcceleratorFamily, IOFireWireFamily, Kernel, Install Framework Legacy, kext tools, ntfs, QuickTime, Security, Spotlight, and System Stats components.
Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information, and perform other attacks.
These issues affect OS X prior to 10.10.4
| VAR-201507-0438 | CVE-2015-3675 | Apple OS X Run on Apache HTTP Server In the default settings of HTTP Vulnerability bypassing authentication |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The default configuration of the Apache HTTP Server on Apple OS X before 10.10.4 does not enable the mod_hfs_apple module, which allows remote attackers to bypass HTTP authentication via a crafted URL. Supplementary information : CWE Vulnerability types by CWE-284: Improper Access Control ( Improper access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlExpertly crafted by a third party URL Through HTTP Authentication may be bypassed. Apple Mac OS X is prone to multiple security vulnerabilities.
The update addresses new vulnerabilities that affect Admin Framework, afpserver, apache, AppleGraphicsControl, AppleFSCompression, AppleThunderboltEDMService, ATS, Bluetooth, Display Drivers, Intel Graphics Driver, IOAcceleratorFamily, IOFireWireFamily, Kernel, Install Framework Legacy, kext tools, ntfs, QuickTime, Security, Spotlight, and System Stats components.
Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information, and perform other attacks.
These issues affect OS X prior to 10.10.4. The vulnerability is caused by the program not enabling the mod_hfs_apple module
| VAR-201507-0433 | CVE-2015-3669 | Apple QuickTime of QT Media Foundation Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
QT Media Foundation in Apple QuickTime before 7.7.7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted file, a different vulnerability than CVE-2015-3664 and CVE-2015-3665. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of SGI Image Files. By providing a malformed file, an attacker can overflow a fixed sized region of the heap. This could allow an attacker to execute arbitrary code under the context of the current process.
Versions prior to QuickTime 7.7.7 are vulnerable on Windows 7 and Vista. Apple QuickTime is a multimedia playback software developed by Apple (Apple). The software is capable of handling multiple sources such as digital video, media segments, and more.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3661 : G. Geshev working with HP's Zero Day Initiative
CVE-2015-3662 : kdot working with HP's Zero Day Initiative
CVE-2015-3663 : kdot working with HP's Zero Day Initiative
CVE-2015-3664 : Andrea Micalizzi (rgod) working with HP's Zero Day
Initiative
CVE-2015-3665 : WanderingGlitch of HP's Zero Day Initiative
CVE-2015-3666 : Steven Seeley of Source Incite working with HP's Zero
Day Initiative
CVE-2015-3667 : Ryan Pentney, Richard Johnson of Cisco Talos and Kai
Lu of Fortinet's FortiGuard Labs
CVE-2015-3668 : Kai Lu of Fortinet's FortiGuard Labs
CVE-2015-3669 : kdot working with HP's Zero Day Initiative
QuickTime 7.7.7 may be obtained from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/
You may also update to the latest version of QuickTime via Apple
Software Update, which can be found in the Start menu.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCAAGBQJVkxVvAAoJEBcWfLTuOo7tuGoP/3oURL1tC5dv/+ZDKV/nI9Ug
WOJoeVUIT662wG7JLEEnhS94VAlChogFcgXNIrms72ApocBMxj81NIsjIjJPqmbg
3UgOHVcA7xYCUTvm5Q3Cj4zZRJ14J47GLu3On1bLtpFPcQRsAyeMIwtbawt6vYoB
qiQ7rYvtT02/SBXor0RojmIuo4kMZz2twpjZHGf5aOu/0CzuzA/TPJ1FRALWmvGx
rIy4bS0QPqbzg7A/TT+1X9e7pCdY/Hmn3GMFBk3cX0cLfQN8XHxMU/JJ8ja7vbl4
LfB9xuy6CJL9S1w6W/U5/4WVb5k5AXb9mF1KsfxffBGZnOqLxMGWlbr9holSBRfh
/BRbaLhNG9DQ9DMO9i7sjdFs3uVM9U3M0G/0TPed2+S8WBOgac+x9OCpM3u9aOjP
3nWiA4WDsurl8DFdZwt5mAi+OoocYQARS4g+JghVkBZ982MXGeisamqyec3BQVzs
i75lzDBPp6pW+TJj0GlEFTa2qf/n3YsL5au6RubFHb62qNq7SmmNj0GmBVddZIDd
I3TZ72sqievGv0UMMzYhIWeZCUJmSpsr2tJ9pkdH8SkmsEClGJHtwOscevQIhqPz
WfhRPgPmGE/0QBtDHRciVWxJ9jfH4AG79+69FqEE1QIew/+/hZcK0IJyttqOVli7
3l2PXTYo9ZOODysgzAFn
=Srvg
-----END PGP SIGNATURE-----
| VAR-201507-0457 | CVE-2015-3694 | Apple iOS and Apple OS X of FontParser Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
FontParser in Apple iOS before 8.4 and OS X before 10.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font file, a different vulnerability than CVE-2015-3719. Multiple memory-corruption vulnerabilities
2. Multiple information-disclosure vulnerabilities
3. A security vulnerability
4. Multiple buffer-overflow vulnerabilities
An attacker can leverage these issues to obtain sensitive information, and execute arbitrary code with system privileges. Failed exploit attempts will likely result in denial-of-service conditions. in the United States. FontParser is a font parsing component. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-06-30-1 iOS 8.4
iOS 8.4 is now available and addresses the following:
Application Store
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious universal provisioning profile app may prevent
apps from launching
Description: An issue existed in the install logic for universal
provisioning profile apps, which allowed a collision to occur with
existing bundle IDs. This issue was addressed through improved
collision checking.
CVE-ID
CVE-2015-3722 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei from
FireEye, Inc.
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to intercept network traffic
Description: An intermediate certificate was incorrectly issued by
the certificate authority CNNIC. This issue was addressed through the
addition of a mechanism to trust only a subset of certificates issued
prior to the mis-issuance of the intermediate. Further details are
available at https://support.apple.com/en-us/HT204938
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT204132
CFNetwork HTTPAuthentication
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Following a maliciously crafted URL may lead to arbitrary
code execution
Description: A memory corruption issue existed in handling of
certain URL credentials. This issue was addressed with improved
memory handling.
CVE-ID
CVE-2015-3684 : Apple
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of ICC profiles. These issues were addressed through
improved memory handling.
CVE-ID
CVE-2015-3723 : chaithanya (SegFault) working with HP's Zero Day
Initiative
CVE-2015-3724 : WanderingGlitch of HP's Zero Day Initiative
CoreText
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted text file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of text files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1157
CVE-2015-3685 : Apple
CVE-2015-3686 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3687 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3688 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3689 : Apple
coreTLS
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may intercept
SSL/TLS connections
Description: coreTLS accepted short ephemeral Diffie-Hellman (DH)
keys, as used in export-strength ephemeral DH cipher suites. This
issue, also known as Logjam, allowed an attacker with a privileged
network position to downgrade security to 512-bit DH if the server
supported an export-strength ephemeral DH cipher suite. The issue was
addressed by increasing the default minimum size allowed for DH
ephemeral keys to 768 bits.
CVE-ID
CVE-2015-4000 : The weakdh team at weakdh.org, Hanno Boeck
DiskImages
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An information disclosure issue existed in the
processing of disk images. This issue was addressed through improved
memory management.
CVE-ID
CVE-2015-3690 : Peter Rutenbar working with HP's Zero Day Initiative
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of font files. These issues were addressed through
improved input validation.
CVE-ID
CVE-2015-3694 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3719 : John Villamil (@day6reak), Yahoo Pentest Team
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted .tiff file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
.tiff files. This issue was addressed with improved bounds checking.
CVE-ID
CVE-2015-3703 : Apple
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities exist in libtiff, the most serious
of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in libtiff versions
prior to 4.0.4. They were addressed by updating libtiff to version
4.0.4.
CVE-ID
CVE-2014-8127
CVE-2014-8128
CVE-2014-8129
CVE-2014-8130
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue existed in the handling of
HFS parameters which could have led to the disclosure of kernel
memory layout. This issue was addressed through improved memory
management.
CVE-ID
CVE-2015-3721 : Ian Beer of Google Project Zero
Mail
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted email can replace the message content
with an arbitrary webpage when the message is viewed
Description: An issue existed in the support for HTML email which
allowed message content to be refreshed with an arbitrary webpage.
The issue was addressed through restricted support for HTML content.
CVE-ID
CVE-2015-3710 : Aaron Sigel of vtty.com, Jan Soucek
MobileInstallation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious universal provisioning profile app can prevent a
Watch app from launching
Description: An issue existed in the install logic for universal
provisioning profile apps on the Watch which allowed a collision to
occur with existing bundle IDs. This issue was addressed through
improved collision checking.
CVE-ID
CVE-2015-3725 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei from
FireEye, Inc.
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may compromise user
information on the filesystem
Description: A state management issue existed in Safari that allowed
unprivileged origins to access contents on the filesystem. This issue
was addressed through improved state management.
CVE-ID
CVE-2015-1155 : Joe Vennix of Rapid7 Inc. working with HP's Zero Day
Initiative
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to account
takeover
Description: An issue existed where Safari would preserve the Origin
request header for cross-origin redirects, allowing malicious
websites to circumvent CSRF protections. The issue was addressed
through improved handling of redirects.
CVE-ID
CVE-2015-3658 : Brad Hill of Facebook
Security
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: An integer overflow existed in the Security framework
code for parsing S/MIME e-mail and some other signed or encrypted
objects. This issue was addressed through improved validity checking.
CVE-ID
CVE-2013-1741
SQLite
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflows existed in SQLite's printf
implementation. These issues were addressed through improved bounds
checking.
CVE-ID
CVE-2015-3717 : Peter Rutenbar working with HP's Zero Day Initiative
Telephony
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Maliciously crafted SIM cards may lead to arbitrary code
execution
Description: Multiple input validation issues existed in the parsing
of SIM/UIM payloads. These issues were addressed through improved
payload validation.
CVE-ID
CVE-2015-3726 : Matt Spisak of Endgame
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website by clicking a link may lead to
user interface spoofing
Description: An issue existed in the handling of the rel attribute
in anchor elements. Target objects could get unauthorized access to
link objects. This issue was addressed through improved link type
adherence.
CVE-ID
CVE-2015-1156 : Zachary Durber of Moodle
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-1152 : Apple
CVE-2015-1153 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: An insufficient comparison issue existed in SQLite
authorizer which allowed invocation of arbitrary SQL functions. This
issue was addressed with improved authorization checks.
CVE-ID
CVE-2015-3659 : Peter Rutenbar working with HP's Zero Day Initiative
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted website can access the WebSQL
databases of other websites
Description: An issue existed in the authorization checks for
renaming WebSQL tables which could have allowed a maliciously crafted
website to access databases belonging to other websites. This was
addressed through improved authorization checks.
CVE-ID
CVE-2015-3727 : Peter Rutenbar working with HP's Zero Day Initiative
WiFi Connectivity
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: iOS devices may auto-associate with untrusted access points
advertising a known ESSID but with a downgraded security type
Description: An insufficient comparison issue existed in WiFi
manager's evaluation of known access point advertisements. This issue
was addressed through improved matching of security parameters.
CVE-ID
CVE-2015-3728 : Brian W. Gray of Carnegie Mellon University, Craig
Young from TripWire
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8.4".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVkr+6AAoJEBcWfLTuOo7tfDwP/1db2KLgQP+Pyb6av5awgS4m
hQul1ihU0JO8jAI2ww345v6jMFq7MIAs82DobbRwqtI97aTep5bieqr5qUautlFz
NtC4VQ5PsAyEoTo0cOSpvFOV3av6BdwFeNTI4w39n+bvKn6YUSJD0zswknUtI/G7
lpFx/KxvKBkXBhWWCg3cyVlo3Jap88svlyh9MZ+C0BYFyjZ+ZjYMlDZ6FdzRyBxI
4RHaXUFrtMQk3JAeIadSbevOH2mUwlCB9vDmFOC5BFTrMYV8nd3gyXMy924wLQli
l3gtx+Kgq3+i71Zay7HGmshv06vZop8X82fC/lNZmTQFfNABLLug0ve0tLH9+IRm
516Yb4UxUZ51Pnhbv1wvwqATGoJpK4oFXHsTx0rCVpkcxGMLmeYRyaxQYBUzh+ns
+9tcuqIBsvVudY8LGAF4yUxkmt2K5N6mqu9x+KqVmiI9M7DbBoc+AUNVJpoiEGmt
qB/eqkpGYKvHal3UEV6P3sSM3gBrzb5aFYNa8R31/cE8U+INeKTwd99KNoixJa9y
/rNOSnuwKsuD33NFUpOJo/MW70ts3BrjN8eIvtnZ7/GHVljkQde7LCCJ2k2iQWTW
lp+C5jWsR/2qXoCkG1p2oipBP/2OKo9wRzklkOo+1LJiWY18r/FlRMWqfkFUyMrK
+NEpxWhe8ytzIFIkrXDt
=iv++
-----END PGP SIGNATURE-----
| VAR-201507-0447 | CVE-2015-3684 | Apple iOS and Apple OS X of CFNetwork of HTTPAuthentication Implementation of arbitrary code execution vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
The HTTPAuthentication implementation in CFNetwork in Apple iOS before 8.4 and OS X before 10.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted credentials in a URL. Apple Mac OS X and iOS are prone to the following security vulnerabilities:
1. Multiple memory-corruption vulnerabilities
2. Multiple information-disclosure vulnerabilities
3. A security vulnerability
4. Multiple buffer-overflow vulnerabilities
An attacker can leverage these issues to obtain sensitive information, and execute arbitrary code with system privileges. Failed exploit attempts will likely result in denial-of-service conditions. in the United States. CFNetwork is a low-level, high-performance framework that is an extension of BSD sockets (sockets). -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-06-30-1 iOS 8.4
iOS 8.4 is now available and addresses the following:
Application Store
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious universal provisioning profile app may prevent
apps from launching
Description: An issue existed in the install logic for universal
provisioning profile apps, which allowed a collision to occur with
existing bundle IDs. This issue was addressed through improved
collision checking.
CVE-ID
CVE-2015-3722 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei from
FireEye, Inc.
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to intercept network traffic
Description: An intermediate certificate was incorrectly issued by
the certificate authority CNNIC. This issue was addressed through the
addition of a mechanism to trust only a subset of certificates issued
prior to the mis-issuance of the intermediate. Further details are
available at https://support.apple.com/en-us/HT204938
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT204132
CFNetwork HTTPAuthentication
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Following a maliciously crafted URL may lead to arbitrary
code execution
Description: A memory corruption issue existed in handling of
certain URL credentials. This issue was addressed with improved
memory handling.
CVE-ID
CVE-2015-3684 : Apple
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of ICC profiles. These issues were addressed through
improved memory handling.
CVE-ID
CVE-2015-3723 : chaithanya (SegFault) working with HP's Zero Day
Initiative
CVE-2015-3724 : WanderingGlitch of HP's Zero Day Initiative
CoreText
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted text file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of text files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1157
CVE-2015-3685 : Apple
CVE-2015-3686 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3687 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3688 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3689 : Apple
coreTLS
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may intercept
SSL/TLS connections
Description: coreTLS accepted short ephemeral Diffie-Hellman (DH)
keys, as used in export-strength ephemeral DH cipher suites. This
issue, also known as Logjam, allowed an attacker with a privileged
network position to downgrade security to 512-bit DH if the server
supported an export-strength ephemeral DH cipher suite. The issue was
addressed by increasing the default minimum size allowed for DH
ephemeral keys to 768 bits.
CVE-ID
CVE-2015-4000 : The weakdh team at weakdh.org, Hanno Boeck
DiskImages
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An information disclosure issue existed in the
processing of disk images. This issue was addressed through improved
memory management.
CVE-ID
CVE-2015-3690 : Peter Rutenbar working with HP's Zero Day Initiative
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of font files. These issues were addressed through
improved input validation.
CVE-ID
CVE-2015-3694 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3719 : John Villamil (@day6reak), Yahoo Pentest Team
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted .tiff file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
.tiff files. This issue was addressed with improved bounds checking.
CVE-ID
CVE-2015-3703 : Apple
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities exist in libtiff, the most serious
of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in libtiff versions
prior to 4.0.4. They were addressed by updating libtiff to version
4.0.4.
CVE-ID
CVE-2014-8127
CVE-2014-8128
CVE-2014-8129
CVE-2014-8130
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue existed in the handling of
HFS parameters which could have led to the disclosure of kernel
memory layout. This issue was addressed through improved memory
management.
CVE-ID
CVE-2015-3721 : Ian Beer of Google Project Zero
Mail
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted email can replace the message content
with an arbitrary webpage when the message is viewed
Description: An issue existed in the support for HTML email which
allowed message content to be refreshed with an arbitrary webpage.
The issue was addressed through restricted support for HTML content.
CVE-ID
CVE-2015-3710 : Aaron Sigel of vtty.com, Jan Soucek
MobileInstallation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious universal provisioning profile app can prevent a
Watch app from launching
Description: An issue existed in the install logic for universal
provisioning profile apps on the Watch which allowed a collision to
occur with existing bundle IDs. This issue was addressed through
improved collision checking.
CVE-ID
CVE-2015-3725 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei from
FireEye, Inc.
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may compromise user
information on the filesystem
Description: A state management issue existed in Safari that allowed
unprivileged origins to access contents on the filesystem. This issue
was addressed through improved state management.
CVE-ID
CVE-2015-1155 : Joe Vennix of Rapid7 Inc. working with HP's Zero Day
Initiative
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to account
takeover
Description: An issue existed where Safari would preserve the Origin
request header for cross-origin redirects, allowing malicious
websites to circumvent CSRF protections. The issue was addressed
through improved handling of redirects.
CVE-ID
CVE-2015-3658 : Brad Hill of Facebook
Security
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: An integer overflow existed in the Security framework
code for parsing S/MIME e-mail and some other signed or encrypted
objects. This issue was addressed through improved validity checking.
CVE-ID
CVE-2013-1741
SQLite
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflows existed in SQLite's printf
implementation. These issues were addressed through improved bounds
checking.
CVE-ID
CVE-2015-3717 : Peter Rutenbar working with HP's Zero Day Initiative
Telephony
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Maliciously crafted SIM cards may lead to arbitrary code
execution
Description: Multiple input validation issues existed in the parsing
of SIM/UIM payloads. These issues were addressed through improved
payload validation.
CVE-ID
CVE-2015-3726 : Matt Spisak of Endgame
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website by clicking a link may lead to
user interface spoofing
Description: An issue existed in the handling of the rel attribute
in anchor elements. Target objects could get unauthorized access to
link objects. This issue was addressed through improved link type
adherence.
CVE-ID
CVE-2015-1156 : Zachary Durber of Moodle
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-1152 : Apple
CVE-2015-1153 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: An insufficient comparison issue existed in SQLite
authorizer which allowed invocation of arbitrary SQL functions. This
issue was addressed with improved authorization checks.
CVE-ID
CVE-2015-3659 : Peter Rutenbar working with HP's Zero Day Initiative
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted website can access the WebSQL
databases of other websites
Description: An issue existed in the authorization checks for
renaming WebSQL tables which could have allowed a maliciously crafted
website to access databases belonging to other websites. This was
addressed through improved authorization checks.
CVE-ID
CVE-2015-3727 : Peter Rutenbar working with HP's Zero Day Initiative
WiFi Connectivity
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: iOS devices may auto-associate with untrusted access points
advertising a known ESSID but with a downgraded security type
Description: An insufficient comparison issue existed in WiFi
manager's evaluation of known access point advertisements. This issue
was addressed through improved matching of security parameters.
CVE-ID
CVE-2015-3728 : Brian W. Gray of Carnegie Mellon University, Craig
Young from TripWire
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8.4".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVkr+6AAoJEBcWfLTuOo7tfDwP/1db2KLgQP+Pyb6av5awgS4m
hQul1ihU0JO8jAI2ww345v6jMFq7MIAs82DobbRwqtI97aTep5bieqr5qUautlFz
NtC4VQ5PsAyEoTo0cOSpvFOV3av6BdwFeNTI4w39n+bvKn6YUSJD0zswknUtI/G7
lpFx/KxvKBkXBhWWCg3cyVlo3Jap88svlyh9MZ+C0BYFyjZ+ZjYMlDZ6FdzRyBxI
4RHaXUFrtMQk3JAeIadSbevOH2mUwlCB9vDmFOC5BFTrMYV8nd3gyXMy924wLQli
l3gtx+Kgq3+i71Zay7HGmshv06vZop8X82fC/lNZmTQFfNABLLug0ve0tLH9+IRm
516Yb4UxUZ51Pnhbv1wvwqATGoJpK4oFXHsTx0rCVpkcxGMLmeYRyaxQYBUzh+ns
+9tcuqIBsvVudY8LGAF4yUxkmt2K5N6mqu9x+KqVmiI9M7DbBoc+AUNVJpoiEGmt
qB/eqkpGYKvHal3UEV6P3sSM3gBrzb5aFYNa8R31/cE8U+INeKTwd99KNoixJa9y
/rNOSnuwKsuD33NFUpOJo/MW70ts3BrjN8eIvtnZ7/GHVljkQde7LCCJ2k2iQWTW
lp+C5jWsR/2qXoCkG1p2oipBP/2OKo9wRzklkOo+1LJiWY18r/FlRMWqfkFUyMrK
+NEpxWhe8ytzIFIkrXDt
=iv++
-----END PGP SIGNATURE-----
| VAR-201507-0448 | CVE-2015-3685 | Apple iOS and Apple OS X of CoreText Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted text file, a different vulnerability than CVE-2015-3686, CVE-2015-3687, CVE-2015-3688, and CVE-2015-3689. Multiple memory-corruption vulnerabilities
2. Multiple information-disclosure vulnerabilities
3. A security vulnerability
4. Multiple buffer-overflow vulnerabilities
An attacker can leverage these issues to obtain sensitive information, and execute arbitrary code with system privileges. Failed exploit attempts will likely result in denial-of-service conditions. in the United States. CoreText is one of the text engines that can control text formatting and text layout. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-06-30-1 iOS 8.4
iOS 8.4 is now available and addresses the following:
Application Store
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious universal provisioning profile app may prevent
apps from launching
Description: An issue existed in the install logic for universal
provisioning profile apps, which allowed a collision to occur with
existing bundle IDs. This issue was addressed through improved
collision checking.
CVE-ID
CVE-2015-3722 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei from
FireEye, Inc.
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to intercept network traffic
Description: An intermediate certificate was incorrectly issued by
the certificate authority CNNIC. This issue was addressed through the
addition of a mechanism to trust only a subset of certificates issued
prior to the mis-issuance of the intermediate. Further details are
available at https://support.apple.com/en-us/HT204938
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT204132
CFNetwork HTTPAuthentication
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Following a maliciously crafted URL may lead to arbitrary
code execution
Description: A memory corruption issue existed in handling of
certain URL credentials. This issue was addressed with improved
memory handling.
CVE-ID
CVE-2015-3684 : Apple
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of ICC profiles. These issues were addressed through
improved memory handling.
CVE-ID
CVE-2015-3723 : chaithanya (SegFault) working with HP's Zero Day
Initiative
CVE-2015-3724 : WanderingGlitch of HP's Zero Day Initiative
CoreText
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted text file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of text files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1157
CVE-2015-3685 : Apple
CVE-2015-3686 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3687 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3688 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3689 : Apple
coreTLS
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may intercept
SSL/TLS connections
Description: coreTLS accepted short ephemeral Diffie-Hellman (DH)
keys, as used in export-strength ephemeral DH cipher suites. This
issue, also known as Logjam, allowed an attacker with a privileged
network position to downgrade security to 512-bit DH if the server
supported an export-strength ephemeral DH cipher suite. The issue was
addressed by increasing the default minimum size allowed for DH
ephemeral keys to 768 bits.
CVE-ID
CVE-2015-4000 : The weakdh team at weakdh.org, Hanno Boeck
DiskImages
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An information disclosure issue existed in the
processing of disk images. This issue was addressed through improved
memory management.
CVE-ID
CVE-2015-3690 : Peter Rutenbar working with HP's Zero Day Initiative
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of font files. These issues were addressed through
improved input validation.
CVE-ID
CVE-2015-3694 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3719 : John Villamil (@day6reak), Yahoo Pentest Team
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted .tiff file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
.tiff files. This issue was addressed with improved bounds checking.
CVE-ID
CVE-2015-3703 : Apple
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities exist in libtiff, the most serious
of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in libtiff versions
prior to 4.0.4. They were addressed by updating libtiff to version
4.0.4.
CVE-ID
CVE-2014-8127
CVE-2014-8128
CVE-2014-8129
CVE-2014-8130
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue existed in the handling of
HFS parameters which could have led to the disclosure of kernel
memory layout. This issue was addressed through improved memory
management.
CVE-ID
CVE-2015-3721 : Ian Beer of Google Project Zero
Mail
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted email can replace the message content
with an arbitrary webpage when the message is viewed
Description: An issue existed in the support for HTML email which
allowed message content to be refreshed with an arbitrary webpage.
The issue was addressed through restricted support for HTML content.
CVE-ID
CVE-2015-3710 : Aaron Sigel of vtty.com, Jan Soucek
MobileInstallation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious universal provisioning profile app can prevent a
Watch app from launching
Description: An issue existed in the install logic for universal
provisioning profile apps on the Watch which allowed a collision to
occur with existing bundle IDs. This issue was addressed through
improved collision checking.
CVE-ID
CVE-2015-3725 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei from
FireEye, Inc.
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may compromise user
information on the filesystem
Description: A state management issue existed in Safari that allowed
unprivileged origins to access contents on the filesystem. This issue
was addressed through improved state management.
CVE-ID
CVE-2015-1155 : Joe Vennix of Rapid7 Inc. working with HP's Zero Day
Initiative
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to account
takeover
Description: An issue existed where Safari would preserve the Origin
request header for cross-origin redirects, allowing malicious
websites to circumvent CSRF protections. The issue was addressed
through improved handling of redirects.
CVE-ID
CVE-2015-3658 : Brad Hill of Facebook
Security
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: An integer overflow existed in the Security framework
code for parsing S/MIME e-mail and some other signed or encrypted
objects. This issue was addressed through improved validity checking.
CVE-ID
CVE-2013-1741
SQLite
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflows existed in SQLite's printf
implementation. These issues were addressed through improved bounds
checking.
CVE-ID
CVE-2015-3717 : Peter Rutenbar working with HP's Zero Day Initiative
Telephony
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Maliciously crafted SIM cards may lead to arbitrary code
execution
Description: Multiple input validation issues existed in the parsing
of SIM/UIM payloads. These issues were addressed through improved
payload validation.
CVE-ID
CVE-2015-3726 : Matt Spisak of Endgame
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website by clicking a link may lead to
user interface spoofing
Description: An issue existed in the handling of the rel attribute
in anchor elements. Target objects could get unauthorized access to
link objects. This issue was addressed through improved link type
adherence.
CVE-ID
CVE-2015-1156 : Zachary Durber of Moodle
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-1152 : Apple
CVE-2015-1153 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: An insufficient comparison issue existed in SQLite
authorizer which allowed invocation of arbitrary SQL functions. This
issue was addressed with improved authorization checks.
CVE-ID
CVE-2015-3659 : Peter Rutenbar working with HP's Zero Day Initiative
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted website can access the WebSQL
databases of other websites
Description: An issue existed in the authorization checks for
renaming WebSQL tables which could have allowed a maliciously crafted
website to access databases belonging to other websites. This was
addressed through improved authorization checks.
CVE-ID
CVE-2015-3727 : Peter Rutenbar working with HP's Zero Day Initiative
WiFi Connectivity
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: iOS devices may auto-associate with untrusted access points
advertising a known ESSID but with a downgraded security type
Description: An insufficient comparison issue existed in WiFi
manager's evaluation of known access point advertisements. This issue
was addressed through improved matching of security parameters.
CVE-ID
CVE-2015-3728 : Brian W. Gray of Carnegie Mellon University, Craig
Young from TripWire
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8.4".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVkr+6AAoJEBcWfLTuOo7tfDwP/1db2KLgQP+Pyb6av5awgS4m
hQul1ihU0JO8jAI2ww345v6jMFq7MIAs82DobbRwqtI97aTep5bieqr5qUautlFz
NtC4VQ5PsAyEoTo0cOSpvFOV3av6BdwFeNTI4w39n+bvKn6YUSJD0zswknUtI/G7
lpFx/KxvKBkXBhWWCg3cyVlo3Jap88svlyh9MZ+C0BYFyjZ+ZjYMlDZ6FdzRyBxI
4RHaXUFrtMQk3JAeIadSbevOH2mUwlCB9vDmFOC5BFTrMYV8nd3gyXMy924wLQli
l3gtx+Kgq3+i71Zay7HGmshv06vZop8X82fC/lNZmTQFfNABLLug0ve0tLH9+IRm
516Yb4UxUZ51Pnhbv1wvwqATGoJpK4oFXHsTx0rCVpkcxGMLmeYRyaxQYBUzh+ns
+9tcuqIBsvVudY8LGAF4yUxkmt2K5N6mqu9x+KqVmiI9M7DbBoc+AUNVJpoiEGmt
qB/eqkpGYKvHal3UEV6P3sSM3gBrzb5aFYNa8R31/cE8U+INeKTwd99KNoixJa9y
/rNOSnuwKsuD33NFUpOJo/MW70ts3BrjN8eIvtnZ7/GHVljkQde7LCCJ2k2iQWTW
lp+C5jWsR/2qXoCkG1p2oipBP/2OKo9wRzklkOo+1LJiWY18r/FlRMWqfkFUyMrK
+NEpxWhe8ytzIFIkrXDt
=iv++
-----END PGP SIGNATURE-----
| VAR-201507-0453 | CVE-2015-3690 | Apple iOS and Apple OS X of DiskImages Vulnerability in obtaining important kernel memory layout information in subsystem |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The DiskImages subsystem in Apple iOS before 8.4 and OS X before 10.10.4 allows attackers to obtain sensitive memory-layout information for the kernel via a crafted app. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of DMG files. The issue lies in the handling of GZIP compressed streams. An attacker can leverage this vulnerability to leak the sensitive contents of physical memory. Apple Mac OS X and iOS are prone to the following security vulnerabilities:
1. Multiple memory-corruption vulnerabilities
2. Multiple information-disclosure vulnerabilities
3. A security vulnerability
4. Multiple buffer-overflow vulnerabilities
An attacker can leverage these issues to obtain sensitive information, and execute arbitrary code with system privileges. Failed exploit attempts will likely result in denial-of-service conditions. in the United States. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-06-30-1 iOS 8.4
iOS 8.4 is now available and addresses the following:
Application Store
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious universal provisioning profile app may prevent
apps from launching
Description: An issue existed in the install logic for universal
provisioning profile apps, which allowed a collision to occur with
existing bundle IDs. This issue was addressed through improved
collision checking.
CVE-ID
CVE-2015-3722 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei from
FireEye, Inc.
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to intercept network traffic
Description: An intermediate certificate was incorrectly issued by
the certificate authority CNNIC. This issue was addressed through the
addition of a mechanism to trust only a subset of certificates issued
prior to the mis-issuance of the intermediate. Further details are
available at https://support.apple.com/en-us/HT204938
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT204132
CFNetwork HTTPAuthentication
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Following a maliciously crafted URL may lead to arbitrary
code execution
Description: A memory corruption issue existed in handling of
certain URL credentials. This issue was addressed with improved
memory handling.
CVE-ID
CVE-2015-3684 : Apple
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of ICC profiles. These issues were addressed through
improved memory handling.
CVE-ID
CVE-2015-3723 : chaithanya (SegFault) working with HP's Zero Day
Initiative
CVE-2015-3724 : WanderingGlitch of HP's Zero Day Initiative
CoreText
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted text file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of text files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1157
CVE-2015-3685 : Apple
CVE-2015-3686 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3687 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3688 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3689 : Apple
coreTLS
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may intercept
SSL/TLS connections
Description: coreTLS accepted short ephemeral Diffie-Hellman (DH)
keys, as used in export-strength ephemeral DH cipher suites. This
issue, also known as Logjam, allowed an attacker with a privileged
network position to downgrade security to 512-bit DH if the server
supported an export-strength ephemeral DH cipher suite. The issue was
addressed by increasing the default minimum size allowed for DH
ephemeral keys to 768 bits.
CVE-ID
CVE-2015-4000 : The weakdh team at weakdh.org, Hanno Boeck
DiskImages
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An information disclosure issue existed in the
processing of disk images. This issue was addressed through improved
memory management.
CVE-ID
CVE-2015-3690 : Peter Rutenbar working with HP's Zero Day Initiative
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of font files. These issues were addressed through
improved input validation.
CVE-ID
CVE-2015-3694 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3719 : John Villamil (@day6reak), Yahoo Pentest Team
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted .tiff file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
.tiff files. This issue was addressed with improved bounds checking.
CVE-ID
CVE-2015-3703 : Apple
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities exist in libtiff, the most serious
of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in libtiff versions
prior to 4.0.4. They were addressed by updating libtiff to version
4.0.4.
CVE-ID
CVE-2014-8127
CVE-2014-8128
CVE-2014-8129
CVE-2014-8130
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue existed in the handling of
HFS parameters which could have led to the disclosure of kernel
memory layout. This issue was addressed through improved memory
management.
CVE-ID
CVE-2015-3721 : Ian Beer of Google Project Zero
Mail
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted email can replace the message content
with an arbitrary webpage when the message is viewed
Description: An issue existed in the support for HTML email which
allowed message content to be refreshed with an arbitrary webpage.
The issue was addressed through restricted support for HTML content.
CVE-ID
CVE-2015-3710 : Aaron Sigel of vtty.com, Jan Soucek
MobileInstallation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious universal provisioning profile app can prevent a
Watch app from launching
Description: An issue existed in the install logic for universal
provisioning profile apps on the Watch which allowed a collision to
occur with existing bundle IDs. This issue was addressed through
improved collision checking.
CVE-ID
CVE-2015-3725 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei from
FireEye, Inc.
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may compromise user
information on the filesystem
Description: A state management issue existed in Safari that allowed
unprivileged origins to access contents on the filesystem. This issue
was addressed through improved state management.
CVE-ID
CVE-2015-1155 : Joe Vennix of Rapid7 Inc. working with HP's Zero Day
Initiative
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to account
takeover
Description: An issue existed where Safari would preserve the Origin
request header for cross-origin redirects, allowing malicious
websites to circumvent CSRF protections. The issue was addressed
through improved handling of redirects.
CVE-ID
CVE-2015-3658 : Brad Hill of Facebook
Security
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: An integer overflow existed in the Security framework
code for parsing S/MIME e-mail and some other signed or encrypted
objects. This issue was addressed through improved validity checking.
CVE-ID
CVE-2013-1741
SQLite
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflows existed in SQLite's printf
implementation. These issues were addressed through improved bounds
checking.
CVE-ID
CVE-2015-3717 : Peter Rutenbar working with HP's Zero Day Initiative
Telephony
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Maliciously crafted SIM cards may lead to arbitrary code
execution
Description: Multiple input validation issues existed in the parsing
of SIM/UIM payloads. These issues were addressed through improved
payload validation.
CVE-ID
CVE-2015-3726 : Matt Spisak of Endgame
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website by clicking a link may lead to
user interface spoofing
Description: An issue existed in the handling of the rel attribute
in anchor elements. Target objects could get unauthorized access to
link objects. This issue was addressed through improved link type
adherence.
CVE-ID
CVE-2015-1156 : Zachary Durber of Moodle
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-1152 : Apple
CVE-2015-1153 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: An insufficient comparison issue existed in SQLite
authorizer which allowed invocation of arbitrary SQL functions. This
issue was addressed with improved authorization checks.
CVE-ID
CVE-2015-3659 : Peter Rutenbar working with HP's Zero Day Initiative
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted website can access the WebSQL
databases of other websites
Description: An issue existed in the authorization checks for
renaming WebSQL tables which could have allowed a maliciously crafted
website to access databases belonging to other websites. This was
addressed through improved authorization checks.
CVE-ID
CVE-2015-3727 : Peter Rutenbar working with HP's Zero Day Initiative
WiFi Connectivity
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: iOS devices may auto-associate with untrusted access points
advertising a known ESSID but with a downgraded security type
Description: An insufficient comparison issue existed in WiFi
manager's evaluation of known access point advertisements. This issue
was addressed through improved matching of security parameters.
CVE-ID
CVE-2015-3728 : Brian W. Gray of Carnegie Mellon University, Craig
Young from TripWire
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8.4".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVkr+6AAoJEBcWfLTuOo7tfDwP/1db2KLgQP+Pyb6av5awgS4m
hQul1ihU0JO8jAI2ww345v6jMFq7MIAs82DobbRwqtI97aTep5bieqr5qUautlFz
NtC4VQ5PsAyEoTo0cOSpvFOV3av6BdwFeNTI4w39n+bvKn6YUSJD0zswknUtI/G7
lpFx/KxvKBkXBhWWCg3cyVlo3Jap88svlyh9MZ+C0BYFyjZ+ZjYMlDZ6FdzRyBxI
4RHaXUFrtMQk3JAeIadSbevOH2mUwlCB9vDmFOC5BFTrMYV8nd3gyXMy924wLQli
l3gtx+Kgq3+i71Zay7HGmshv06vZop8X82fC/lNZmTQFfNABLLug0ve0tLH9+IRm
516Yb4UxUZ51Pnhbv1wvwqATGoJpK4oFXHsTx0rCVpkcxGMLmeYRyaxQYBUzh+ns
+9tcuqIBsvVudY8LGAF4yUxkmt2K5N6mqu9x+KqVmiI9M7DbBoc+AUNVJpoiEGmt
qB/eqkpGYKvHal3UEV6P3sSM3gBrzb5aFYNa8R31/cE8U+INeKTwd99KNoixJa9y
/rNOSnuwKsuD33NFUpOJo/MW70ts3BrjN8eIvtnZ7/GHVljkQde7LCCJ2k2iQWTW
lp+C5jWsR/2qXoCkG1p2oipBP/2OKo9wRzklkOo+1LJiWY18r/FlRMWqfkFUyMrK
+NEpxWhe8ytzIFIkrXDt
=iv++
-----END PGP SIGNATURE-----
| VAR-201507-0452 | CVE-2015-3689 | Apple iOS and Apple OS X of CoreText Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted text file, a different vulnerability than CVE-2015-3685, CVE-2015-3686, CVE-2015-3687, and CVE-2015-3688. Multiple memory-corruption vulnerabilities
2. Multiple information-disclosure vulnerabilities
3. A security vulnerability
4. Multiple buffer-overflow vulnerabilities
An attacker can leverage these issues to obtain sensitive information, and execute arbitrary code with system privileges. Failed exploit attempts will likely result in denial-of-service conditions. in the United States. CoreText is one of the text engines that can control text formatting and text layout. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-06-30-1 iOS 8.4
iOS 8.4 is now available and addresses the following:
Application Store
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious universal provisioning profile app may prevent
apps from launching
Description: An issue existed in the install logic for universal
provisioning profile apps, which allowed a collision to occur with
existing bundle IDs. This issue was addressed through improved
collision checking.
CVE-ID
CVE-2015-3722 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei from
FireEye, Inc.
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to intercept network traffic
Description: An intermediate certificate was incorrectly issued by
the certificate authority CNNIC. This issue was addressed through the
addition of a mechanism to trust only a subset of certificates issued
prior to the mis-issuance of the intermediate. Further details are
available at https://support.apple.com/en-us/HT204938
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT204132
CFNetwork HTTPAuthentication
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Following a maliciously crafted URL may lead to arbitrary
code execution
Description: A memory corruption issue existed in handling of
certain URL credentials. This issue was addressed with improved
memory handling.
CVE-ID
CVE-2015-3684 : Apple
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of ICC profiles. These issues were addressed through
improved memory handling.
CVE-ID
CVE-2015-3723 : chaithanya (SegFault) working with HP's Zero Day
Initiative
CVE-2015-3724 : WanderingGlitch of HP's Zero Day Initiative
CoreText
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted text file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of text files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1157
CVE-2015-3685 : Apple
CVE-2015-3686 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3687 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3688 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3689 : Apple
coreTLS
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may intercept
SSL/TLS connections
Description: coreTLS accepted short ephemeral Diffie-Hellman (DH)
keys, as used in export-strength ephemeral DH cipher suites. This
issue, also known as Logjam, allowed an attacker with a privileged
network position to downgrade security to 512-bit DH if the server
supported an export-strength ephemeral DH cipher suite. The issue was
addressed by increasing the default minimum size allowed for DH
ephemeral keys to 768 bits.
CVE-ID
CVE-2015-4000 : The weakdh team at weakdh.org, Hanno Boeck
DiskImages
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An information disclosure issue existed in the
processing of disk images. This issue was addressed through improved
memory management.
CVE-ID
CVE-2015-3690 : Peter Rutenbar working with HP's Zero Day Initiative
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of font files. These issues were addressed through
improved input validation.
CVE-ID
CVE-2015-3694 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3719 : John Villamil (@day6reak), Yahoo Pentest Team
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted .tiff file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
.tiff files. This issue was addressed with improved bounds checking.
CVE-ID
CVE-2015-3703 : Apple
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities exist in libtiff, the most serious
of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in libtiff versions
prior to 4.0.4. They were addressed by updating libtiff to version
4.0.4.
CVE-ID
CVE-2014-8127
CVE-2014-8128
CVE-2014-8129
CVE-2014-8130
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue existed in the handling of
HFS parameters which could have led to the disclosure of kernel
memory layout. This issue was addressed through improved memory
management.
CVE-ID
CVE-2015-3721 : Ian Beer of Google Project Zero
Mail
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted email can replace the message content
with an arbitrary webpage when the message is viewed
Description: An issue existed in the support for HTML email which
allowed message content to be refreshed with an arbitrary webpage.
The issue was addressed through restricted support for HTML content.
CVE-ID
CVE-2015-3710 : Aaron Sigel of vtty.com, Jan Soucek
MobileInstallation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious universal provisioning profile app can prevent a
Watch app from launching
Description: An issue existed in the install logic for universal
provisioning profile apps on the Watch which allowed a collision to
occur with existing bundle IDs. This issue was addressed through
improved collision checking.
CVE-ID
CVE-2015-3725 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei from
FireEye, Inc.
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may compromise user
information on the filesystem
Description: A state management issue existed in Safari that allowed
unprivileged origins to access contents on the filesystem. This issue
was addressed through improved state management.
CVE-ID
CVE-2015-1155 : Joe Vennix of Rapid7 Inc. working with HP's Zero Day
Initiative
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to account
takeover
Description: An issue existed where Safari would preserve the Origin
request header for cross-origin redirects, allowing malicious
websites to circumvent CSRF protections. The issue was addressed
through improved handling of redirects.
CVE-ID
CVE-2015-3658 : Brad Hill of Facebook
Security
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: An integer overflow existed in the Security framework
code for parsing S/MIME e-mail and some other signed or encrypted
objects. This issue was addressed through improved validity checking.
CVE-ID
CVE-2013-1741
SQLite
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflows existed in SQLite's printf
implementation. These issues were addressed through improved bounds
checking.
CVE-ID
CVE-2015-3717 : Peter Rutenbar working with HP's Zero Day Initiative
Telephony
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Maliciously crafted SIM cards may lead to arbitrary code
execution
Description: Multiple input validation issues existed in the parsing
of SIM/UIM payloads. These issues were addressed through improved
payload validation.
CVE-ID
CVE-2015-3726 : Matt Spisak of Endgame
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website by clicking a link may lead to
user interface spoofing
Description: An issue existed in the handling of the rel attribute
in anchor elements. Target objects could get unauthorized access to
link objects. This issue was addressed through improved link type
adherence.
CVE-ID
CVE-2015-1156 : Zachary Durber of Moodle
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-1152 : Apple
CVE-2015-1153 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: An insufficient comparison issue existed in SQLite
authorizer which allowed invocation of arbitrary SQL functions. This
issue was addressed with improved authorization checks.
CVE-ID
CVE-2015-3659 : Peter Rutenbar working with HP's Zero Day Initiative
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted website can access the WebSQL
databases of other websites
Description: An issue existed in the authorization checks for
renaming WebSQL tables which could have allowed a maliciously crafted
website to access databases belonging to other websites. This was
addressed through improved authorization checks.
CVE-ID
CVE-2015-3727 : Peter Rutenbar working with HP's Zero Day Initiative
WiFi Connectivity
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: iOS devices may auto-associate with untrusted access points
advertising a known ESSID but with a downgraded security type
Description: An insufficient comparison issue existed in WiFi
manager's evaluation of known access point advertisements. This issue
was addressed through improved matching of security parameters.
CVE-ID
CVE-2015-3728 : Brian W. Gray of Carnegie Mellon University, Craig
Young from TripWire
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8.4".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVkr+6AAoJEBcWfLTuOo7tfDwP/1db2KLgQP+Pyb6av5awgS4m
hQul1ihU0JO8jAI2ww345v6jMFq7MIAs82DobbRwqtI97aTep5bieqr5qUautlFz
NtC4VQ5PsAyEoTo0cOSpvFOV3av6BdwFeNTI4w39n+bvKn6YUSJD0zswknUtI/G7
lpFx/KxvKBkXBhWWCg3cyVlo3Jap88svlyh9MZ+C0BYFyjZ+ZjYMlDZ6FdzRyBxI
4RHaXUFrtMQk3JAeIadSbevOH2mUwlCB9vDmFOC5BFTrMYV8nd3gyXMy924wLQli
l3gtx+Kgq3+i71Zay7HGmshv06vZop8X82fC/lNZmTQFfNABLLug0ve0tLH9+IRm
516Yb4UxUZ51Pnhbv1wvwqATGoJpK4oFXHsTx0rCVpkcxGMLmeYRyaxQYBUzh+ns
+9tcuqIBsvVudY8LGAF4yUxkmt2K5N6mqu9x+KqVmiI9M7DbBoc+AUNVJpoiEGmt
qB/eqkpGYKvHal3UEV6P3sSM3gBrzb5aFYNa8R31/cE8U+INeKTwd99KNoixJa9y
/rNOSnuwKsuD33NFUpOJo/MW70ts3BrjN8eIvtnZ7/GHVljkQde7LCCJ2k2iQWTW
lp+C5jWsR/2qXoCkG1p2oipBP/2OKo9wRzklkOo+1LJiWY18r/FlRMWqfkFUyMrK
+NEpxWhe8ytzIFIkrXDt
=iv++
-----END PGP SIGNATURE-----
| VAR-201507-0424 | CVE-2015-3660 | Apple Safari Used in etc. WebKit of PDF Cross-site scripting vulnerability in functionality |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the PDF functionality in WebKit in Apple Safari before 6.2.7, 7.x before 7.1.7, and 8.x before 8.0.7 allows remote attackers to inject arbitrary web script or HTML via a crafted URL in embedded PDF content. Apple Safari Used in etc.
Successful exploits may allow the attacker to gain access to sensitive information. Information obtained may lead to further attacks. Apple Safari is a web browser of Apple (Apple), the default browser included with Mac OS X and iOS operating systems. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. The following versions are affected: Apple Safari prior to 6.2.7, 7.x prior to 7.1.7, and 8.x prior to 8.0.7. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-06-30-4 Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7
Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7 are now available and
address the following:
WebKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
and OS X Yosemite v10.10.3
Impact: A maliciously crafted website can access the WebSQL
databases of other websites
Description: An issue existed in the authorization checks for
renaming WebSQL tables. This could have allowed a maliciously crafted
website to access databases belonging to other websites. The issue
was addressed with improved authorization checks.
CVE-ID
CVE-2015-3727 : Peter Rutenbar working with HP's Zero Day Initiative
WebKit Page Loading
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
and OS X Yosemite v10.10.3
Impact: Visiting a maliciously crafted website may lead to account
account takeover
Description: An issue existed where Safari would preserve the Origin
request header for cross-origin redirects, allowing malicious
websites to circumvent CSRF protections. This issue was addressed
through improved handling of redirects.
CVE-ID
CVE-2015-3658 : Brad Hill of Facebook
WebKit PDF
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
and OS X Yosemite v10.10.3
Impact: Clicking a maliciously crafted link in a PDF embedded in a
webpage may lead to cookie theft or user information leakage
Description: An issue existed with PDF-embedded links which could
execute JavaScript in a hosting webpage's context. This issue was
addressed by restricting the support for JavaScript links.
CVE-ID
CVE-2015-3660 : Apple
WebKit Storage
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
and OS X Yosemite v10.10.3
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: An insufficient comparison issue existed in SQLite
authorizer which allowed invocation of arbitrary SQL functions. This
issue was addressed with improved authorization checks.
CVE-ID
CVE-2015-3659 : Peter Rutenbar working with HP's Zero Day Initiative
Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7 may be obtained from
the Mac App Store.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVke9DAAoJEBcWfLTuOo7tE7oP/0PWt+3zpRGevnWaTR1cdCSR
ixlIqZ+OrwfGluIpnQIrMx8Lw2F954/Afcv68QW5pDwU02UYIiHXFiryFG2YYu6k
+n1mnqY/5n3uo3+V18Tfi7q8WFoEfi607PbXUt/Q3FCu+NuQBl3nrVWo53f+a44v
Pb08QVMyj+g0KWNoMudA7T/G9yXsnZFm6rBKkl1D+2Cwyx/DB2i4guHleJNawM/m
8vCgIc4FReFOz03EqW3Vzqp3qWd4AovRLX8iG+62mUU8AgAVVurJdhxPNjqzmoAi
Zg1MDM2un4Op6QvLpJzG9zwW5/s+H8GVLPIYnK+uASu5UR0EU3yqb0UOCHbyG6iI
DFaRDyHXaNBWglFxRdl/Lvbz/ZQyAdc3MJMaHOSHchvu7CX3x2szTKkPr1nd/7bS
RB5JWTBKjz9G0zOp4d44u49oW4/43yV/kcjs7isBKyzPpO67dzukMDjjeKlkYAVE
gOoYtQMcorh2PrMEAW7MN2jB9R0f7gEOr2txRLgy0NakI/W+WVK8wysbDNvsjEE4
9UynLpQHqmlEL68ZyXGPrbn7Q4dO3qdL3fYsCp/57o7wDkIfASBehTet4Va3yobr
ZikiQkMU9QnYYWiN0whHzgtq+ONFg8B3hroD9XgfpG8kldjXyI6cOj6QY9e276m4
U31+XzCwLCTXylgolNOw
=9Wfv
-----END PGP SIGNATURE-----
| VAR-201507-0422 | CVE-2015-3728 | Apple iOS Wireless LAN Vulnerabilities that automatically trigger association with any security type in the connection function |
CVSS V2: 4.8 CVSS V3: - Severity: MEDIUM |
The WiFi Connectivity feature in Apple iOS before 8.4 allows remote Wi-Fi access points to trigger an automatic association, with an arbitrary security type, by operating with a recognized ESSID within an 802.11 network's coverage area. Supplementary information : CWE Vulnerability type by CWE-254: Security Features ( Security function ) Has been identified. Apple iOS is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, perform unauthorized actions, bypass security restrictions, and perform other attacks.
Versions prior to iOS 8.4 are vulnerable. Apple iOS is an operating system developed by Apple (Apple) for mobile devices
| VAR-201507-0449 | CVE-2015-3686 | Apple iOS and Apple OS X of CoreText Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted text file, a different vulnerability than CVE-2015-3685, CVE-2015-3687, CVE-2015-3688, and CVE-2015-3689. Multiple memory-corruption vulnerabilities
2. Multiple information-disclosure vulnerabilities
3. A security vulnerability
4. Multiple buffer-overflow vulnerabilities
An attacker can leverage these issues to obtain sensitive information, and execute arbitrary code with system privileges. Failed exploit attempts will likely result in denial-of-service conditions. in the United States. CoreText is one of the text engines that can control text formatting and text layout.
CVE-ID
CVE-2015-1152 : Apple
CVE-2015-1153 : Apple
CVE-2015-3730 : Apple
CVE-2015-3731 : Apple
CVE-2015-3733 : Apple
CVE-2015-3734 : Apple
CVE-2015-3735 : Apple
CVE-2015-3736 : Apple
CVE-2015-3737 : Apple
CVE-2015-3738 : Apple
CVE-2015-3739 : Apple
CVE-2015-3740 : Apple
CVE-2015-3741 : Apple
CVE-2015-3742 : Apple
CVE-2015-3743 : Apple
CVE-2015-3744 : Apple
CVE-2015-3745 : Apple
CVE-2015-3746 : Apple
CVE-2015-3747 : Apple
CVE-2015-3748 : Apple
CVE-2015-3749 : Apple
CVE-2015-5789 : Apple
CVE-2015-5790 : Apple
CVE-2015-5791 : Apple
CVE-2015-5792 : Apple
CVE-2015-5793 : Apple
CVE-2015-5794 : Apple
CVE-2015-5795 : Apple
CVE-2015-5796 : Apple
CVE-2015-5797 : Apple
CVE-2015-5798 : Apple
CVE-2015-5799 : Apple
CVE-2015-5800 : Apple
CVE-2015-5801 : Apple
CVE-2015-5802 : Apple
CVE-2015-5803 : Apple
CVE-2015-5804 : Apple
CVE-2015-5805
CVE-2015-5806 : Apple
CVE-2015-5807 : Apple
CVE-2015-5808 : Joe Vennix
CVE-2015-5809 : Apple
CVE-2015-5810 : Apple
CVE-2015-5811 : Apple
CVE-2015-5812 : Apple
CVE-2015-5813 : Apple
CVE-2015-5814 : Apple
CVE-2015-5815 : Apple
CVE-2015-5816 : Apple
CVE-2015-5817 : Apple
CVE-2015-5818 : Apple
CVE-2015-5819 : Apple
CVE-2015-5821 : Apple
CVE-2015-5822 : Mark S. Miller of Google
CVE-2015-5823 : Apple
Software Update
Impact: An attacker in a privileged network position may be able to
obtain encrypted SMB credentials
Description: A redirection issue existed in the handling of certain
network connections. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-06-30-1 iOS 8.4
iOS 8.4 is now available and addresses the following:
Application Store
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious universal provisioning profile app may prevent
apps from launching
Description: An issue existed in the install logic for universal
provisioning profile apps, which allowed a collision to occur with
existing bundle IDs. This issue was addressed through improved
collision checking.
CVE-ID
CVE-2015-3722 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei from
FireEye, Inc.
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to intercept network traffic
Description: An intermediate certificate was incorrectly issued by
the certificate authority CNNIC. This issue was addressed through the
addition of a mechanism to trust only a subset of certificates issued
prior to the mis-issuance of the intermediate. Further details are
available at https://support.apple.com/en-us/HT204938
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT204132
CFNetwork HTTPAuthentication
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Following a maliciously crafted URL may lead to arbitrary
code execution
Description: A memory corruption issue existed in handling of
certain URL credentials. This issue was addressed with improved
memory handling.
CVE-ID
CVE-2015-3684 : Apple
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of ICC profiles. These issues were addressed through
improved memory handling.
CVE-ID
CVE-2015-3723 : chaithanya (SegFault) working with HP's Zero Day
Initiative
CVE-2015-3724 : WanderingGlitch of HP's Zero Day Initiative
CoreText
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted text file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of text files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1157
CVE-2015-3685 : Apple
CVE-2015-3686 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3687 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3688 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3689 : Apple
coreTLS
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may intercept
SSL/TLS connections
Description: coreTLS accepted short ephemeral Diffie-Hellman (DH)
keys, as used in export-strength ephemeral DH cipher suites. This
issue, also known as Logjam, allowed an attacker with a privileged
network position to downgrade security to 512-bit DH if the server
supported an export-strength ephemeral DH cipher suite. The issue was
addressed by increasing the default minimum size allowed for DH
ephemeral keys to 768 bits.
CVE-ID
CVE-2015-4000 : The weakdh team at weakdh.org, Hanno Boeck
DiskImages
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An information disclosure issue existed in the
processing of disk images. This issue was addressed through improved
memory management.
CVE-ID
CVE-2015-3690 : Peter Rutenbar working with HP's Zero Day Initiative
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of font files. These issues were addressed through
improved input validation.
CVE-ID
CVE-2015-3694 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3719 : John Villamil (@day6reak), Yahoo Pentest Team
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted .tiff file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
.tiff files. This issue was addressed with improved bounds checking.
CVE-ID
CVE-2015-3703 : Apple
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities exist in libtiff, the most serious
of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in libtiff versions
prior to 4.0.4. They were addressed by updating libtiff to version
4.0.4.
CVE-ID
CVE-2014-8127
CVE-2014-8128
CVE-2014-8129
CVE-2014-8130
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue existed in the handling of
HFS parameters which could have led to the disclosure of kernel
memory layout. This issue was addressed through improved memory
management.
CVE-ID
CVE-2015-3721 : Ian Beer of Google Project Zero
Mail
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted email can replace the message content
with an arbitrary webpage when the message is viewed
Description: An issue existed in the support for HTML email which
allowed message content to be refreshed with an arbitrary webpage.
The issue was addressed through restricted support for HTML content.
CVE-ID
CVE-2015-3710 : Aaron Sigel of vtty.com, Jan Soucek
MobileInstallation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious universal provisioning profile app can prevent a
Watch app from launching
Description: An issue existed in the install logic for universal
provisioning profile apps on the Watch which allowed a collision to
occur with existing bundle IDs. This issue was addressed through
improved collision checking.
CVE-ID
CVE-2015-3725 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei from
FireEye, Inc.
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may compromise user
information on the filesystem
Description: A state management issue existed in Safari that allowed
unprivileged origins to access contents on the filesystem. This issue
was addressed through improved state management.
CVE-ID
CVE-2015-1155 : Joe Vennix of Rapid7 Inc. working with HP's Zero Day
Initiative
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to account
takeover
Description: An issue existed where Safari would preserve the Origin
request header for cross-origin redirects, allowing malicious
websites to circumvent CSRF protections. The issue was addressed
through improved handling of redirects.
CVE-ID
CVE-2015-3658 : Brad Hill of Facebook
Security
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: An integer overflow existed in the Security framework
code for parsing S/MIME e-mail and some other signed or encrypted
objects. This issue was addressed through improved validity checking.
CVE-ID
CVE-2013-1741
SQLite
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflows existed in SQLite's printf
implementation. These issues were addressed through improved bounds
checking.
CVE-ID
CVE-2015-3717 : Peter Rutenbar working with HP's Zero Day Initiative
Telephony
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Maliciously crafted SIM cards may lead to arbitrary code
execution
Description: Multiple input validation issues existed in the parsing
of SIM/UIM payloads. These issues were addressed through improved
payload validation.
CVE-ID
CVE-2015-3726 : Matt Spisak of Endgame
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website by clicking a link may lead to
user interface spoofing
Description: An issue existed in the handling of the rel attribute
in anchor elements. Target objects could get unauthorized access to
link objects. This issue was addressed through improved link type
adherence.
CVE-ID
CVE-2015-1156 : Zachary Durber of Moodle
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-1152 : Apple
CVE-2015-1153 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: An insufficient comparison issue existed in SQLite
authorizer which allowed invocation of arbitrary SQL functions. This
issue was addressed with improved authorization checks.
CVE-ID
CVE-2015-3659 : Peter Rutenbar working with HP's Zero Day Initiative
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted website can access the WebSQL
databases of other websites
Description: An issue existed in the authorization checks for
renaming WebSQL tables which could have allowed a maliciously crafted
website to access databases belonging to other websites. This was
addressed through improved authorization checks.
CVE-ID
CVE-2015-3727 : Peter Rutenbar working with HP's Zero Day Initiative
WiFi Connectivity
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: iOS devices may auto-associate with untrusted access points
advertising a known ESSID but with a downgraded security type
Description: An insufficient comparison issue existed in WiFi
manager's evaluation of known access point advertisements. This issue
was addressed through improved matching of security parameters.
CVE-ID
CVE-2015-3728 : Brian W. Gray of Carnegie Mellon University, Craig
Young from TripWire
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8.4".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVkr+6AAoJEBcWfLTuOo7tfDwP/1db2KLgQP+Pyb6av5awgS4m
hQul1ihU0JO8jAI2ww345v6jMFq7MIAs82DobbRwqtI97aTep5bieqr5qUautlFz
NtC4VQ5PsAyEoTo0cOSpvFOV3av6BdwFeNTI4w39n+bvKn6YUSJD0zswknUtI/G7
lpFx/KxvKBkXBhWWCg3cyVlo3Jap88svlyh9MZ+C0BYFyjZ+ZjYMlDZ6FdzRyBxI
4RHaXUFrtMQk3JAeIadSbevOH2mUwlCB9vDmFOC5BFTrMYV8nd3gyXMy924wLQli
l3gtx+Kgq3+i71Zay7HGmshv06vZop8X82fC/lNZmTQFfNABLLug0ve0tLH9+IRm
516Yb4UxUZ51Pnhbv1wvwqATGoJpK4oFXHsTx0rCVpkcxGMLmeYRyaxQYBUzh+ns
+9tcuqIBsvVudY8LGAF4yUxkmt2K5N6mqu9x+KqVmiI9M7DbBoc+AUNVJpoiEGmt
qB/eqkpGYKvHal3UEV6P3sSM3gBrzb5aFYNa8R31/cE8U+INeKTwd99KNoixJa9y
/rNOSnuwKsuD33NFUpOJo/MW70ts3BrjN8eIvtnZ7/GHVljkQde7LCCJ2k2iQWTW
lp+C5jWsR/2qXoCkG1p2oipBP/2OKo9wRzklkOo+1LJiWY18r/FlRMWqfkFUyMrK
+NEpxWhe8ytzIFIkrXDt
=iv++
-----END PGP SIGNATURE-----
| VAR-201507-0420 | CVE-2015-3726 | Apple iOS of Telephony Vulnerability to execute arbitrary code in subsystem |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
The Telephony subsystem in Apple iOS before 8.4 allows physically proximate attackers to execute arbitrary code via a crafted (1) SIM or (2) UIM card. Apple iOS is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, perform unauthorized actions, bypass security restrictions, and perform other attacks.
Versions prior to iOS 8.4 are vulnerable. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. Telephony is one of the components that provides telephony functionality
| VAR-201507-0419 | CVE-2015-3725 | Apple iOS of MobileInstallation Service disruption in (DoS) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
MobileInstallation in Apple iOS before 8.4 does not ensure the uniqueness of Watch bundle IDs, which allows attackers to cause a denial of service (ID collision and Watch launch outage) via a crafted universal provisioning profile app. Apple iOS is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, perform unauthorized actions, bypass security restrictions, and perform other attacks.
Versions prior to iOS 8.4 are vulnerable. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. MobileInstallation is a necessary component to install AppStore cracked software. The vulnerability stems from the program's failure to properly handle the installation logic of the Universal Provisioning Profile application on the Watch
| VAR-201507-0622 | CVE-2015-3658 | Apple iOS and Apple OS X Run on Apple Safari Used in etc. WebKit of Page Loading In function CSRF Vulnerabilities that circumvent protection mechanisms |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
The Page Loading functionality in WebKit in Apple Safari before 6.2.7, 7.x before 7.1.7, and 8.x before 8.0.7, as used in Apple iOS before 8.4 and other products, does not properly consider redirects during decisions about sending an Origin header, which makes it easier for remote attackers to bypass CSRF protection mechanisms via a crafted web site. Apple iOS and Apple OS X Run on Apple Safari Used in etc. Supplementary information : CWE Vulnerability type by CWE-254: Security Features ( Security function ) Has been identified. http://cwe.mitre.org/data/definitions/254.htmlSkillfully crafted by a third party Web Through the site, CSRF Protection mechanisms may be bypassed. WebKit is prone to the following multiple security vulnerabilities.
1. An information-disclosure vulnerability
2. A security-bypass vulnerability
3. An arbitrary code-execution vulnerability
Attackers can exploit these issues to bypass security restrictions, to access sensitive information, to execute arbitrary code in the context of the currently logged-in user, and to redirect to an attacker-controlled site. Failed attacks will cause denial-of-service conditions. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. A remote attacker can use a specially crafted website to exploit this vulnerability to bypass the CSRF protection mechanism. The following products and versions are affected: Apple iOS prior to 8.4, Apple Safari prior to 6.2.7, 7.x prior to 7.1.7, and 8.x prior to 8.0.7.
CVE-ID
CVE-2015-3658 : Brad Hill of Facebook
WebKit PDF
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
and OS X Yosemite v10.10.3
Impact: Clicking a maliciously crafted link in a PDF embedded in a
webpage may lead to cookie theft or user information leakage
Description: An issue existed with PDF-embedded links which could
execute JavaScript in a hosting webpage's context.
CVE-ID
CVE-2015-3659 : Peter Rutenbar working with HP's Zero Day Initiative
Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7 may be obtained from
the Mac App Store. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-06-30-1 iOS 8.4
iOS 8.4 is now available and addresses the following:
Application Store
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious universal provisioning profile app may prevent
apps from launching
Description: An issue existed in the install logic for universal
provisioning profile apps, which allowed a collision to occur with
existing bundle IDs. This issue was addressed through improved
collision checking.
CVE-ID
CVE-2015-3722 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei from
FireEye, Inc.
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to intercept network traffic
Description: An intermediate certificate was incorrectly issued by
the certificate authority CNNIC. This issue was addressed through the
addition of a mechanism to trust only a subset of certificates issued
prior to the mis-issuance of the intermediate. Further details are
available at https://support.apple.com/en-us/HT204938
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT204132
CFNetwork HTTPAuthentication
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Following a maliciously crafted URL may lead to arbitrary
code execution
Description: A memory corruption issue existed in handling of
certain URL credentials. This issue was addressed with improved
memory handling.
CVE-ID
CVE-2015-3684 : Apple
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of ICC profiles. These issues were addressed through
improved memory handling.
CVE-ID
CVE-2015-3723 : chaithanya (SegFault) working with HP's Zero Day
Initiative
CVE-2015-3724 : WanderingGlitch of HP's Zero Day Initiative
CoreText
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted text file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of text files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1157
CVE-2015-3685 : Apple
CVE-2015-3686 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3687 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3688 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3689 : Apple
coreTLS
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may intercept
SSL/TLS connections
Description: coreTLS accepted short ephemeral Diffie-Hellman (DH)
keys, as used in export-strength ephemeral DH cipher suites. This
issue, also known as Logjam, allowed an attacker with a privileged
network position to downgrade security to 512-bit DH if the server
supported an export-strength ephemeral DH cipher suite. The issue was
addressed by increasing the default minimum size allowed for DH
ephemeral keys to 768 bits.
CVE-ID
CVE-2015-4000 : The weakdh team at weakdh.org, Hanno Boeck
DiskImages
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An information disclosure issue existed in the
processing of disk images. This issue was addressed through improved
memory management.
CVE-ID
CVE-2015-3690 : Peter Rutenbar working with HP's Zero Day Initiative
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of font files. These issues were addressed through
improved input validation.
CVE-ID
CVE-2015-3694 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3719 : John Villamil (@day6reak), Yahoo Pentest Team
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted .tiff file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
.tiff files. This issue was addressed with improved bounds checking.
CVE-ID
CVE-2015-3703 : Apple
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities exist in libtiff, the most serious
of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in libtiff versions
prior to 4.0.4. They were addressed by updating libtiff to version
4.0.4.
CVE-ID
CVE-2014-8127
CVE-2014-8128
CVE-2014-8129
CVE-2014-8130
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue existed in the handling of
HFS parameters which could have led to the disclosure of kernel
memory layout. This issue was addressed through improved memory
management.
CVE-ID
CVE-2015-3721 : Ian Beer of Google Project Zero
Mail
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted email can replace the message content
with an arbitrary webpage when the message is viewed
Description: An issue existed in the support for HTML email which
allowed message content to be refreshed with an arbitrary webpage.
The issue was addressed through restricted support for HTML content.
CVE-ID
CVE-2015-3710 : Aaron Sigel of vtty.com, Jan Soucek
MobileInstallation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious universal provisioning profile app can prevent a
Watch app from launching
Description: An issue existed in the install logic for universal
provisioning profile apps on the Watch which allowed a collision to
occur with existing bundle IDs. This issue was addressed through
improved collision checking.
CVE-ID
CVE-2015-3725 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei from
FireEye, Inc.
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may compromise user
information on the filesystem
Description: A state management issue existed in Safari that allowed
unprivileged origins to access contents on the filesystem. This issue
was addressed through improved state management.
CVE-ID
CVE-2015-1155 : Joe Vennix of Rapid7 Inc. working with HP's Zero Day
Initiative
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to account
takeover
Description: An issue existed where Safari would preserve the Origin
request header for cross-origin redirects, allowing malicious
websites to circumvent CSRF protections. The issue was addressed
through improved handling of redirects.
CVE-ID
CVE-2015-3658 : Brad Hill of Facebook
Security
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: An integer overflow existed in the Security framework
code for parsing S/MIME e-mail and some other signed or encrypted
objects. This issue was addressed through improved validity checking.
CVE-ID
CVE-2013-1741
SQLite
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflows existed in SQLite's printf
implementation. These issues were addressed through improved bounds
checking.
CVE-ID
CVE-2015-3717 : Peter Rutenbar working with HP's Zero Day Initiative
Telephony
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Maliciously crafted SIM cards may lead to arbitrary code
execution
Description: Multiple input validation issues existed in the parsing
of SIM/UIM payloads. These issues were addressed through improved
payload validation.
CVE-ID
CVE-2015-3726 : Matt Spisak of Endgame
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website by clicking a link may lead to
user interface spoofing
Description: An issue existed in the handling of the rel attribute
in anchor elements. Target objects could get unauthorized access to
link objects. This issue was addressed through improved link type
adherence.
CVE-ID
CVE-2015-1156 : Zachary Durber of Moodle
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-1152 : Apple
CVE-2015-1153 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: An insufficient comparison issue existed in SQLite
authorizer which allowed invocation of arbitrary SQL functions. This
issue was addressed with improved authorization checks.
CVE-ID
CVE-2015-3659 : Peter Rutenbar working with HP's Zero Day Initiative
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted website can access the WebSQL
databases of other websites
Description: An issue existed in the authorization checks for
renaming WebSQL tables which could have allowed a maliciously crafted
website to access databases belonging to other websites. This was
addressed through improved authorization checks.
CVE-ID
CVE-2015-3727 : Peter Rutenbar working with HP's Zero Day Initiative
WiFi Connectivity
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: iOS devices may auto-associate with untrusted access points
advertising a known ESSID but with a downgraded security type
Description: An insufficient comparison issue existed in WiFi
manager's evaluation of known access point advertisements. This issue
was addressed through improved matching of security parameters.
CVE-ID
CVE-2015-3728 : Brian W. Gray of Carnegie Mellon University, Craig
Young from TripWire
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8.4".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVkr+6AAoJEBcWfLTuOo7tfDwP/1db2KLgQP+Pyb6av5awgS4m
hQul1ihU0JO8jAI2ww345v6jMFq7MIAs82DobbRwqtI97aTep5bieqr5qUautlFz
NtC4VQ5PsAyEoTo0cOSpvFOV3av6BdwFeNTI4w39n+bvKn6YUSJD0zswknUtI/G7
lpFx/KxvKBkXBhWWCg3cyVlo3Jap88svlyh9MZ+C0BYFyjZ+ZjYMlDZ6FdzRyBxI
4RHaXUFrtMQk3JAeIadSbevOH2mUwlCB9vDmFOC5BFTrMYV8nd3gyXMy924wLQli
l3gtx+Kgq3+i71Zay7HGmshv06vZop8X82fC/lNZmTQFfNABLLug0ve0tLH9+IRm
516Yb4UxUZ51Pnhbv1wvwqATGoJpK4oFXHsTx0rCVpkcxGMLmeYRyaxQYBUzh+ns
+9tcuqIBsvVudY8LGAF4yUxkmt2K5N6mqu9x+KqVmiI9M7DbBoc+AUNVJpoiEGmt
qB/eqkpGYKvHal3UEV6P3sSM3gBrzb5aFYNa8R31/cE8U+INeKTwd99KNoixJa9y
/rNOSnuwKsuD33NFUpOJo/MW70ts3BrjN8eIvtnZ7/GHVljkQde7LCCJ2k2iQWTW
lp+C5jWsR/2qXoCkG1p2oipBP/2OKo9wRzklkOo+1LJiWY18r/FlRMWqfkFUyMrK
+NEpxWhe8ytzIFIkrXDt
=iv++
-----END PGP SIGNATURE-----
. ============================================================================
Ubuntu Security Notice USN-2937-1
March 21, 2016
webkitgtk vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.10
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in WebKitGTK+.
Software Description:
- webkitgtk: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.10:
libjavascriptcoregtk-1.0-0 2.4.10-0ubuntu0.15.10.1
libjavascriptcoregtk-3.0-0 2.4.10-0ubuntu0.15.10.1
libwebkitgtk-1.0-0 2.4.10-0ubuntu0.15.10.1
libwebkitgtk-3.0-0 2.4.10-0ubuntu0.15.10.1
Ubuntu 14.04 LTS:
libjavascriptcoregtk-1.0-0 2.4.10-0ubuntu0.14.04.1
libjavascriptcoregtk-3.0-0 2.4.10-0ubuntu0.14.04.1
libwebkitgtk-1.0-0 2.4.10-0ubuntu0.14.04.1
libwebkitgtk-3.0-0 2.4.10-0ubuntu0.14.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany and Evolution, to make all the
necessary changes.
References:
http://www.ubuntu.com/usn/usn-2937-1
CVE-2014-1748, CVE-2015-1071, CVE-2015-1076, CVE-2015-1081,
CVE-2015-1083, CVE-2015-1120, CVE-2015-1122, CVE-2015-1127,
CVE-2015-1153, CVE-2015-1155, CVE-2015-3658, CVE-2015-3659,
CVE-2015-3727, CVE-2015-3731, CVE-2015-3741, CVE-2015-3743,
CVE-2015-3745, CVE-2015-3747, CVE-2015-3748, CVE-2015-3749,
CVE-2015-3752, CVE-2015-5788, CVE-2015-5794, CVE-2015-5801,
CVE-2015-5809, CVE-2015-5822, CVE-2015-5928
Package Information:
https://launchpad.net/ubuntu/+source/webkitgtk/2.4.10-0ubuntu0.15.10.1
https://launchpad.net/ubuntu/+source/webkitgtk/2.4.10-0ubuntu0.14.04.1
| VAR-201507-0450 | CVE-2015-3687 | Apple iOS and Apple OS X of CoreText Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted text file, a different vulnerability than CVE-2015-3685, CVE-2015-3686, CVE-2015-3688, and CVE-2015-3689. Multiple memory-corruption vulnerabilities
2. Multiple information-disclosure vulnerabilities
3. A security vulnerability
4. Multiple buffer-overflow vulnerabilities
An attacker can leverage these issues to obtain sensitive information, and execute arbitrary code with system privileges. Failed exploit attempts will likely result in denial-of-service conditions. in the United States. CoreText is one of the text engines that can control text formatting and text layout.
CVE-ID
CVE-2015-1152 : Apple
CVE-2015-1153 : Apple
CVE-2015-3730 : Apple
CVE-2015-3731 : Apple
CVE-2015-3733 : Apple
CVE-2015-3734 : Apple
CVE-2015-3735 : Apple
CVE-2015-3736 : Apple
CVE-2015-3737 : Apple
CVE-2015-3738 : Apple
CVE-2015-3739 : Apple
CVE-2015-3740 : Apple
CVE-2015-3741 : Apple
CVE-2015-3742 : Apple
CVE-2015-3743 : Apple
CVE-2015-3744 : Apple
CVE-2015-3745 : Apple
CVE-2015-3746 : Apple
CVE-2015-3747 : Apple
CVE-2015-3748 : Apple
CVE-2015-3749 : Apple
CVE-2015-5789 : Apple
CVE-2015-5790 : Apple
CVE-2015-5791 : Apple
CVE-2015-5792 : Apple
CVE-2015-5793 : Apple
CVE-2015-5794 : Apple
CVE-2015-5795 : Apple
CVE-2015-5796 : Apple
CVE-2015-5797 : Apple
CVE-2015-5798 : Apple
CVE-2015-5799 : Apple
CVE-2015-5800 : Apple
CVE-2015-5801 : Apple
CVE-2015-5802 : Apple
CVE-2015-5803 : Apple
CVE-2015-5804 : Apple
CVE-2015-5805
CVE-2015-5806 : Apple
CVE-2015-5807 : Apple
CVE-2015-5808 : Joe Vennix
CVE-2015-5809 : Apple
CVE-2015-5810 : Apple
CVE-2015-5811 : Apple
CVE-2015-5812 : Apple
CVE-2015-5813 : Apple
CVE-2015-5814 : Apple
CVE-2015-5815 : Apple
CVE-2015-5816 : Apple
CVE-2015-5817 : Apple
CVE-2015-5818 : Apple
CVE-2015-5819 : Apple
CVE-2015-5821 : Apple
CVE-2015-5822 : Mark S. Miller of Google
CVE-2015-5823 : Apple
Software Update
Impact: An attacker in a privileged network position may be able to
obtain encrypted SMB credentials
Description: A redirection issue existed in the handling of certain
network connections. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-06-30-1 iOS 8.4
iOS 8.4 is now available and addresses the following:
Application Store
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious universal provisioning profile app may prevent
apps from launching
Description: An issue existed in the install logic for universal
provisioning profile apps, which allowed a collision to occur with
existing bundle IDs. This issue was addressed through improved
collision checking.
CVE-ID
CVE-2015-3722 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei from
FireEye, Inc.
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to intercept network traffic
Description: An intermediate certificate was incorrectly issued by
the certificate authority CNNIC. This issue was addressed through the
addition of a mechanism to trust only a subset of certificates issued
prior to the mis-issuance of the intermediate. Further details are
available at https://support.apple.com/en-us/HT204938
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT204132
CFNetwork HTTPAuthentication
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Following a maliciously crafted URL may lead to arbitrary
code execution
Description: A memory corruption issue existed in handling of
certain URL credentials. This issue was addressed with improved
memory handling.
CVE-ID
CVE-2015-3684 : Apple
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of ICC profiles. These issues were addressed through
improved memory handling.
CVE-ID
CVE-2015-3723 : chaithanya (SegFault) working with HP's Zero Day
Initiative
CVE-2015-3724 : WanderingGlitch of HP's Zero Day Initiative
CoreText
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted text file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of text files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1157
CVE-2015-3685 : Apple
CVE-2015-3686 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3687 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3688 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3689 : Apple
coreTLS
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may intercept
SSL/TLS connections
Description: coreTLS accepted short ephemeral Diffie-Hellman (DH)
keys, as used in export-strength ephemeral DH cipher suites. This
issue, also known as Logjam, allowed an attacker with a privileged
network position to downgrade security to 512-bit DH if the server
supported an export-strength ephemeral DH cipher suite. The issue was
addressed by increasing the default minimum size allowed for DH
ephemeral keys to 768 bits.
CVE-ID
CVE-2015-4000 : The weakdh team at weakdh.org, Hanno Boeck
DiskImages
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An information disclosure issue existed in the
processing of disk images. This issue was addressed through improved
memory management.
CVE-ID
CVE-2015-3690 : Peter Rutenbar working with HP's Zero Day Initiative
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of font files. These issues were addressed through
improved input validation.
CVE-ID
CVE-2015-3694 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3719 : John Villamil (@day6reak), Yahoo Pentest Team
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted .tiff file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
.tiff files. This issue was addressed with improved bounds checking.
CVE-ID
CVE-2015-3703 : Apple
ImageIO
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities exist in libtiff, the most serious
of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in libtiff versions
prior to 4.0.4. They were addressed by updating libtiff to version
4.0.4.
CVE-ID
CVE-2014-8127
CVE-2014-8128
CVE-2014-8129
CVE-2014-8130
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue existed in the handling of
HFS parameters which could have led to the disclosure of kernel
memory layout. This issue was addressed through improved memory
management.
CVE-ID
CVE-2015-3721 : Ian Beer of Google Project Zero
Mail
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted email can replace the message content
with an arbitrary webpage when the message is viewed
Description: An issue existed in the support for HTML email which
allowed message content to be refreshed with an arbitrary webpage.
The issue was addressed through restricted support for HTML content.
CVE-ID
CVE-2015-3710 : Aaron Sigel of vtty.com, Jan Soucek
MobileInstallation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious universal provisioning profile app can prevent a
Watch app from launching
Description: An issue existed in the install logic for universal
provisioning profile apps on the Watch which allowed a collision to
occur with existing bundle IDs. This issue was addressed through
improved collision checking.
CVE-ID
CVE-2015-3725 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei from
FireEye, Inc.
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may compromise user
information on the filesystem
Description: A state management issue existed in Safari that allowed
unprivileged origins to access contents on the filesystem. This issue
was addressed through improved state management.
CVE-ID
CVE-2015-1155 : Joe Vennix of Rapid7 Inc. working with HP's Zero Day
Initiative
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to account
takeover
Description: An issue existed where Safari would preserve the Origin
request header for cross-origin redirects, allowing malicious
websites to circumvent CSRF protections. The issue was addressed
through improved handling of redirects.
CVE-ID
CVE-2015-3658 : Brad Hill of Facebook
Security
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: An integer overflow existed in the Security framework
code for parsing S/MIME e-mail and some other signed or encrypted
objects. This issue was addressed through improved validity checking.
CVE-ID
CVE-2013-1741
SQLite
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflows existed in SQLite's printf
implementation. These issues were addressed through improved bounds
checking.
CVE-ID
CVE-2015-3717 : Peter Rutenbar working with HP's Zero Day Initiative
Telephony
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Maliciously crafted SIM cards may lead to arbitrary code
execution
Description: Multiple input validation issues existed in the parsing
of SIM/UIM payloads. These issues were addressed through improved
payload validation.
CVE-ID
CVE-2015-3726 : Matt Spisak of Endgame
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website by clicking a link may lead to
user interface spoofing
Description: An issue existed in the handling of the rel attribute
in anchor elements. Target objects could get unauthorized access to
link objects. This issue was addressed through improved link type
adherence.
CVE-ID
CVE-2015-1156 : Zachary Durber of Moodle
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-1152 : Apple
CVE-2015-1153 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: An insufficient comparison issue existed in SQLite
authorizer which allowed invocation of arbitrary SQL functions. This
issue was addressed with improved authorization checks.
CVE-ID
CVE-2015-3659 : Peter Rutenbar working with HP's Zero Day Initiative
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted website can access the WebSQL
databases of other websites
Description: An issue existed in the authorization checks for
renaming WebSQL tables which could have allowed a maliciously crafted
website to access databases belonging to other websites. This was
addressed through improved authorization checks.
CVE-ID
CVE-2015-3727 : Peter Rutenbar working with HP's Zero Day Initiative
WiFi Connectivity
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: iOS devices may auto-associate with untrusted access points
advertising a known ESSID but with a downgraded security type
Description: An insufficient comparison issue existed in WiFi
manager's evaluation of known access point advertisements. This issue
was addressed through improved matching of security parameters.
CVE-ID
CVE-2015-3728 : Brian W. Gray of Carnegie Mellon University, Craig
Young from TripWire
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8.4".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVkr+6AAoJEBcWfLTuOo7tfDwP/1db2KLgQP+Pyb6av5awgS4m
hQul1ihU0JO8jAI2ww345v6jMFq7MIAs82DobbRwqtI97aTep5bieqr5qUautlFz
NtC4VQ5PsAyEoTo0cOSpvFOV3av6BdwFeNTI4w39n+bvKn6YUSJD0zswknUtI/G7
lpFx/KxvKBkXBhWWCg3cyVlo3Jap88svlyh9MZ+C0BYFyjZ+ZjYMlDZ6FdzRyBxI
4RHaXUFrtMQk3JAeIadSbevOH2mUwlCB9vDmFOC5BFTrMYV8nd3gyXMy924wLQli
l3gtx+Kgq3+i71Zay7HGmshv06vZop8X82fC/lNZmTQFfNABLLug0ve0tLH9+IRm
516Yb4UxUZ51Pnhbv1wvwqATGoJpK4oFXHsTx0rCVpkcxGMLmeYRyaxQYBUzh+ns
+9tcuqIBsvVudY8LGAF4yUxkmt2K5N6mqu9x+KqVmiI9M7DbBoc+AUNVJpoiEGmt
qB/eqkpGYKvHal3UEV6P3sSM3gBrzb5aFYNa8R31/cE8U+INeKTwd99KNoixJa9y
/rNOSnuwKsuD33NFUpOJo/MW70ts3BrjN8eIvtnZ7/GHVljkQde7LCCJ2k2iQWTW
lp+C5jWsR/2qXoCkG1p2oipBP/2OKo9wRzklkOo+1LJiWY18r/FlRMWqfkFUyMrK
+NEpxWhe8ytzIFIkrXDt
=iv++
-----END PGP SIGNATURE-----
| VAR-201507-0421 | CVE-2015-3727 | Apple iOS and Apple OS X Run on Apple Safari Used in etc. WebKit Any in Web Vulnerabilities accessing the site database |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit in Apple Safari before 6.2.7, 7.x before 7.1.7, and 8.x before 8.0.7, as used in Apple iOS before 8.4 and other products, does not properly restrict rename operations on WebSQL tables, which allows remote attackers to access an arbitrary web site's database via a crafted web site. Apple iOS and Apple OS X Run on Apple Safari Used in etc. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WebKit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of WebSQL. The issue lies in the failure to properly utilize SQLite's authorization code. An attacker can leverage this vulnerability to execute restricted SQL statements under the context of the current process. WebKit is prone to the following multiple security vulnerabilities.
1. An information-disclosure vulnerability
2. A security-bypass vulnerability
3. Failed attacks will cause denial-of-service conditions. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. The following products and versions are affected: Apple iOS prior to 8.4, Apple Safari prior to 6.2.7, 7.x prior to 7.1.7, and 8.x prior to 8.0.7. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-06-30-4 Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7
Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7 are now available and
address the following:
WebKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
and OS X Yosemite v10.10.3
Impact: A maliciously crafted website can access the WebSQL
databases of other websites
Description: An issue existed in the authorization checks for
renaming WebSQL tables. This could have allowed a maliciously crafted
website to access databases belonging to other websites. The issue
was addressed with improved authorization checks.
CVE-ID
CVE-2015-3727 : Peter Rutenbar working with HP's Zero Day Initiative
WebKit Page Loading
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
and OS X Yosemite v10.10.3
Impact: Visiting a maliciously crafted website may lead to account
account takeover
Description: An issue existed where Safari would preserve the Origin
request header for cross-origin redirects, allowing malicious
websites to circumvent CSRF protections. This issue was addressed
through improved handling of redirects.
CVE-ID
CVE-2015-3658 : Brad Hill of Facebook
WebKit PDF
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
and OS X Yosemite v10.10.3
Impact: Clicking a maliciously crafted link in a PDF embedded in a
webpage may lead to cookie theft or user information leakage
Description: An issue existed with PDF-embedded links which could
execute JavaScript in a hosting webpage's context. This issue was
addressed by restricting the support for JavaScript links.
CVE-ID
CVE-2015-3660 : Apple
WebKit Storage
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
and OS X Yosemite v10.10.3
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: An insufficient comparison issue existed in SQLite
authorizer which allowed invocation of arbitrary SQL functions. This
issue was addressed with improved authorization checks.
CVE-ID
CVE-2015-3659 : Peter Rutenbar working with HP's Zero Day Initiative
Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7 may be obtained from
the Mac App Store.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVke9DAAoJEBcWfLTuOo7tE7oP/0PWt+3zpRGevnWaTR1cdCSR
ixlIqZ+OrwfGluIpnQIrMx8Lw2F954/Afcv68QW5pDwU02UYIiHXFiryFG2YYu6k
+n1mnqY/5n3uo3+V18Tfi7q8WFoEfi607PbXUt/Q3FCu+NuQBl3nrVWo53f+a44v
Pb08QVMyj+g0KWNoMudA7T/G9yXsnZFm6rBKkl1D+2Cwyx/DB2i4guHleJNawM/m
8vCgIc4FReFOz03EqW3Vzqp3qWd4AovRLX8iG+62mUU8AgAVVurJdhxPNjqzmoAi
Zg1MDM2un4Op6QvLpJzG9zwW5/s+H8GVLPIYnK+uASu5UR0EU3yqb0UOCHbyG6iI
DFaRDyHXaNBWglFxRdl/Lvbz/ZQyAdc3MJMaHOSHchvu7CX3x2szTKkPr1nd/7bS
RB5JWTBKjz9G0zOp4d44u49oW4/43yV/kcjs7isBKyzPpO67dzukMDjjeKlkYAVE
gOoYtQMcorh2PrMEAW7MN2jB9R0f7gEOr2txRLgy0NakI/W+WVK8wysbDNvsjEE4
9UynLpQHqmlEL68ZyXGPrbn7Q4dO3qdL3fYsCp/57o7wDkIfASBehTet4Va3yobr
ZikiQkMU9QnYYWiN0whHzgtq+ONFg8B3hroD9XgfpG8kldjXyI6cOj6QY9e276m4
U31+XzCwLCTXylgolNOw
=9Wfv
-----END PGP SIGNATURE-----
. ============================================================================
Ubuntu Security Notice USN-2937-1
March 21, 2016
webkitgtk vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.10
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in WebKitGTK+.
Software Description:
- webkitgtk: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.10:
libjavascriptcoregtk-1.0-0 2.4.10-0ubuntu0.15.10.1
libjavascriptcoregtk-3.0-0 2.4.10-0ubuntu0.15.10.1
libwebkitgtk-1.0-0 2.4.10-0ubuntu0.15.10.1
libwebkitgtk-3.0-0 2.4.10-0ubuntu0.15.10.1
Ubuntu 14.04 LTS:
libjavascriptcoregtk-1.0-0 2.4.10-0ubuntu0.14.04.1
libjavascriptcoregtk-3.0-0 2.4.10-0ubuntu0.14.04.1
libwebkitgtk-1.0-0 2.4.10-0ubuntu0.14.04.1
libwebkitgtk-3.0-0 2.4.10-0ubuntu0.14.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany and Evolution, to make all the
necessary changes.
References:
http://www.ubuntu.com/usn/usn-2937-1
CVE-2014-1748, CVE-2015-1071, CVE-2015-1076, CVE-2015-1081,
CVE-2015-1083, CVE-2015-1120, CVE-2015-1122, CVE-2015-1127,
CVE-2015-1153, CVE-2015-1155, CVE-2015-3658, CVE-2015-3659,
CVE-2015-3727, CVE-2015-3731, CVE-2015-3741, CVE-2015-3743,
CVE-2015-3745, CVE-2015-3747, CVE-2015-3748, CVE-2015-3749,
CVE-2015-3752, CVE-2015-5788, CVE-2015-5794, CVE-2015-5801,
CVE-2015-5809, CVE-2015-5822, CVE-2015-5928
Package Information:
https://launchpad.net/ubuntu/+source/webkitgtk/2.4.10-0ubuntu0.15.10.1
https://launchpad.net/ubuntu/+source/webkitgtk/2.4.10-0ubuntu0.14.04.1
| VAR-201507-0436 | CVE-2015-3673 | Apple OS X of Admin Framework In root Privileged vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Admin Framework in Apple OS X before 10.10.4 does not properly restrict the location of writeconfig clients, which allows local users to obtain root privileges by moving and then modifying Directory Utility. Apple Mac OS X is prone to multiple security vulnerabilities.
The update addresses new vulnerabilities that affect Admin Framework, afpserver, apache, AppleGraphicsControl, AppleFSCompression, AppleThunderboltEDMService, ATS, Bluetooth, Display Drivers, Intel Graphics Driver, IOAcceleratorFamily, IOFireWireFamily, Kernel, Install Framework Legacy, kext tools, ntfs, QuickTime, Security, Spotlight, and System Stats components.
Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information, and perform other attacks.
These issues affect OS X prior to 10.10.4. Admin Framework is one of the administrator frameworks. The vulnerability stems from the fact that the program does not properly restrict the location of the writeconfig client. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-06-30-2 OS X Yosemite v10.10.4 and Security Update
2015-005
OS X Yosemite v10.10.4 and Security Update 2015-005 are now available
and address the following:
Admin Framework
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A process may gain admin privileges without proper
authentication
Description: An issue existed when checking XPC entitlements. This
issue was addressed through improved entitlement checking.
CVE-ID
CVE-2015-3671 : Emil Kvarnhammar at TrueSec
Admin Framework
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A non-admin user may obtain admin rights
Description: An issue existed in the handling of user
authentication. This issue was addressed through improved error
checking. This issue was
addressed by limiting the disk location that writeconfig clients may
be executed from.
CVE-ID
CVE-2015-3673 : Patrick Wardle of Synack, Emil Kvarnhammar at TrueSec
afpserver
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in the AFP server.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3674 : Dean Jerkovich of NCC Group
apache
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: An attacker may be able to access directories that are
protected with HTTP authentication without knowing the correct
credentials
Description: The default Apache configuration did not include
mod_hfs_apple. If Apache was manually enabled and the configuration
was not changed, some files that should not be accessible might have
been accessible using a specially crafted URL. This issue was
addressed by enabling mod_hfs_apple. These were addressed by updating PHP to
versions 5.5.24 and 5.4.40.
CVE-ID
CVE-2015-0235
CVE-2015-0273
AppleGraphicsControl
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in AppleGraphicsControl which could
have led to the disclosure of kernel memory layout. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2015-3676 : Chen Liang of KEEN Team
AppleFSCompression
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in LZVN compression that could have
led to the disclosure of kernel memory content. This issue was
addressed through improved memory handling.
CVE-ID
CVE-2015-3677 : an anonymous researcher working with HP's Zero Day
Initiative
AppleThunderboltEDMService
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in the handling of
certain Thunderbolt commands from local processes. This issue was
addressed through improved memory handling.
CVE-ID
CVE-2015-3678 : Apple
ATS
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in handling
of certain fonts. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2015-3679 : Pawel Wylecial working with HP's Zero Day Initiative
CVE-2015-3680 : Pawel Wylecial working with HP's Zero Day Initiative
CVE-2015-3681 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3682 : Nuode Wei
Bluetooth
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in the Bluetooth HCI
interface. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3683 : Roberto Paleari and Aristide Fattori of Emaze
Networks
Certificate Trust Policy
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: An attacker with a privileged network position may be able
to intercept network traffic
Description: An intermediate certificate was incorrectly issued by
the certificate authority CNNIC. This issue was addressed through the
addition of a mechanism to trust only a subset of certificates issued
prior to the mis-issuance of the intermediate. Further details are
available at https://support.apple.com/en-us/HT204938
Certificate Trust Policy
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT202858.
CFNetwork HTTPAuthentication
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Following a maliciously crafted URL may lead to arbitrary
code execution
Description: A memory corruption issue existed in handling of
certain URL credentials. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3684 : Apple
CoreText
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted text file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of text files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1157
CVE-2015-3685 : Apple
CVE-2015-3686 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3687 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3688 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3689 : Apple
coreTLS
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: An attacker with a privileged network position may intercept
SSL/TLS connections
Description: coreTLS accepted short ephemeral Diffie-Hellman (DH)
keys, as used in export-strength ephemeral DH cipher suites. This
issue, also known as Logjam, allowed an attacker with a privileged
network position to downgrade security to 512-bit DH if the server
supported an export-strength ephemeral DH cipher suite. The issue was
addressed by increasing the default minimum size allowed for DH
ephemeral keys to 768 bits.
CVE-ID
CVE-2015-4000 : The weakdh team at weakdh.org, Hanno Boeck
DiskImages
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: An information disclosure issue existed in the
processing of disk images. This issue was addressed through improved
memory management.
CVE-ID
CVE-2015-3690 : Peter Rutenbar working with HP's Zero Day Initiative
Display Drivers
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An issue existed in the Monitor Control Command Set
kernel extension by which a userland process could control the value
of a function pointer within the kernel. The issue was addressed by
removing the affected interface.
CVE-ID
CVE-2015-3691 : Roberto Paleari and Aristide Fattori of Emaze
Networks
EFI
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application with root privileges may be able to
modify EFI flash memory
Description: An insufficient locking issue existed with EFI flash
when resuming from sleep states. This issue was addressed through
improved locking.
CVE-ID
CVE-2015-3692 : Trammell Hudson of Two Sigma Investments, Xeno Kovah
and Corey Kallenberg of LegbaCore LLC, Pedro Vilaca
EFI
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may induce memory corruption to
escalate privileges
Description: A disturbance error, also known as Rowhammer, exists
with some DDR3 RAM that could have led to memory corruption. This
issue was mitigated by increasing memory refresh rates.
CVE-ID
CVE-2015-3693 : Mark Seaborn and Thomas Dullien of Google, working
from original research by Yoongu Kim et al (2014)
FontParser
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-3694 : John Villamil (@day6reak), Yahoo Pentest Team
Graphics Driver
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An out of bounds write issue existed in NVIDIA graphics
driver. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2015-3712 : Ian Beer of Google Project Zero
Intel Graphics Driver
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Multiple buffer overflow issues exist in the Intel graphics
driver, the most serious of which may lead to arbitrary code
execution with system privileges
Description: Multiple buffer overflow issues existed in the Intel
graphics driver. These were addressed through additional bounds
checks.
CVE-ID
CVE-2015-3695 : Ian Beer of Google Project Zero
CVE-2015-3696 : Ian Beer of Google Project Zero
CVE-2015-3697 : Ian Beer of Google Project Zero
CVE-2015-3698 : Ian Beer of Google Project Zero
CVE-2015-3699 : Ian Beer of Google Project Zero
CVE-2015-3700 : Ian Beer of Google Project Zero
CVE-2015-3701 : Ian Beer of Google Project Zero
CVE-2015-3702 : KEEN Team
ImageIO
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Multiple vulnerabilities existed in libtiff, the most
serious of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in libtiff versions
prior to 4.0.4. They were addressed by updating libtiff to version
4.0.4.
CVE-ID
CVE-2014-8127
CVE-2014-8128
CVE-2014-8129
CVE-2014-8130
ImageIO
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted .tiff file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
.tiff files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-3703 : Apple
Install Framework Legacy
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Several issues existed in how Install.framework's
'runner' setuid binary dropped privileges. This was addressed by
properly dropping privileges.
CVE-ID
CVE-2015-3704 : Ian Beer of Google Project Zero
IOAcceleratorFamily
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Multiple memory corruption issues existed in
IOAcceleratorFamily. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2015-3705 : KEEN Team
CVE-2015-3706 : KEEN Team
IOFireWireFamily
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Multiple null pointer dereference issues existed in the
FireWire driver. These issues were addressed through improved error
checking.
CVE-ID
CVE-2015-3707 : Roberto Paleari and Aristide Fattori of Emaze
Networks
Kernel
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue existed in the handling of
APIs related to kernel extensions which could have led to the
disclosure of kernel memory layout. This issue was addressed through
improved memory management.
CVE-ID
CVE-2015-3720 : Stefan Esser
Kernel
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue existed in the handling of
HFS parameters which could have led to the disclosure of kernel
memory layout. This issue was addressed through improved memory
management.
CVE-ID
CVE-2015-3721 : Ian Beer of Google Project Zero
kext tools
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to overwrite arbitrary
files
Description: kextd followed symbolic links while creating a new
file. This issue was addressed through improved handling of symbolic
links.
CVE-ID
CVE-2015-3708 : Ian Beer of Google Project Zero
kext tools
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A local user may be able to load unsigned kernel extensions
Description: A time-of-check time-of-use (TOCTOU) race condition
condition existed while validating the paths of kernel extensions.
This issue was addressed through improved checks to validate the path
of the kernel extensions.
CVE-ID
CVE-2015-3709 : Ian Beer of Google Project Zero
Mail
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A maliciously crafted email can replace the message content
with an arbitrary webpage when the message is viewed
Description: An issue existed in the support for HTML email which
allowed message content to be refreshed with an arbitrary webpage.
The issue was addressed through restricted support for HTML content.
CVE-ID
CVE-2015-3710 : Aaron Sigel of vtty.com, Jan Soucek
ntfs
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in NTFS that could have led to the
disclosure of kernel memory content. This issue was addressed through
improved memory handling.
CVE-ID
CVE-2015-3711 : Peter Rutenbar working with HP's Zero Day Initiative
ntp
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: An attacker in a privileged position may be able to perform
a denial of service attack against two ntp clients
Description: Multiple issues existed in the authentication of ntp
packets being received by configured end-points. These issues were
addressed through improved connection state management.
CVE-ID
CVE-2015-1798
CVE-2015-1799
OpenSSL
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Multiple issues exist in OpenSSL, including one that may
allow an attacker to intercept connections to a server that supports
export-grade ciphers
Description: Multiple issues existed in OpenSSL 0.9.8zd which were
addressed by updating OpenSSL to version 0.9.8zf.
CVE-ID
CVE-2015-0209
CVE-2015-0286
CVE-2015-0287
CVE-2015-0288
CVE-2015-0289
CVE-2015-0293
QuickTime
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3661 : G. Geshev working with HP's Zero Day Initiative
CVE-2015-3662 : kdot working with HP's Zero Day Initiative
CVE-2015-3663 : kdot working with HP's Zero Day Initiative
CVE-2015-3666 : Steven Seeley of Source Incite working with HP's Zero
Day Initiative
CVE-2015-3667 : Ryan Pentney, Richard Johnson of Cisco Talos and Kai
Lu of Fortinet's FortiGuard Labs, Ryan Pentney, and Richard Johnson
of Cisco Talos and Kai Lu of Fortinet's FortiGuard Labs
CVE-2015-3668 : Kai Lu of Fortinet's FortiGuard Labs
CVE-2015-3713 : Apple
Security
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: An integer overflow existed in the Security framework
code for parsing S/MIME e-mail and some other signed or encrypted
objects. This issue was addressed through improved validity checking.
CVE-ID
CVE-2013-1741
Security
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Tampered applications may not be prevented from launching
Description: Apps using custom resource rules may have been
susceptible to tampering that would not have invalidated the
signature. This issue was addressed with improved resource
validation.
CVE-ID
CVE-2015-3714 : Joshua Pitts of Leviathan Security Group
Security
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to bypass code signing
checks
Description: An issue existed where code signing did not verify
libraries loaded outside the application bundle. This issue was
addressed with improved bundle verification.
CVE-ID
CVE-2015-3715 : Patrick Wardle of Synack
Spotlight
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Searching for a malicious file with Spotlight may lead to
command injection
Description: A command injection vulnerability existed in the
handling of filenames of photos added to the local photo library.
This issue was addressed through improved input validation.
CVE-ID
CVE-2015-3716 : Apple
SQLite
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflows existed in SQLite's printf
implementation. These issues were addressed through improved bounds
checking.
CVE-ID
CVE-2015-3717 : Peter Rutenbar working with HP's Zero Day Initiative
System Stats
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious app may be able to compromise systemstatsd
Description: A type confusion issue existed in systemstatsd's
handling of interprocess communication. By sending a maliciously
formatted message to systemstatsd, it may have been possible to
execute arbitrary code as the systemstatsd process. The issue was
addressed through additional type checking.
CVE-ID
CVE-2015-3718 : Roberto Paleari and Aristide Fattori of Emaze
Networks
TrueTypeScaler
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-3719 : John Villamil (@day6reak), Yahoo Pentest Team
zip
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Extracting a maliciously crafted zip file using the unzip
tool may lead to an unexpected application termination or arbitrary
code execution
Description: Multiple memory corruption issues existed in the
handling of zip files. These issues were addressed through improved
memory handling.
https://support.apple.com/en-us/HT204950
OS X Yosemite 10.10.4 and Security Update 2015-005 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVksFmAAoJEBcWfLTuOo7tV1AQAIYpkOMpHp181b+70sgyZ/Ue
mFM527FFGDfLLuIW6LTcBsEFe9cfZxumB8eOFPirTNRK7krsVMo1W+faHXyWOnx7
kbWylHdhaoxnX+A6Gj0vP71V6TNNsTi9+2dmdmHUnwxZ7Ws5QCNKebumUG3MMXXo
EKxE5SNSNKyMSSYmliS26cdl8fWrmg9qTxiZQnxjOCrg/CNAolgVIRRfdMUL7i4w
aGAyrlJXOxFOuNkqdHX2luccuHFV7aW/dIXQ4MyjiRNl/bWrBQmQlneLLpPdFZlH
cMfGa2/baaNaCbU/GqhNKbO4fKYVaqQWzfUrtqX0+bRv2wmOq33ARy9KE23bYTvL
U4E9x9z87LsLXGAdjUi6MDe5g87DcmwIEigfF6/EHbDYa/2VvSdIa74XRv/JCN1+
aftHLotin76h4qV/dCAPf5J/Fr/1KFCM0IphhG7p+7fVTfyy7YDXNBiKCEZzLf8U
TUWLUCgQhobtakqwzQJ5qyF8u63xzVXj8oeTOw6iiY/BLlj9def5LMm/z6ZKGTyC
3c4+Sy5XvBHZoeiwdcndTVpnFbmmjZRdeqtdW/zX5mHnxXPa3lZiGoBDhHQgIg6J
1tTVtnO1JSLXVYDR6Evx1EH10Vgkt2wAGTLjljSLwtckoEqc78qMAT1G5U4nFffI
+gGm5FbAxjxElgA/gbaq
=KLda
-----END PGP SIGNATURE-----
| VAR-201507-0435 | CVE-2015-3672 | Apple OS X of Admin Framework Vulnerabilities in which administrator privileges are obtained |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Admin Framework in Apple OS X before 10.10.4 does not properly handle authentication errors, which allows local users to obtain admin privileges via unspecified vectors. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlAdministrator privileges may be obtained by local users. Apple Mac OS X is prone to multiple security vulnerabilities.
The update addresses new vulnerabilities that affect Admin Framework, afpserver, apache, AppleGraphicsControl, AppleFSCompression, AppleThunderboltEDMService, ATS, Bluetooth, Display Drivers, Intel Graphics Driver, IOAcceleratorFamily, IOFireWireFamily, Kernel, Install Framework Legacy, kext tools, ntfs, QuickTime, Security, Spotlight, and System Stats components.
Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information, and perform other attacks.
These issues affect OS X prior to 10.10.4. Admin Framework is one of the administrator frameworks. A local attacker could exploit this vulnerability to gain administrator privileges. This
issue was addressed through improved entitlement checking. This issue was addressed through improved error
checking.
CVE-ID
CVE-2015-3672 : Emil Kvarnhammar at TrueSec
Admin Framework
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: An attacker may abuse Directory Utility to gain root
privileges
Description: Directory Utility was able to be moved and modified to
achieve code execution within an entitled process. This issue was
addressed by limiting the disk location that writeconfig clients may
be executed from.
CVE-ID
CVE-2015-3673 : Patrick Wardle of Synack, Emil Kvarnhammar at TrueSec
afpserver
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in the AFP server.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3674 : Dean Jerkovich of NCC Group
apache
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: An attacker may be able to access directories that are
protected with HTTP authentication without knowing the correct
credentials
Description: The default Apache configuration did not include
mod_hfs_apple. If Apache was manually enabled and the configuration
was not changed, some files that should not be accessible might have
been accessible using a specially crafted URL. This issue was
addressed by enabling mod_hfs_apple. These were addressed by updating PHP to
versions 5.5.24 and 5.4.40.
CVE-ID
CVE-2015-0235
CVE-2015-0273
AppleGraphicsControl
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in AppleGraphicsControl which could
have led to the disclosure of kernel memory layout. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2015-3676 : Chen Liang of KEEN Team
AppleFSCompression
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in LZVN compression that could have
led to the disclosure of kernel memory content. This issue was
addressed through improved memory handling.
CVE-ID
CVE-2015-3677 : an anonymous researcher working with HP's Zero Day
Initiative
AppleThunderboltEDMService
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in the handling of
certain Thunderbolt commands from local processes. This issue was
addressed through improved memory handling.
CVE-ID
CVE-2015-3678 : Apple
ATS
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in handling
of certain fonts. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2015-3679 : Pawel Wylecial working with HP's Zero Day Initiative
CVE-2015-3680 : Pawel Wylecial working with HP's Zero Day Initiative
CVE-2015-3681 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3682 : Nuode Wei
Bluetooth
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in the Bluetooth HCI
interface. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3683 : Roberto Paleari and Aristide Fattori of Emaze
Networks
Certificate Trust Policy
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: An attacker with a privileged network position may be able
to intercept network traffic
Description: An intermediate certificate was incorrectly issued by
the certificate authority CNNIC. This issue was addressed through the
addition of a mechanism to trust only a subset of certificates issued
prior to the mis-issuance of the intermediate. Further details are
available at https://support.apple.com/en-us/HT204938
Certificate Trust Policy
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT202858.
CFNetwork HTTPAuthentication
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Following a maliciously crafted URL may lead to arbitrary
code execution
Description: A memory corruption issue existed in handling of
certain URL credentials. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3684 : Apple
CoreText
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted text file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of text files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1157
CVE-2015-3685 : Apple
CVE-2015-3686 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3687 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3688 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3689 : Apple
coreTLS
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: An attacker with a privileged network position may intercept
SSL/TLS connections
Description: coreTLS accepted short ephemeral Diffie-Hellman (DH)
keys, as used in export-strength ephemeral DH cipher suites. This
issue, also known as Logjam, allowed an attacker with a privileged
network position to downgrade security to 512-bit DH if the server
supported an export-strength ephemeral DH cipher suite. The issue was
addressed by increasing the default minimum size allowed for DH
ephemeral keys to 768 bits.
CVE-ID
CVE-2015-4000 : The weakdh team at weakdh.org, Hanno Boeck
DiskImages
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: An information disclosure issue existed in the
processing of disk images. This issue was addressed through improved
memory management.
CVE-ID
CVE-2015-3690 : Peter Rutenbar working with HP's Zero Day Initiative
Display Drivers
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An issue existed in the Monitor Control Command Set
kernel extension by which a userland process could control the value
of a function pointer within the kernel. The issue was addressed by
removing the affected interface.
CVE-ID
CVE-2015-3691 : Roberto Paleari and Aristide Fattori of Emaze
Networks
EFI
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application with root privileges may be able to
modify EFI flash memory
Description: An insufficient locking issue existed with EFI flash
when resuming from sleep states. This issue was addressed through
improved locking.
CVE-ID
CVE-2015-3692 : Trammell Hudson of Two Sigma Investments, Xeno Kovah
and Corey Kallenberg of LegbaCore LLC, Pedro Vilaca
EFI
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may induce memory corruption to
escalate privileges
Description: A disturbance error, also known as Rowhammer, exists
with some DDR3 RAM that could have led to memory corruption. This
issue was mitigated by increasing memory refresh rates.
CVE-ID
CVE-2015-3693 : Mark Seaborn and Thomas Dullien of Google, working
from original research by Yoongu Kim et al (2014)
FontParser
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-3694 : John Villamil (@day6reak), Yahoo Pentest Team
Graphics Driver
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An out of bounds write issue existed in NVIDIA graphics
driver. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2015-3712 : Ian Beer of Google Project Zero
Intel Graphics Driver
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Multiple buffer overflow issues exist in the Intel graphics
driver, the most serious of which may lead to arbitrary code
execution with system privileges
Description: Multiple buffer overflow issues existed in the Intel
graphics driver. These were addressed through additional bounds
checks.
CVE-ID
CVE-2015-3695 : Ian Beer of Google Project Zero
CVE-2015-3696 : Ian Beer of Google Project Zero
CVE-2015-3697 : Ian Beer of Google Project Zero
CVE-2015-3698 : Ian Beer of Google Project Zero
CVE-2015-3699 : Ian Beer of Google Project Zero
CVE-2015-3700 : Ian Beer of Google Project Zero
CVE-2015-3701 : Ian Beer of Google Project Zero
CVE-2015-3702 : KEEN Team
ImageIO
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Multiple vulnerabilities existed in libtiff, the most
serious of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in libtiff versions
prior to 4.0.4. They were addressed by updating libtiff to version
4.0.4.
CVE-ID
CVE-2014-8127
CVE-2014-8128
CVE-2014-8129
CVE-2014-8130
ImageIO
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted .tiff file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
.tiff files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-3703 : Apple
Install Framework Legacy
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Several issues existed in how Install.framework's
'runner' setuid binary dropped privileges. This was addressed by
properly dropping privileges.
CVE-ID
CVE-2015-3704 : Ian Beer of Google Project Zero
IOAcceleratorFamily
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Multiple memory corruption issues existed in
IOAcceleratorFamily. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2015-3705 : KEEN Team
CVE-2015-3706 : KEEN Team
IOFireWireFamily
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Multiple null pointer dereference issues existed in the
FireWire driver. These issues were addressed through improved error
checking.
CVE-ID
CVE-2015-3707 : Roberto Paleari and Aristide Fattori of Emaze
Networks
Kernel
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue existed in the handling of
APIs related to kernel extensions which could have led to the
disclosure of kernel memory layout. This issue was addressed through
improved memory management.
CVE-ID
CVE-2015-3720 : Stefan Esser
Kernel
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue existed in the handling of
HFS parameters which could have led to the disclosure of kernel
memory layout. This issue was addressed through improved memory
management.
CVE-ID
CVE-2015-3721 : Ian Beer of Google Project Zero
kext tools
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to overwrite arbitrary
files
Description: kextd followed symbolic links while creating a new
file. This issue was addressed through improved handling of symbolic
links.
CVE-ID
CVE-2015-3708 : Ian Beer of Google Project Zero
kext tools
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A local user may be able to load unsigned kernel extensions
Description: A time-of-check time-of-use (TOCTOU) race condition
condition existed while validating the paths of kernel extensions.
This issue was addressed through improved checks to validate the path
of the kernel extensions.
CVE-ID
CVE-2015-3709 : Ian Beer of Google Project Zero
Mail
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A maliciously crafted email can replace the message content
with an arbitrary webpage when the message is viewed
Description: An issue existed in the support for HTML email which
allowed message content to be refreshed with an arbitrary webpage.
The issue was addressed through restricted support for HTML content.
CVE-ID
CVE-2015-3710 : Aaron Sigel of vtty.com, Jan Soucek
ntfs
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in NTFS that could have led to the
disclosure of kernel memory content. This issue was addressed through
improved memory handling.
CVE-ID
CVE-2015-3711 : Peter Rutenbar working with HP's Zero Day Initiative
ntp
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: An attacker in a privileged position may be able to perform
a denial of service attack against two ntp clients
Description: Multiple issues existed in the authentication of ntp
packets being received by configured end-points. These issues were
addressed through improved connection state management.
CVE-ID
CVE-2015-1798
CVE-2015-1799
OpenSSL
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Multiple issues exist in OpenSSL, including one that may
allow an attacker to intercept connections to a server that supports
export-grade ciphers
Description: Multiple issues existed in OpenSSL 0.9.8zd which were
addressed by updating OpenSSL to version 0.9.8zf.
CVE-ID
CVE-2015-0209
CVE-2015-0286
CVE-2015-0287
CVE-2015-0288
CVE-2015-0289
CVE-2015-0293
QuickTime
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3661 : G. Geshev working with HP's Zero Day Initiative
CVE-2015-3662 : kdot working with HP's Zero Day Initiative
CVE-2015-3663 : kdot working with HP's Zero Day Initiative
CVE-2015-3666 : Steven Seeley of Source Incite working with HP's Zero
Day Initiative
CVE-2015-3667 : Ryan Pentney, Richard Johnson of Cisco Talos and Kai
Lu of Fortinet's FortiGuard Labs, Ryan Pentney, and Richard Johnson
of Cisco Talos and Kai Lu of Fortinet's FortiGuard Labs
CVE-2015-3668 : Kai Lu of Fortinet's FortiGuard Labs
CVE-2015-3713 : Apple
Security
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: An integer overflow existed in the Security framework
code for parsing S/MIME e-mail and some other signed or encrypted
objects. This issue was addressed through improved validity checking.
CVE-ID
CVE-2013-1741
Security
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Tampered applications may not be prevented from launching
Description: Apps using custom resource rules may have been
susceptible to tampering that would not have invalidated the
signature. This issue was addressed with improved resource
validation.
CVE-ID
CVE-2015-3714 : Joshua Pitts of Leviathan Security Group
Security
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to bypass code signing
checks
Description: An issue existed where code signing did not verify
libraries loaded outside the application bundle. This issue was
addressed with improved bundle verification.
CVE-ID
CVE-2015-3715 : Patrick Wardle of Synack
Spotlight
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Searching for a malicious file with Spotlight may lead to
command injection
Description: A command injection vulnerability existed in the
handling of filenames of photos added to the local photo library.
This issue was addressed through improved input validation.
CVE-ID
CVE-2015-3716 : Apple
SQLite
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflows existed in SQLite's printf
implementation. These issues were addressed through improved bounds
checking.
CVE-ID
CVE-2015-3717 : Peter Rutenbar working with HP's Zero Day Initiative
System Stats
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious app may be able to compromise systemstatsd
Description: A type confusion issue existed in systemstatsd's
handling of interprocess communication. By sending a maliciously
formatted message to systemstatsd, it may have been possible to
execute arbitrary code as the systemstatsd process. The issue was
addressed through additional type checking.
CVE-ID
CVE-2015-3718 : Roberto Paleari and Aristide Fattori of Emaze
Networks
TrueTypeScaler
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-3719 : John Villamil (@day6reak), Yahoo Pentest Team
zip
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Extracting a maliciously crafted zip file using the unzip
tool may lead to an unexpected application termination or arbitrary
code execution
Description: Multiple memory corruption issues existed in the
handling of zip files. These issues were addressed through improved
memory handling.
https://support.apple.com/en-us/HT204950
OS X Yosemite 10.10.4 and Security Update 2015-005 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVksFmAAoJEBcWfLTuOo7tV1AQAIYpkOMpHp181b+70sgyZ/Ue
mFM527FFGDfLLuIW6LTcBsEFe9cfZxumB8eOFPirTNRK7krsVMo1W+faHXyWOnx7
kbWylHdhaoxnX+A6Gj0vP71V6TNNsTi9+2dmdmHUnwxZ7Ws5QCNKebumUG3MMXXo
EKxE5SNSNKyMSSYmliS26cdl8fWrmg9qTxiZQnxjOCrg/CNAolgVIRRfdMUL7i4w
aGAyrlJXOxFOuNkqdHX2luccuHFV7aW/dIXQ4MyjiRNl/bWrBQmQlneLLpPdFZlH
cMfGa2/baaNaCbU/GqhNKbO4fKYVaqQWzfUrtqX0+bRv2wmOq33ARy9KE23bYTvL
U4E9x9z87LsLXGAdjUi6MDe5g87DcmwIEigfF6/EHbDYa/2VvSdIa74XRv/JCN1+
aftHLotin76h4qV/dCAPf5J/Fr/1KFCM0IphhG7p+7fVTfyy7YDXNBiKCEZzLf8U
TUWLUCgQhobtakqwzQJ5qyF8u63xzVXj8oeTOw6iiY/BLlj9def5LMm/z6ZKGTyC
3c4+Sy5XvBHZoeiwdcndTVpnFbmmjZRdeqtdW/zX5mHnxXPa3lZiGoBDhHQgIg6J
1tTVtnO1JSLXVYDR6Evx1EH10Vgkt2wAGTLjljSLwtckoEqc78qMAT1G5U4nFffI
+gGm5FbAxjxElgA/gbaq
=KLda
-----END PGP SIGNATURE-----
| VAR-201507-0414 | CVE-2015-3720 | Apple OS X Vulnerability in obtaining important memory layout information in the kernel |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The kernel in Apple OS X before 10.10.4 does not properly manage memory in kernel-extension APIs, which allows attackers to obtain sensitive memory-layout information via a crafted app. Apple Mac OS X is prone to multiple security vulnerabilities.
The update addresses new vulnerabilities that affect Admin Framework, afpserver, apache, AppleGraphicsControl, AppleFSCompression, AppleThunderboltEDMService, ATS, Bluetooth, Display Drivers, Intel Graphics Driver, IOAcceleratorFamily, IOFireWireFamily, Kernel, Install Framework Legacy, kext tools, ntfs, QuickTime, Security, Spotlight, and System Stats components.
Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information, and perform other attacks.
These issues affect OS X prior to 10.10.4. The vulnerability stems from the program not properly managing memory in the kernel-extension API. An attacker could exploit this vulnerability with a specially crafted application to obtain sensitive memory-layout information
| VAR-201507-0412 | CVE-2015-3718 | Apple OS X of System Stats Subsystem systemstatsd In systemstatsd Vulnerability to execute arbitrary code with privileges |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
systemstatsd in the System Stats subsystem in Apple OS X before 10.10.4 does not properly interpret data types encountered in interprocess communication, which allows attackers to execute arbitrary code with systemstatsd privileges via a crafted app, related to a "type confusion" issue. Supplementary information : CWE Vulnerability type by CWE-843:Access of Resource Using Incompatible Type ( Mixing of molds ) Has been identified. http://cwe.mitre.org/data/definitions/843.htmlThrough a crafted application by an attacker, systemstatsd An arbitrary code may be executed with privileges. Apple Mac OS X is prone to multiple security vulnerabilities.
The update addresses new vulnerabilities that affect Admin Framework, afpserver, apache, AppleGraphicsControl, AppleFSCompression, AppleThunderboltEDMService, ATS, Bluetooth, Display Drivers, Intel Graphics Driver, IOAcceleratorFamily, IOFireWireFamily, Kernel, Install Framework Legacy, kext tools, ntfs, QuickTime, Security, Spotlight, and System Stats components.
Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information, and perform other attacks.
These issues affect OS X prior to 10.10.4