VARIoT IoT vulnerabilities database
| VAR-201409-0493 | CVE-2014-4364 | Apple iOS and Apple TV of 802.1X Vulnerabilities for calculating authentication information in subsystems |
CVSS V2: 2.9 CVSS V3: 5.6 Severity: MEDIUM |
The 802.1X subsystem in Apple iOS before 8 and Apple TV before 7 does not require strong authentication methods, which allows remote attackers to calculate credentials by offering LEAP authentication from a crafted Wi-Fi AP and then performing a cryptographic attack against the MS-CHAPv1 hash. Apple iOS and TV are prone to multiple security vulnerabilities. These issues affect the following components:
802.1X, Accounts, Accessibility, Accounts Framework, Address Book, App Installation, Assets, Bluetooth, CoreGraphics, Foundation, Home & Lock Screen, iMessage, IOAcceleratorFamily, IOAcceleratorFamily, IOHIDFamily, IOHIDFamily, IOKit, Kernel, Libnotify, Mail, Profiles, Safari, Sandbox Profiles, syslog and WebKit components.
Successfully exploiting these issues may allow attackers to crash the affected device, bypass security restrictions, obtain sensitive information, or execute arbitrary code. Other attacks are also possible.
This BID is being retired. The following individual records exist to better document the issues:
69913 Apple iOS and TV CVE-2014-4364 Spoofing Vulnerability
69917 Apple iOS CVE-2014-4423 Information Disclosure Vulnerability
69926 Apple iOS Lock Screen CVE-2014-4368 Security Bypass Vulnerability
69930 Apple iOS and TV CVE-2014-4357 Local Information Disclosure Security Vulnerability
69932 Apple iOS CVE-2014-4352 Local Information Disclosure Security Vulnerability
69936 Apple iOS CVE-2014-4386 Local Privilege Escalation Vulnerability
69940 Apple iOS CVE-2014-4384 Local Privilege Escalation Vulnerability
69941 Apple iOS and TV CVE-2014-4383 Security Bypass Vulnerability
69943 Apple iOS CVE-2014-4354 Unspecified Security Vulnerability
69903 Multiple Apple Products CVE-2014-4377 PDF Handling Integer Overflow Vulnerability
69915 Apple TV/Mac OS X/iOS CVE-2014-4378 Out of Bounds Read Memory Corruption Vulnerability
69905 Apple Mac OS X and iOS CVE-2014-4374 XML External Entity Information Disclosure Vulnerability
69921 Apple TV/Mac OS X/iOS CVE-2014-4379 Out of Bounds Read Memory Corruption Vulnerability
69929 Apple TV and iOS CVE-2014-4369 NULL Pointer Dereference Denial of Service Vulnerability
69934 Apple TV and iOS CVE-2014-4373 NULL Pointer Dereference Denial of Service Vulnerability
69938 Apple TV and iOS CVE-2014-4405 NULL Pointer Dereference Remote Code Execution Vulnerability
69942 Apple TV and iOS CVE-2014-4380 Out of Bounds Read Write Remote Code Execution Vulnerability
69947 Apple TV and iOS CVE-2014-4404 Heap Based Buffer Overflow Vulnerability
69949 Apple iOS CVE-2014-4361 Security Bypass Vulnerability
69951 Apple iOS CVE-2014-4353 Race Condition Local Information Disclosure Vulnerability
69912 Apple iOS and TV CVE-2014-4407 Information Disclosure Security Vulnerability
69919 Apple iOS and TV CVE-2014-4371 Unspecified Security Vulnerability
69924 Apple iOS and TV CVE-2014-4421 Unspecified Security Vulnerability
69927 Apple iOS and TV CVE-2014-4420 Unspecified Security Vulnerability
69928 Apple iOS and TV CVE-2014-4419 Unspecified Security Vulnerability
69939 Apple iOS and TV CVE-2014-4408 Out of Bounds Read Local Memory Corruption Vulnerability
69944 Apple iOS and TV CVE-2014-4375 Local Memory Corruption Vulnerability
69946 Apple iOS and TV CVE-2014-4418 Remote Code Execution Vulnerability
69948 Apple TV/Mac OS X/iOS CVE-2014-4388 Remote Code Execution Vulnerability
69950 Apple TV/Mac OS X/iOS CVE-2014-4389 Integer Buffer Overflow Vulnerability
69937 WebKit Private Browsing CVE-2014-4409 Security Bypass Vulnerability
69911 Apple iOS and TV CVE-2014-4422 Security Bypass Vulnerability
69931 Apple TV/Mac OS X/iOS CVE-2014-4381 Arbitrary Code Execution Vulnerability
69914 Apple iOS CVE-2014-4366 Information Disclosure Vulnerability
69945 Apple iOS CVE-2014-4367 Security Vulnerability
69920 Apple iOS CVE-2014-4362 Information Disclosure Vulnerability
69922 Apple iOS CVE-2014-4356 Local Information Disclosure Vulnerability
69923 Apple iOS and TV CVE-2014-4372 Local Security Bypass Vulnerability
69937 WebKit Private Browsing CVE-2014-4409 Security Bypass Vulnerability.
An attacker can exploit this issue to impersonate a WiFi access point to obtain the credentials, which will aid in further attacks. The vulnerability is caused by the program's use of weak authentication methods.
CVE-ID
CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim
Lamotte of Universiteit Hasselt
AFP File Server
Impact: A remote attacker could determine all the network addresses
of the system
Description: The AFP file server supported a command which returned
all the network addresses of the system.
CVE-ID
CVE-2014-4426 : Craig Young of Tripwire VERT
apache
Impact: Multiple vulnerabilities in Apache
Description: Multiple vulnerabilities existed in Apache, the most
serious of which may lead to a denial of service.
CVE-ID
CVE-2013-6438
CVE-2014-0098
App Sandbox
Impact: An application confined by sandbox restrictions may misuse
the accessibility API
Description: A sandboxed application could misuse the accessibility
API without the user's knowledge. This has been addressed by
requiring administrator approval to use the accessibility API on an
per-application basis.
CVE-ID
CVE-2014-4427 : Paul S. Ziegler of Reflare UG
Bash
Impact: In certain configurations, a remote attacker may be able to
execute arbitrary shell commands
Description: An issue existed in Bash's parsing of environment
variables. This update also incorporated the suggested CVE-2014-7169
change, which resets the parser state. In addition, this update
added a new namespace for exported functions by creating a function
decorator to prevent unintended header passthrough to Bash. The names
of all environment variables that introduce function definitions are
required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent
unintended function passing via HTTP headers.
CVE-ID
CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy
Bluetooth
Impact: A malicious Bluetooth input device may bypass pairing
Description: Unencrypted connections were permitted from Human
Interface Device-class Bluetooth Low Energy devices. If a Mac had
paired with such a device, an attacker could spoof the legitimate
device to establish a connection.
CVE-ID
CVE-2014-4428 : Mike Ryan of iSEC Partners
CFPreferences
Impact: The 'require password after sleep or screen saver begins'
preference may not be respected until after a reboot
Description: A session management issue existed in the handling of
system preference settings.
CoreStorage
Impact: An encrypted volume may stay unlocked when ejected
Description: When an encrypted volume was logically ejected while
mounted, the volume was unmounted but the keys were retained, so it
could have been mounted again without the password.
CVE-ID
CVE-2014-4430 : Benjamin King at See Ben Click Computer Services LLC,
Karsten Iwen, Dustin Li (http://dustin.li/), Ken J. Takekoshi, and
other anonymous researchers
CUPS
Impact: A local user can execute arbitrary code with system
privileges
Description: When the CUPS web interface served files, it would
follow symlinks. A local user could create symlinks to arbitrary
files and retrieve them through the web interface. This issue was
addressed by disallowing symlinks to be served via the CUPS web
interface.
CVE-ID
CVE-2014-4431 : Emil Sjolander of Umea University
fdesetup
Impact: The fdesetup command may provide misleading status for the
state of encryption on disk
Description: After updating settings, but before rebooting, the
fdesetup command provided misleading status.
CVE-ID
CVE-2014-4432
iCloud Find My Mac
Impact: iCloud Lost mode PIN may be bruteforced
Description: A state persistence issue in rate limiting allowed
brute force attacks on iCloud Lost mode PIN.
CVE-ID
CVE-2014-4435 : knoy
IOAcceleratorFamily
Impact: An application may cause a denial of service
Description: A NULL pointer dereference was present in the
IntelAccelerator driver.
CVE-ID
CVE-2014-4404 : Ian Beer of Google Project Zero
IOHIDFamily
Impact: An application may cause a denial of service
Description: A out-of-bounds memory read was present in the
IOHIDFamily driver. A maliciously crafted filesystem may
cause an unexpected system shutdown or arbitrary code execution with
kernel privileges. A maliciously crafted filesystem may cause an unexpected
system shutdown.
CVE-ID
CVE-2014-4422 : Tarjei Mandt of Azimuth Security
LaunchServices
Impact: A local application may bypass sandbox restrictions
Description: The LaunchServices interface for setting content type
handlers allowed sandboxed applications to specify handlers for
existing content types. A compromised application could use this to
bypass sandbox restrictions.
CVE-ID
CVE-2014-4437 : Meder Kydyraliev of the Google Security Team
LoginWindow
Impact: Sometimes the screen might not lock
Description: A race condition existed in LoginWindow, which would
sometimes prevent the screen from locking.
CVE-ID
CVE-2014-4438 : Harry Sintonen of nSense, Alessandro Lobina of
Helvetia Insurances, Patryk Szlagowski of Funky Monkey Labs
Mail
Impact: Mail may send email to unintended recipients
Description: A user interface inconsistency in Mail application
resulted in email being sent to addresses that were removed from the
list of recipients.
CVE-ID
CVE-2014-4439 : Patrick J Power of Melbourne, Australia
MCX Desktop Config Profiles
Impact: When mobile configuration profiles were uninstalled, their
settings were not removed
Description: Web proxy settings installed by a mobile configuration
profile were not removed when the profile was uninstalled.
CVE-ID
CVE-2014-4440 : Kevin Koster of Cloudpath Networks
NetFS Client Framework
Impact: File Sharing may enter a state in which it cannot be
disabled
Description: A state management issue existed in the File Sharing
framework.
CVE-ID
CVE-2014-4351 : Karl Smith of NCC Group
Safari
Impact: History of pages recently visited in an open tab may remain
after clearing of history
Description: Clearing Safari's history did not clear the
back/forward history for open tabs.
CVE-ID
CVE-2013-5150
Safari
Impact: Opting in to push notifications from a maliciously crafted
website may cause future Safari Push Notifications to be missed
Description: An uncaught exception issue existed in
SafariNotificationAgent's handling of Safari Push Notifications.
CVE-ID
CVE-2014-4417 : Marek Isalski of Faelix Limited
Secure Transport
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling CBC cipher suites
when TLS connection attempts fail.
CVE-ID
CVE-2014-4443 : Coverity
Security
Impact: A local user might have access to another user's Kerberos
tickets
Description: A state management issue existed in SecurityAgent.
While Fast User Switching, sometimes a Kerberos ticket for the
switched-to user would be placed in the cache for the previous user.
CVE-ID
CVE-2014-4444 : Gary Simon of Sandia National Laboratories, Ragnar
Sundblad of KTH Royal Institute of Technology, Eugene Homyakov of
Kaspersky Lab
Security - Code Signing
Impact: Tampered applications may not be prevented from launching
Description: Apps signed on OS X prior to OS X Mavericks 10.9 or
apps using custom resource rules, may have been susceptible to
tampering that would not have invalidated the signature. On systems
set to allow only apps from the Mac App Store and identified
developers, a downloaded modified app could have been allowed to run
as though it were legitimate. This issue was addressed by ignoring
signatures of bundles with resource envelopes that omit resources
that may influence execution. OS X Mavericks v10.9.5 and Security
Update 2014-004 for OS X Mountain Lion v10.8.5 already contain these
changes.
CVE-ID
CVE-2014-4391 : Christopher Hickstein working with HP's Zero Day
Initiative
Note: OS X Yosemite includes Safari 8.0, which incorporates
the security content of Safari 7.1. For further details see
"About the security content of Safari 7.1" at
https://support.apple.com/kb/HT6440.
OS X Yosemite may be obtained from the Mac App Store. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-09-17-1 iOS 8
iOS 8 is now available and addresses the following:
802.1X
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker can obtain WiFi credentials
Description: An attacker could have impersonated a WiFi access
point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash,
and used the derived credentials to authenticate to the intended
access point even if that access point supported stronger
authentication methods. This issue was addressed by disabling LEAP by
default.
CVE-ID
CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim
Lamotte of Universiteit Hasselt
Accounts
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to identify the Apple ID
of the user
Description: An issue existed in the access control logic for
accounts. A sandboxed application could get information about the
currently-active iCloud account, including the name of the account.
This issue was addressed by restricting access to certain account
types from unauthorized applications.
CVE-ID
CVE-2014-4423 : Adam Weaver
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at
http://support.apple.com/kb/HT5012.
Accessibility
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: The device may not lock the screen when using AssistiveTouch
Description: A logic issue existed in AssistiveTouch's handling of
events, which resulted in the screen not locking. This issue was
addressed through improved handling of the lock timer.
CVE-ID
CVE-2014-4368 : Hendrik Bettermann
Accounts Framework
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with access to an iOS device may access
sensitive user information from logs
Description: Sensitive user information was logged. This issue was
addressed by logging less information.
CVE-ID
CVE-2014-4357 : Heli Myllykoski of OP-Pohjola Group
Address Book
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to an iOS device may read the
address book
Description: The address book was encrypted with a key protected
only by the hardware UID. This issue was addressed by encrypting the
address book with a key protected by the hardware UID and the user's
passcode.
CVE-ID
CVE-2014-4352 : Jonathan Zdziarski
App Installation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local attacker may be able to escalate privileges and
install unverified applications
Description: A race condition existed in App Installation. An
attacker with the capability of writing to /tmp may have been able to
install an unverified app. This issue was addressed by staging files
for installation in another directory.
CVE-ID
CVE-2014-4386 : evad3rs
App Installation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local attacker may be able to escalate privileges and
install unverified applications
Description: A path traversal issue existed in App Installation. A
local attacker could have retargeted code signature validation to a
bundle different from the one being installed and cause installation
of an unverified app. This issue was addressed by detecting and
preventing path traversal when determining which code signature to
verify.
CVE-ID
CVE-2014-4384 : evad3rs
Assets
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to cause an iOS device to think that it is up to date even when it is
not
Description: A validation issue existed in the handling of update
check responses. Spoofed dates from Last-Modified response headers
set to future dates were used for If-Modified-Since checks in
subsequent update requests. This issue was addressed by validation of
the Last-Modified header.
CVE-ID
CVE-2014-4383 : Raul Siles of DinoSec
Bluetooth
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Bluetooth is unexpectedly enabled by default after upgrading
iOS
Description: Bluetooth was enabled automatically after upgrading
iOS. This was addressed by only turning on Bluetooth for major or
minor version updates.
CVE-ID
CVE-2014-4354 : Maneet Singh, Sean Bluestein
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of PDF
files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4377 : Felipe Andres Manzano of Binamuse VRT working with
the iSIGHT Partners GVP Program
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or an information disclosure
Description: An out of bounds memory read existed in the handling of
PDF files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4378 : Felipe Andres Manzano of Binamuse VRT working with
the iSIGHT Partners GVP Program
Data Detectors
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Tapping on a FaceTime link in Mail would trigger a FaceTime
audio call without prompting
Description: Mail did not consult the user before launching
facetime-audio:// URLs. This issue was addressed with the addition of
a confirmation prompt.
CVE-ID
CVE-2013-6835 : Guillaume Ross
Foundation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application using NSXMLParser may be misused to disclose
information
Description: An XML External Entity issue existed in NSXMLParser's
handling of XML. This issue was addressed by not loading external
entities across origins.
CVE-ID
CVE-2014-4374 : George Gal of VSR (http://www.vsecurity.com/)
Home & Lock Screen
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A background app can determine which app is frontmost
Description: The private API for determining the frontmost app did
not have sufficient access control. This issue was addressed through
additional access control.
CVE-ID
CVE-2014-4361 : Andreas Kurtz of NESO Security Labs and Markus
TroBbach of Heilbronn University
iMessage
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Attachments may persist after the parent iMessage or MMS is
deleted
Description: A race condition existed in how attachments were
deleted. This issue was addressed by conducting additional checks on
whether an attachment has been deleted.
CVE-ID
CVE-2014-4353 : Silviu Schiau
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application may cause an unexpected system termination
Description: A null pointer dereference existed in the handling of
IOAcceleratorFamily API arguments. This issue was addressed through
improved validation of IOAcceleratorFamily API arguments.
CVE-ID
CVE-2014-4369 : Catherine aka winocm
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: The device may unexpectedly restart
Description: A NULL pointer dereference was present in the
IntelAccelerator driver. The issue was addressed by improved error
handling.
CVE-ID
CVE-2014-4373 : cunzhang from Adlab of Venustech
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to read kernel pointers,
which can be used to bypass kernel address space layout randomization
Description: An out-of-bounds read issue existed in the handling of
an IOHIDFamily function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-4379 : Ian Beer of Google Project Zero
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A heap buffer overflow existed in IOHIDFamily's
handling of key-mapping properties. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2014-4404 : Ian Beer of Google Project Zero
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A null pointer dereference existed in IOHIDFamily's
handling of key-mapping properties. This issue was addressed through
improved validation of IOHIDFamily key-mapping properties.
CVE-ID
CVE-2014-4405 : Ian Beer of Google Project Zero
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with kernel privileges
Description: An out-of-bounds write issue existed in the IOHIDFamily
kernel extension. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-4380 : cunzhang from Adlab of Venustech
IOKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to read uninitialized
data from kernel memory
Description: An uninitialized memory access issue existed in the
handling of IOKit functions. This issue was addressed through
improved memory initialization
CVE-ID
CVE-2014-4407 : @PanguTeam
IOKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IODataQueue objects. This issue was addressed
through improved validation of metadata.
CVE-ID
CVE-2014-4418 : Ian Beer of Google Project Zero
IOKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IODataQueue objects. This issue was addressed
through improved validation of metadata.
CVE-ID
CVE-2014-4388 : @PanguTeam
IOKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An integer overflow existed in the handling of IOKit
functions. This issue was addressed through improved validation of
IOKit API arguments.
CVE-ID
CVE-2014-4389 : Ian Beer of Google Project Zero
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to determine kernel memory layout
Description: Multiple uninitialized memory issues existed in the
network statistics interface, which led to the disclosure of kernel
memory content. This issue was addressed through additional memory
initialization.
CVE-ID
CVE-2014-4371 : Fermin J. Serna of the Google Security Team
CVE-2014-4419 : Fermin J. Serna of the Google Security Team
CVE-2014-4420 : Fermin J. Serna of the Google Security Team
CVE-2014-4421 : Fermin J. Serna of the Google Security Team
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with a privileged network position may cause a
denial of service
Description: A race condition issue existed in the handling of IPv6
packets. This issue was addressed through improved lock state
checking.
CVE-ID
CVE-2011-2391 : Marc Heuse
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: A double free issue existed in the handling of Mach
ports. This issue was addressed through improved validation of Mach
ports.
CVE-ID
CVE-2014-4375 : an anonymous researcher
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: An out-of-bounds read issue existed in rt_setgate. This
may lead to memory disclosure or memory corruption. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2014-4408
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Some kernel hardening measures may be bypassed
Description: The random number generator used for kernel hardening
measures early in the boot process was not cryptographically secure.
Some of its output was inferable from user space, allowing bypass of
the hardening measures. This issue was addressed by using a
cryptographically secure algorithm.
CVE-ID
CVE-2014-4422 : Tarjei Mandt of Azimuth Security
Libnotify
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with root privileges
Description: An out-of-bounds write issue existed in Libnotify. This
issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4381 : Ian Beer of Google Project Zero
Lockdown
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A device can be manipulated into incorrectly presenting the
home screen when the device is activation locked
Description: An issue existed with unlocking behavior that caused a
device to proceed to the home screen even if it should still be in an
activation locked state. This was addressed by changing the
information a device verifies during an unlock request.
CVE-ID
CVE-2014-1360
Mail
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Login credentials can be sent in plaintext even if the
server has advertised the LOGINDISABLED IMAP capability
Description: Mail sent the LOGIN command to servers even if they had
advertised the LOGINDISABLED IMAP capability. This issue is mostly a
concern when connecting to servers that are configured to accept non-
encrypted connections and that advertise LOGINDISABLED. This issue
was addressed by respecting the LOGINDISABLED IMAP capability.
CVE-ID
CVE-2014-4366 : Mark Crispin
Mail
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to an iOS device may
potentially read email attachments
Description: A logic issue existed in Mail's use of Data Protection
on email attachments. This issue was addressed by properly setting
the Data Protection class for email attachments.
CVE-ID
CVE-2014-1348 : Andreas Kurtz of NESO Security Labs
Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Voice Dial is unexpectedly enabled after upgrading iOS
Description: Voice Dial was enabled automatically after upgrading
iOS. This issue was addressed through improved state management.
CVE-ID
CVE-2014-4367 : Sven Heinemann
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: User credentials may be disclosed to an unintended site via
autofill
Description: Safari may have autofilled user names and passwords
into a subframe from a different domain than the main frame. This
issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-5227 : Niklas Malmgren of Klarna AB
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may intercept
user credentials
Description: Saved passwords were autofilled on http sites, on https
sites with broken trust, and in iframes. This issue was addressed by
restricting password autofill to the main frame of https sites with
valid certificate chains.
CVE-ID
CVE-2014-4363 : David Silver, Suman Jana, and Dan Boneh of Stanford
University working with Eric Chen and Collin Jackson of Carnegie
Mellon University
Sandbox Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Apple ID information is accessible by third-party apps
Description: An information disclosure issue existed in the third-
party app sandbox. This issue was addressed by improving the third-
party sandbox profile.
CVE-ID
CVE-2014-4362 : Andreas Kurtz of NESO Security Labs and Markus
TroBbach of Heilbronn University
Settings
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Text message previews may appear at the lock screen even
when this feature is disabled
Description: An issue existed in the previewing of text message
notifications at the lock screen. As a result, the contents of
received messages would be shown at the lock screen even when
previews were disabled in Settings. The issue was addressed through
improved observance of this setting.
CVE-ID
CVE-2014-4356 : Mattia Schirinzi from San Pietro Vernotico (BR),
Italy
syslog
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to change permissions on arbitrary
files
Description: syslogd followed symbolic links while changing
permissions on files. This issue was addressed through improved
handling of symbolic links.
CVE-ID
CVE-2014-4372 : Tielei Wang and YeongJin Jang of Georgia Tech
Information Security Center (GTISC)
Weather
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Location information was sent unencrypted
Description: An information disclosure issue existed in an API used
to determine local weather. This issue was addressed by changing
APIs.
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious website may be able to track users even when
private browsing is enabled
Description: A web application could store HTML 5 application cache
data during normal browsing and then read the data during private
browsing. This was addressed by disabling access to the application
cache when in private browsing mode.
CVE-ID
CVE-2014-4409 : Yosuke Hasegawa (NetAgent Co., Led.)
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-6663 : Atte Kettunen of OUSPG
CVE-2014-1384 : Apple
CVE-2014-1385 : Apple
CVE-2014-1387 : Google Chrome Security Team
CVE-2014-1388 : Apple
CVE-2014-1389 : Apple
CVE-2014-4410 : Eric Seidel of Google
CVE-2014-4411 : Google Chrome Security Team
CVE-2014-4412 : Apple
CVE-2014-4413 : Apple
CVE-2014-4414 : Apple
CVE-2014-4415 : Apple
WiFi
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A device may be passively tracked by its WiFi MAC address
Description: An information disclosure existed because a stable MAC
address was being used to scan for WiFi networks. This issue was
addressed by randomizing the MAC address for passive WiFi scans.
Note:
iOS 8 contains changes to some diagnostic capabilities.
For details, please consult http://support.apple.com/kb/HT6331
iOS 8 now permits devices to untrust all previously trusted
computers. Instructions can be found at
http://support.apple.com/kb/HT5868
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJUGNl6AAoJEBcWfLTuOo7tD0oP/2QjJQxEaVKH5GhKX7HTLB9e
W2oU7kHqds6p9HQg3iw9SXs/c03EH2++Tf5+Kul8V94QZB2jD4T28MUctAjrvSX7
rHRTPFJn8dm6Dr/zReon3q6ph8PlnDGySJLON/RwrSwHpWcd8wA4uCC6gTPur3T9
tNfPrkT+b4iO4QsSLQaK6bJqTFmWruqEFwdXmtOY8qYOsEANMr9HPdm9WwEcdQaZ
tZZpa1FU4jIdfHZw18a3rzQ1LW4OO9fWbihKRgY8xq+Q8+Cs/EnY9hCIN0jl0OHm
TMvKojeO4CCBAKpwUQOVERkI4Oc7Ux6GefT84ttYu095KzmZVjq9yWmi0FcBAVMV
s32YL/alCNm86uNvxvkAvWJ3ZeZymuoTZHoNX5YNGIhuunRZONK94ay1RtYMdWPl
iesWma7tn9g/xMWRaDKfRy2vtUuetBVxiaAr3AqvMp+mx0lmmLOO8x1SxeKe+QUy
HO1O1DVAWPv2JIEf7mstDBHfQKYBRcgM3P4DJAgkrgH42ZNWb06ZyQhpAvFLVncD
g2/Q0cwUlPOvdNKxoUD3IVVwPZeIefw3vqrSHXSQPpIMkJJFrBbIB8v6nnkheebg
h5bPWfIxP0wuBjWz8SjOlPaSjxNxpmHK3H0tLU1q6TneBlmte405ytT4zSI7bvOY
ZZCDpw0BRMEXUyXqTns7
=hlmW
-----END PGP SIGNATURE-----
| VAR-201409-0498 | CVE-2014-4371 | Apple iOS and Apple TV Of the kernel network-statistics Vulnerability in obtaining memory content in the interface |
CVSS V2: 1.9 CVSS V3: - Severity: LOW |
The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4419, CVE-2014-4420, and CVE-2014-4421.
The impact of this issue is currently unknown. We will update this BID when more information emerges. Apple iOS and TV are prone to multiple security vulnerabilities. These issues affect the following components:
802.1X, Accounts, Accessibility, Accounts Framework, Address Book, App Installation, Assets, Bluetooth, CoreGraphics, Foundation, Home & Lock Screen, iMessage, IOAcceleratorFamily, IOAcceleratorFamily, IOHIDFamily, IOHIDFamily, IOKit, Kernel, Libnotify, Mail, Profiles, Safari, Sandbox Profiles, syslog and WebKit components.
Successfully exploiting these issues may allow attackers to crash the affected device, bypass security restrictions, obtain sensitive information, or execute arbitrary code. Other attacks are also possible.
This BID is being retired. The vulnerability is caused by the program not properly initializing memory.
CVE-ID
CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim
Lamotte of Universiteit Hasselt
AFP File Server
Impact: A remote attacker could determine all the network addresses
of the system
Description: The AFP file server supported a command which returned
all the network addresses of the system.
CVE-ID
CVE-2014-4426 : Craig Young of Tripwire VERT
apache
Impact: Multiple vulnerabilities in Apache
Description: Multiple vulnerabilities existed in Apache, the most
serious of which may lead to a denial of service.
CVE-ID
CVE-2013-6438
CVE-2014-0098
App Sandbox
Impact: An application confined by sandbox restrictions may misuse
the accessibility API
Description: A sandboxed application could misuse the accessibility
API without the user's knowledge. This has been addressed by
requiring administrator approval to use the accessibility API on an
per-application basis.
CVE-ID
CVE-2014-4427 : Paul S. Ziegler of Reflare UG
Bash
Impact: In certain configurations, a remote attacker may be able to
execute arbitrary shell commands
Description: An issue existed in Bash's parsing of environment
variables. This update also incorporated the suggested CVE-2014-7169
change, which resets the parser state. In addition, this update
added a new namespace for exported functions by creating a function
decorator to prevent unintended header passthrough to Bash. The names
of all environment variables that introduce function definitions are
required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent
unintended function passing via HTTP headers.
CVE-ID
CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy
Bluetooth
Impact: A malicious Bluetooth input device may bypass pairing
Description: Unencrypted connections were permitted from Human
Interface Device-class Bluetooth Low Energy devices. If a Mac had
paired with such a device, an attacker could spoof the legitimate
device to establish a connection.
CVE-ID
CVE-2014-4428 : Mike Ryan of iSEC Partners
CFPreferences
Impact: The 'require password after sleep or screen saver begins'
preference may not be respected until after a reboot
Description: A session management issue existed in the handling of
system preference settings.
CoreStorage
Impact: An encrypted volume may stay unlocked when ejected
Description: When an encrypted volume was logically ejected while
mounted, the volume was unmounted but the keys were retained, so it
could have been mounted again without the password.
CVE-ID
CVE-2014-4430 : Benjamin King at See Ben Click Computer Services LLC,
Karsten Iwen, Dustin Li (http://dustin.li/), Ken J. Takekoshi, and
other anonymous researchers
CUPS
Impact: A local user can execute arbitrary code with system
privileges
Description: When the CUPS web interface served files, it would
follow symlinks. A local user could create symlinks to arbitrary
files and retrieve them through the web interface. This issue was
addressed by disallowing symlinks to be served via the CUPS web
interface.
CVE-ID
CVE-2014-4431 : Emil Sjolander of Umea University
fdesetup
Impact: The fdesetup command may provide misleading status for the
state of encryption on disk
Description: After updating settings, but before rebooting, the
fdesetup command provided misleading status.
CVE-ID
CVE-2014-4432
iCloud Find My Mac
Impact: iCloud Lost mode PIN may be bruteforced
Description: A state persistence issue in rate limiting allowed
brute force attacks on iCloud Lost mode PIN.
CVE-ID
CVE-2014-4435 : knoy
IOAcceleratorFamily
Impact: An application may cause a denial of service
Description: A NULL pointer dereference was present in the
IntelAccelerator driver.
CVE-ID
CVE-2014-4404 : Ian Beer of Google Project Zero
IOHIDFamily
Impact: An application may cause a denial of service
Description: A out-of-bounds memory read was present in the
IOHIDFamily driver. A maliciously crafted filesystem may
cause an unexpected system shutdown or arbitrary code execution with
kernel privileges. A maliciously crafted filesystem may cause an unexpected
system shutdown.
CVE-ID
CVE-2014-4422 : Tarjei Mandt of Azimuth Security
LaunchServices
Impact: A local application may bypass sandbox restrictions
Description: The LaunchServices interface for setting content type
handlers allowed sandboxed applications to specify handlers for
existing content types. A compromised application could use this to
bypass sandbox restrictions.
CVE-ID
CVE-2014-4437 : Meder Kydyraliev of the Google Security Team
LoginWindow
Impact: Sometimes the screen might not lock
Description: A race condition existed in LoginWindow, which would
sometimes prevent the screen from locking.
CVE-ID
CVE-2014-4438 : Harry Sintonen of nSense, Alessandro Lobina of
Helvetia Insurances, Patryk Szlagowski of Funky Monkey Labs
Mail
Impact: Mail may send email to unintended recipients
Description: A user interface inconsistency in Mail application
resulted in email being sent to addresses that were removed from the
list of recipients.
CVE-ID
CVE-2014-4439 : Patrick J Power of Melbourne, Australia
MCX Desktop Config Profiles
Impact: When mobile configuration profiles were uninstalled, their
settings were not removed
Description: Web proxy settings installed by a mobile configuration
profile were not removed when the profile was uninstalled.
CVE-ID
CVE-2014-4440 : Kevin Koster of Cloudpath Networks
NetFS Client Framework
Impact: File Sharing may enter a state in which it cannot be
disabled
Description: A state management issue existed in the File Sharing
framework.
CVE-ID
CVE-2014-4351 : Karl Smith of NCC Group
Safari
Impact: History of pages recently visited in an open tab may remain
after clearing of history
Description: Clearing Safari's history did not clear the
back/forward history for open tabs.
CVE-ID
CVE-2013-5150
Safari
Impact: Opting in to push notifications from a maliciously crafted
website may cause future Safari Push Notifications to be missed
Description: An uncaught exception issue existed in
SafariNotificationAgent's handling of Safari Push Notifications.
CVE-ID
CVE-2014-4417 : Marek Isalski of Faelix Limited
Secure Transport
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling CBC cipher suites
when TLS connection attempts fail.
CVE-ID
CVE-2014-4443 : Coverity
Security
Impact: A local user might have access to another user's Kerberos
tickets
Description: A state management issue existed in SecurityAgent.
While Fast User Switching, sometimes a Kerberos ticket for the
switched-to user would be placed in the cache for the previous user.
CVE-ID
CVE-2014-4444 : Gary Simon of Sandia National Laboratories, Ragnar
Sundblad of KTH Royal Institute of Technology, Eugene Homyakov of
Kaspersky Lab
Security - Code Signing
Impact: Tampered applications may not be prevented from launching
Description: Apps signed on OS X prior to OS X Mavericks 10.9 or
apps using custom resource rules, may have been susceptible to
tampering that would not have invalidated the signature. On systems
set to allow only apps from the Mac App Store and identified
developers, a downloaded modified app could have been allowed to run
as though it were legitimate. This issue was addressed by ignoring
signatures of bundles with resource envelopes that omit resources
that may influence execution. OS X Mavericks v10.9.5 and Security
Update 2014-004 for OS X Mountain Lion v10.8.5 already contain these
changes.
CVE-ID
CVE-2014-4391 : Christopher Hickstein working with HP's Zero Day
Initiative
Note: OS X Yosemite includes Safari 8.0, which incorporates
the security content of Safari 7.1. For further details see
"About the security content of Safari 7.1" at
https://support.apple.com/kb/HT6440.
OS X Yosemite may be obtained from the Mac App Store. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-09-17-1 iOS 8
iOS 8 is now available and addresses the following:
802.1X
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker can obtain WiFi credentials
Description: An attacker could have impersonated a WiFi access
point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash,
and used the derived credentials to authenticate to the intended
access point even if that access point supported stronger
authentication methods. This issue was addressed by disabling LEAP by
default.
CVE-ID
CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim
Lamotte of Universiteit Hasselt
Accounts
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to identify the Apple ID
of the user
Description: An issue existed in the access control logic for
accounts. A sandboxed application could get information about the
currently-active iCloud account, including the name of the account.
This issue was addressed by restricting access to certain account
types from unauthorized applications.
CVE-ID
CVE-2014-4423 : Adam Weaver
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at
http://support.apple.com/kb/HT5012.
Accessibility
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: The device may not lock the screen when using AssistiveTouch
Description: A logic issue existed in AssistiveTouch's handling of
events, which resulted in the screen not locking. This issue was
addressed through improved handling of the lock timer.
CVE-ID
CVE-2014-4368 : Hendrik Bettermann
Accounts Framework
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with access to an iOS device may access
sensitive user information from logs
Description: Sensitive user information was logged. This issue was
addressed by logging less information.
CVE-ID
CVE-2014-4357 : Heli Myllykoski of OP-Pohjola Group
Address Book
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to an iOS device may read the
address book
Description: The address book was encrypted with a key protected
only by the hardware UID. This issue was addressed by encrypting the
address book with a key protected by the hardware UID and the user's
passcode.
CVE-ID
CVE-2014-4352 : Jonathan Zdziarski
App Installation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local attacker may be able to escalate privileges and
install unverified applications
Description: A race condition existed in App Installation. An
attacker with the capability of writing to /tmp may have been able to
install an unverified app. This issue was addressed by staging files
for installation in another directory.
CVE-ID
CVE-2014-4386 : evad3rs
App Installation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local attacker may be able to escalate privileges and
install unverified applications
Description: A path traversal issue existed in App Installation. A
local attacker could have retargeted code signature validation to a
bundle different from the one being installed and cause installation
of an unverified app. This issue was addressed by detecting and
preventing path traversal when determining which code signature to
verify.
CVE-ID
CVE-2014-4384 : evad3rs
Assets
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to cause an iOS device to think that it is up to date even when it is
not
Description: A validation issue existed in the handling of update
check responses. Spoofed dates from Last-Modified response headers
set to future dates were used for If-Modified-Since checks in
subsequent update requests. This issue was addressed by validation of
the Last-Modified header.
CVE-ID
CVE-2014-4383 : Raul Siles of DinoSec
Bluetooth
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Bluetooth is unexpectedly enabled by default after upgrading
iOS
Description: Bluetooth was enabled automatically after upgrading
iOS. This was addressed by only turning on Bluetooth for major or
minor version updates.
CVE-ID
CVE-2014-4354 : Maneet Singh, Sean Bluestein
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of PDF
files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4377 : Felipe Andres Manzano of Binamuse VRT working with
the iSIGHT Partners GVP Program
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or an information disclosure
Description: An out of bounds memory read existed in the handling of
PDF files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4378 : Felipe Andres Manzano of Binamuse VRT working with
the iSIGHT Partners GVP Program
Data Detectors
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Tapping on a FaceTime link in Mail would trigger a FaceTime
audio call without prompting
Description: Mail did not consult the user before launching
facetime-audio:// URLs. This issue was addressed with the addition of
a confirmation prompt.
CVE-ID
CVE-2013-6835 : Guillaume Ross
Foundation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application using NSXMLParser may be misused to disclose
information
Description: An XML External Entity issue existed in NSXMLParser's
handling of XML. This issue was addressed by not loading external
entities across origins.
CVE-ID
CVE-2014-4374 : George Gal of VSR (http://www.vsecurity.com/)
Home & Lock Screen
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A background app can determine which app is frontmost
Description: The private API for determining the frontmost app did
not have sufficient access control. This issue was addressed through
additional access control.
CVE-ID
CVE-2014-4361 : Andreas Kurtz of NESO Security Labs and Markus
TroBbach of Heilbronn University
iMessage
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Attachments may persist after the parent iMessage or MMS is
deleted
Description: A race condition existed in how attachments were
deleted. This issue was addressed by conducting additional checks on
whether an attachment has been deleted.
CVE-ID
CVE-2014-4353 : Silviu Schiau
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application may cause an unexpected system termination
Description: A null pointer dereference existed in the handling of
IOAcceleratorFamily API arguments. This issue was addressed through
improved validation of IOAcceleratorFamily API arguments.
CVE-ID
CVE-2014-4369 : Catherine aka winocm
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: The device may unexpectedly restart
Description: A NULL pointer dereference was present in the
IntelAccelerator driver. The issue was addressed by improved error
handling.
CVE-ID
CVE-2014-4373 : cunzhang from Adlab of Venustech
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to read kernel pointers,
which can be used to bypass kernel address space layout randomization
Description: An out-of-bounds read issue existed in the handling of
an IOHIDFamily function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-4379 : Ian Beer of Google Project Zero
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A heap buffer overflow existed in IOHIDFamily's
handling of key-mapping properties. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2014-4404 : Ian Beer of Google Project Zero
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A null pointer dereference existed in IOHIDFamily's
handling of key-mapping properties. This issue was addressed through
improved validation of IOHIDFamily key-mapping properties.
CVE-ID
CVE-2014-4405 : Ian Beer of Google Project Zero
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with kernel privileges
Description: An out-of-bounds write issue existed in the IOHIDFamily
kernel extension. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-4380 : cunzhang from Adlab of Venustech
IOKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to read uninitialized
data from kernel memory
Description: An uninitialized memory access issue existed in the
handling of IOKit functions. This issue was addressed through
improved memory initialization
CVE-ID
CVE-2014-4407 : @PanguTeam
IOKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IODataQueue objects. This issue was addressed
through improved validation of metadata.
CVE-ID
CVE-2014-4418 : Ian Beer of Google Project Zero
IOKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IODataQueue objects. This issue was addressed
through improved validation of metadata.
CVE-ID
CVE-2014-4388 : @PanguTeam
IOKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An integer overflow existed in the handling of IOKit
functions. This issue was addressed through improved validation of
IOKit API arguments.
CVE-ID
CVE-2014-4389 : Ian Beer of Google Project Zero
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to determine kernel memory layout
Description: Multiple uninitialized memory issues existed in the
network statistics interface, which led to the disclosure of kernel
memory content. This issue was addressed through additional memory
initialization.
CVE-ID
CVE-2014-4371 : Fermin J. Serna of the Google Security Team
CVE-2014-4419 : Fermin J. Serna of the Google Security Team
CVE-2014-4420 : Fermin J. Serna of the Google Security Team
CVE-2014-4421 : Fermin J. Serna of the Google Security Team
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with a privileged network position may cause a
denial of service
Description: A race condition issue existed in the handling of IPv6
packets. This issue was addressed through improved lock state
checking.
CVE-ID
CVE-2011-2391 : Marc Heuse
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: A double free issue existed in the handling of Mach
ports. This issue was addressed through improved validation of Mach
ports.
CVE-ID
CVE-2014-4375 : an anonymous researcher
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: An out-of-bounds read issue existed in rt_setgate. This
may lead to memory disclosure or memory corruption. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2014-4408
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Some kernel hardening measures may be bypassed
Description: The random number generator used for kernel hardening
measures early in the boot process was not cryptographically secure.
Some of its output was inferable from user space, allowing bypass of
the hardening measures. This issue was addressed by using a
cryptographically secure algorithm.
CVE-ID
CVE-2014-4422 : Tarjei Mandt of Azimuth Security
Libnotify
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with root privileges
Description: An out-of-bounds write issue existed in Libnotify. This
issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4381 : Ian Beer of Google Project Zero
Lockdown
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A device can be manipulated into incorrectly presenting the
home screen when the device is activation locked
Description: An issue existed with unlocking behavior that caused a
device to proceed to the home screen even if it should still be in an
activation locked state. This was addressed by changing the
information a device verifies during an unlock request.
CVE-ID
CVE-2014-1360
Mail
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Login credentials can be sent in plaintext even if the
server has advertised the LOGINDISABLED IMAP capability
Description: Mail sent the LOGIN command to servers even if they had
advertised the LOGINDISABLED IMAP capability. This issue is mostly a
concern when connecting to servers that are configured to accept non-
encrypted connections and that advertise LOGINDISABLED. This issue
was addressed by respecting the LOGINDISABLED IMAP capability.
CVE-ID
CVE-2014-4366 : Mark Crispin
Mail
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to an iOS device may
potentially read email attachments
Description: A logic issue existed in Mail's use of Data Protection
on email attachments. This issue was addressed by properly setting
the Data Protection class for email attachments.
CVE-ID
CVE-2014-1348 : Andreas Kurtz of NESO Security Labs
Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Voice Dial is unexpectedly enabled after upgrading iOS
Description: Voice Dial was enabled automatically after upgrading
iOS. This issue was addressed through improved state management.
CVE-ID
CVE-2014-4367 : Sven Heinemann
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: User credentials may be disclosed to an unintended site via
autofill
Description: Safari may have autofilled user names and passwords
into a subframe from a different domain than the main frame. This
issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-5227 : Niklas Malmgren of Klarna AB
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may intercept
user credentials
Description: Saved passwords were autofilled on http sites, on https
sites with broken trust, and in iframes. This issue was addressed by
restricting password autofill to the main frame of https sites with
valid certificate chains.
CVE-ID
CVE-2014-4363 : David Silver, Suman Jana, and Dan Boneh of Stanford
University working with Eric Chen and Collin Jackson of Carnegie
Mellon University
Sandbox Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Apple ID information is accessible by third-party apps
Description: An information disclosure issue existed in the third-
party app sandbox. This issue was addressed by improving the third-
party sandbox profile.
CVE-ID
CVE-2014-4362 : Andreas Kurtz of NESO Security Labs and Markus
TroBbach of Heilbronn University
Settings
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Text message previews may appear at the lock screen even
when this feature is disabled
Description: An issue existed in the previewing of text message
notifications at the lock screen. As a result, the contents of
received messages would be shown at the lock screen even when
previews were disabled in Settings. The issue was addressed through
improved observance of this setting.
CVE-ID
CVE-2014-4356 : Mattia Schirinzi from San Pietro Vernotico (BR),
Italy
syslog
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to change permissions on arbitrary
files
Description: syslogd followed symbolic links while changing
permissions on files. This issue was addressed through improved
handling of symbolic links.
CVE-ID
CVE-2014-4372 : Tielei Wang and YeongJin Jang of Georgia Tech
Information Security Center (GTISC)
Weather
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Location information was sent unencrypted
Description: An information disclosure issue existed in an API used
to determine local weather. This issue was addressed by changing
APIs.
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious website may be able to track users even when
private browsing is enabled
Description: A web application could store HTML 5 application cache
data during normal browsing and then read the data during private
browsing. This was addressed by disabling access to the application
cache when in private browsing mode.
CVE-ID
CVE-2014-4409 : Yosuke Hasegawa (NetAgent Co., Led.)
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-6663 : Atte Kettunen of OUSPG
CVE-2014-1384 : Apple
CVE-2014-1385 : Apple
CVE-2014-1387 : Google Chrome Security Team
CVE-2014-1388 : Apple
CVE-2014-1389 : Apple
CVE-2014-4410 : Eric Seidel of Google
CVE-2014-4411 : Google Chrome Security Team
CVE-2014-4412 : Apple
CVE-2014-4413 : Apple
CVE-2014-4414 : Apple
CVE-2014-4415 : Apple
WiFi
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A device may be passively tracked by its WiFi MAC address
Description: An information disclosure existed because a stable MAC
address was being used to scan for WiFi networks. This issue was
addressed by randomizing the MAC address for passive WiFi scans.
Note:
iOS 8 contains changes to some diagnostic capabilities.
For details, please consult http://support.apple.com/kb/HT6331
iOS 8 now permits devices to untrust all previously trusted
computers. Instructions can be found at
http://support.apple.com/kb/HT5868
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJUGNl6AAoJEBcWfLTuOo7tD0oP/2QjJQxEaVKH5GhKX7HTLB9e
W2oU7kHqds6p9HQg3iw9SXs/c03EH2++Tf5+Kul8V94QZB2jD4T28MUctAjrvSX7
rHRTPFJn8dm6Dr/zReon3q6ph8PlnDGySJLON/RwrSwHpWcd8wA4uCC6gTPur3T9
tNfPrkT+b4iO4QsSLQaK6bJqTFmWruqEFwdXmtOY8qYOsEANMr9HPdm9WwEcdQaZ
tZZpa1FU4jIdfHZw18a3rzQ1LW4OO9fWbihKRgY8xq+Q8+Cs/EnY9hCIN0jl0OHm
TMvKojeO4CCBAKpwUQOVERkI4Oc7Ux6GefT84ttYu095KzmZVjq9yWmi0FcBAVMV
s32YL/alCNm86uNvxvkAvWJ3ZeZymuoTZHoNX5YNGIhuunRZONK94ay1RtYMdWPl
iesWma7tn9g/xMWRaDKfRy2vtUuetBVxiaAr3AqvMp+mx0lmmLOO8x1SxeKe+QUy
HO1O1DVAWPv2JIEf7mstDBHfQKYBRcgM3P4DJAgkrgH42ZNWb06ZyQhpAvFLVncD
g2/Q0cwUlPOvdNKxoUD3IVVwPZeIefw3vqrSHXSQPpIMkJJFrBbIB8v6nnkheebg
h5bPWfIxP0wuBjWz8SjOlPaSjxNxpmHK3H0tLU1q6TneBlmte405ytT4zSI7bvOY
ZZCDpw0BRMEXUyXqTns7
=hlmW
-----END PGP SIGNATURE-----
.
CVE-ID
CVE-2014-4481 : Felipe Andres Manzano of the Binamuse VRT, via the
iSIGHT Partners GVP Program
CPU Software
Available for: OS X Yosemite v10.10 and v10.10.1,
for: MacBook Pro Retina, MacBook Air (Mid 2013 and later),
iMac (Late 2013 and later), Mac Pro (Late 2013)
Impact: A malicious Thunderbolt device may be able to affect
firmware flashing
Description: Thunderbolt devices could modify the host firmware if
connected during an EFI update. The
App Store process could log Apple ID credentials in the log when
additional logging was enabled.
CVE-ID
CVE-2014-4499 : Sten Petersen
CoreGraphics
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: Some third-party applications with non-secure text entry and
mouse events may log those events
Description: Due to the combination of an uninitialized variable and
an application's custom allocator, non-secure text entry and mouse
events may have been logged.
CVE-ID
CVE-2014-4485 : Apple
Intel Graphics Driver
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: Multiple vulnerabilities in Intel graphics driver
Description: Multiple vulnerabilities existed in the Intel graphics
driver, the most serious of which may have led to arbitrary code
execution with system privileges. This issue was addressed by
not granting write permissions as a side-effect of some custom cache
modes. Responses containing an
OSBundleMachOHeaders key may have included kernel addresses, which
may aid in bypassing address space layout randomization protection.
CVE-ID
CVE-2014-4461 : @PanguTeam
LaunchServices
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: A malicious JAR file may bypass Gatekeeper checks
Description: An issue existed in the handling of application
launches which allowed certain malicious JAR files to bypass
Gatekeeper checks.
CVE-ID
CVE-2014-8827 : Xavier Bertels of Mono, and multiple OS X seed
testers
lukemftp
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: Using the command line ftp tool to fetch files from a
malicious http server may lead to arbitrary code execution
Description: A command injection issue existed in the handling of
HTTP redirects.
CVE-ID
CVE-2014-8517
OpenSSL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: Multiple vulnerabilities in OpenSSL 0.9.8za, including one
that may allow an attacker to downgrade connections to use weaker
cipher-suites in applications using the library
Description: Multiple vulnerabilities existed in OpenSSL 0.9.8za.
CVE-ID
CVE-2014-3566
CVE-2014-3567
CVE-2014-3568
Sandbox
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: A design issue existed in the caching of sandbox
profiles which allowed sandboxed applications to gain write access to
the cache.
CVE-ID
CVE-2014-8830 : Jose Duart of Google Security Team
Security
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: A downloaded application signed with a revoked Developer ID
certificate may pass Gatekeeper checks
Description: An issue existed with how cached application
certificate information was evaluated.
CVE-ID
CVE-2014-8838 : Apple
security_taskgate
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: An app may access keychain items belonging to other apps
Description: An access control issue existed in the Keychain.
Applications signed with self-signed or Developer ID certificates
could access keychain items whose access control lists were based on
keychain groups.
CVE-ID
CVE-2014-8831 : Apple
Spotlight
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: The sender of an email could determine the IP address of the
recipient
Description: Spotlight did not check the status of Mail's "Load
remote content in messages" setting.
CVE-ID
CVE-2014-8839 : John Whitehead of The New York Times, Frode Moe of
LastFriday.no
Spotlight
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: Spotlight may save unexpected information to an external
hard drive
Description: An issue existed in Spotlight where memory contents may
have been written to external hard drives when indexing.
CVE-ID
CVE-2014-8832 : F-Secure
SpotlightIndex
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: Spotlight may display results for files not belonging to the
user
Description: A deserialization issue existed in Spotlight's handling
of permission caches. A user performing a Spotlight query may have
been shown search results referencing files for which they don't have
sufficient privileges to read. This
update removes such extraneous information that may have been present
in printing preference files
| VAR-201409-1157 | No CVE | OSSEC '.passlist' Unsafe File Permission Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
OSSEC is an open source multi-platform intrusion detection system developed by the OSSEC team. The system provides functions such as log analysis, file integrity detection, and real-time alarms.
A local insecure file permission vulnerability exists in OSSEC. This vulnerability could be used by a local attacker to gain access to globally readable files and sensitive information. There are vulnerabilities in OSSEC 2.8, other versions may also be affected
| VAR-201409-0724 | CVE-2014-5413 | Schneider Electric StruxureWare SCADA Expert ClearSCADA Vulnerable to server impersonation |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 uses the MD5 algorithm for an X.509 certificate, which makes it easier for remote attackers to spoof servers via a cryptographic attack against this algorithm. ClearSCADA is an integrated SCADA host platform. Schneider Electric ClearSCADA has a remote unknown vulnerability that allows an attacker to exploit the vulnerability to obtain sensitive information. Information obtained may lead to further attacks. Schneider Electric StruxureWare SCADA Expert ClearSCADA is a set of energy efficiency management software monitoring platform of French Schneider Electric (Schneider Electric). The platform is primarily used for remote management of critical infrastructure. There is an encryption issue vulnerability in Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 to 2014 R1
| VAR-201409-0723 | CVE-2014-5412 | Schneider Electric ClearSCADA Remote Security Bypass Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allows remote attackers to read database records by leveraging access to the guest account. ClearSCADA is an integrated SCADA host platform. Schneider Electric ClearSCADA has a remote security bypass vulnerability that allows an attacker to exploit this vulnerability to bypass security restrictions and perform unauthorized operations. Schneider Electric ClearSCADA is prone to a remote security-bypass vulnerability. The platform is primarily used for remote management of critical infrastructure
| VAR-201409-0438 | CVE-2014-0563 | Windows and Mac OS X Run on Adobe Reader and Acrobat Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to cause a denial of service (memory corruption) via unspecified vectors. Adobe Acrobat and Reader are prone to an unspecified memory-corruption vulnerability.
Attackers can exploit this issue to crash the affected application.
The following products are affected:
Adobe Reader 11.x versions prior to 11.0.09
Adobe Reader 10.x versions prior to 10.1.12
Adobe Acrobat 11.x versions prior to 11.0.09
Adobe Acrobat 10.x versions prior to 10.1.12. Adobe Reader is a free PDF file reader, and Acrobat is a PDF file editing and conversion tool
| VAR-201409-0437 | CVE-2014-0562 | Mac OS X Run on Adobe Reader and Acrobat Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS).". Adobe Acrobat and Reader are prone to an unspecified cross-site scripting.
An attacker may leverage this issue to execute arbitrary script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Adobe Reader is a free PDF file reader, and Acrobat is a PDF file editing and conversion tool. The following products and versions are affected: Adobe Reader 11.0.08 and earlier and 10.1.11 and earlier for Windows, Adobe Reader 11.0.07 and earlier for OS X and 10.1.10 and earlier for Windows Adobe Acrobat 11.0.08 and earlier versions and 10.1.11 and earlier versions on the platform, and Adobe Acrobat 11.0.07 and earlier versions and 10.1.10 and earlier versions on the OS X platform
| VAR-201409-0436 | CVE-2014-0561 | Windows and Mac OS X Run on Adobe Reader and Acrobat Vulnerable to heap-based buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0567. This vulnerability is CVE-2014-0567 This is a different vulnerability.An attacker could execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the 3DIF Plugin (3difr.x3d). Failed exploit attempts likely result in denial-of-service conditions. Adobe Reader is a free PDF file reader, and Acrobat is a PDF file editing and conversion tool
| VAR-201409-0429 | CVE-2014-0560 | Windows and Mac OS X Run on Adobe Reader and Acrobat Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors. Adobe Reader and Acrobat are prone to a remote code-execution vulnerability.
Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts likely result in denial-of-service conditions.
The affected products are:
Adobe Reader 11.x versions prior to 11.0.09
Adobe Reader 10.x versions prior to 10.1.12
Adobe Acrobat 11.x versions prior to 11.0.09
Adobe Acrobat 10.x versions prior to 10.1.12. Adobe Reader is a free PDF file reader, and Acrobat is a PDF file editing and conversion tool
| VAR-201409-0420 | CVE-2014-0565 | Windows and Mac OS X Run on Adobe Reader and Acrobat Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0566. Adobe Reader and Acrobat are prone to an unspecified remote code-execution vulnerability. Failed exploit attempts likely result in denial-of-service conditions.
The affected products are:
Adobe Reader 11.x versions prior to 11.0.09
Adobe Reader 10.x versions prior to 10.1.12
Adobe Acrobat 11.x versions prior to 11.0.09
Adobe Acrobat 10.x versions prior to 10.1.12. Adobe Reader is a free PDF file reader, and Acrobat is a PDF file editing and conversion tool
| VAR-201409-0422 | CVE-2014-0567 | Windows and Mac OS X Run on Adobe Reader and Acrobat Heap-based buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0561. This vulnerability CVE-2014-0561 Is a different vulnerability.An attacker could execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the replace() JavaScript function. By creating a specially crafted string followed by a replace call with specific arguments, an attacker can force a heap buffer to overflow. Failed exploit attempts likely result in denial-of-service conditions. Both Adobe Reader and Acrobat are products of the American company Adobe. Adobe Reader is a free PDF file reader, and Acrobat is a PDF file editing and conversion tool
| VAR-201409-0421 | CVE-2014-0566 | Windows and Mac OS X Run on Adobe Reader and Acrobat Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0565. Adobe Reader and Acrobat are prone to an unspecified remote code-execution vulnerability. Failed exploit attempts likely result in denial-of-service conditions.
The affected products are:
Adobe Reader 11.x versions prior to 11.0.09
Adobe Reader 10.x versions prior to 10.1.12
Adobe Acrobat 11.x versions prior to 11.0.09
Adobe Acrobat 10.x versions prior to 10.1.12. Adobe Reader is a free PDF file reader, and Acrobat is a PDF file editing and conversion tool
| VAR-201409-1171 | No CVE | Multiple vulnerabilities in multiple Aztech ADSL2/2+ routers |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Aztech ADSL2/2+ Routers are ADSL router devices. Multiple Aztech ADSL2/2+ Routers products have security vulnerabilities: 1, /cgi-bin/AZ_Retrain.cgi failed to properly handle user-submitted HTTP GET requests, which can lead to link interruption. 2. The WEB interface session management privilege ID verification has a problem, allowing an attacker to reuse the session execution management command. 3. The attacker can obtain sensitive configuration information by sending a request to the cgi-bin/userromfile.cgi script to download the ROM file. 4. The router fails to properly process the user request, allowing the attacker to operate the WEB parameters, change settings, and so on. An attacker could use this vulnerability to bypass security restrictions and perform unauthorized operations on the affected device. This may aid in further attacks
| VAR-201801-0071 | CVE-2014-6435 |
plural Aztech ADSL Authentication vulnerabilities in devices
Related entries in the VARIoT exploits database: VAR-E-201409-0073, VAR-E-201409-0072 |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
cgi-bin/AZ_Retrain.cgi in Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices does not check for authentication, which allows remote attackers to cause a denial of service (WAN connectivity reset) via a direct request. plural Aztech ADSL The device contains an authentication vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. AztechDSL5018EN, DSL705E and DSL705EU are router products of the Aztech Group of Singapore. A denial of service vulnerability exists in several Aztech routers. An attacker could exploit the vulnerability to crash an affected device, causing a denial of service.
Aztech DSL5018EN, DSL705E and DSL705EU are vulnerable. The vulnerability is due to the fact that the program does not perform authentication detection. PRODUCT DESCRIPTION
The Aztech ADSL family of modems/routes are shipped to residential and SOHO users that desires speed from 150-300mbps rate. This modem/router also supports IEEE802.11b/g/n as a Wireless LAN Access point. The vulnerable model numbers are: DSL5018EN (1T1R) (Shipped with Globe Telecom in the Philippines), DSL705E and DSL705EU.
Vendor reference: http://www.aztech.com/prod_adsl_dsl5018en_1t1r.html
1. Sending a crafted HTTP GET request to the router via /cgi-bin/AZ_Retrain.cgi will allow an attacker to execute code that could potentially lead to Denial of Service (DoS) attack and may terminate or all established Internet connections in the network.
Proof of Concept for this vulnerability
Send a GET request to the cgi-bin/AZ_Retrain.cgi to reset the WAN connection: http://x.arpa.ph/fjpf/aztech-exploits/azreset.txt
2. Broken Session Management
A successful authentication of a privilege (admin) ID in the web portal allows any attacker in the network to hijack and reuse the existing session in order to trick and allow the web server to execute administrative commands. The command may be freely executed from any terminal in the network as long as the session of the privilege ID is valid.
Proof of Concept for this vulnerability
1. From computer A, open a web browser and login to the modem/router's web portal using the administrator ID.
2. From computer B, open a terminal session and make a POST request to the router: http://x.arpa.ph/fjpf/aztech-exploits/azpass.txt
3. File and Data Exposure
The router's configuration file contains the hardware information as well as all of the user's credentials. This includes the customer's name and WAN account, the TR-069 credential of the telecom company and the web portal's admin username and password. A malicious attacker can send a direct GET request to the cgi-bin/userromfile.cgi script and download the ROM file. Although the ROM file is a ciphered text, this can be deciphered using a weak substitution technique (ROT 24) which could potentially lead to data exposure.
Proof of Concept for this vulnerability
a. Send a GET request to the router using cgi-bin/userromfile.cgi via curl: http://x.arpa.ph/fjpf/aztech-exploits/azgetconf.txt
b. Decipher the downloaded rommfile.cfg using Caesar cipher.
4. Web Parameter Tampering
Some of the router's restricted and disabled settings can be acquired by checking the hidden fields in forms. Most of these settings can be manipulated by intercepting the data and manipulating the values upon submission. The below example shows how we manipulated the Access Control List in order to enable Telnet in the WAN section of the control panel before submitting the data.
Proof of Concept for this vulnerability
a. Open a web browser and redirect traffic to localhost:8080.
b. Open burb proxy and intercept traffic coming from the browser.
c. Login to the router's web portal and go to the page where the protected values are located.
d. Find the reference to the hidden values in the form and modify it.
e. Submit the request to the router. Refresh the browser to see the modified protected values.
Screenshots: http://x.arpa.ph/fjpf/aztech-exploits/aztech.img.tgz
The following CVE's precedes the above and were found as fixed:
CVE-2008-6588 _ Aztech ADSL2/2+ 4-port router has a default "isp" account with a default "isp" password, which allows remote attackers to obtain access if this default is not changed.
CVE-2008-6554 _ cgi-bin/script in Aztech ADSL2/2+ 4-port router 3.7.0 build 070426 allows remote attackers to execute arbitrary commands via shell metacharacters in the query string.
CVE-2007-4733 _ The Aztech DSL600EU router, when WAN access to the web interface is disabled, does not properly block inbound traffic on TCP port 80, which allows remote attackers to connect to the web interface by guessing a TCP sequence number, possibly involving spoofing of an ARP packet, a related issue to CVE-1999-0077.
Researchers:
Federick Joe Fajardo / fjpfajardo(at)ph.ibm.com, Lorenzo Miguel Flores / floresl(at)ph.ibm.com
| VAR-201801-0073 | CVE-2014-6437 |
Aztech Modem Routers Information Disclosure Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201409-0073, VAR-E-201409-0072 |
CVSS V2: 5.0 CVSS V3: 9.8 Severity: CRITICAL |
Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices allow remote attackers to obtain sensitive device configuration information via vectors involving the ROM file. plural Aztech ADSL The device contains an information disclosure vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. AztechModemRouters is a Modem and router all-in-one product from Aztech Group of Singapore. An information disclosure vulnerability exists in AztechModemRouters. An attacker could exploit the vulnerability to gain access to sensitive information and facilitate further attacks. Aztech Modem Routers are prone to an information-disclosure vulnerability. PRODUCT DESCRIPTION
The Aztech ADSL family of modems/routes are shipped to residential and SOHO users that desires speed from 150-300mbps rate. This modem/router also supports IEEE802.11b/g/n as a Wireless LAN Access point. The vulnerable model numbers are: DSL5018EN (1T1R) (Shipped with Globe Telecom in the Philippines), DSL705E and DSL705EU.
Vendor reference: http://www.aztech.com/prod_adsl_dsl5018en_1t1r.html
1. Denial of Service (DoS)
The CGI script that resets the WAN connectivity of the modem can be called directly from the web server with no authentication. Sending a crafted HTTP GET request to the router via /cgi-bin/AZ_Retrain.cgi will allow an attacker to execute code that could potentially lead to Denial of Service (DoS) attack and may terminate or all established Internet connections in the network.
Proof of Concept for this vulnerability
Send a GET request to the cgi-bin/AZ_Retrain.cgi to reset the WAN connection: http://x.arpa.ph/fjpf/aztech-exploits/azreset.txt
2. Broken Session Management
A successful authentication of a privilege (admin) ID in the web portal allows any attacker in the network to hijack and reuse the existing session in order to trick and allow the web server to execute administrative commands. The command may be freely executed from any terminal in the network as long as the session of the privilege ID is valid.
Proof of Concept for this vulnerability
1. From computer A, open a web browser and login to the modem/router's web portal using the administrator ID.
2. From computer B, open a terminal session and make a POST request to the router: http://x.arpa.ph/fjpf/aztech-exploits/azpass.txt
3. File and Data Exposure
The router's configuration file contains the hardware information as well as all of the user's credentials. This includes the customer's name and WAN account, the TR-069 credential of the telecom company and the web portal's admin username and password. A malicious attacker can send a direct GET request to the cgi-bin/userromfile.cgi script and download the ROM file. Although the ROM file is a ciphered text, this can be deciphered using a weak substitution technique (ROT 24) which could potentially lead to data exposure.
Proof of Concept for this vulnerability
a. Send a GET request to the router using cgi-bin/userromfile.cgi via curl: http://x.arpa.ph/fjpf/aztech-exploits/azgetconf.txt
b. Decipher the downloaded rommfile.cfg using Caesar cipher.
4. Web Parameter Tampering
Some of the router's restricted and disabled settings can be acquired by checking the hidden fields in forms. Most of these settings can be manipulated by intercepting the data and manipulating the values upon submission. The below example shows how we manipulated the Access Control List in order to enable Telnet in the WAN section of the control panel before submitting the data.
Proof of Concept for this vulnerability
a. Open a web browser and redirect traffic to localhost:8080.
b. Open burb proxy and intercept traffic coming from the browser.
c. Login to the router's web portal and go to the page where the protected values are located.
d. Find the reference to the hidden values in the form and modify it.
e. Submit the request to the router. Refresh the browser to see the modified protected values.
Screenshots: http://x.arpa.ph/fjpf/aztech-exploits/aztech.img.tgz
The following CVE's precedes the above and were found as fixed:
CVE-2008-6588 _ Aztech ADSL2/2+ 4-port router has a default "isp" account with a default "isp" password, which allows remote attackers to obtain access if this default is not changed.
CVE-2008-6554 _ cgi-bin/script in Aztech ADSL2/2+ 4-port router 3.7.0 build 070426 allows remote attackers to execute arbitrary commands via shell metacharacters in the query string.
CVE-2007-4733 _ The Aztech DSL600EU router, when WAN access to the web interface is disabled, does not properly block inbound traffic on TCP port 80, which allows remote attackers to connect to the web interface by guessing a TCP sequence number, possibly involving spoofing of an ARP packet, a related issue to CVE-1999-0077.
Researchers:
Federick Joe Fajardo / fjpfajardo(at)ph.ibm.com, Lorenzo Miguel Flores / floresl(at)ph.ibm.com
| VAR-201801-0072 | CVE-2014-6436 |
plural Aztech ADSL Authentication vulnerabilities in devices
Related entries in the VARIoT exploits database: VAR-E-201409-0073, VAR-E-201409-0072 |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices improperly manage sessions, which allows remote attackers to bypass authentication in opportunistic circumstances and execute arbitrary commands with administrator privileges by leveraging an existing web portal login. plural Aztech ADSL The device contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. AztechModemRouters is a Modem and router all-in-one product from Aztech Group of Singapore. A session hijacking vulnerability exists in several AztechModemRouters products. An attacker could exploit the vulnerability to gain access to affected devices. A session hijacking vulnerability exists in multiple Aztech Modem Routers products, allowing remote attackers to exploit vulnerabilities to access devices for unauthorized operation in other user contexts. The vulnerability stems from the fact that the program does not manage sessions correctly. PRODUCT DESCRIPTION
The Aztech ADSL family of modems/routes are shipped to residential and SOHO users that desires speed from 150-300mbps rate. This modem/router also supports IEEE802.11b/g/n as a Wireless LAN Access point. The vulnerable model numbers are: DSL5018EN (1T1R) (Shipped with Globe Telecom in the Philippines), DSL705E and DSL705EU.
Vendor reference: http://www.aztech.com/prod_adsl_dsl5018en_1t1r.html
1. Denial of Service (DoS)
The CGI script that resets the WAN connectivity of the modem can be called directly from the web server with no authentication. Sending a crafted HTTP GET request to the router via /cgi-bin/AZ_Retrain.cgi will allow an attacker to execute code that could potentially lead to Denial of Service (DoS) attack and may terminate or all established Internet connections in the network.
Proof of Concept for this vulnerability
Send a GET request to the cgi-bin/AZ_Retrain.cgi to reset the WAN connection: http://x.arpa.ph/fjpf/aztech-exploits/azreset.txt
2. The command may be freely executed from any terminal in the network as long as the session of the privilege ID is valid.
Proof of Concept for this vulnerability
1. From computer A, open a web browser and login to the modem/router's web portal using the administrator ID.
2. From computer B, open a terminal session and make a POST request to the router: http://x.arpa.ph/fjpf/aztech-exploits/azpass.txt
3. File and Data Exposure
The router's configuration file contains the hardware information as well as all of the user's credentials. This includes the customer's name and WAN account, the TR-069 credential of the telecom company and the web portal's admin username and password. A malicious attacker can send a direct GET request to the cgi-bin/userromfile.cgi script and download the ROM file. Although the ROM file is a ciphered text, this can be deciphered using a weak substitution technique (ROT 24) which could potentially lead to data exposure.
Proof of Concept for this vulnerability
a. Send a GET request to the router using cgi-bin/userromfile.cgi via curl: http://x.arpa.ph/fjpf/aztech-exploits/azgetconf.txt
b. Decipher the downloaded rommfile.cfg using Caesar cipher.
4. Web Parameter Tampering
Some of the router's restricted and disabled settings can be acquired by checking the hidden fields in forms. Most of these settings can be manipulated by intercepting the data and manipulating the values upon submission. The below example shows how we manipulated the Access Control List in order to enable Telnet in the WAN section of the control panel before submitting the data.
Proof of Concept for this vulnerability
a. Open a web browser and redirect traffic to localhost:8080.
b. Open burb proxy and intercept traffic coming from the browser.
c. Login to the router's web portal and go to the page where the protected values are located.
d. Find the reference to the hidden values in the form and modify it.
e. Submit the request to the router. Refresh the browser to see the modified protected values.
Screenshots: http://x.arpa.ph/fjpf/aztech-exploits/aztech.img.tgz
The following CVE's precedes the above and were found as fixed:
CVE-2008-6588 _ Aztech ADSL2/2+ 4-port router has a default "isp" account with a default "isp" password, which allows remote attackers to obtain access if this default is not changed.
CVE-2008-6554 _ cgi-bin/script in Aztech ADSL2/2+ 4-port router 3.7.0 build 070426 allows remote attackers to execute arbitrary commands via shell metacharacters in the query string.
CVE-2007-4733 _ The Aztech DSL600EU router, when WAN access to the web interface is disabled, does not properly block inbound traffic on TCP port 80, which allows remote attackers to connect to the web interface by guessing a TCP sequence number, possibly involving spoofing of an ARP packet, a related issue to CVE-1999-0077.
Researchers:
Federick Joe Fajardo / fjpfajardo(at)ph.ibm.com, Lorenzo Miguel Flores / floresl(at)ph.ibm.com
| VAR-201409-0550 | CVE-2014-3824 | IVE OS of Juniper Junos Pulse Secure Access Service Device Web Server cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the web server in the Juniper Junos Pulse Secure Access Service (SSL VPN) devices with IVE OS 8.0 before 8.0r6, 7.4 before 7.4r13, and 7.1 before 7.1r20 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Junos Pulse Secure Access Service is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks
| VAR-201409-0549 | CVE-2014-3823 | IVE OS of Juniper Junos Pulse Secure Access Service Vulnerabilities that can cause clickjacking attacks on devices |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The Juniper Junos Pulse Secure Access Service (SSL VPN) devices with IVE OS 8.0 before 8.0r1, 7.4 before 7.4r5, and 7.1 before 7.1r18 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
Successful exploits will allow an attacker to compromise the affected application or obtain sensitive information. Other attacks are also possible. The client supports remote and mobile users to access enterprise resources with various web devices. A remote attacker can exploit this vulnerability to implement clickjacking attacks
| VAR-201412-0395 | CVE-2014-9134 | Huawei Honor Cube WS860S Arbitrary File Upload Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unrestricted file upload vulnerability in Huawei Honor Cube Wireless Router WS860s before V100R001C02B222 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unspecified vectors. Supplementary information : CWE Vulnerability type by CWE-434: Unrestricted Upload of File with Dangerous Type ( Unlimited upload of dangerous types of files ) Has been identified. Huawei Honor Cube WS860S is a wireless router product
| VAR-201410-0935 | CVE-2014-6394 | Node.js for visionmedia send Vulnerable to restricted directory access |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory. Node.js is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to create or overwrite arbitrary files in the context of the application. This may aid in further attacks.
Versions prior to Node.js 0.8.4 are vulnerable. Joyent Node.js is a set of network application platforms built on the Google V8 JavaScript engine by the American Joyent company. The platform is mainly used to build highly scalable applications and write connection code that can handle tens of thousands of connections to a physical machine at the same time. A remote attacker could exploit this vulnerability to access restricted directories. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-09-16-2 Xcode 7.0
Xcode 7.0 is now available and addresses the following:
DevTools
Available for: OS X Yosemite v10.10.4 or later
Impact: An attacker may be able to bypass access restrictions
Description: An API issue existed in the apache configuration. This
issue was addressed by updating header files to use the latest
version.
CVE-ID
CVE-2015-3185 : Branko Aibej of the Apache Software Foundation
IDE Xcode Server
Available for: OS X Yosemite 10.10 or later
Impact: An attacker may be able to access restricted parts of the
filesystem
Description: A comparison issue existed in the node.js send module
prior to version 0.8.4. This issue was addressed by upgrading to
version 0.12.3.
CVE-ID
CVE-2014-6394 : Ilya Kantor
IDE Xcode Server
Available for: OS X Yosemite v10.10.4 or later
Impact: Multiple vulnerabilties in OpenSSL
Description: Multiple vulnerabilties existed in the node.js OpenSSL
module prior to version 1.0.1j. These issues were addressed by
updating openssl to version 1.0.1j.
CVE-ID
CVE-2014-3513
CVE-2014-3566
CVE-2014-3567
CVE-2014-3568
IDE Xcode Server
Available for: OS X Yosemite v10.10.4 or later
Impact: An attacker with a privileged network position may be able
to inspect traffic to Xcode Server
Description: Connections to Xcode Server may have been made without
encryption. This issue was addressed through improved network
connection logic.
CVE-ID
CVE-2015-5910 : an anonymous researcher
IDE Xcode Server
Available for: OS X Yosemite v10.10.4 or later
Impact: Build notifications may be sent to unintended recipients
Description: An access issue existed in the handling of repository
email lists. This issue was addressed through improved validation.
CVE-ID
CVE-2015-5909 : Daniel Tomlinson of Rocket Apps, David Gatwood of
Anchorfree
subversion
Available for: OS X Yosemite v10.10.4 or later
Impact: Multiple vulnerabilities existed in svn versions prior to
1.7.19
Description: Multiple vulnerabilities existed in svn versions prior
to 1.7.19. These issues were addressed by updating svn to version
1.7.20.
CVE-ID
CVE-2015-0248
CVE-2015-0251
Xcode 7.0 may be obtained from:
https://developer.apple.com/xcode/downloads/
To check that the Xcode has been updated:
* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "7.0".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJV+axlAAoJEBcWfLTuOo7tzuMQAJhCQaeClT0rDozh+WlKgM6f
X86xFeXLJ1gjlPKH183Bvm2gTW0m5kQuoNK1grarMB+rEeb8mPsOczwrIJisxVlr
5zkW/7JktHcsBU5vUa4j4T/CEJjp92VPZ4ub3k3eQOrhinn4E86uKcMxrYoQOAE0
YFMSDaPBFy+LIJ08ROB/AH8fkGJMLRCRAp43IGgzNuxCDx9jzW97m1dh86mR1CxP
GdhWRvN7T5YqXyJTw6pZbEHtVXjty8appe2ScvHByCRxa4gZq+/JinHInLjaB4p7
3o58rAWh7lDhcEi3HqkIu0YW6fLslPydCHTI4cH1PCHTuevNjjvK34IqMbD0jG/t
tO+vQFhwXpD5chsSB2oP2zLOWAJ7BA5uwvArkJhGKKzQ5DEI0soLBWG7Koe3RitO
HokIMyx0r+sf4YD+OP4RVPU9bU4FpayXZnECmHzWmK2vguihbIzjxq+Knvx7aiF9
js1Qn0DxT2puVYdhixtkvYKT7r8XRjI8MPLEwS+tX1Yg1Lqhz2G1MR6mO9iBW56L
g5deOuCVc56qeaobuUK0clvdFYtyd5jIXgh0zspZ4ssCbbdCOTZUQaG1mBGkIf3R
JgWTX8ny1Fdk9om3dmZVWUCzzqxJR/tm5M7kjGc425ZGaoBRWLga1VIjNz7MEfKS
YMBNmqt6weEewNqyDMnX
=SGgX
-----END PGP SIGNATURE-----