VARIoT IoT vulnerabilities database


VAR-201409-0394 CVE-2014-3367 Cross-site scripting vulnerability in the vCloud Director component of Cisco Nexus 1000V InterCloud for VMware CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the vCloud Director component in Cisco Nexus 1000V InterCloud for VMware allows remote attackers to inject arbitrary web script or HTML via an unspecified value, aka Bug ID CSCuq90524. Cisco Nexus 1000V InterCloud for VMware is virtual switch software from Cisco Systems that provides Cisco Catalyst switch features such as QoS, ACLs, and SPAN in a VMware virtualized environment. vCloud Director is a component of VMware's virtual cloud infrastructure tools. The program does not adequately filter user-submitted input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCuq90524.
VAR-201409-1258 No CVE TRENDnet TEW-818DRU has an unknown vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
TRENDnet TEW-818DRU is a router. An unspecified vulnerability exists in TRENDnet TEW-818DRU; no details are available.
VAR-201409-0395 CVE-2014-3376 Cisco IOS XR denial-of-service (DoS) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco IOS XR 5.1 and earlier allows remote attackers to cause a denial of service (process reload) via a malformed RSVP packet, aka Bug ID CSCuq12031. Cisco IOS XR is a fully modular, distributed network operating system from Cisco's IOS software family. This issue is being tracked by Cisco Bug ID CSCuq12031
VAR-201409-0400 CVE-2014-3377 Cisco IOS XR snmpd denial-of-service (DoS) vulnerability CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
snmpd in Cisco IOS XR 5.1 and earlier allows remote authenticated users to cause a denial of service (process reload) via a malformed SNMPv2 packet, aka Bug ID CSCun67791. Cisco IOS XR is a fully modular, distributed network operating system from Cisco's IOS software family. This issue is being tracked by Cisco Bug ID CSCun67791
VAR-201409-0401 CVE-2014-3378 Cisco IOS XR tacacsd denial-of-service (DoS) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
tacacsd in Cisco IOS XR 5.1 and earlier allows remote attackers to cause a denial of service (process reload) via a malformed TACACS+ packet, aka Bug ID CSCum00468. Cisco IOS XR is a fully modular, distributed network operating system from Cisco's IOS software family. Attackers can exploit this issue to cause the TACACS+ process on the affected device to reload, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCum00468
VAR-201409-0402 CVE-2014-3379 Cisco IOS XR Denial of Service Vulnerability CVSS V2: 6.1
CVSS V3: -
Severity: MEDIUM
Cisco IOS XR 5.1 and earlier on Network Convergence System 6000 devices allows remote attackers to cause a denial of service (NPU and card hang or reload) via a malformed MPLS packet, aka Bug ID CSCuq10466. Cisco IOS is the internetwork operating system used on most Cisco routers and network switches. This issue is being tracked by Cisco Bug ID CSCuq10466.
VAR-201409-0722 CVE-2014-5411 Schneider Electric ClearSCADA Cross-Site Scripting Vulnerability CVSS V2: 3.5
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. ClearSCADA is an integrated SCADA host platform that includes a polling engine, real-time database, web server, alarm processor and reporting software. A cross-site scripting vulnerability exists in the ClearSCADA web interface that allows an attacker to construct a malicious URI, induce a user to open it, and perform system management operations. Schneider Electric StruxureWare SCADA Expert ClearSCADA is an energy-efficiency management and monitoring software platform from the French company Schneider Electric. The platform is primarily used for remote management of critical infrastructure.
VAR-201409-0501 CVE-2014-4406 Cross-site scripting vulnerability in Xcode Server in CoreCollaboration in Apple OS X Server CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in Xcode Server in CoreCollaboration in Apple OS X Server before 3.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. This issue is fixed in Mac OS X Server version 3.2.1. The software enables file sharing, meeting scheduling, website hosting, network remote access, and more. APPLE-SA-2014-10-16-3 OS X Server v4.0 OS X Server v4.0 is now available and addresses the following: BIND Available for: OS X Yosemite v10.10 or later Impact: Multiple vulnerabilities in BIND, the most serious of which may lead to a denial of service Description: Multiple vulnerabilities existed in BIND. These issues were addressed by updating BIND to version 9.9.2-P2 CVE-ID CVE-2013-3919 CVE-2013-4854 CVE-2014-0591 CoreCollaboration Available for: OS X Yosemite v10.10 or later Impact: A remote attacker may be able to execute arbitrary SQL queries Description: A SQL injection issue existed in Wiki Server. This issue was addressed through additional validation of SQL queries. CVE-ID CVE-2014-4424 : Sajjad Pourali (sajjad@securation.com) of CERT of Ferdowsi University of Mashhad CoreCollaboration Available for: OS X Yosemite v10.10 or later Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack Description: A cross-site scripting issue existed in Xcode Server. This issue was addressed through improved encoding of HTML output.
CVE-ID CVE-2014-4406 : David Hoyt of Hoyt LLC CoreCollaboration Available for: OS X Yosemite v10.10 or later Impact: Multiple vulnerabilities in PostgreSQL, the most serious of which may lead to arbitrary code execution Description: Multiple vulnerabilities existed in PostgreSQL. These issues were addressed by updating PostgreSQL to version 9.2.7. CVE-ID CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 Mail Service Available for: OS X Yosemite v10.10 or later Impact: Group SACL changes for Mail may not be respected until after a restart of the Mail service Description: SACL settings for Mail were cached and changes to the SACLs were not respected until after a restart of the Mail service. This issue was addressed by resetting the cache upon changes to the SACLs. CVE-ID CVE-2014-4446 : Craig Courtney Profile Manager Available for: OS X Yosemite v10.10 or later Impact: Multiple vulnerabilities in LibYAML, the most serious of which may lead to arbitrary code execution Description: Multiple vulnerabilities existed in LibYAML. These issues were addressed by switching from YAML to JSON as Profile Manager's internal serialization format. CVE-ID CVE-2013-4164 CVE-2013-6393 Profile Manager Available for: OS X Yosemite v10.10 or later Impact: A local user may obtain passwords after setting up or editing profiles in Profile Manager Description: In certain circumstances, setting up or editing profiles in Profile Manager may have logged passwords to a file. This issue was addressed through improved handling of credentials. CVE-ID CVE-2014-4447 : Mayo Jordanov Server Available for: OS X Yosemite v10.10 or later Impact: An attacker may be able to decrypt data protected by SSL Description: There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. 
An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling SSL 3.0 support in Web Server, Calendar & Contacts Server, and Remote Administration. CVE-ID CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of Google Security Team ServerRuby Available for: OS X Yosemite v10.10 or later Impact: Running a Ruby script that handles untrusted YAML tags may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow issue existed in LibYAML's handling of YAML tags. This issue was addressed through additional validation of YAML tags. Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
VAR-201412-0282 CVE-2014-5208 CENTUM and Exaopc vulnerability that allows access to arbitrary files CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbitrary files via a STOR operation, or obtain sensitive database-location information via a PMODE operation, a different vulnerability than CVE-2014-0784. CENTUM and Exaopc, provided by Yokogawa Electric Corporation, contain a flaw in the processing of BKBCopyD.exe that allows access to arbitrary files. The National Vulnerability Database (NVD) publishes this issue as CWE-284: Improper Access Control (http://cwe.mitre.org/data/definitions/284.html). By sending a crafted communication frame to 20111/tcp, arbitrary files may be obtained or created with the user's authority. Yokogawa CENTUM CS 3000 is a production control system. When Batch Management is installed on the affected Yokogawa CENTUM products, they start the BKBCopyD.exe service, which listens on port 20111/TCP. There is no verification mechanism, which allows attackers to perform malicious operations such as reading and writing files. An attacker may leverage this issue to obtain potentially sensitive information and perform unauthorized actions in the context of the affected application. Yokogawa CENTUM CS and the related products are made by Yokogawa Electric of Japan. Exaopc is an OPC data access server. The vulnerability is caused by the program not requiring authentication. The following products and versions are affected: Yokogawa CENTUM CS 3000 R3.09.50 and earlier, CENTUM VP R4.03.00 and earlier, R5.x R5.04.00 and earlier, Exaopc R3.72.10 and earlier.
VAR-201410-0363 CVE-2014-7140 Citrix NetScaler Application Delivery Controller and NetScaler Gateway Arbitrary code execution vulnerability in the management interface CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the management interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.x before 10.1-129.11 and 10.5 before 10.5-50.10 allows remote attackers to execute arbitrary code via unknown vectors. Successful exploits will compromise the application and possibly the underlying device
VAR-201409-0533 CVE-2014-1391 Arbitrary code execution vulnerability in QT Media Foundation in Apple OS X CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of RLE encoded data in the mdat atom. An attacker can use this flaw to write outside the allocated buffer, which could allow for the execution of arbitrary code in the context of the current process. Apple Mac OS X is prone to a memory-corruption vulnerability because it fails to perform adequate bounds checks on user-supplied input. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions. Apple OS X is a dedicated operating system developed by Apple for Mac computers. A security vulnerability exists in QT Media Foundation versions prior to Apple OS X 10.9.5. APPLE-SA-2014-09-17-3 OS X Mavericks 10.9.5 and Security Update 2014-004 OS X Mavericks 10.9.5 and Security Update 2014-004 are now available and address the following: apache_mod_php Available for: OS X Mavericks 10.9 to 10.9.4 Impact: Multiple vulnerabilities in PHP 5.4.24 Description: Multiple vulnerabilities existed in PHP 5.4.24, the most serious of which may have led to arbitrary code execution.
This update addresses the issues by updating PHP to version 5.4.30 CVE-ID CVE-2013-7345 CVE-2014-0185 CVE-2014-0207 CVE-2014-0237 CVE-2014-0238 CVE-2014-1943 CVE-2014-2270 CVE-2014-3478 CVE-2014-3479 CVE-2014-3480 CVE-2014-3487 CVE-2014-3515 CVE-2014-3981 CVE-2014-4049 Bluetooth Available for: OS X Mavericks 10.9 to 10.9.4 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of a Bluetooth API call. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4390 : Ian Beer of Google Project Zero CoreGraphics Available for: OS X Mavericks 10.9 to 10.9.4 Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or an information disclosure Description: An out of bounds memory read existed in the handling of PDF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4378 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program CoreGraphics Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of PDF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4377 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program Foundation Available for: OS X Mavericks 10.9 to 10.9.4 Impact: An application using NSXMLParser may be misused to disclose information Description: An XML External Entity issue existed in NSXMLParser's handling of XML. This issue was addressed by not loading external entities across origins. 
CVE-ID CVE-2014-4374 : George Gal of VSR (http://www.vsecurity.com/) Intel Graphics Driver Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: Compiling untrusted GLSL shaders may lead to an unexpected application termination or arbitrary code execution Description: A user-space buffer overflow existed in the shader compiler. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4393 : Apple Intel Graphics Driver Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: Multiple validation issues existed in some integrated graphics driver routines. These issues were addressed through improved bounds checking. CVE-ID CVE-2014-4394 : Ian Beer of Google Project Zero CVE-2014-4395 : Ian Beer of Google Project Zero CVE-2014-4396 : Ian Beer of Google Project Zero CVE-2014-4397 : Ian Beer of Google Project Zero CVE-2014-4398 : Ian Beer of Google Project Zero CVE-2014-4399 : Ian Beer of Google Project Zero CVE-2014-4400 : Ian Beer of Google Project Zero CVE-2014-4401 : Ian Beer of Google Project Zero CVE-2014-4416 : Ian Beer of Google Project Zero IOAcceleratorFamily Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A null pointer dereference existed in the handling of IOKit API arguments. This issue was addressed through improved validation of IOKit API arguments. CVE-ID CVE-2014-4376 : Ian Beer of Google Project Zero IOAcceleratorFamily Available for: OS X Mavericks 10.9 to 10.9.4 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An out-of-bounds read issue existed in the handling of an IOAcceleratorFamily function. This issue was addressed through improved bounds checking. 
CVE-ID CVE-2014-4402 : Ian Beer of Google Project Zero IOHIDFamily Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: A local user can read kernel pointers, which can be used to bypass kernel address space layout randomization Description: An out-of-bounds read issue existed in the handling of an IOHIDFamily function. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4379 : Ian Beer of Google Project Zero IOKit Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-4388 : @PanguTeam IOKit Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An integer overflow existed in the handling of IOKit functions. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4389 : Ian Beer of Google Project Zero Kernel Available for: OS X Mavericks 10.9 to 10.9.4 Impact: A local user can infer kernel addresses and bypass kernel address space layout randomization Description: In some cases, the CPU Global Descriptor Table was allocated at a predictable address. This issue was addressed through always allocating the Global Descriptor Table at random addresses. CVE-ID CVE-2014-4403 : Ian Beer of Google Project Zero Libnotify Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: A malicious application may be able to execute arbitrary code with root privileges Description: An out-of-bounds write issue existed in Libnotify. 
This issue was addressed through improved bounds checking CVE-ID CVE-2014-4381 : Ian Beer of Google Project Zero OpenSSL Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: Multiple vulnerabilities in OpenSSL 0.9.8y, including one that may lead to arbitrary code execution Description: Multiple vulnerabilities existed in OpenSSL 0.9.8y. This update was addressed by updating OpenSSL to version 0.9.8za. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-1391 : Fernando Munoz working with iDefense VCP, Tom Gallagher & Paul Bates working with HP's Zero Day Initiative QT Media Foundation Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: Playing a maliciously crafted MIDI file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of MIDI files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4979 : Andrea Micalizzi aka rgod working with HP's Zero Day Initiative ruby Available for: OS X Mavericks 10.9 to 10.9.4 Impact: A remote attacker may be able to cause arbitrary code execution Description: A heap buffer overflow existed in LibYAML's handling of percent-encoded characters in a URI. This issue was addressed through improved bounds checking.
This update addresses the issues by updating LibYAML to version 0.1.6 CVE-ID CVE-2014-2525 Note: OS X Mavericks 10.9.5 includes the security content of Safari 7.0.6: http://support.apple.com/kb/HT6367 OS X Mavericks v10.9.5 and Security Update 2014-004 may be obtained from the Mac App Store or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
VAR-201409-0519 CVE-2014-4383 Device update status spoofing vulnerability in the Assets subsystem of Apple iOS and Apple TV CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The Assets subsystem in Apple iOS before 8 and Apple TV before 7 allows man-in-the-middle attackers to spoof a device's update status via a crafted Last-Modified HTTP response header. Apple iOS and TV are prone to multiple security vulnerabilities. These issues affect the following components: 802.1X, Accounts, Accessibility, Accounts Framework, Address Book, App Installation, Assets, Bluetooth, CoreGraphics, Foundation, Home & Lock Screen, iMessage, IOAcceleratorFamily, IOHIDFamily, IOKit, Kernel, Libnotify, Mail, Profiles, Safari, Sandbox Profiles, syslog and WebKit. Successfully exploiting these issues may allow attackers to crash the affected device, bypass security restrictions, obtain sensitive information, or execute arbitrary code. Other attacks are also possible. This BID is being retired. The following individual records exist to better document the issues:
69913 Apple iOS and TV CVE-2014-4364 Spoofing Vulnerability
69917 Apple iOS CVE-2014-4423 Information Disclosure Vulnerability
69926 Apple iOS Lock Screen CVE-2014-4368 Security Bypass Vulnerability
69930 Apple iOS and TV CVE-2014-4357 Local Information Disclosure Security Vulnerability
69932 Apple iOS CVE-2014-4352 Local Information Disclosure Security Vulnerability
69936 Apple iOS CVE-2014-4386 Local Privilege Escalation Vulnerability
69940 Apple iOS CVE-2014-4384 Local Privilege Escalation Vulnerability
69941 Apple iOS and TV CVE-2014-4383 Security Bypass Vulnerability
69943 Apple iOS CVE-2014-4354 Unspecified Security Vulnerability
69903 Multiple Apple Products CVE-2014-4377 PDF Handling Integer Overflow Vulnerability
69915 Apple TV/Mac OS X/iOS CVE-2014-4378 Out of Bounds Read Memory Corruption Vulnerability
69905 Apple Mac OS X and iOS CVE-2014-4374 XML External Entity Information Disclosure Vulnerability
69921 Apple TV/Mac OS X/iOS CVE-2014-4379 Out of Bounds Read Memory Corruption Vulnerability
69929 Apple TV and iOS CVE-2014-4369 NULL Pointer Dereference Denial of Service Vulnerability
69934 Apple TV and iOS CVE-2014-4373 NULL Pointer Dereference Denial of Service Vulnerability
69938 Apple TV and iOS CVE-2014-4405 NULL Pointer Dereference Remote Code Execution Vulnerability
69942 Apple TV and iOS CVE-2014-4380 Out of Bounds Read Write Remote Code Execution Vulnerability
69947 Apple TV and iOS CVE-2014-4404 Heap Based Buffer Overflow Vulnerability
69949 Apple iOS CVE-2014-4361 Security Bypass Vulnerability
69951 Apple iOS CVE-2014-4353 Race Condition Local Information Disclosure Vulnerability
69912 Apple iOS and TV CVE-2014-4407 Information Disclosure Security Vulnerability
69919 Apple iOS and TV CVE-2014-4371 Unspecified Security Vulnerability
69924 Apple iOS and TV CVE-2014-4421 Unspecified Security Vulnerability
69927 Apple iOS and TV CVE-2014-4420 Unspecified Security Vulnerability
69928 Apple iOS and TV CVE-2014-4419 Unspecified Security Vulnerability
69939 Apple iOS and TV CVE-2014-4408 Out of Bounds Read Local Memory Corruption Vulnerability
69944 Apple iOS and TV CVE-2014-4375 Local Memory Corruption Vulnerability
69946 Apple iOS and TV CVE-2014-4418 Remote Code Execution Vulnerability
69948 Apple TV/Mac OS X/iOS CVE-2014-4388 Remote Code Execution Vulnerability
69950 Apple TV/Mac OS X/iOS CVE-2014-4389 Integer Buffer Overflow Vulnerability
69937 WebKit Private Browsing CVE-2014-4409 Security Bypass Vulnerability
69911 Apple iOS and TV CVE-2014-4422 Security Bypass Vulnerability
69931 Apple TV/Mac OS X/iOS CVE-2014-4381 Arbitrary Code Execution Vulnerability
69914 Apple iOS CVE-2014-4366 Information Disclosure Vulnerability
69945 Apple iOS CVE-2014-4367 Security Vulnerability
69920 Apple iOS CVE-2014-4362 Information Disclosure Vulnerability
69922 Apple iOS CVE-2014-4356 Local Information Disclosure Vulnerability
69923 Apple iOS and TV CVE-2014-4372 Local Security Bypass Vulnerability
APPLE-SA-2014-09-17-2 Apple TV 7 Apple TV 7 is now available and addresses the following: Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker can obtain WiFi credentials Description: An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by removing support for LEAP. CVE-ID CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim Lamotte of Universiteit Hasselt Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with access to a device may access sensitive user information from logs Description: Sensitive user information was logged. This issue was addressed by logging less information. CVE-ID CVE-2014-4357 : Heli Myllykoski of OP-Pohjola Group Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with a privileged network position may be able to cause a device to think that it is up to date even when it is not Description: A validation issue existed in the handling of update check responses. Spoofed dates from Last-Modified response headers set to future dates were used for If-Modified-Since checks in subsequent update requests. This issue was addressed by validation of the Last-Modified header. CVE-ID CVE-2014-4383 : Raul Siles of DinoSec Apple TV Available for: Apple TV 3rd generation and later Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of PDF files. This issue was addressed through improved bounds checking.
CVE-ID CVE-2014-4377 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program Apple TV Available for: Apple TV 3rd generation and later Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or an information disclosure Description: An out of bounds memory read existed in the handling of PDF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4378 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program Apple TV Available for: Apple TV 3rd generation and later Impact: An application may cause an unexpected system termination Description: A null pointer dereference existed in the handling of IOAcceleratorFamily API arguments. This issue was addressed through improved validation of IOAcceleratorFamily API arguments. CVE-ID CVE-2014-4369 : Catherine aka winocm Apple TV Available for: Apple TV 3rd generation and later Impact: The device may unexpectedly restart Description: A NULL pointer dereference was present in the IntelAccelerator driver. The issue was addressed by improved error handling. CVE-ID CVE-2014-4373 : cunzhang from Adlab of Venustech Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to read kernel pointers, which can be used to bypass kernel address space layout randomization Description: An out-of-bounds read issue existed in the handling of an IOHIDFamily function. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4379 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A heap buffer overflow existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved bounds checking. 
CVE-ID CVE-2014-4404 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A null pointer dereference existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved validation of IOHIDFamily key-mapping properties. CVE-ID CVE-2014-4405 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue existed in the IOHIDFamily kernel extension. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4380 : cunzhang from Adlab of Venustech Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to read uninitialized data from kernel memory Description: An uninitialized memory access issue existed in the handling of IOKit functions. This issue was addressed through improved memory initialization CVE-ID CVE-2014-4407 : @PanguTeam Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-4418 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. 
CVE-ID CVE-2014-4388 : @PanguTeam Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An integer overflow existed in the handling of IOKit functions. This issue was addressed through improved validation of IOKit API arguments. CVE-ID CVE-2014-4389 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to determine kernel memory layout Description: Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization. CVE-ID CVE-2014-4371 : Fermin J. Serna of the Google Security Team CVE-2014-4419 : Fermin J. Serna of the Google Security Team CVE-2014-4420 : Fermin J. Serna of the Google Security Team CVE-2014-4421 : Fermin J. Serna of the Google Security Team Apple TV Available for: Apple TV 3rd generation and later Impact: A person with a privileged network position may cause a denial of service Description: A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking. CVE-ID CVE-2011-2391 : Marc Heuse Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel Description: A double free issue existed in the handling of Mach ports. This issue was addressed through improved validation of Mach ports. CVE-ID CVE-2014-4375 Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel Description: An out-of-bounds read issue existed in rt_setgate. This may lead to memory disclosure or memory corruption. This issue was addressed through improved bounds checking. 
CVE-ID CVE-2014-4408 Apple TV Available for: Apple TV 3rd generation and later Impact: Some kernel hardening measures may be bypassed Description: The 'early' random number generator used in some kernel hardening measures was not cryptographically secure, and some of its output was exposed to user space, allowing bypass of the hardening measures. This issue was addressed by replacing the random number generator with a cryptographically secure algorithm, and using a 16-byte seed. CVE-ID CVE-2014-4422 : Tarjei Mandt of Azimuth Security Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with root privileges Description: An out-of-bounds write issue existed in Libnotify. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4381 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to change permissions on arbitrary files Description: syslogd followed symbolic links while changing permissions on files. This issue was addressed through improved handling of symbolic links. CVE-ID CVE-2014-4372 : Tielei Wang and YeongJin Jang of Georgia Tech Information Security Center (GTISC) Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with a privileged network position may cause an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling. CVE-ID CVE-2013-6663 : Atte Kettunen of OUSPG CVE-2014-1384 : Apple CVE-2014-1385 : Apple CVE-2014-1387 : Google Chrome Security Team CVE-2014-1388 : Apple CVE-2014-1389 : Apple CVE-2014-4410 : Eric Seidel of Google CVE-2014-4411 : Google Chrome Security Team CVE-2014-4412 : Apple CVE-2014-4413 : Apple CVE-2014-4414 : Apple CVE-2014-4415 : Apple Installation note: Apple TV will periodically check for software updates. 
Alternatively, you may manually check for software updates by selecting "Settings -> General -> Update Software". To check the current version of software, select "Settings -> General -> About". Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
VAR-201409-0518 CVE-2014-4381 Vulnerability in a library in multiple Apple products that allows arbitrary code execution with root privileges CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Libnotify in Apple iOS before 8 and Apple TV before 7 lacks proper bounds checking on write operations, which allows attackers to execute arbitrary code as root via a crafted application. An attacker can leverage this issue to execute arbitrary code with system privileges. Failed exploit attempts will likely result in denial-of-service conditions. Apple iOS and TV are prone to multiple security vulnerabilities. These issues affect the following components: 802.1X, Accounts, Accessibility, Accounts Framework, Address Book, App Installation, Assets, Bluetooth, CoreGraphics, Foundation, Home & Lock Screen, iMessage, IOAcceleratorFamily, IOAcceleratorFamily, IOHIDFamily, IOHIDFamily, IOKit, Kernel, Libnotify, Mail, Profiles, Safari, Sandbox Profiles, syslog and WebKit components. Successfully exploiting these issues may allow attackers to crash the affected device, bypass security restrictions, obtain sensitive information, or execute arbitrary code. Other attacks are also possible. This BID is being retired. 
The following individual records exist to better document the issues: 69913 Apple iOS and TV CVE-2014-4364 Spoofing Vulnerability 69917 Apple iOS CVE-2014-4423 Information Disclosure Vulnerability 69926 Apple iOS Lock Screen CVE-2014-4368 Security Bypass Vulnerability 69930 Apple iOS and TV CVE-2014-4357 Local Information Disclosure Security Vulnerability 69932 Apple iOS CVE-2014-4352 Local Information Disclosure Security Vulnerability 69936 Apple iOS CVE-2014-4386 Local Privilege Escalation Vulnerability 69940 Apple iOS CVE-2014-4384 Local Privilege Escalation Vulnerability 69941 Apple iOS and TV CVE-2014-4383 Security Bypass Vulnerability 69943 Apple iOS CVE-2014-4354 Unspecified Security Vulnerability 69903 Multiple Apple Products CVE-2014-4377 PDF Handling Integer Overflow Vulnerability 69915 Apple TV/Mac OS X/iOS CVE-2014-4378 Out of Bounds Read Memory Corruption Vulnerability 69905 Apple Mac OS X and iOS CVE-2014-4374 XML External Entity Information Disclosure Vulnerability 69921 Apple TV/Mac OS X/iOS CVE-2014-4379 Out of Bounds Read Memory Corruption Vulnerability 69929 Apple TV and iOS CVE-2014-4369 NULL Pointer Dereference Denial of Service Vulnerability 69934 Apple TV and iOS CVE-2014-4373 NULL Pointer Dereference Denial of Service Vulnerability 69938 Apple TV and iOS CVE-2014-4405 NULL Pointer Dereference Remote Code Execution Vulnerability 69942 Apple TV and iOS CVE-2014-4380 Out of Bounds Read Write Remote Code Execution Vulnerability 69947 Apple TV and iOS CVE-2014-4404 Heap Based Buffer Overflow Vulnerability 69949 Apple iOS CVE-2014-4361 Security Bypass Vulnerability 69951 Apple iOS CVE-2014-4353 Race Condition Local Information Disclosure Vulnerability 69912 Apple iOS and TV CVE-2014-4407 Information Disclosure Security Vulnerability 69919 Apple iOS and TV CVE-2014-4371 Unspecified Security Vulnerability 69924 Apple iOS and TV CVE-2014-4421 Unspecified Security Vulnerability 69927 Apple iOS and TV CVE-2014-4420 Unspecified Security Vulnerability 
69928 Apple iOS and TV CVE-2014-4419 Unspecified Security Vulnerability 69939 Apple iOS and TV CVE-2014-4408 Out of Bounds Read Local Memory Corruption Vulnerability 69944 Apple iOS and TV CVE-2014-4375 Local Memory Corruption Vulnerability 69946 Apple iOS and TV CVE-2014-4418 Remote Code Execution Vulnerability 69948 Apple TV/Mac OS X/iOS CVE-2014-4388 Remote Code Execution Vulnerability 69950 Apple TV/Mac OS X/iOS CVE-2014-4389 Integer Buffer Overflow Vulnerability 69937 WebKit Private Browsing CVE-2014-4409 Security Bypass Vulnerability 69911 Apple iOS and TV CVE-2014-4422 Security Bypass Vulnerability 69931 Apple TV/Mac OS X/iOS CVE-2014-4381 Arbitrary Code Execution Vulnerability 69914 Apple iOS CVE-2014-4366 Information Disclosure Vulnerability 69945 Apple iOS CVE-2014-4367 Security Vulnerability 69920 Apple iOS CVE-2014-4362 Information Disclosure Vulnerability 69922 Apple iOS CVE-2014-4356 Local Information Disclosure Vulnerability 69923 Apple iOS and TV CVE-2014-4372 Local Security Bypass Vulnerability 69937 WebKit Private Browsing CVE-2014-4409 Security Bypass Vulnerability. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2014-09-17-2 Apple TV 7 Apple TV 7 is now available and addresses the following: Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker can obtain WiFi credentials Description: An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by removing support for LEAP. CVE-ID CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim Lamotte of Universiteit Hasselt Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with access to an device may access sensitive user information from logs Description: Sensitive user information was logged. 
This issue was addressed by logging less information. CVE-ID CVE-2014-4357 : Heli Myllykoski of OP-Pohjola Group Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with a privileged network position may be able to cause a device to think that it is up to date even when it is not Description: A validation issue existed in the handling of update check responses. Spoofed dates from Last-Modified response headers set to future dates were used for If-Modified-Since checks in subsequent update requests. This issue was addressed by validation of the Last-Modified header. CVE-ID CVE-2014-4383 : Raul Siles of DinoSec Apple TV Available for: Apple TV 3rd generation and later Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of PDF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4377 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program Apple TV Available for: Apple TV 3rd generation and later Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or an information disclosure Description: An out of bounds memory read existed in the handling of PDF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4378 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program Apple TV Available for: Apple TV 3rd generation and later Impact: An application may cause an unexpected system termination Description: A null pointer dereference existed in the handling of IOAcceleratorFamily API arguments. This issue was addressed through improved validation of IOAcceleratorFamily API arguments. 
CVE-ID CVE-2014-4369 : Catherine aka winocm Apple TV Available for: Apple TV 3rd generation and later Impact: The device may unexpectedly restart Description: A NULL pointer dereference was present in the IntelAccelerator driver. The issue was addressed by improved error handling. CVE-ID CVE-2014-4373 : cunzhang from Adlab of Venustech Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to read kernel pointers, which can be used to bypass kernel address space layout randomization Description: An out-of-bounds read issue existed in the handling of an IOHIDFamily function. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4379 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A heap buffer overflow existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4404 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A null pointer dereference existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved validation of IOHIDFamily key-mapping properties. CVE-ID CVE-2014-4405 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue existed in the IOHIDFamily kernel extension. This issue was addressed through improved bounds checking. 
CVE-ID CVE-2014-4380 : cunzhang from Adlab of Venustech Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to read uninitialized data from kernel memory Description: An uninitialized memory access issue existed in the handling of IOKit functions. This issue was addressed through improved memory initialization CVE-ID CVE-2014-4407 : @PanguTeam Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-4418 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. This issue was addressed through improved validation of IOKit API arguments. CVE-ID CVE-2014-4389 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to determine kernel memory layout Description: Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization. CVE-ID CVE-2014-4371 : Fermin J. Serna of the Google Security Team CVE-2014-4419 : Fermin J. Serna of the Google Security Team CVE-2014-4420 : Fermin J. Serna of the Google Security Team CVE-2014-4421 : Fermin J. 
Serna of the Google Security Team Apple TV Available for: Apple TV 3rd generation and later Impact: A person with a privileged network position may cause a denial of service Description: A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking. CVE-ID CVE-2011-2391 : Marc Heuse Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel Description: A double free issue existed in the handling of Mach ports. This issue was addressed through improved validation of Mach ports. CVE-ID CVE-2014-4375 Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel Description: An out-of-bounds read issue existed in rt_setgate. This may lead to memory disclosure or memory corruption. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4408 Apple TV Available for: Apple TV 3rd generation and later Impact: Some kernel hardening measures may be bypassed Description: The 'early' random number generator used in some kernel hardening measures was not cryptographically secure, and some of its output was exposed to user space, allowing bypass of the hardening measures. This issue was addressed by replacing the random number generator with a cryptographically secure algorithm, and using a 16-byte seed. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4381 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to change permissions on arbitrary files Description: syslogd followed symbolic links while changing permissions on files. This issue was addressed through improved handling of symbolic links. 
CVE-ID CVE-2014-4372 : Tielei Wang and YeongJin Jang of Georgia Tech Information Security Center (GTISC) Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with a privileged network position may cause an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling. CVE-ID CVE-2013-6663 : Atte Kettunen of OUSPG CVE-2014-1384 : Apple CVE-2014-1385 : Apple CVE-2014-1387 : Google Chrome Security Team CVE-2014-1388 : Apple CVE-2014-1389 : Apple CVE-2014-4410 : Eric Seidel of Google CVE-2014-4411 : Google Chrome Security Team CVE-2014-4412 : Apple CVE-2014-4413 : Apple CVE-2014-4414 : Apple CVE-2014-4415 : Apple Installation note: Apple TV will periodically check for software updates. Alternatively, you may manually check for software updates by selecting "Settings -> General -> Update Software". To check the current version of software, select "Settings -> General -> About". 
Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2014-09-17-3 OS X Mavericks 10.9.5 and Security Update 2014-004 OS X Mavericks 10.9.5 and Security Update 2014-004 are now available and address the following: apache_mod_php Available for: OS X Mavericks 10.9 to 10.9.4 Impact: Multiple vulnerabilities in PHP 5.4.24 Description: Multiple vulnerabilities existed in PHP 5.4.24, the most serious of which may have led to arbitrary code execution. This issue was addressed through always allocating the Global Descriptor Table at random addresses. 
This issue was addressed through improved bounds checking CVE-ID CVE-2014-4381 : Ian Beer of Google Project Zero OpenSSL Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: Multiple vulnerabilities in OpenSSL 0.9.8y, including one that may lead to arbitrary code execution Description: Multiple vulnerabilities existed in OpenSSL 0.9.8y. This update was addressed by updating OpenSSL to version 0.9.8za
VAR-201409-0513 CVE-2014-4376 Arbitrary code execution in a privileged context vulnerability in IOKit in IOAcceleratorFamily in Apple OS X CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
IOKit in IOAcceleratorFamily in Apple OS X before 10.9.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via an application that provides crafted API arguments. Supplementary information: the CWE vulnerability type has been identified as CWE-476: NULL Pointer Dereference. Apple Mac OS X is prone to an arbitrary code-execution vulnerability because it fails to properly validate user-supplied input. Attackers can exploit this issue to execute arbitrary code in the context of the system privileges. Failed exploit attempts may result in a denial-of-service condition. Apple OS X is a dedicated operating system developed by Apple for Mac computers. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2014-09-17-3 OS X Mavericks 10.9.5 and Security Update 2014-004 OS X Mavericks 10.9.5 and Security Update 2014-004 are now available and address the following: apache_mod_php Available for: OS X Mavericks 10.9 to 10.9.4 Impact: Multiple vulnerabilities in PHP 5.4.24 Description: Multiple vulnerabilities existed in PHP 5.4.24, the most serious of which may have led to arbitrary code execution. This update addresses the issues by updating PHP to version 5.4.30 CVE-ID CVE-2013-7345 CVE-2014-0185 CVE-2014-0207 CVE-2014-0237 CVE-2014-0238 CVE-2014-1943 CVE-2014-2270 CVE-2014-3478 CVE-2014-3479 CVE-2014-3480 CVE-2014-3487 CVE-2014-3515 CVE-2014-3981 CVE-2014-4049 Bluetooth Available for: OS X Mavericks 10.9 to 10.9.4 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of a Bluetooth API call. This issue was addressed through improved bounds checking. 
CVE-ID CVE-2014-4390 : Ian Beer of Google Project Zero CoreGraphics Available for: OS X Mavericks 10.9 to 10.9.4 Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or an information disclosure Description: An out of bounds memory read existed in the handling of PDF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4378 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program CoreGraphics Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of PDF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4377 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program Foundation Available for: OS X Mavericks 10.9 to 10.9.4 Impact: An application using NSXMLParser may be misused to disclose information Description: An XML External Entity issue existed in NSXMLParser's handling of XML. This issue was addressed by not loading external entities across origins. CVE-ID CVE-2014-4374 : George Gal of VSR (http://www.vsecurity.com/) Intel Graphics Driver Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: Compiling untrusted GLSL shaders may lead to an unexpected application termination or arbitrary code execution Description: A user-space buffer overflow existed in the shader compiler. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4393 : Apple Intel Graphics Driver Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: Multiple validation issues existed in some integrated graphics driver routines. 
These issues were addressed through improved bounds checking. CVE-ID CVE-2014-4394 : Ian Beer of Google Project Zero CVE-2014-4395 : Ian Beer of Google Project Zero CVE-2014-4396 : Ian Beer of Google Project Zero CVE-2014-4397 : Ian Beer of Google Project Zero CVE-2014-4398 : Ian Beer of Google Project Zero CVE-2014-4399 : Ian Beer of Google Project Zero CVE-2014-4400 : Ian Beer of Google Project Zero CVE-2014-4401 : Ian Beer of Google Project Zero CVE-2014-4416 : Ian Beer of Google Project Zero IOAcceleratorFamily Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A null pointer dereference existed in the handling of IOKit API arguments. This issue was addressed through improved validation of IOKit API arguments. CVE-ID CVE-2014-4376 : Ian Beer of Google Project Zero IOAcceleratorFamily Available for: OS X Mavericks 10.9 to 10.9.4 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An out-of-bounds read issue existed in the handling of an IOAcceleratorFamily function. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4402 : Ian Beer of Google Project Zero IOHIDFamily Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: A local user can read kernel pointers, which can be used to bypass kernel address space layout randomization Description: An out-of-bounds read issue existed in the handling of an IOHIDFamily function. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4379 : Ian Beer of Google Project Zero IOKit Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. 
This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-4388 : @PanguTeam IOKit Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An integer overflow existed in the handling of IOKit functions. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4389 : Ian Beer of Google Project Zero Kernel Available for: OS X Mavericks 10.9 to 10.9.4 Impact: A local user can infer kernel addresses and bypass kernel address space layout randomization Description: In some cases, the CPU Global Descriptor Table was allocated at a predictable address. This issue was addressed through always allocating the Global Descriptor Table at random addresses. CVE-ID CVE-2014-4403 : Ian Beer of Google Project Zero Libnotify Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: A malicious application may be able to execute arbitrary code with root privileges Description: An out-of-bounds write issue existed in Libnotify. This issue was addressed through improved bounds checking CVE-ID CVE-2014-4381 : Ian Beer of Google Project Zero OpenSSL Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: Multiple vulnerabilities in OpenSSL 0.9.8y, including one that may lead to arbitrary code execution Description: Multiple vulnerabilities existed in OpenSSL 0.9.8y. This update was addressed by updating OpenSSL to version 0.9.8za. 
CVE-ID CVE-2014-0076 CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470 QT Media Foundation Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of RLE encoded movie files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-1391 : Fernando Munoz working with iDefense VCP, Tom Gallagher & Paul Bates working with HP's Zero Day Initiative QT Media Foundation Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: Playing a maliciously crafted MIDI file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of MIDI files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4350 : s3tm3m working with HP's Zero Day Initiative QT Media Foundation Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of the 'mvhd' atoms. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4979 : Andrea Micalizzi aka rgod working with HP's Zero Day Initiative ruby Available for: OS X Mavericks 10.9 to 10.9.4 Impact: A remote attacker may be able to cause arbitrary code execution Description: A heap buffer overflow existed in LibYAML's handling of percent-encoded characters in a URI. This issue was addressed through improved bounds checking. 
This update addresses the issues by updating LibYAML to version 0.1.6 CVE-ID CVE-2014-2525 Note: OS X Mavericks 10.9.5 includes the security content of Safari 7.0.6: http://support.apple.com/kb/HT6367 OS X Mavericks v10.9.5 and Security Update 2014-004 may be obtained from the Mac App Store or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
VAR-201409-0514 CVE-2014-4377 Integer overflow vulnerability in CoreGraphics in multiple Apple products CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Integer overflow in CoreGraphics in Apple iOS before 8 and Apple TV before 7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document. Failed exploit attempts will result in a denial-of-service condition. Apple iOS and TV are prone to multiple security vulnerabilities. These issues affect the following components: 802.1X, Accounts, Accessibility, Accounts Framework, Address Book, App Installation, Assets, Bluetooth, CoreGraphics, Foundation, Home & Lock Screen, iMessage, IOAcceleratorFamily, IOAcceleratorFamily, IOHIDFamily, IOHIDFamily, IOKit, Kernel, Libnotify, Mail, Profiles, Safari, Sandbox Profiles, syslog and WebKit components. Successfully exploiting these issues may allow attackers to crash the affected device, bypass security restrictions, obtain sensitive information, or execute arbitrary code. Other attacks are also possible. This BID is being retired. The following individual records exist to better document the issues: 69913 Apple iOS and TV CVE-2014-4364 Spoofing Vulnerability 69917 Apple iOS CVE-2014-4423 Information Disclosure Vulnerability 69926 Apple iOS Lock Screen CVE-2014-4368 Security Bypass Vulnerability 69930 Apple iOS and TV CVE-2014-4357 Local Information Disclosure Security Vulnerability 69932 Apple iOS CVE-2014-4352 Local Information Disclosure Security Vulnerability 69936 Apple iOS CVE-2014-4386 Local Privilege Escalation Vulnerability 69940 Apple iOS CVE-2014-4384 Local Privilege Escalation Vulnerability 69941 Apple iOS and TV CVE-2014-4383 Security Bypass Vulnerability 69943 Apple iOS CVE-2014-4354 Unspecified Security Vulnerability 69903 Multiple Apple Products CVE-2014-4377 PDF Handling Integer Overflow Vulnerability 69915 Apple TV/Mac OS X/iOS CVE-2014-4378 Out of Bounds Read Memory Corruption Vulnerability 69905 Apple Mac OS X and iOS CVE-2014-4374 XML External Entity Information Disclosure Vulnerability 69921 Apple TV/Mac OS X/iOS CVE-2014-4379 Out of Bounds 
Read Memory Corruption Vulnerability 69929 Apple TV and iOS CVE-2014-4369 NULL Pointer Dereference Denial of Service Vulnerability 69934 Apple TV and iOS CVE-2014-4373 NULL Pointer Dereference Denial of Service Vulnerability 69938 Apple TV and iOS CVE-2014-4405 NULL Pointer Dereference Remote Code Execution Vulnerability 69942 Apple TV and iOS CVE-2014-4380 Out of Bounds Read Write Remote Code Execution Vulnerability 69947 Apple TV and iOS CVE-2014-4404 Heap Based Buffer Overflow Vulnerability 69949 Apple iOS CVE-2014-4361 Security Bypass Vulnerability 69951 Apple iOS CVE-2014-4353 Race Condition Local Information Disclosure Vulnerability 69912 Apple iOS and TV CVE-2014-4407 Information Disclosure Security Vulnerability 69919 Apple iOS and TV CVE-2014-4371 Unspecified Security Vulnerability 69924 Apple iOS and TV CVE-2014-4421 Unspecified Security Vulnerability 69927 Apple iOS and TV CVE-2014-4420 Unspecified Security Vulnerability 69928 Apple iOS and TV CVE-2014-4419 Unspecified Security Vulnerability 69939 Apple iOS and TV CVE-2014-4408 Out of Bounds Read Local Memory Corruption Vulnerability 69944 Apple iOS and TV CVE-2014-4375 Local Memory Corruption Vulnerability 69946 Apple iOS and TV CVE-2014-4418 Remote Code Execution Vulnerability 69948 Apple TV/Mac OS X/iOS CVE-2014-4388 Remote Code Execution Vulnerability 69950 Apple TV/Mac OS X/iOS CVE-2014-4389 Integer Buffer Overflow Vulnerability 69937 WebKit Private Browsing CVE-2014-4409 Security Bypass Vulnerability 69911 Apple iOS and TV CVE-2014-4422 Security Bypass Vulnerability 69931 Apple TV/Mac OS X/iOS CVE-2014-4381 Arbitrary Code Execution Vulnerability 69914 Apple iOS CVE-2014-4366 Information Disclosure Vulnerability 69945 Apple iOS CVE-2014-4367 Security Vulnerability 69920 Apple iOS CVE-2014-4362 Information Disclosure Vulnerability 69922 Apple iOS CVE-2014-4356 Local Information Disclosure Vulnerability 69923 Apple iOS and TV CVE-2014-4372 Local Security Bypass Vulnerability 69937 WebKit Private 
Browsing CVE-2014-4409 Security Bypass Vulnerability. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2014-09-17-2 Apple TV 7 Apple TV 7 is now available and addresses the following: Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker can obtain WiFi credentials Description: An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by removing support for LEAP. CVE-ID CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim Lamotte of Universiteit Hasselt Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with access to an device may access sensitive user information from logs Description: Sensitive user information was logged. This issue was addressed by logging less information. CVE-ID CVE-2014-4357 : Heli Myllykoski of OP-Pohjola Group Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with a privileged network position may be able to cause a device to think that it is up to date even when it is not Description: A validation issue existed in the handling of update check responses. Spoofed dates from Last-Modified response headers set to future dates were used for If-Modified-Since checks in subsequent update requests. This issue was addressed by validation of the Last-Modified header. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4377 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program Apple TV Available for: Apple TV 3rd generation and later Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or an information disclosure Description: An out of bounds memory read existed in the handling of PDF files. 
This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4378 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program Apple TV Available for: Apple TV 3rd generation and later Impact: An application may cause an unexpected system termination Description: A null pointer dereference existed in the handling of IOAcceleratorFamily API arguments. This issue was addressed through improved validation of IOAcceleratorFamily API arguments. CVE-ID CVE-2014-4369 : Catherine aka winocm Apple TV Available for: Apple TV 3rd generation and later Impact: The device may unexpectedly restart Description: A NULL pointer dereference was present in the IntelAccelerator driver. The issue was addressed by improved error handling. CVE-ID CVE-2014-4373 : cunzhang from Adlab of Venustech Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to read kernel pointers, which can be used to bypass kernel address space layout randomization Description: An out-of-bounds read issue existed in the handling of an IOHIDFamily function. This issue was addressed through improved bounds checking. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4404 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A null pointer dereference existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved validation of IOHIDFamily key-mapping properties. CVE-ID CVE-2014-4405 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue existed in the IOHIDFamily kernel extension. This issue was addressed through improved bounds checking. 
CVE-ID CVE-2014-4380 : cunzhang from Adlab of Venustech Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to read uninitialized data from kernel memory Description: An uninitialized memory access issue existed in the handling of IOKit functions. This issue was addressed through improved memory initialization CVE-ID CVE-2014-4407 : @PanguTeam Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-4418 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. This issue was addressed through improved validation of IOKit API arguments. CVE-ID CVE-2014-4389 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to determine kernel memory layout Description: Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization. CVE-ID CVE-2014-4371 : Fermin J. Serna of the Google Security Team CVE-2014-4419 : Fermin J. Serna of the Google Security Team CVE-2014-4420 : Fermin J. Serna of the Google Security Team CVE-2014-4421 : Fermin J. 
Serna of the Google Security Team Apple TV Available for: Apple TV 3rd generation and later Impact: A person with a privileged network position may cause a denial of service Description: A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking. CVE-ID CVE-2011-2391 : Marc Heuse Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel Description: A double free issue existed in the handling of Mach ports. This issue was addressed through improved validation of Mach ports. CVE-ID CVE-2014-4375 Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel Description: An out-of-bounds read issue existed in rt_setgate. This may lead to memory disclosure or memory corruption. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4408 Apple TV Available for: Apple TV 3rd generation and later Impact: Some kernel hardening measures may be bypassed Description: The 'early' random number generator used in some kernel hardening measures was not cryptographically secure, and some of its output was exposed to user space, allowing bypass of the hardening measures. This issue was addressed by replacing the random number generator with a cryptographically secure algorithm, and using a 16-byte seed. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4381 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to change permissions on arbitrary files Description: syslogd followed symbolic links while changing permissions on files. This issue was addressed through improved handling of symbolic links. 
CVE-ID CVE-2014-4372 : Tielei Wang and YeongJin Jang of Georgia Tech Information Security Center (GTISC) Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with a privileged network position may cause an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling. CVE-ID CVE-2013-6663 : Atte Kettunen of OUSPG CVE-2014-1384 : Apple CVE-2014-1385 : Apple CVE-2014-1387 : Google Chrome Security Team CVE-2014-1388 : Apple CVE-2014-1389 : Apple CVE-2014-4410 : Eric Seidel of Google CVE-2014-4411 : Google Chrome Security Team CVE-2014-4412 : Apple CVE-2014-4413 : Apple CVE-2014-4414 : Apple CVE-2014-4415 : Apple Installation note: Apple TV will periodically check for software updates. Alternatively, you may manually check for software updates by selecting "Settings -> General -> Update Software". To check the current version of software, select "Settings -> General -> About". 
Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2014-09-17-3 OS X Mavericks 10.9.5 and Security Update 2014-004 OS X Mavericks 10.9.5 and Security Update 2014-004 are now available and address the following: apache_mod_php Available for: OS X Mavericks 10.9 to 10.9.4 Impact: Multiple vulnerabilities in PHP 5.4.24 Description: Multiple vulnerabilities existed in PHP 5.4.24, the most serious of which may have led to arbitrary code execution. This issue was addressed through always allocating the Global Descriptor Table at random addresses. 
This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4381 : Ian Beer of Google Project Zero OpenSSL Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: Multiple vulnerabilities in OpenSSL 0.9.8y, including one that may lead to arbitrary code execution Description: Multiple vulnerabilities existed in OpenSSL 0.9.8y. This update was addressed by updating OpenSSL to version 0.9.8za.
VAR-201409-0515 CVE-2014-4378 Vulnerability in CoreGraphics in multiple Apple products that allows important information to be obtained CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
CoreGraphics in Apple iOS before 8 and Apple TV before 7 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a crafted PDF document. Attackers can exploit this issue to cause denial-of-service conditions or gain access to sensitive information. This issue is fixed in Apple Mac OS X 10.9.5, Apple iOS 8 and Apple TV 7. Apple iOS and TV are prone to multiple security vulnerabilities. These issues affect the following components: 802.1X, Accounts, Accessibility, Accounts Framework, Address Book, App Installation, Assets, Bluetooth, CoreGraphics, Foundation, Home & Lock Screen, iMessage, IOAcceleratorFamily, IOAcceleratorFamily, IOHIDFamily, IOHIDFamily, IOKit, Kernel, Libnotify, Mail, Profiles, Safari, Sandbox Profiles, syslog and WebKit components. Successfully exploiting these issues may allow attackers to crash the affected device, bypass security restrictions, obtain sensitive information, or execute arbitrary code. Other attacks are also possible. This BID is being retired. 
The following individual records exist to better document the issues: 69913 Apple iOS and TV CVE-2014-4364 Spoofing Vulnerability 69917 Apple iOS CVE-2014-4423 Information Disclosure Vulnerability 69926 Apple iOS Lock Screen CVE-2014-4368 Security Bypass Vulnerability 69930 Apple iOS and TV CVE-2014-4357 Local Information Disclosure Security Vulnerability 69932 Apple iOS CVE-2014-4352 Local Information Disclosure Security Vulnerability 69936 Apple iOS CVE-2014-4386 Local Privilege Escalation Vulnerability 69940 Apple iOS CVE-2014-4384 Local Privilege Escalation Vulnerability 69941 Apple iOS and TV CVE-2014-4383 Security Bypass Vulnerability 69943 Apple iOS CVE-2014-4354 Unspecified Security Vulnerability 69903 Multiple Apple Products CVE-2014-4377 PDF Handling Integer Overflow Vulnerability 69915 Apple TV/Mac OS X/iOS CVE-2014-4378 Out of Bounds Read Memory Corruption Vulnerability 69905 Apple Mac OS X and iOS CVE-2014-4374 XML External Entity Information Disclosure Vulnerability 69921 Apple TV/Mac OS X/iOS CVE-2014-4379 Out of Bounds Read Memory Corruption Vulnerability 69929 Apple TV and iOS CVE-2014-4369 NULL Pointer Dereference Denial of Service Vulnerability 69934 Apple TV and iOS CVE-2014-4373 NULL Pointer Dereference Denial of Service Vulnerability 69938 Apple TV and iOS CVE-2014-4405 NULL Pointer Dereference Remote Code Execution Vulnerability 69942 Apple TV and iOS CVE-2014-4380 Out of Bounds Read Write Remote Code Execution Vulnerability 69947 Apple TV and iOS CVE-2014-4404 Heap Based Buffer Overflow Vulnerability 69949 Apple iOS CVE-2014-4361 Security Bypass Vulnerability 69951 Apple iOS CVE-2014-4353 Race Condition Local Information Disclosure Vulnerability 69912 Apple iOS and TV CVE-2014-4407 Information Disclosure Security Vulnerability 69919 Apple iOS and TV CVE-2014-4371 Unspecified Security Vulnerability 69924 Apple iOS and TV CVE-2014-4421 Unspecified Security Vulnerability 69927 Apple iOS and TV CVE-2014-4420 Unspecified Security Vulnerability 
69928 Apple iOS and TV CVE-2014-4419 Unspecified Security Vulnerability 69939 Apple iOS and TV CVE-2014-4408 Out of Bounds Read Local Memory Corruption Vulnerability 69944 Apple iOS and TV CVE-2014-4375 Local Memory Corruption Vulnerability 69946 Apple iOS and TV CVE-2014-4418 Remote Code Execution Vulnerability 69948 Apple TV/Mac OS X/iOS CVE-2014-4388 Remote Code Execution Vulnerability 69950 Apple TV/Mac OS X/iOS CVE-2014-4389 Integer Buffer Overflow Vulnerability 69937 WebKit Private Browsing CVE-2014-4409 Security Bypass Vulnerability 69911 Apple iOS and TV CVE-2014-4422 Security Bypass Vulnerability 69931 Apple TV/Mac OS X/iOS CVE-2014-4381 Arbitrary Code Execution Vulnerability 69914 Apple iOS CVE-2014-4366 Information Disclosure Vulnerability 69945 Apple iOS CVE-2014-4367 Security Vulnerability 69920 Apple iOS CVE-2014-4362 Information Disclosure Vulnerability 69922 Apple iOS CVE-2014-4356 Local Information Disclosure Vulnerability 69923 Apple iOS and TV CVE-2014-4372 Local Security Bypass Vulnerability 69937 WebKit Private Browsing CVE-2014-4409 Security Bypass Vulnerability. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2014-09-17-2 Apple TV 7 Apple TV 7 is now available and addresses the following: Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker can obtain WiFi credentials Description: An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by removing support for LEAP. CVE-ID CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim Lamotte of Universiteit Hasselt Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with access to an device may access sensitive user information from logs Description: Sensitive user information was logged. 
This issue was addressed by logging less information. CVE-ID CVE-2014-4357 : Heli Myllykoski of OP-Pohjola Group Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with a privileged network position may be able to cause a device to think that it is up to date even when it is not Description: A validation issue existed in the handling of update check responses. Spoofed dates from Last-Modified response headers set to future dates were used for If-Modified-Since checks in subsequent update requests. This issue was addressed by validation of the Last-Modified header. CVE-ID CVE-2014-4383 : Raul Siles of DinoSec Apple TV Available for: Apple TV 3rd generation and later Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of PDF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4377 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program Apple TV Available for: Apple TV 3rd generation and later Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or an information disclosure Description: An out of bounds memory read existed in the handling of PDF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4378 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program Apple TV Available for: Apple TV 3rd generation and later Impact: An application may cause an unexpected system termination Description: A null pointer dereference existed in the handling of IOAcceleratorFamily API arguments. This issue was addressed through improved validation of IOAcceleratorFamily API arguments. 
CVE-ID CVE-2014-4369 : Catherine aka winocm Apple TV Available for: Apple TV 3rd generation and later Impact: The device may unexpectedly restart Description: A NULL pointer dereference was present in the IntelAccelerator driver. The issue was addressed by improved error handling. CVE-ID CVE-2014-4373 : cunzhang from Adlab of Venustech Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to read kernel pointers, which can be used to bypass kernel address space layout randomization Description: An out-of-bounds read issue existed in the handling of an IOHIDFamily function. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4379 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A heap buffer overflow existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4404 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A null pointer dereference existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved validation of IOHIDFamily key-mapping properties. CVE-ID CVE-2014-4405 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue existed in the IOHIDFamily kernel extension. This issue was addressed through improved bounds checking. 
CVE-ID CVE-2014-4380 : cunzhang from Adlab of Venustech Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to read uninitialized data from kernel memory Description: An uninitialized memory access issue existed in the handling of IOKit functions. This issue was addressed through improved memory initialization CVE-ID CVE-2014-4407 : @PanguTeam Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-4418 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-4388 : @PanguTeam Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An integer overflow existed in the handling of IOKit functions. This issue was addressed through improved validation of IOKit API arguments. CVE-ID CVE-2014-4389 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to determine kernel memory layout Description: Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization. CVE-ID CVE-2014-4371 : Fermin J. Serna of the Google Security Team CVE-2014-4419 : Fermin J. Serna of the Google Security Team CVE-2014-4420 : Fermin J. 
Serna of the Google Security Team CVE-2014-4421 : Fermin J. Serna of the Google Security Team Apple TV Available for: Apple TV 3rd generation and later Impact: A person with a privileged network position may cause a denial of service Description: A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking. CVE-ID CVE-2011-2391 : Marc Heuse Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel Description: A double free issue existed in the handling of Mach ports. This issue was addressed through improved validation of Mach ports. CVE-ID CVE-2014-4375 Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel Description: An out-of-bounds read issue existed in rt_setgate. This may lead to memory disclosure or memory corruption. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4408 Apple TV Available for: Apple TV 3rd generation and later Impact: Some kernel hardening measures may be bypassed Description: The 'early' random number generator used in some kernel hardening measures was not cryptographically secure, and some of its output was exposed to user space, allowing bypass of the hardening measures. This issue was addressed by replacing the random number generator with a cryptographically secure algorithm, and using a 16-byte seed. CVE-ID CVE-2014-4422 : Tarjei Mandt of Azimuth Security Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with root privileges Description: An out-of-bounds write issue existed in Libnotify. This issue was addressed through improved bounds checking. 
CVE-ID CVE-2014-4381 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to change permissions on arbitrary files Description: syslogd followed symbolic links while changing permissions on files. This issue was addressed through improved handling of symbolic links. CVE-ID CVE-2014-4372 : Tielei Wang and YeongJin Jang of Georgia Tech Information Security Center (GTISC) Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with a privileged network position may cause an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling. CVE-ID CVE-2013-6663 : Atte Kettunen of OUSPG CVE-2014-1384 : Apple CVE-2014-1385 : Apple CVE-2014-1387 : Google Chrome Security Team CVE-2014-1388 : Apple CVE-2014-1389 : Apple CVE-2014-4410 : Eric Seidel of Google CVE-2014-4411 : Google Chrome Security Team CVE-2014-4412 : Apple CVE-2014-4413 : Apple CVE-2014-4414 : Apple CVE-2014-4415 : Apple Installation note: Apple TV will periodically check for software updates. Alternatively, you may manually check for software updates by selecting "Settings -> General -> Update Software". To check the current version of software, select "Settings -> General -> About". 
Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2014-09-17-3 OS X Mavericks 10.9.5 and Security Update 2014-004 OS X Mavericks 10.9.5 and Security Update 2014-004 are now available and address the following: apache_mod_php Available for: OS X Mavericks 10.9 to 10.9.4 Impact: Multiple vulnerabilities in PHP 5.4.24 Description: Multiple vulnerabilities existed in PHP 5.4.24, the most serious of which may have led to arbitrary code execution. This issue was addressed through always allocating the Global Descriptor Table at random addresses. 
This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4381 : Ian Beer of Google Project Zero OpenSSL Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: Multiple vulnerabilities in OpenSSL 0.9.8y, including one that may lead to arbitrary code execution Description: Multiple vulnerabilities existed in OpenSSL 0.9.8y. This update was addressed by updating OpenSSL to version 0.9.8za.
VAR-201409-0516 CVE-2014-4379 Vulnerability in an unspecified IOHIDFamily function in multiple Apple products that allows important information to be obtained CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
An unspecified IOHIDFamily function in Apple iOS before 8 and Apple TV before 7 lacks proper bounds checking to prevent reading of kernel pointers, which allows attackers to bypass the ASLR protection mechanism via a crafted application. Attackers can exploit this issue to cause denial-of-service conditions or gain access to sensitive information. This issue is fixed in Apple Mac OS X 10.9.5, Apple iOS 8 and Apple TV 7. Apple iOS and TV are prone to multiple security vulnerabilities. These issues affect the following components: 802.1X, Accounts, Accessibility, Accounts Framework, Address Book, App Installation, Assets, Bluetooth, CoreGraphics, Foundation, Home & Lock Screen, iMessage, IOAcceleratorFamily, IOAcceleratorFamily, IOHIDFamily, IOHIDFamily, IOKit, Kernel, Libnotify, Mail, Profiles, Safari, Sandbox Profiles, syslog and WebKit components. Successfully exploiting these issues may allow attackers to crash the affected device, bypass security restrictions, obtain sensitive information, or execute arbitrary code. Other attacks are also possible. This BID is being retired. 
The following individual records exist to better document the issues: 69913 Apple iOS and TV CVE-2014-4364 Spoofing Vulnerability 69917 Apple iOS CVE-2014-4423 Information Disclosure Vulnerability 69926 Apple iOS Lock Screen CVE-2014-4368 Security Bypass Vulnerability 69930 Apple iOS and TV CVE-2014-4357 Local Information Disclosure Security Vulnerability 69932 Apple iOS CVE-2014-4352 Local Information Disclosure Security Vulnerability 69936 Apple iOS CVE-2014-4386 Local Privilege Escalation Vulnerability 69940 Apple iOS CVE-2014-4384 Local Privilege Escalation Vulnerability 69941 Apple iOS and TV CVE-2014-4383 Security Bypass Vulnerability 69943 Apple iOS CVE-2014-4354 Unspecified Security Vulnerability 69903 Multiple Apple Products CVE-2014-4377 PDF Handling Integer Overflow Vulnerability 69915 Apple TV/Mac OS X/iOS CVE-2014-4378 Out of Bounds Read Memory Corruption Vulnerability 69905 Apple Mac OS X and iOS CVE-2014-4374 XML External Entity Information Disclosure Vulnerability 69921 Apple TV/Mac OS X/iOS CVE-2014-4379 Out of Bounds Read Memory Corruption Vulnerability 69929 Apple TV and iOS CVE-2014-4369 NULL Pointer Dereference Denial of Service Vulnerability 69934 Apple TV and iOS CVE-2014-4373 NULL Pointer Dereference Denial of Service Vulnerability 69938 Apple TV and iOS CVE-2014-4405 NULL Pointer Dereference Remote Code Execution Vulnerability 69942 Apple TV and iOS CVE-2014-4380 Out of Bounds Read Write Remote Code Execution Vulnerability 69947 Apple TV and iOS CVE-2014-4404 Heap Based Buffer Overflow Vulnerability 69949 Apple iOS CVE-2014-4361 Security Bypass Vulnerability 69951 Apple iOS CVE-2014-4353 Race Condition Local Information Disclosure Vulnerability 69912 Apple iOS and TV CVE-2014-4407 Information Disclosure Security Vulnerability 69919 Apple iOS and TV CVE-2014-4371 Unspecified Security Vulnerability 69924 Apple iOS and TV CVE-2014-4421 Unspecified Security Vulnerability 69927 Apple iOS and TV CVE-2014-4420 Unspecified Security Vulnerability 
69928 Apple iOS and TV CVE-2014-4419 Unspecified Security Vulnerability 69939 Apple iOS and TV CVE-2014-4408 Out of Bounds Read Local Memory Corruption Vulnerability 69944 Apple iOS and TV CVE-2014-4375 Local Memory Corruption Vulnerability 69946 Apple iOS and TV CVE-2014-4418 Remote Code Execution Vulnerability 69948 Apple TV/Mac OS X/iOS CVE-2014-4388 Remote Code Execution Vulnerability 69950 Apple TV/Mac OS X/iOS CVE-2014-4389 Integer Buffer Overflow Vulnerability 69937 WebKit Private Browsing CVE-2014-4409 Security Bypass Vulnerability 69911 Apple iOS and TV CVE-2014-4422 Security Bypass Vulnerability 69931 Apple TV/Mac OS X/iOS CVE-2014-4381 Arbitrary Code Execution Vulnerability 69914 Apple iOS CVE-2014-4366 Information Disclosure Vulnerability 69945 Apple iOS CVE-2014-4367 Security Vulnerability 69920 Apple iOS CVE-2014-4362 Information Disclosure Vulnerability 69922 Apple iOS CVE-2014-4356 Local Information Disclosure Vulnerability 69923 Apple iOS and TV CVE-2014-4372 Local Security Bypass Vulnerability 69937 WebKit Private Browsing CVE-2014-4409 Security Bypass Vulnerability. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2014-09-17-3 OS X Mavericks 10.9.5 and Security Update 2014-004 OS X Mavericks 10.9.5 and Security Update 2014-004 are now available and address the following: apache_mod_php Available for: OS X Mavericks 10.9 to 10.9.4 Impact: Multiple vulnerabilities in PHP 5.4.24 Description: Multiple vulnerabilities existed in PHP 5.4.24, the most serious of which may have led to arbitrary code execution. This issue was addressed through always allocating the Global Descriptor Table at random addresses. 
This issue was addressed through improved bounds checking CVE-ID CVE-2014-4381 : Ian Beer of Google Project Zero OpenSSL Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: Multiple vulnerabilities in OpenSSL 0.9.8y, including one that may lead to arbitrary code execution Description: Multiple vulnerabilities existed in OpenSSL 0.9.8y. This update was addressed by updating OpenSSL to version 0.9.8za. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2014-09-17-2 Apple TV 7 Apple TV 7 is now available and addresses the following: Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker can obtain WiFi credentials Description: An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by removing support for LEAP. CVE-ID CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim Lamotte of Universiteit Hasselt Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with access to an device may access sensitive user information from logs Description: Sensitive user information was logged. This issue was addressed by logging less information. CVE-ID CVE-2014-4357 : Heli Myllykoski of OP-Pohjola Group Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with a privileged network position may be able to cause a device to think that it is up to date even when it is not Description: A validation issue existed in the handling of update check responses. Spoofed dates from Last-Modified response headers set to future dates were used for If-Modified-Since checks in subsequent update requests. This issue was addressed by validation of the Last-Modified header. 
CVE-ID CVE-2014-4383 : Raul Siles of DinoSec Apple TV Available for: Apple TV 3rd generation and later Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of PDF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4377 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program Apple TV Available for: Apple TV 3rd generation and later Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or an information disclosure Description: An out of bounds memory read existed in the handling of PDF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4378 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program Apple TV Available for: Apple TV 3rd generation and later Impact: An application may cause an unexpected system termination Description: A null pointer dereference existed in the handling of IOAcceleratorFamily API arguments. This issue was addressed through improved validation of IOAcceleratorFamily API arguments. CVE-ID CVE-2014-4369 : Catherine aka winocm Apple TV Available for: Apple TV 3rd generation and later Impact: The device may unexpectedly restart Description: A NULL pointer dereference was present in the IntelAccelerator driver. The issue was addressed by improved error handling. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4379 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A heap buffer overflow existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved bounds checking. 
CVE-ID CVE-2014-4404 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A null pointer dereference existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved validation of IOHIDFamily key-mapping properties. CVE-ID CVE-2014-4405 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue existed in the IOHIDFamily kernel extension. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4380 : cunzhang from Adlab of Venustech Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to read uninitialized data from kernel memory Description: An uninitialized memory access issue existed in the handling of IOKit functions. This issue was addressed through improved memory initialization CVE-ID CVE-2014-4407 : @PanguTeam Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-4418 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. 
CVE-ID CVE-2014-4388 : @PanguTeam Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An integer overflow existed in the handling of IOKit functions. This issue was addressed through improved validation of IOKit API arguments. CVE-ID CVE-2014-4389 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to determine kernel memory layout Description: Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization. CVE-ID CVE-2014-4371 : Fermin J. Serna of the Google Security Team CVE-2014-4419 : Fermin J. Serna of the Google Security Team CVE-2014-4420 : Fermin J. Serna of the Google Security Team CVE-2014-4421 : Fermin J. Serna of the Google Security Team Apple TV Available for: Apple TV 3rd generation and later Impact: A person with a privileged network position may cause a denial of service Description: A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking. CVE-ID CVE-2011-2391 : Marc Heuse Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel Description: A double free issue existed in the handling of Mach ports. This issue was addressed through improved validation of Mach ports. CVE-ID CVE-2014-4375 Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel Description: An out-of-bounds read issue existed in rt_setgate. This may lead to memory disclosure or memory corruption. This issue was addressed through improved bounds checking. 
CVE-ID CVE-2014-4408 Apple TV Available for: Apple TV 3rd generation and later Impact: Some kernel hardening measures may be bypassed Description: The 'early' random number generator used in some kernel hardening measures was not cryptographically secure, and some of its output was exposed to user space, allowing bypass of the hardening measures. This issue was addressed by replacing the random number generator with a cryptographically secure algorithm, and using a 16-byte seed. CVE-ID CVE-2014-4422 : Tarjei Mandt of Azimuth Security Apple TV Available for: Apple TV 3rd generation and later Impact: A malicious application may be able to execute arbitrary code with root privileges Description: An out-of-bounds write issue existed in Libnotify. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4381 : Ian Beer of Google Project Zero Apple TV Available for: Apple TV 3rd generation and later Impact: A local user may be able to change permissions on arbitrary files Description: syslogd followed symbolic links while changing permissions on files. This issue was addressed through improved handling of symbolic links. CVE-ID CVE-2014-4372 : Tielei Wang and YeongJin Jang of Georgia Tech Information Security Center (GTISC) Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with a privileged network position may cause an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling. CVE-ID CVE-2013-6663 : Atte Kettunen of OUSPG CVE-2014-1384 : Apple CVE-2014-1385 : Apple CVE-2014-1387 : Google Chrome Security Team CVE-2014-1388 : Apple CVE-2014-1389 : Apple CVE-2014-4410 : Eric Seidel of Google CVE-2014-4411 : Google Chrome Security Team CVE-2014-4412 : Apple CVE-2014-4413 : Apple CVE-2014-4414 : Apple CVE-2014-4415 : Apple Installation note: Apple TV will periodically check for software updates. 
Alternatively, you may manually check for software updates by selecting "Settings -> General -> Update Software". To check the current version of software, select "Settings -> General -> About". Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
VAR-201409-0517 CVE-2014-4380 Apple iOS and Apple TV of IOHIDFamily Arbitrary code execution vulnerability in kernel extension CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
The IOHIDFamily kernel extension in Apple iOS before 8 and Apple TV before 7 lacks proper bounds checking on write operations, which allows attackers to execute arbitrary code in the kernel's context via a crafted application. Apple iOS and TV are prone to multiple security vulnerabilities. These issues affect the following components: 802.1X, Accounts, Accessibility, Accounts Framework, Address Book, App Installation, Assets, Bluetooth, CoreGraphics, Foundation, Home & Lock Screen, iMessage, IOAcceleratorFamily, IOAcceleratorFamily, IOHIDFamily, IOHIDFamily, IOKit, Kernel, Libnotify, Mail, Profiles, Safari, Sandbox Profiles, syslog and WebKit components. Successfully exploiting these issues may allow attackers to crash the affected device, bypass security restrictions, obtain sensitive information, or execute arbitrary code. Other attacks are also possible. This BID is being retired. The following individual records exist to better document the issues: 69913 Apple iOS and TV CVE-2014-4364 Spoofing Vulnerability 69917 Apple iOS CVE-2014-4423 Information Disclosure Vulnerability 69926 Apple iOS Lock Screen CVE-2014-4368 Security Bypass Vulnerability 69930 Apple iOS and TV CVE-2014-4357 Local Information Disclosure Security Vulnerability 69932 Apple iOS CVE-2014-4352 Local Information Disclosure Security Vulnerability 69936 Apple iOS CVE-2014-4386 Local Privilege Escalation Vulnerability 69940 Apple iOS CVE-2014-4384 Local Privilege Escalation Vulnerability 69941 Apple iOS and TV CVE-2014-4383 Security Bypass Vulnerability 69943 Apple iOS CVE-2014-4354 Unspecified Security Vulnerability 69903 Multiple Apple Products CVE-2014-4377 PDF Handling Integer Overflow Vulnerability 69915 Apple TV/Mac OS X/iOS CVE-2014-4378 Out of Bounds Read Memory Corruption Vulnerability 69905 Apple Mac OS X and iOS CVE-2014-4374 XML External Entity Information Disclosure Vulnerability 69921 Apple TV/Mac OS X/iOS CVE-2014-4379 Out of Bounds Read Memory Corruption Vulnerability 69929
Apple TV and iOS CVE-2014-4369 NULL Pointer Dereference Denial of Service Vulnerability 69934 Apple TV and iOS CVE-2014-4373 NULL Pointer Dereference Denial of Service Vulnerability 69938 Apple TV and iOS CVE-2014-4405 NULL Pointer Dereference Remote Code Execution Vulnerability 69942 Apple TV and iOS CVE-2014-4380 Out of Bounds Read Write Remote Code Execution Vulnerability 69947 Apple TV and iOS CVE-2014-4404 Heap Based Buffer Overflow Vulnerability 69949 Apple iOS CVE-2014-4361 Security Bypass Vulnerability 69951 Apple iOS CVE-2014-4353 Race Condition Local Information Disclosure Vulnerability 69912 Apple iOS and TV CVE-2014-4407 Information Disclosure Security Vulnerability 69919 Apple iOS and TV CVE-2014-4371 Unspecified Security Vulnerability 69924 Apple iOS and TV CVE-2014-4421 Unspecified Security Vulnerability 69927 Apple iOS and TV CVE-2014-4420 Unspecified Security Vulnerability 69928 Apple iOS and TV CVE-2014-4419 Unspecified Security Vulnerability 69939 Apple iOS and TV CVE-2014-4408 Out of Bounds Read Local Memory Corruption Vulnerability 69944 Apple iOS and TV CVE-2014-4375 Local Memory Corruption Vulnerability 69946 Apple iOS and TV CVE-2014-4418 Remote Code Execution Vulnerability 69948 Apple TV/Mac OS X/iOS CVE-2014-4388 Remote Code Execution Vulnerability 69950 Apple TV/Mac OS X/iOS CVE-2014-4389 Integer Buffer Overflow Vulnerability 69937 WebKit Private Browsing CVE-2014-4409 Security Bypass Vulnerability 69911 Apple iOS and TV CVE-2014-4422 Security Bypass Vulnerability 69931 Apple TV/Mac OS X/iOS CVE-2014-4381 Arbitrary Code Execution Vulnerability 69914 Apple iOS CVE-2014-4366 Information Disclosure Vulnerability 69945 Apple iOS CVE-2014-4367 Security Vulnerability 69920 Apple iOS CVE-2014-4362 Information Disclosure Vulnerability 69922 Apple iOS CVE-2014-4356 Local Information Disclosure Vulnerability 69923 Apple iOS and TV CVE-2014-4372 Local Security Bypass Vulnerability 69937 WebKit Private Browsing CVE-2014-4409 Security Bypass 
Vulnerability. Failed exploit attempts will likely result in denial-of-service conditions. The vulnerability is caused by the program not properly performing bounds checking on write operations. CVE-ID CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim Lamotte of Universiteit Hasselt Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with access to an device may access sensitive user information from logs Description: Sensitive user information was logged. Spoofed dates from Last-Modified response headers set to future dates were used for If-Modified-Since checks in subsequent update requests. CVE-ID CVE-2014-4378 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program Apple TV Available for: Apple TV 3rd generation and later Impact: An application may cause an unexpected system termination Description: A null pointer dereference existed in the handling of IOAcceleratorFamily API arguments. CVE-ID CVE-2014-4372 : Tielei Wang and YeongJin Jang of Georgia Tech Information Security Center (GTISC) Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with a privileged network position may cause an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. Alternatively, you may manually check for software updates by selecting "Settings -> General -> Update Software". To check the current version of software, select "Settings -> General -> About". 
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2014-10-16-1 OS X Yosemite v10.10 OS X Yosemite v10.10 is now available and addresses the following: 802.1X Impact: An attacker can obtain WiFi credentials Description: An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by disabling LEAP by default. CVE-ID CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim Lamotte of Universiteit Hasselt AFP File Server Impact: A remote attacker could determine all the network addresses of the system Description: The AFP file server supported a command which returned all the network addresses of the system. This issue was addressed by removing the addresses from the result. CVE-ID CVE-2014-4426 : Craig Young of Tripwire VERT apache Impact: Multiple vulnerabilities in Apache Description: Multiple vulnerabilities existed in Apache, the most serious of which may lead to a denial of service. These issues were addressed by updating Apache to version 2.4.9. CVE-ID CVE-2013-6438 CVE-2014-0098 App Sandbox Impact: An application confined by sandbox restrictions may misuse the accessibility API Description: A sandboxed application could misuse the accessibility API without the user's knowledge. This has been addressed by requiring administrator approval to use the accessibility API on an per-application basis. CVE-ID CVE-2014-4427 : Paul S. Ziegler of Reflare UG Bash Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement. 
This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state. In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers. CVE-ID CVE-2014-6271 : Stephane Chazelas CVE-2014-7169 : Tavis Ormandy Bluetooth Impact: A malicious Bluetooth input device may bypass pairing Description: Unencrypted connections were permitted from Human Interface Device-class Bluetooth Low Energy devices. If a Mac had paired with such a device, an attacker could spoof the legitimate device to establish a connection. The issue was addressed by denying unencrypted HID connections. CVE-ID CVE-2014-4428 : Mike Ryan of iSEC Partners CFPreferences Impact: The 'require password after sleep or screen saver begins' preference may not be respected until after a reboot Description: A session management issue existed in the handling of system preference settings. This issue was addressed through improved session tracking. CVE-ID CVE-2014-4425 Certificate Trust Policy Impact: Update to the certificate trust policy Description: The certificate trust policy was updated. The complete list of certificates may be viewed at http://support.apple.com/kb/HT6005. CoreStorage Impact: An encrypted volume may stay unlocked when ejected Description: When an encrypted volume was logically ejected while mounted, the volume was unmounted but the keys were retained, so it could have been mounted again without the password. This issue was addressed by erasing the keys on eject. CVE-ID CVE-2014-4430 : Benjamin King at See Ben Click Computer Services LLC, Karsten Iwen, Dustin Li (http://dustin.li/), Ken J. 
Takekoshi, and other anonymous researchers CUPS Impact: A local user can execute arbitrary code with system privileges Description: When the CUPS web interface served files, it would follow symlinks. A local user could create symlinks to arbitrary files and retrieve them through the web interface. This issue was addressed by disallowing symlinks to be served via the CUPS web interface. CVE-ID CVE-2014-3537 Dock Impact: In some circumstances, windows may be visible even when the screen is locked Description: A state management issue existed in the handling of the screen lock. This issue was addressed through improved state tracking. CVE-ID CVE-2014-4431 : Emil Sjolander of Umea University fdesetup Impact: The fdesetup command may provide misleading status for the state of encryption on disk Description: After updating settings, but before rebooting, the fdesetup command provided misleading status. This issue was addressed through improved status reporting. CVE-ID CVE-2014-4432 iCloud Find My Mac Impact: iCloud Lost mode PIN may be bruteforced Description: A state persistence issue in rate limiting allowed brute force attacks on iCloud Lost mode PIN. This issue was addressed through improved state persistence across reboots. CVE-ID CVE-2014-4435 : knoy IOAcceleratorFamily Impact: An application may cause a denial of service Description: A NULL pointer dereference was present in the IntelAccelerator driver. The issue was addressed through improved error handling. CVE-ID CVE-2014-4373 : cunzhang from Adlab of Venustech IOHIDFamily Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A null pointer dereference existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved validation of IOHIDFamily key-mapping properties. 
CVE-ID CVE-2014-4405 : Ian Beer of Google Project Zero IOHIDFamily Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A heap buffer overflow existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4404 : Ian Beer of Google Project Zero IOHIDFamily Impact: An application may cause a denial of service Description: A out-of-bounds memory read was present in the IOHIDFamily driver. The issue was addressed through improved input validation. The issue was addressed through improved input validation. CVE-ID CVE-2014-4380 : cunzhang from Adlab of Venustech IOKit Impact: A malicious application may be able to read uninitialized data from kernel memory Description: An uninitialized memory access issue existed in the handling of IOKit functions. This issue was addressed through improved memory initialization. CVE-ID CVE-2014-4407 : @PanguTeam IOKit Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-4388 : @PanguTeam IOKit Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-4418 : Ian Beer of Google Project Zero Kernel Impact: A local user may be able to determine kernel memory layout Description: Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization. CVE-ID CVE-2014-4371 : Fermin J. Serna of the Google Security Team CVE-2014-4419 : Fermin J. 
Serna of the Google Security Team CVE-2014-4420 : Fermin J. Serna of the Google Security Team CVE-2014-4421 : Fermin J. Serna of the Google Security Team Kernel Impact: A maliciously crafted file system may cause unexpected system shutdown or arbitrary code execution Description: A heap-based buffer overflow issue existed in the handling of HFS resource forks. The issue was addressed through improved bounds checking. CVE-ID CVE-2014-4433 : Maksymilian Arciemowicz Kernel Impact: A malicious file system may cause unexpected system shutdown Description: A NULL dereference issue existed in the handling of HFS filenames. A maliciously crafted filesystem may cause an unexpected system shutdown. This issue was addressed by avoiding the NULL dereference. CVE-ID CVE-2014-4434 : Maksymilian Arciemowicz Kernel Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel Description: A double free issue existed in the handling of Mach ports. This issue was addressed through improved validation of Mach ports. CVE-ID CVE-2014-4375 : an anonymous researcher Kernel Impact: A person with a privileged network position may cause a denial of service Description: A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking. CVE-ID CVE-2011-2391 : Marc Heuse Kernel Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel Description: An out-of-bounds read issue existed in rt_setgate. This may lead to memory disclosure or memory corruption. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4408 Kernel Impact: A local user can cause an unexpected system termination Description: A reachable panic existed in the handling of messages sent to system control sockets. This issue was addressed through additional validation of messages. 
CVE-ID CVE-2014-4442 : Darius Davis of VMware Kernel Impact: Some kernel hardening measures may be bypassed Description: The random number generator used for kernel hardening measures early in the boot process was not cryptographically secure. Some of its output was inferable from user space, allowing bypass of the hardening measures. This issue was addressed by using a cryptographically secure algorithm. CVE-ID CVE-2014-4422 : Tarjei Mandt of Azimuth Security LaunchServices Impact: A local application may bypass sandbox restrictions Description: The LaunchServices interface for setting content type handlers allowed sandboxed applications to specify handlers for existing content types. A compromised application could use this to bypass sandbox restrictions. The issue was addressed by restricting sandboxed applications from specifying content type handlers. CVE-ID CVE-2014-4437 : Meder Kydyraliev of the Google Security Team LoginWindow Impact: Sometimes the screen might not lock Description: A race condition existed in LoginWindow, which would sometimes prevent the screen from locking. The issue was addressed by changing the order of operations. CVE-ID CVE-2014-4438 : Harry Sintonen of nSense, Alessandro Lobina of Helvetia Insurances, Patryk Szlagowski of Funky Monkey Labs Mail Impact: Mail may send email to unintended recipients Description: A user interface inconsistency in Mail application resulted in email being sent to addresses that were removed from the list of recipients. The issue was addressed through improved user interface consistency checks. CVE-ID CVE-2014-4439 : Patrick J Power of Melbourne, Australia MCX Desktop Config Profiles Impact: When mobile configuration profiles were uninstalled, their settings were not removed Description: Web proxy settings installed by a mobile configuration profile were not removed when the profile was uninstalled. This issue was addressed through improved handling of profile uninstallation. 
CVE-ID CVE-2014-4440 : Kevin Koster of Cloudpath Networks NetFS Client Framework Impact: File Sharing may enter a state in which it cannot be disabled Description: A state management issue existed in the File Sharing framework. This issue was addressed through improved state management. CVE-ID CVE-2014-4441 : Eduardo Bonsi of BEARTCOMMUNICATIONS QuickTime Impact: Playing a maliciously crafted m4a file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of audio samples. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4351 : Karl Smith of NCC Group Safari Impact: History of pages recently visited in an open tab may remain after clearing of history Description: Clearing Safari's history did not clear the back/forward history for open tabs. This issue was addressed by clearing the back/forward history. CVE-ID CVE-2013-5150 Safari Impact: Opting in to push notifications from a maliciously crafted website may cause future Safari Push Notifications to be missed Description: An uncaught exception issue existed in SafariNotificationAgent's handling of Safari Push Notifications. This issue was addressed through improved handling of Safari Push Notifications. CVE-ID CVE-2014-4417 : Marek Isalski of Faelix Limited Secure Transport Impact: An attacker may be able to decrypt data protected by SSL Description: There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling CBC cipher suites when TLS connection attempts fail. 
CVE-ID CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of Google Security Team Security Impact: A remote attacker may be able to cause a denial of service Description: A null dereference existed in the handling of ASN.1 data. This issue was addressed through additional validation of ASN.1 data. CVE-ID CVE-2014-4443 : Coverity Security Impact: A local user might have access to another user's Kerberos tickets Description: A state management issue existed in SecurityAgent. While Fast User Switching, sometimes a Kerberos ticket for the switched-to user would be placed in the cache for the previous user. This issue was addressed through improved state management. CVE-ID CVE-2014-4444 : Gary Simon of Sandia National Laboratories, Ragnar Sundblad of KTH Royal Institute of Technology, Eugene Homyakov of Kaspersky Lab Security - Code Signing Impact: Tampered applications may not be prevented from launching Description: Apps signed on OS X prior to OS X Mavericks 10.9 or apps using custom resource rules, may have been susceptible to tampering that would not have invalidated the signature. On systems set to allow only apps from the Mac App Store and identified developers, a downloaded modified app could have been allowed to run as though it were legitimate. This issue was addressed by ignoring signatures of bundles with resource envelopes that omit resources that may influence execution. OS X Mavericks v10.9.5 and Security Update 2014-004 for OS X Mountain Lion v10.8.5 already contain these changes. CVE-ID CVE-2014-4391 : Christopher Hickstein working with HP's Zero Day Initiative Note: OS X Yosemite includes Safari 8.0, which incorporates the security content of Safari 7.1. For further details see "About the security content of Safari 7.1" at https://support.apple.com/kb/HT6440. OS X Yosemite may be obtained from the Mac App Store. 
Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
VAR-201409-0512 CVE-2014-4375 Apple iOS and Apple TV Memory double free vulnerability CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
Double free vulnerability in Apple iOS before 8 and Apple TV before 7 allows local users to gain privileges or cause a denial of service (device crash) via vectors related to Mach ports. Supplementary information: the vulnerability type has been identified as CWE-415: Double Free (double release). http://cwe.mitre.org/data/definitions/415.html A local user may gain privileges or cause a denial of service (device crash). Apple iOS and TV are prone to multiple security vulnerabilities. These issues affect the following components: 802.1X, Accounts, Accessibility, Accounts Framework, Address Book, App Installation, Assets, Bluetooth, CoreGraphics, Foundation, Home & Lock Screen, iMessage, IOAcceleratorFamily, IOHIDFamily, IOKit, Kernel, Libnotify, Mail, Profiles, Safari, Sandbox Profiles, syslog and WebKit components. Successfully exploiting these issues may allow attackers to crash the affected device, bypass security restrictions, obtain sensitive information, or execute arbitrary code. Other attacks are also possible. This BID is being retired. Failed exploit attempts will likely cause denial-of-service conditions. CVE-ID CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim Lamotte of Universiteit Hasselt Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with access to a device may access sensitive user information from logs Description: Sensitive user information was logged. Spoofed dates from Last-Modified response headers set to future dates were used for If-Modified-Since checks in subsequent update requests. CVE-ID CVE-2014-4378 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program Apple TV Available for: Apple TV 3rd generation and later Impact: An application may cause an unexpected system termination Description: A null pointer dereference existed in the handling of IOAcceleratorFamily API arguments.
CVE-ID CVE-2014-4372 : Tielei Wang and YeongJin Jang of Georgia Tech Information Security Center (GTISC) Apple TV Available for: Apple TV 3rd generation and later Impact: An attacker with a privileged network position may cause an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. Alternatively, you may manually check for software updates by selecting "Settings -> General -> Update Software". To check the current version of software, select "Settings -> General -> About". -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2014-10-16-1 OS X Yosemite v10.10 OS X Yosemite v10.10 is now available and addresses the following: 802.1X Impact: An attacker can obtain WiFi credentials Description: An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by disabling LEAP by default. CVE-ID CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim Lamotte of Universiteit Hasselt AFP File Server Impact: A remote attacker could determine all the network addresses of the system Description: The AFP file server supported a command which returned all the network addresses of the system. This issue was addressed by removing the addresses from the result. CVE-ID CVE-2014-4426 : Craig Young of Tripwire VERT apache Impact: Multiple vulnerabilities in Apache Description: Multiple vulnerabilities existed in Apache, the most serious of which may lead to a denial of service. These issues were addressed by updating Apache to version 2.4.9. CVE-ID CVE-2013-6438 CVE-2014-0098 App Sandbox Impact: An application confined by sandbox restrictions may misuse the accessibility API Description: A sandboxed application could misuse the accessibility API without the user's knowledge. 
This has been addressed by requiring administrator approval to use the accessibility API on a per-application basis. CVE-ID CVE-2014-4427 : Paul S. Ziegler of Reflare UG Bash Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement. This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state. In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers. CVE-ID CVE-2014-6271 : Stephane Chazelas CVE-2014-7169 : Tavis Ormandy Bluetooth Impact: A malicious Bluetooth input device may bypass pairing Description: Unencrypted connections were permitted from Human Interface Device-class Bluetooth Low Energy devices. If a Mac had paired with such a device, an attacker could spoof the legitimate device to establish a connection. The issue was addressed by denying unencrypted HID connections. CVE-ID CVE-2014-4428 : Mike Ryan of iSEC Partners CFPreferences Impact: The 'require password after sleep or screen saver begins' preference may not be respected until after a reboot Description: A session management issue existed in the handling of system preference settings. This issue was addressed through improved session tracking. CVE-ID CVE-2014-4425 Certificate Trust Policy Impact: Update to the certificate trust policy Description: The certificate trust policy was updated. The complete list of certificates may be viewed at http://support.apple.com/kb/HT6005.
CoreStorage Impact: An encrypted volume may stay unlocked when ejected Description: When an encrypted volume was logically ejected while mounted, the volume was unmounted but the keys were retained, so it could have been mounted again without the password. This issue was addressed by erasing the keys on eject. CVE-ID CVE-2014-4430 : Benjamin King at See Ben Click Computer Services LLC, Karsten Iwen, Dustin Li (http://dustin.li/), Ken J. Takekoshi, and other anonymous researchers CUPS Impact: A local user can execute arbitrary code with system privileges Description: When the CUPS web interface served files, it would follow symlinks. A local user could create symlinks to arbitrary files and retrieve them through the web interface. This issue was addressed by disallowing symlinks to be served via the CUPS web interface. CVE-ID CVE-2014-3537 Dock Impact: In some circumstances, windows may be visible even when the screen is locked Description: A state management issue existed in the handling of the screen lock. This issue was addressed through improved state tracking. CVE-ID CVE-2014-4431 : Emil Sjolander of Umea University fdesetup Impact: The fdesetup command may provide misleading status for the state of encryption on disk Description: After updating settings, but before rebooting, the fdesetup command provided misleading status. This issue was addressed through improved status reporting. CVE-ID CVE-2014-4432 iCloud Find My Mac Impact: iCloud Lost mode PIN may be bruteforced Description: A state persistence issue in rate limiting allowed brute force attacks on iCloud Lost mode PIN. This issue was addressed through improved state persistence across reboots. CVE-ID CVE-2014-4435 : knoy IOAcceleratorFamily Impact: An application may cause a denial of service Description: A NULL pointer dereference was present in the IntelAccelerator driver. The issue was addressed through improved error handling. 
CVE-ID CVE-2014-4373 : cunzhang from Adlab of Venustech IOHIDFamily Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A null pointer dereference existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved validation of IOHIDFamily key-mapping properties. CVE-ID CVE-2014-4405 : Ian Beer of Google Project Zero IOHIDFamily Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A heap buffer overflow existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4404 : Ian Beer of Google Project Zero IOHIDFamily Impact: An application may cause a denial of service Description: An out-of-bounds memory read was present in the IOHIDFamily driver. The issue was addressed through improved input validation. CVE-ID CVE-2014-4380 : cunzhang from Adlab of Venustech IOKit Impact: A malicious application may be able to read uninitialized data from kernel memory Description: An uninitialized memory access issue existed in the handling of IOKit functions. This issue was addressed through improved memory initialization. This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-4418 : Ian Beer of Google Project Zero Kernel Impact: A local user may be able to determine kernel memory layout Description: Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization. CVE-ID CVE-2014-4371 : Fermin J. Serna of the Google Security Team CVE-2014-4419 : Fermin J. Serna of the Google Security Team CVE-2014-4420 : Fermin J. Serna of the Google Security Team CVE-2014-4421 : Fermin J.
Serna of the Google Security Team Kernel Impact: A maliciously crafted file system may cause unexpected system shutdown or arbitrary code execution Description: A heap-based buffer overflow issue existed in the handling of HFS resource forks. A maliciously crafted filesystem may cause an unexpected system shutdown or arbitrary code execution with kernel privileges. The issue was addressed through improved bounds checking. CVE-ID CVE-2014-4433 : Maksymilian Arciemowicz Kernel Impact: A malicious file system may cause unexpected system shutdown Description: A NULL dereference issue existed in the handling of HFS filenames. A maliciously crafted filesystem may cause an unexpected system shutdown. This issue was addressed by avoiding the NULL dereference. This issue was addressed through improved validation of Mach ports. CVE-ID CVE-2014-4375 : an anonymous researcher Kernel Impact: A person with a privileged network position may cause a denial of service Description: A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking. CVE-ID CVE-2011-2391 : Marc Heuse Kernel Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel Description: An out-of-bounds read issue existed in rt_setgate. This may lead to memory disclosure or memory corruption. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4408 Kernel Impact: A local user can cause an unexpected system termination Description: A reachable panic existed in the handling of messages sent to system control sockets. This issue was addressed through additional validation of messages. CVE-ID CVE-2014-4442 : Darius Davis of VMware Kernel Impact: Some kernel hardening measures may be bypassed Description: The random number generator used for kernel hardening measures early in the boot process was not cryptographically secure. 
Some of its output was inferable from user space, allowing bypass of the hardening measures. This issue was addressed by using a cryptographically secure algorithm. CVE-ID CVE-2014-4422 : Tarjei Mandt of Azimuth Security LaunchServices Impact: A local application may bypass sandbox restrictions Description: The LaunchServices interface for setting content type handlers allowed sandboxed applications to specify handlers for existing content types. A compromised application could use this to bypass sandbox restrictions. The issue was addressed by restricting sandboxed applications from specifying content type handlers. CVE-ID CVE-2014-4437 : Meder Kydyraliev of the Google Security Team LoginWindow Impact: Sometimes the screen might not lock Description: A race condition existed in LoginWindow, which would sometimes prevent the screen from locking. The issue was addressed by changing the order of operations. CVE-ID CVE-2014-4438 : Harry Sintonen of nSense, Alessandro Lobina of Helvetia Insurances, Patryk Szlagowski of Funky Monkey Labs Mail Impact: Mail may send email to unintended recipients Description: A user interface inconsistency in Mail application resulted in email being sent to addresses that were removed from the list of recipients. The issue was addressed through improved user interface consistency checks. CVE-ID CVE-2014-4439 : Patrick J Power of Melbourne, Australia MCX Desktop Config Profiles Impact: When mobile configuration profiles were uninstalled, their settings were not removed Description: Web proxy settings installed by a mobile configuration profile were not removed when the profile was uninstalled. This issue was addressed through improved handling of profile uninstallation. CVE-ID CVE-2014-4440 : Kevin Koster of Cloudpath Networks NetFS Client Framework Impact: File Sharing may enter a state in which it cannot be disabled Description: A state management issue existed in the File Sharing framework. 
This issue was addressed through improved state management. CVE-ID CVE-2014-4441 : Eduardo Bonsi of BEARTCOMMUNICATIONS QuickTime Impact: Playing a maliciously crafted m4a file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of audio samples. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4351 : Karl Smith of NCC Group Safari Impact: History of pages recently visited in an open tab may remain after clearing of history Description: Clearing Safari's history did not clear the back/forward history for open tabs. This issue was addressed by clearing the back/forward history. CVE-ID CVE-2013-5150 Safari Impact: Opting in to push notifications from a maliciously crafted website may cause future Safari Push Notifications to be missed Description: An uncaught exception issue existed in SafariNotificationAgent's handling of Safari Push Notifications. This issue was addressed through improved handling of Safari Push Notifications. CVE-ID CVE-2014-4417 : Marek Isalski of Faelix Limited Secure Transport Impact: An attacker may be able to decrypt data protected by SSL Description: There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling CBC cipher suites when TLS connection attempts fail. CVE-ID CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of Google Security Team Security Impact: A remote attacker may be able to cause a denial of service Description: A null dereference existed in the handling of ASN.1 data. This issue was addressed through additional validation of ASN.1 data. 
CVE-ID CVE-2014-4443 : Coverity Security Impact: A local user might have access to another user's Kerberos tickets Description: A state management issue existed in SecurityAgent. While Fast User Switching, sometimes a Kerberos ticket for the switched-to user would be placed in the cache for the previous user. This issue was addressed through improved state management. CVE-ID CVE-2014-4444 : Gary Simon of Sandia National Laboratories, Ragnar Sundblad of KTH Royal Institute of Technology, Eugene Homyakov of Kaspersky Lab Security - Code Signing Impact: Tampered applications may not be prevented from launching Description: Apps signed on OS X prior to OS X Mavericks 10.9 or apps using custom resource rules, may have been susceptible to tampering that would not have invalidated the signature. On systems set to allow only apps from the Mac App Store and identified developers, a downloaded modified app could have been allowed to run as though it were legitimate. This issue was addressed by ignoring signatures of bundles with resource envelopes that omit resources that may influence execution. OS X Mavericks v10.9.5 and Security Update 2014-004 for OS X Mountain Lion v10.8.5 already contain these changes. CVE-ID CVE-2014-4391 : Christopher Hickstein working with HP's Zero Day Initiative Note: OS X Yosemite includes Safari 8.0, which incorporates the security content of Safari 7.1. For further details see "About the security content of Safari 7.1" at https://support.apple.com/kb/HT6440. OS X Yosemite may be obtained from the Mac App Store. 
Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
VAR-201409-0511 CVE-2014-4374 Apple iOS and Mac OS X of Foundation Inside NSXMLParser Vulnerable to reading arbitrary files CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
NSXMLParser in Foundation in Apple iOS before 8 allows attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. Apple iOS and TV are prone to multiple security vulnerabilities. These issues affect the following components: 802.1X, Accounts, Accessibility, Accounts Framework, Address Book, App Installation, Assets, Bluetooth, CoreGraphics, Foundation, Home & Lock Screen, iMessage, IOAcceleratorFamily, IOHIDFamily, IOKit, Kernel, Libnotify, Mail, Profiles, Safari, Sandbox Profiles, syslog and WebKit components. Successfully exploiting these issues may allow attackers to crash the affected device, bypass security restrictions, obtain sensitive information, or execute arbitrary code. Other attacks are also possible. This BID is being retired. The following individual records exist to better document the issues: 69913 Apple iOS and TV CVE-2014-4364 Spoofing Vulnerability 69917 Apple iOS CVE-2014-4423 Information Disclosure Vulnerability 69926 Apple iOS Lock Screen CVE-2014-4368 Security Bypass Vulnerability 69930 Apple iOS and TV CVE-2014-4357 Local Information Disclosure Security Vulnerability 69932 Apple iOS CVE-2014-4352 Local Information Disclosure Security Vulnerability 69936 Apple iOS CVE-2014-4386 Local Privilege Escalation Vulnerability 69940 Apple iOS CVE-2014-4384 Local Privilege Escalation Vulnerability 69941 Apple iOS and TV CVE-2014-4383 Security Bypass Vulnerability 69943 Apple iOS CVE-2014-4354 Unspecified Security Vulnerability 69903 Multiple Apple Products CVE-2014-4377 PDF Handling Integer Overflow Vulnerability 69915 Apple TV/Mac OS X/iOS CVE-2014-4378 Out of Bounds Read Memory Corruption Vulnerability 69905 Apple Mac OS X and iOS CVE-2014-4374 XML External Entity Information Disclosure Vulnerability 69921 Apple TV/Mac OS X/iOS CVE-2014-4379 Out of Bounds Read Memory Corruption Vulnerability
69929 Apple TV and iOS CVE-2014-4369 NULL Pointer Dereference Denial of Service Vulnerability 69934 Apple TV and iOS CVE-2014-4373 NULL Pointer Dereference Denial of Service Vulnerability 69938 Apple TV and iOS CVE-2014-4405 NULL Pointer Dereference Remote Code Execution Vulnerability 69942 Apple TV and iOS CVE-2014-4380 Out of Bounds Read Write Remote Code Execution Vulnerability 69947 Apple TV and iOS CVE-2014-4404 Heap Based Buffer Overflow Vulnerability 69949 Apple iOS CVE-2014-4361 Security Bypass Vulnerability 69951 Apple iOS CVE-2014-4353 Race Condition Local Information Disclosure Vulnerability 69912 Apple iOS and TV CVE-2014-4407 Information Disclosure Security Vulnerability 69919 Apple iOS and TV CVE-2014-4371 Unspecified Security Vulnerability 69924 Apple iOS and TV CVE-2014-4421 Unspecified Security Vulnerability 69927 Apple iOS and TV CVE-2014-4420 Unspecified Security Vulnerability 69928 Apple iOS and TV CVE-2014-4419 Unspecified Security Vulnerability 69939 Apple iOS and TV CVE-2014-4408 Out of Bounds Read Local Memory Corruption Vulnerability 69944 Apple iOS and TV CVE-2014-4375 Local Memory Corruption Vulnerability 69946 Apple iOS and TV CVE-2014-4418 Remote Code Execution Vulnerability 69948 Apple TV/Mac OS X/iOS CVE-2014-4388 Remote Code Execution Vulnerability 69950 Apple TV/Mac OS X/iOS CVE-2014-4389 Integer Buffer Overflow Vulnerability 69937 WebKit Private Browsing CVE-2014-4409 Security Bypass Vulnerability 69911 Apple iOS and TV CVE-2014-4422 Security Bypass Vulnerability 69931 Apple TV/Mac OS X/iOS CVE-2014-4381 Arbitrary Code Execution Vulnerability 69914 Apple iOS CVE-2014-4366 Information Disclosure Vulnerability 69945 Apple iOS CVE-2014-4367 Security Vulnerability 69920 Apple iOS CVE-2014-4362 Information Disclosure Vulnerability 69922 Apple iOS CVE-2014-4356 Local Information Disclosure Vulnerability 69923 Apple iOS and TV CVE-2014-4372 Local Security Bypass Vulnerability 69937 WebKit Private Browsing CVE-2014-4409 Security Bypass 
Vulnerability. Apple iOS is an operating system developed by Apple for mobile devices. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2014-09-17-3 OS X Mavericks 10.9.5 and Security Update 2014-004 OS X Mavericks 10.9.5 and Security Update 2014-004 are now available and address the following: apache_mod_php Available for: OS X Mavericks 10.9 to 10.9.4 Impact: Multiple vulnerabilities in PHP 5.4.24 Description: Multiple vulnerabilities existed in PHP 5.4.24, the most serious of which may have led to arbitrary code execution. This issue was addressed through always allocating the Global Descriptor Table at random addresses. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4381 : Ian Beer of Google Project Zero OpenSSL Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4 Impact: Multiple vulnerabilities in OpenSSL 0.9.8y, including one that may lead to arbitrary code execution Description: Multiple vulnerabilities existed in OpenSSL 0.9.8y. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2014-09-17-1 iOS 8 iOS 8 is now available and addresses the following: 802.1X Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An attacker can obtain WiFi credentials Description: An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by disabling LEAP by default.
CVE-ID CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim Lamotte of Universiteit Hasselt Accounts Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to identify the Apple ID of the user Description: An issue existed in the access control logic for accounts. A sandboxed application could get information about the currently-active iCloud account, including the name of the account. CVE-ID CVE-2014-4423 : Adam Weaver Certificate Trust Policy Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Update to the certificate trust policy Description: The certificate trust policy was updated. The complete list of certificates may be viewed at http://support.apple.com/kb/HT5012. Accessibility Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: The device may not lock the screen when using AssistiveTouch Description: A logic issue existed in AssistiveTouch's handling of events, which resulted in the screen not locking. This issue was addressed through improved handling of the lock timer. CVE-ID CVE-2014-4368 : Hendrik Bettermann Accounts Framework Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An attacker with access to an iOS device may access sensitive user information from logs Description: Sensitive user information was logged. This issue was addressed by logging less information. CVE-ID CVE-2014-4357 : Heli Myllykoski of OP-Pohjola Group Address Book Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A person with physical access to an iOS device may read the address book Description: The address book was encrypted with a key protected only by the hardware UID. This issue was addressed by encrypting the address book with a key protected by the hardware UID and the user's passcode. 
CVE-ID CVE-2014-4352 : Jonathan Zdziarski App Installation Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A local attacker may be able to escalate privileges and install unverified applications Description: A race condition existed in App Installation. An attacker with the capability of writing to /tmp may have been able to install an unverified app. This issue was addressed by staging files for installation in another directory. CVE-ID CVE-2014-4386 : evad3rs App Installation Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A local attacker may be able to escalate privileges and install unverified applications Description: A path traversal issue existed in App Installation. A local attacker could have retargeted code signature validation to a bundle different from the one being installed and cause installation of an unverified app. This issue was addressed by detecting and preventing path traversal when determining which code signature to verify. CVE-ID CVE-2014-4384 : evad3rs Assets Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An attacker with a privileged network position may be able to cause an iOS device to think that it is up to date even when it is not Description: A validation issue existed in the handling of update check responses. Spoofed dates from Last-Modified response headers set to future dates were used for If-Modified-Since checks in subsequent update requests. This issue was addressed by validation of the Last-Modified header. CVE-ID CVE-2014-4383 : Raul Siles of DinoSec Bluetooth Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Bluetooth is unexpectedly enabled by default after upgrading iOS Description: Bluetooth was enabled automatically after upgrading iOS. 
This was addressed by only turning on Bluetooth for major or minor version updates. CVE-ID CVE-2014-4354 : Maneet Singh, Sean Bluestein CoreGraphics Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of PDF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4377 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program CoreGraphics Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or an information disclosure Description: An out of bounds memory read existed in the handling of PDF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4378 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program Data Detectors Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Tapping on a FaceTime link in Mail would trigger a FaceTime audio call without prompting Description: Mail did not consult the user before launching facetime-audio:// URLs. This issue was addressed with the addition of a confirmation prompt. CVE-ID CVE-2013-6835 : Guillaume Ross Foundation Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An application using NSXMLParser may be misused to disclose information Description: An XML External Entity issue existed in NSXMLParser's handling of XML. This issue was addressed by not loading external entities across origins. 
CVE-ID CVE-2014-4374 : George Gal of VSR (http://www.vsecurity.com/) Home & Lock Screen Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A background app can determine which app is frontmost Description: The private API for determining the frontmost app did not have sufficient access control. This issue was addressed through additional access control. CVE-ID CVE-2014-4361 : Andreas Kurtz of NESO Security Labs and Markus Troßbach of Heilbronn University iMessage Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Attachments may persist after the parent iMessage or MMS is deleted Description: A race condition existed in how attachments were deleted. This issue was addressed by conducting additional checks on whether an attachment has been deleted. CVE-ID CVE-2014-4353 : Silviu Schiau IOAcceleratorFamily Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An application may cause an unexpected system termination Description: A null pointer dereference existed in the handling of IOAcceleratorFamily API arguments. This issue was addressed through improved validation of IOAcceleratorFamily API arguments. CVE-ID CVE-2014-4369 : Catherine aka winocm IOAcceleratorFamily Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: The device may unexpectedly restart Description: A NULL pointer dereference was present in the IntelAccelerator driver. The issue was addressed by improved error handling. CVE-ID CVE-2014-4373 : cunzhang from Adlab of Venustech IOHIDFamily Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to read kernel pointers, which can be used to bypass kernel address space layout randomization Description: An out-of-bounds read issue existed in the handling of an IOHIDFamily function.
This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4379 : Ian Beer of Google Project Zero IOHIDFamily Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A heap buffer overflow existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4404 : Ian Beer of Google Project Zero IOHIDFamily Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A null pointer dereference existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved validation of IOHIDFamily key-mapping properties. CVE-ID CVE-2014-4405 : Ian Beer of Google Project Zero IOHIDFamily Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue existed in the IOHIDFamily kernel extension. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4380 : cunzhang from Adlab of Venustech IOKit Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to read uninitialized data from kernel memory Description: An uninitialized memory access issue existed in the handling of IOKit functions. 
This issue was addressed through improved memory initialization. CVE-ID CVE-2014-4407 : @PanguTeam IOKit Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-4418 : Ian Beer of Google Project Zero IOKit Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-4388 : @PanguTeam IOKit Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An integer overflow existed in the handling of IOKit functions. This issue was addressed through improved validation of IOKit API arguments. CVE-ID CVE-2014-4389 : Ian Beer of Google Project Zero Kernel Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A local user may be able to determine kernel memory layout Description: Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization. CVE-ID CVE-2014-4371 : Fermin J. Serna of the Google Security Team CVE-2014-4419 : Fermin J. Serna of the Google Security Team CVE-2014-4420 : Fermin J. Serna of the Google Security Team CVE-2014-4421 : Fermin J.
Serna of the Google Security Team Kernel Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A person with a privileged network position may cause a denial of service Description: A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking. CVE-ID CVE-2011-2391 : Marc Heuse Kernel Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel Description: A double free issue existed in the handling of Mach ports. This issue was addressed through improved validation of Mach ports. CVE-ID CVE-2014-4375 : an anonymous researcher Kernel Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel Description: An out-of-bounds read issue existed in rt_setgate. This may lead to memory disclosure or memory corruption. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4408 Kernel Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Some kernel hardening measures may be bypassed Description: The random number generator used for kernel hardening measures early in the boot process was not cryptographically secure. Some of its output was inferable from user space, allowing bypass of the hardening measures. This issue was addressed by using a cryptographically secure algorithm. CVE-ID CVE-2014-4422 : Tarjei Mandt of Azimuth Security Libnotify Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to execute arbitrary code with root privileges Description: An out-of-bounds write issue existed in Libnotify. 
This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4381 : Ian Beer of Google Project Zero Lockdown Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A device can be manipulated into incorrectly presenting the home screen when the device is activation locked Description: An issue existed with unlocking behavior that caused a device to proceed to the home screen even if it should still be in an activation locked state. This was addressed by changing the information a device verifies during an unlock request. CVE-ID CVE-2014-1360 Mail Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Login credentials can be sent in plaintext even if the server has advertised the LOGINDISABLED IMAP capability Description: Mail sent the LOGIN command to servers even if they had advertised the LOGINDISABLED IMAP capability. This issue is mostly a concern when connecting to servers that are configured to accept non-encrypted connections and that advertise LOGINDISABLED. This issue was addressed by respecting the LOGINDISABLED IMAP capability. CVE-ID CVE-2014-4366 : Mark Crispin Mail Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A person with physical access to an iOS device may potentially read email attachments Description: A logic issue existed in Mail's use of Data Protection on email attachments. This issue was addressed by properly setting the Data Protection class for email attachments. CVE-ID CVE-2014-1348 : Andreas Kurtz of NESO Security Labs Profiles Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Voice Dial is unexpectedly enabled after upgrading iOS Description: Voice Dial was enabled automatically after upgrading iOS. This issue was addressed through improved state management.
CVE-ID CVE-2014-4367 : Sven Heinemann Safari Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: User credentials may be disclosed to an unintended site via autofill Description: Safari may have autofilled user names and passwords into a subframe from a different domain than the main frame. This issue was addressed through improved origin tracking. CVE-ID CVE-2013-5227 : Niklas Malmgren of Klarna AB Safari Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An attacker with a privileged network position may intercept user credentials Description: Saved passwords were autofilled on http sites, on https sites with broken trust, and in iframes. This issue was addressed by restricting password autofill to the main frame of https sites with valid certificate chains. CVE-ID CVE-2014-4363 : David Silver, Suman Jana, and Dan Boneh of Stanford University working with Eric Chen and Collin Jackson of Carnegie Mellon University Sandbox Profiles Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Apple ID information is accessible by third-party apps Description: An information disclosure issue existed in the third-party app sandbox. This issue was addressed by improving the third-party sandbox profile. CVE-ID CVE-2014-4362 : Andreas Kurtz of NESO Security Labs and Markus Troßbach of Heilbronn University Settings Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Text message previews may appear at the lock screen even when this feature is disabled Description: An issue existed in the previewing of text message notifications at the lock screen. As a result, the contents of received messages would be shown at the lock screen even when previews were disabled in Settings. The issue was addressed through improved observance of this setting.
CVE-ID CVE-2014-4356 : Mattia Schirinzi from San Pietro Vernotico (BR), Italy syslog Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A local user may be able to change permissions on arbitrary files Description: syslogd followed symbolic links while changing permissions on files. This issue was addressed through improved handling of symbolic links. CVE-ID CVE-2014-4372 : Tielei Wang and YeongJin Jang of Georgia Tech Information Security Center (GTISC) Weather Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Location information was sent unencrypted Description: An information disclosure issue existed in an API used to determine local weather. This issue was addressed by changing APIs. WebKit Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious website may be able to track users even when private browsing is enabled Description: A web application could store HTML 5 application cache data during normal browsing and then read the data during private browsing. This was addressed by disabling access to the application cache when in private browsing mode. CVE-ID CVE-2014-4409 : Yosuke Hasegawa (NetAgent Co., Led.) WebKit Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling. 
CVE-ID CVE-2013-6663 : Atte Kettunen of OUSPG CVE-2014-1384 : Apple CVE-2014-1385 : Apple CVE-2014-1387 : Google Chrome Security Team CVE-2014-1388 : Apple CVE-2014-1389 : Apple CVE-2014-4410 : Eric Seidel of Google CVE-2014-4411 : Google Chrome Security Team CVE-2014-4412 : Apple CVE-2014-4413 : Apple CVE-2014-4414 : Apple CVE-2014-4415 : Apple WiFi Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A device may be passively tracked by its WiFi MAC address Description: An information disclosure existed because a stable MAC address was being used to scan for WiFi networks. This issue was addressed by randomizing the MAC address for passive WiFi scans. Note: iOS 8 contains changes to some diagnostic capabilities. For details, please consult http://support.apple.com/kb/HT6331 iOS 8 now permits devices to untrust all previously trusted computers. Instructions can be found at http://support.apple.com/kb/HT5868 Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. 
To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "8".

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

. Gal <ggal (at) vsecurity.com>
Vendor Status: Fix Available
CVE Candidate: CVE-2014-4374
Reference: http://www.vsecurity.com/resources/advisory/20140917-1/
           http://support.apple.com/kb/HT1222

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Product Description
~-----------------~

From [1]: "Xcode includes software development kits (SDKs) that enable you to create applications that run on specific versions of iOS or OS X - including versions different from the one you are developing on.
This technology lets you build a single binary that takes advantage of new features when running on a system that supports them, and gracefully degrades when running on an older system. Some Apple frameworks automatically modify their behavior based on the SDK an application is built against for improved compatibility."

Vulnerability Overview
~--------------------~

In May 2014, VSR identified a vulnerability in versions 7.0 and 7.1 of the iOS SDK whereby the NSXMLParser class resolves XML External Entities by default, despite documentation which indicates otherwise. This vulnerability, commonly known as an XXE (XML eXternal Entities) attack, could allow an attacker to use the XML parser to carry out attacks ranging from network port scanning, information disclosure, and denial of service to, potentially, remote file retrieval. Further review also revealed that the Foundation Framework used in OS X 10.9.x is also vulnerable.

The severity of this vulnerability varies. For example, in situations where the application does not reflect user-influenced XML, retrieval of files may be limited; however, external HTTP entities could be used to conduct port scans. In other scenarios, if core iOS applications transmit XML over plaintext protocols, these protocols could potentially be intercepted to leak the contents of any file on the mobile device. For App Store applications, the files which could be accessed may be limited to those under the individual chrooted application directories or, in the case of jailbroken devices, any file on the filesystem.
However, inspection of multiple applications running on iOS 7.0 and 7.1 shows that they now resolve external entities by default, even when entity resolution is explicitly disabled as shown below:

    [nsXmlParser setShouldResolveExternalEntities:NO];

The following source code demonstrates the flaw:

    - (void) doParse:(NSData *)data {
        // create and init NSXMLParser object
        NSXMLParser *nsXmlParser = [[NSXMLParser alloc] initWithData:data];

        // Why does the following not even work!?
        [nsXmlParser setShouldResolveExternalEntities:NO];

        // create and init our delegate
        VSRParser *parser = [[VSRParser alloc] initXMLParser];

        // set delegate
        [nsXmlParser setDelegate:parser];

        // parsing...
        BOOL success = [nsXmlParser parse];

        // test the result
        if (success) {
            NSLog(@"No errors");
            NSMutableArray *stuff = [parser tests];
        } else {
            NSLog(@"Error parsing document!");
        }

        [parser release];
        [nsXmlParser release];
    }

When a vulnerable application parses an input XML file such as the one shown below, the XML parser attempts to perform network name resolution and access the resource defined by &http;

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE roottag [
      <!ENTITY http SYSTEM "http://iossdk-xxe.apt.vsecurity.org/">
      <!ENTITY file SYSTEM "file:///etc/hosts">
    ]>
    <test>
      <vsr>
        <tag1>&file;</tag1>
        <tag2>&http;</tag2>
      </vsr>
    </test>

The following DNS and web server log entries demonstrate attempts to resolve &http;

    2014-05-19_13:26:28.31088 ... iossdk-xxe.apt.vsecurity.org
    XX.XX.XX.XX - - [19/May/2014:09:26:28 -0400] "GET /xxe HTTP/1.0" 404 446 "-" "-"

In more serious exploitation scenarios, plaintext XML communications between a server and an iOS mobile application or OS X client application could be intercepted and modified in transit to reference a file present on the client device.
If the device reflects this value in subsequent communications or errors, the contents of files stored on the device could be leaked to an attacker.

Versions Affected
~---------------~

VSR's analysis revealed that the iOS 7.0 and 7.1 SDKs are vulnerable, while earlier versions of iOS and the iOS SDK do not appear to be affected. This vulnerability affects the Mac OS X Foundation framework; however, VSR has not verified the earliest version of the Foundation framework for OS X which is affected.

Vendor Response
~-------------~

The following timeline details Apple's response to the reported issue:

2014-05-19 Apple was provided a draft advisory.

Common Vulnerabilities and Exposures (CVE) Information
~----------------------------------------------------~

The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2014-4374 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

References:

1. https://developer.apple.com/library/ios/documentation/DeveloperTools/Conceptual/cross_development/Introduction/Introduction.html#//apple_ref/doc/uid/10000163-BCICHGIE
2. https://developer.apple.com/library/ios/documentation/Cocoa/Reference/Foundation/Classes/NSXMLParser_Class/Reference/Reference.html
3. http://support.apple.com/kb/HT1222

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

This advisory is distributed for educational purposes only with the sincere hope that it will help promote public safety. This advisory comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Neither Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
See the VSR disclosure policy for more information on our responsible disclosure practices: http://www.vsecurity.com/company/disclosure

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Copyright 2014 Virtual Security Research, LLC. All rights reserved