VARIoT IoT vulnerabilities database
| VAR-201404-0694 | No CVE | ICOMM 610 Wireless Modem Cross-Site Request Forgery Vulnerability |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
The ICOMM 610 Wireless Modem has a cross-site request forgery vulnerability that allows remote attackers to build malicious URIs, entice users to resolve, and perform malicious operations in the target user context. ICOMM Tele ICOMM 610 is a wireless broadband modem (Modem) product from India's ICOMM Tele.
A cross-site request forgery vulnerability exists in ICOMM Tele ICOMM 610 01.01.08.991 and earlier versions. A remote attacker could use this vulnerability to perform unauthorized operations. ICOMM 610 is prone to a cross-site request-forgery vulnerability. This may lead to further attacks.
ICOMM 610 01.01.08.991 and prior are vulnerable
| VAR-202001-1337 | CVE-2014-1409 | MobileIron VSP and Sentry Vulnerability regarding inadequate protection of credentials in |
CVSS V2: 6.4 CVSS V3: 9.1 Severity: CRITICAL |
MobileIron VSP versions prior to 5.9.1 and Sentry versions prior to 5.0 have an authentication bypass vulnerability due to an XML file with obfuscated passwords. MobileIron VSP and Sentry Exists in an inadequate protection of credentials.Information may be obtained. MobileIron VSP and Sentry There is a cryptographic strength vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. MobileIron VSP and Sentry are prone to an XPath-injection weakness.
An attacker can exploit this issue by manipulating the XPath query logic to gain access to sensitive information that may aid in launching further attacks.
MobileIron VSP prior to 5.9.1 and Sentry 5.0 are vulnerable. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Matta Consulting - Matta Advisory
https://www.trustmatta.com
MobileIron Multiple Products
Authentication Bypass Vulnerability
Advisory ID: MATTA-2013-004
CVE reference: CVE-2014-1409, CVE-2013-7286
Affected platforms: VSP and Sentry
Version: VSP < 5.9.1 and Sentry < 5.0
Date: 2013-December-19
Security risk: Critical
Researcher: Nico Leidecker
Vendor Status: Patch released
Vulnerability Disclosure Policy:
https://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt
Permanent URL:
https://www.trustmatta.com/advisories/MATTA-2013-004.txt
=====================================================================
Description:
During an external penetration test exercise for one of our clients,
an authentication bypass vulnerability was found in the
administrative interface of a MobileIron deployment. This ultimately
allowed us to, gain access to our client's internal network.
The 'j_username' parameter of the script at
https://<target>/mics/j_spring_security_check is vulnerable to blind
XPath Injection, allowing an unauthenticated attacker to retrieve the
underlying XML document.
This XML document is an excerpt of the configuration file of the
device. It contains obfuscated passwords and, depending on
configuration, might contain domain credentials and allow the
attacker to reposition both internally and on any of the attached
devices.
This vulnerability has been assigned CVE-2014-1409.
The password obfuscation algorithm is known and has already been
documented [1]... AES-ECB-PKCS1.5 with a known, shared key. While we
won't release a full-featured exploit for the vulnerability, we will
release a PoC to confirm whether the hashes are indeed vulnerable.
The vendor has confirmed that a stronger encryption method is used
since release 5.7.
This vulnerability has been assigned CVE-2013-7286.
[1]
https://www.hackinparis.com/sites/hackinparis.com/files/MDM-HIP_2013.pdf
NB: A second insecure encryption scheme is described in [1], MITRE has
assigned CVE-2013-7287 to that separate vulnerability.
=====================================================================
Base64 encoded script to confirm whether the hash provided is
vulnerable to CVE-2013-7286:
IyEvdXNyL2Jpbi9lbnYgcHl0aG9uCiMKIyAgTW9iaWxlSXJvbiB1c2VzIEFFUy1FQ0ItUEtDUzEu
NSAod2l0aCBhIGtub3duIGtleSkKIyB0byBzdG9yZSBjcmVkZW50aWFscy4uLiBXaGF0IGEgYnJp
bGxpYW50IGlkZWEhCiMKIyBUaGlzIHNjcmlwdCBpcyBhYm91dCBjaGVja2luZyB3aGV0aGVyIHRo
ZSBwcm92aWRlZAojIGhhc2ggaXMgdnVsbmVyYWJsZSB0byBDVkUtMjAxMy03Mjg2IG9yIG5vdC4K
IwojIE5leHRHZW4kIH4gMjAxMwoKaW1wb3J0IHN5cwppbXBvcnQgYmluYXNjaWkKaW1wb3J0IGhh
c2hsaWIKaW1wb3J0IHN0cmluZwpmcm9tIENyeXB0by5DaXBoZXIgaW1wb3J0IEFFUwoKaWYgbGVu
KHN5cy5hcmd2KTwyOiAgICAKIHN5cy5leGl0KCdVc2FnZTogLi9DVkUtMjAxMy03Mjg2LnB5IDxi
YXNlNjRlbmNvZGVkIGJsb2I
+JykKCkJTID0gOAp1bnBhZCA9IGxhbWJkYSBzIDogc1swOi1vcmQo
c1stMV0pXQoKaWYgX19uYW1lX189PSAiX19tYWluX18iOgogICAgIyBHZW5lcmF0ZSB0aGUgbWFz
dGVyIGtleS4uLgogICAgIyBZZXMuIEl0J3Mgbm90IGEgdHlwbyEKICAgIHBocmFzZSA9ICdIYWt1
bmEgbWF0YXRhIHdoYXQgYSB3b2RlcmZ1bCBwaHJhc2UnCiAgICBtID0gaGFzaGxpYi5zaGExKCkK
ICAgIG0udXBkYXRlKHBocmFzZSkKIyBXZSBvbmx5IHdhbnQgdGhlIDE2IGZpcnN0IGJ5dGVzICgx
MjhiaXQga2V5LCAxNjBiaXQgaGFzaCBmdW5jdGlvbikKICAgIGtleSA9IG0uZGlnZXN0KClbOjE2
XQogICAgY2lwaGVydGV4dCA9IGJpbmFzY2lpLmEyYl9iYXNlNjQoc3lzLmFyZ3ZbMV0pCiAgICBj
aXBoZXIgPSBBRVMubmV3KGtleSwgQUVTLk1PREVfRUNCKSAKICAgIHBsYWludGV4dCA9IHVucGFk
KGNpcGhlci5kZWNyeXB0KGNpcGhlcnRleHQpKQogICAgdnVsbmVyYWJsZSA9IGxlbihwbGFpbnRl
eHQpID4gMCBhbmQgYWxsKGMgaW4gc3RyaW5nLnByaW50YWJsZSBmb3IgYyBpbiBwbGFpbnRleHQp
CiAgICBwcmludCAnJXNWVUxORVJBQkxFIFRPIENWRS0yMDEzLTcyODYnICUgKCcnIGlmIHZ1bG5l
cmFibGUgZWxzZSAnTk9UICcpCg==
=====================================================================
Impact
Successful exploitation allows an unauthenticated attacker to take
over the device and potentially any device attached to it as well
as the Active Directory Domain it might be linked to.
=====================================================================
Versions affected:
- - Sentry Standalone < 5
- - VSP < 5.9.1
=====================================================================
Workaround:
Restrict access to the MICS service (administrative interface) to
specific hosts:
MICS Portal -> Security -> Portal ACLs -> System Manager Portal ACL
=====================================================================
Credits
This vulnerability was discovered by Nico Leidecker from Matta
Consulting.
=====================================================================
History
19-12-13 initial discovery
30-12-13 client has mitigated the vulnerability
30-12-13 initial attempt to contact the vendor
30-12-13 reply from the vendor
31-12-13 a draft of this advisory is sent to the vendor
03-01-14 vendor can't reproduce / ask for more details
03-01-14 more details are sent
07-01-14 vendor recognize that there is a bug but dissmisses it as a
security vulnerability
07-01-14 more details are sent
14-01-14 a week lapsed, no reply... we chase it up
14-01-14 vendor reply: they're working on a response
15-01-14 vendor respond: reclassify the bug as a security issue,
indicate that they indend on fixing the bug in the Q1 release,
provide a workaround and ask for us to hold on releasing the
advisory until the release is published
15-01-14 we agree to a deadline extension, send the CVEs MITRE has
assigned
...
19-02-14 vendor release 5.9.1 (but doesn't let us know)
...
31-03-14 vendor indicate that the release of VSP 6 is delayed but
the bugs have been fixed in 5.9.1
02-04-14 release of this advisory
=====================================================================
About Matta
Matta is a privately held company with Headquarters in London, and a
European office in Amsterdam. Established in 2001, Matta operates
in Europe, Asia, the Middle East and North America using a respected
team of senior consultants. Matta is an accredited provider of
Tiger Scheme training and conducts regular research.
https://www.trustmatta.com
https://www.trustmatta.com/training.html
https://www.trustmatta.com/network-penetration-testing.html
https://www.trustmatta.com/vulnerability-assessment.html
=====================================================================
Disclaimer and Copyright
Copyright (c) 2014 Matta Consulting Limited. All rights reserved.
This advisory may be distributed as long as its distribution is
free-of-charge and proper credit is given.
The information provided in this advisory is provided "as is" without
warranty of any kind. Matta Consulting disclaims all warranties,
either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event
shall Matta Consulting or its suppliers be liable for any damages
whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if Matta
Consulting or its suppliers have been advised of the possibility
of such damages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCAAGBQJTO/cTAAoJELJDQjn66kB28ysIAILzCnK9mifpyjswSKOJPzUi
EgcexJdVIjWZf32gLi202YCHJkiIXNGfG390HrWMQZZWU2l+lEb4cMb4NH8xsjzg
06GbBnrRzBcE35dhO3C0aHuPFh7MRQzbRM4mVyPg1ViUlM7Lb9kQBoD6xdS4gZ09
SaNAdm44WrvGiFAO8yuT56cjHZ1ZYfr+iHQjxY7UIrvmzKKSvMnvv13Fy2CIrRPe
zk7QLfyxszbR/eo+HOroNhHAPnfl8Mu0Y/1ihFTJF96irCPuejR7v9WzqlJxRfZB
ZQJCKnz1c9cCDPxNY9GliBKT0FlkLX+IOVP/TF40jT7Zk6f+cWgOXcghlgnyunA=
=XxBr
-----END PGP SIGNATURE-----
| VAR-202002-0803 | CVE-2013-7286 | MobileIron VSP and Sentry Vulnerability regarding inadequate protection of credentials in |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
MobileIron VSP < 5.9.1 and Sentry < 5.0 has a weak password obfuscation algorithm. MobileIron VSP and Sentry Exists in an inadequate protection of credentials.Information may be obtained. The MobileIron Virtual Smartphone Platform (VSP) and Sentry are products of MobileIron. VSP is a virtual smartphone platform. Sentry is a smart gateway product. An attacker could exploit the vulnerability to view encrypted data for sensitive information. MobileIron VSP and Sentry are prone to a security weakness that may allow attackers to obtain sensitive information. This may lead to other attacks.
MobileIron VSP prior to 5.9.1 and Sentry 5.0 are vulnerable. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Matta Consulting - Matta Advisory
https://www.trustmatta.com
MobileIron Multiple Products
Authentication Bypass Vulnerability
Advisory ID: MATTA-2013-004
CVE reference: CVE-2014-1409, CVE-2013-7286
Affected platforms: VSP and Sentry
Version: VSP < 5.9.1 and Sentry < 5.0
Date: 2013-December-19
Security risk: Critical
Researcher: Nico Leidecker
Vendor Status: Patch released
Vulnerability Disclosure Policy:
https://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt
Permanent URL:
https://www.trustmatta.com/advisories/MATTA-2013-004.txt
=====================================================================
Description:
During an external penetration test exercise for one of our clients,
an authentication bypass vulnerability was found in the
administrative interface of a MobileIron deployment. This ultimately
allowed us to, gain access to our client's internal network.
The 'j_username' parameter of the script at
https://<target>/mics/j_spring_security_check is vulnerable to blind
XPath Injection, allowing an unauthenticated attacker to retrieve the
underlying XML document.
This XML document is an excerpt of the configuration file of the
device. It contains obfuscated passwords and, depending on
configuration, might contain domain credentials and allow the
attacker to reposition both internally and on any of the attached
devices.
This vulnerability has been assigned CVE-2014-1409. AES-ECB-PKCS1.5 with a known, shared key. While we
won't release a full-featured exploit for the vulnerability, we will
release a PoC to confirm whether the hashes are indeed vulnerable.
The vendor has confirmed that a stronger encryption method is used
since release 5.7.
This vulnerability has been assigned CVE-2013-7286.
[1]
https://www.hackinparis.com/sites/hackinparis.com/files/MDM-HIP_2013.pdf
NB: A second insecure encryption scheme is described in [1], MITRE has
assigned CVE-2013-7287 to that separate vulnerability.
=====================================================================
Base64 encoded script to confirm whether the hash provided is
vulnerable to CVE-2013-7286:
IyEvdXNyL2Jpbi9lbnYgcHl0aG9uCiMKIyAgTW9iaWxlSXJvbiB1c2VzIEFFUy1FQ0ItUEtDUzEu
NSAod2l0aCBhIGtub3duIGtleSkKIyB0byBzdG9yZSBjcmVkZW50aWFscy4uLiBXaGF0IGEgYnJp
bGxpYW50IGlkZWEhCiMKIyBUaGlzIHNjcmlwdCBpcyBhYm91dCBjaGVja2luZyB3aGV0aGVyIHRo
ZSBwcm92aWRlZAojIGhhc2ggaXMgdnVsbmVyYWJsZSB0byBDVkUtMjAxMy03Mjg2IG9yIG5vdC4K
IwojIE5leHRHZW4kIH4gMjAxMwoKaW1wb3J0IHN5cwppbXBvcnQgYmluYXNjaWkKaW1wb3J0IGhh
c2hsaWIKaW1wb3J0IHN0cmluZwpmcm9tIENyeXB0by5DaXBoZXIgaW1wb3J0IEFFUwoKaWYgbGVu
KHN5cy5hcmd2KTwyOiAgICAKIHN5cy5leGl0KCdVc2FnZTogLi9DVkUtMjAxMy03Mjg2LnB5IDxi
YXNlNjRlbmNvZGVkIGJsb2I
+JykKCkJTID0gOAp1bnBhZCA9IGxhbWJkYSBzIDogc1swOi1vcmQo
c1stMV0pXQoKaWYgX19uYW1lX189PSAiX19tYWluX18iOgogICAgIyBHZW5lcmF0ZSB0aGUgbWFz
dGVyIGtleS4uLgogICAgIyBZZXMuIEl0J3Mgbm90IGEgdHlwbyEKICAgIHBocmFzZSA9ICdIYWt1
bmEgbWF0YXRhIHdoYXQgYSB3b2RlcmZ1bCBwaHJhc2UnCiAgICBtID0gaGFzaGxpYi5zaGExKCkK
ICAgIG0udXBkYXRlKHBocmFzZSkKIyBXZSBvbmx5IHdhbnQgdGhlIDE2IGZpcnN0IGJ5dGVzICgx
MjhiaXQga2V5LCAxNjBiaXQgaGFzaCBmdW5jdGlvbikKICAgIGtleSA9IG0uZGlnZXN0KClbOjE2
XQogICAgY2lwaGVydGV4dCA9IGJpbmFzY2lpLmEyYl9iYXNlNjQoc3lzLmFyZ3ZbMV0pCiAgICBj
aXBoZXIgPSBBRVMubmV3KGtleSwgQUVTLk1PREVfRUNCKSAKICAgIHBsYWludGV4dCA9IHVucGFk
KGNpcGhlci5kZWNyeXB0KGNpcGhlcnRleHQpKQogICAgdnVsbmVyYWJsZSA9IGxlbihwbGFpbnRl
eHQpID4gMCBhbmQgYWxsKGMgaW4gc3RyaW5nLnByaW50YWJsZSBmb3IgYyBpbiBwbGFpbnRleHQp
CiAgICBwcmludCAnJXNWVUxORVJBQkxFIFRPIENWRS0yMDEzLTcyODYnICUgKCcnIGlmIHZ1bG5l
cmFibGUgZWxzZSAnTk9UICcpCg==
=====================================================================
Impact
Successful exploitation allows an unauthenticated attacker to take
over the device and potentially any device attached to it as well
as the Active Directory Domain it might be linked to.
=====================================================================
Versions affected:
- - Sentry Standalone < 5
- - VSP < 5.9.1
=====================================================================
Workaround:
Restrict access to the MICS service (administrative interface) to
specific hosts:
MICS Portal -> Security -> Portal ACLs -> System Manager Portal ACL
=====================================================================
Credits
This vulnerability was discovered by Nico Leidecker from Matta
Consulting.
=====================================================================
History
19-12-13 initial discovery
30-12-13 client has mitigated the vulnerability
30-12-13 initial attempt to contact the vendor
30-12-13 reply from the vendor
31-12-13 a draft of this advisory is sent to the vendor
03-01-14 vendor can't reproduce / ask for more details
03-01-14 more details are sent
07-01-14 vendor recognize that there is a bug but dissmisses it as a
security vulnerability
07-01-14 more details are sent
14-01-14 a week lapsed, no reply... we chase it up
14-01-14 vendor reply: they're working on a response
15-01-14 vendor respond: reclassify the bug as a security issue,
indicate that they indend on fixing the bug in the Q1 release,
provide a workaround and ask for us to hold on releasing the
advisory until the release is published
15-01-14 we agree to a deadline extension, send the CVEs MITRE has
assigned
...
19-02-14 vendor release 5.9.1 (but doesn't let us know)
...
31-03-14 vendor indicate that the release of VSP 6 is delayed but
the bugs have been fixed in 5.9.1
02-04-14 release of this advisory
=====================================================================
About Matta
Matta is a privately held company with Headquarters in London, and a
European office in Amsterdam. Established in 2001, Matta operates
in Europe, Asia, the Middle East and North America using a respected
team of senior consultants. Matta is an accredited provider of
Tiger Scheme training and conducts regular research.
https://www.trustmatta.com
https://www.trustmatta.com/training.html
https://www.trustmatta.com/network-penetration-testing.html
https://www.trustmatta.com/vulnerability-assessment.html
=====================================================================
Disclaimer and Copyright
Copyright (c) 2014 Matta Consulting Limited. All rights reserved.
This advisory may be distributed as long as its distribution is
free-of-charge and proper credit is given.
The information provided in this advisory is provided "as is" without
warranty of any kind. Matta Consulting disclaims all warranties,
either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event
shall Matta Consulting or its suppliers be liable for any damages
whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if Matta
Consulting or its suppliers have been advised of the possibility
of such damages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCAAGBQJTO/cTAAoJELJDQjn66kB28ysIAILzCnK9mifpyjswSKOJPzUi
EgcexJdVIjWZf32gLi202YCHJkiIXNGfG390HrWMQZZWU2l+lEb4cMb4NH8xsjzg
06GbBnrRzBcE35dhO3C0aHuPFh7MRQzbRM4mVyPg1ViUlM7Lb9kQBoD6xdS4gZ09
SaNAdm44WrvGiFAO8yuT56cjHZ1ZYfr+iHQjxY7UIrvmzKKSvMnvv13Fy2CIrRPe
zk7QLfyxszbR/eo+HOroNhHAPnfl8Mu0Y/1ihFTJF96irCPuejR7v9WzqlJxRfZB
ZQJCKnz1c9cCDPxNY9GliBKT0FlkLX+IOVP/TF40jT7Zk6f+cWgOXcghlgnyunA=
=XxBr
-----END PGP SIGNATURE-----
| VAR-202003-1221 | CVE-2014-2721 | plural FortiBalancer Inappropriate default permissions in the product |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using SSH. The vulnerability is caused by a configuration error, and is not the result of an underlying SSH defect. plural FortiBalancer The product contains a vulnerability related to improper default permissions.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. The FortiBalancer Series is an application delivery controller device. FortiBalancer is prone to a security-bypass vulnerability. This may lead to further attacks.
FortiBalancer 400, 1000, 2000, and 3000 are vulnerable
| VAR-201404-0221 | CVE-2014-1302 | Apple Safari Used in etc. WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. Apple Safari Used in etc. WebKit is prone to an unspecified memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. A security vulnerability exists in WebKit used in Apple Safari versions 6.1.2 and prior and 7.x prior to 7.0.3 due to the program not properly validating WebProcess IPC messages. A remote attacker can use the WebProcess access permission to exploit this vulnerability to bypass the sandbox protection mechanism and read arbitrary files.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-04-22-2 iOS 7.1.1
iOS 7.1.1 is now available and addresses the following:
CFNetwork HTTPProtocol
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position can obtain web
site credentials
Description: Set-Cookie HTTP headers would be processed even if the
connection closed before the header line was complete. An attacker
could strip security settings from the cookie by forcing the
connection to close before the security settings were sent, and then
obtain the value of the unprotected cookie. This issue was addressed
by ignoring incomplete HTTP header lines.
CVE-ID
CVE-2014-1296 : Antoine Delignat-Lavaud of Prosecco at Inria Paris
IOKit Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user can read kernel pointers, which can be used to
bypass kernel address space layout randomization
Description: A set of kernel pointers stored in an IOKit object
could be retrieved from userland. This issue was addressed through
removing the pointers from the object.
CVE-ID
CVE-2014-1320 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
Security - Secure Transport
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may capture
data or change the operations performed in sessions protected by SSL
Description: In a 'triple handshake' attack, it was possible for an
attacker to establish two connections which had the same encryption
keys and handshake, insert the attacker's data in one connection, and
renegotiate so that the connections may be forwarded to each other.
To prevent attacks based on this scenario, Secure Transport was
changed so that, by default, a renegotiation must present the same
server certificate as was presented in the original connection.
CVE-ID
CVE-2014-1295 : Antoine Delignat-Lavaud, Karthikeyan Bhargavan and
Alfredo Pironti of Prosecco at Inria Paris
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2871 : miaubiz
CVE-2014-1298 : Google Chrome Security Team
CVE-2014-1299 : Google Chrome Security Team, Apple, Renata Hodovan of
University of Szeged / Samsung Electronics
CVE-2014-1300 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
CVE-2014-1302 : Google Chrome Security Team, Apple
CVE-2014-1303 : KeenTeam working with HP's Zero Day Initiative
CVE-2014-1304 : Apple
CVE-2014-1305 : Apple
CVE-2014-1307 : Google Chrome Security Team
CVE-2014-1308 : Google Chrome Security Team
CVE-2014-1309 : cloudfuzzer
CVE-2014-1310 : Google Chrome Security Team
CVE-2014-1311 : Google Chrome Security Team
CVE-2014-1312 : Google Chrome Security Team
CVE-2014-1313 : Google Chrome Security Team
CVE-2014-1713 : VUPEN working with HP's Zero Day Initiative
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.1.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJTVet5AAoJEPefwLHPlZEwx3YP/iL/NwYn7T1q1ezvAVHQ6T3F
9X+ylJYZ+Ago+ij0wdzlDNJfVLPPbWde3biss6p10zDtLHHJK1jOQJLcZOBHtABG
7+OjIxFw5ZZCmWfOkF/GkfL/kBZllN0GuDCb7v4DVUf6GQPtWBsszQ9pre9Peotx
TZOHxpPd2TBdz1GkLoFSd4I2yXIT5uIkRfvv9vgDXeNihDMlrJdq8ZBSlfKt+eXT
kQ3+hGW2knT7np3BdWPQgqo9+YIfcAXN4Rnj0rPXVzzeKwpUrVjLwJgivecwhB7w
mF+AWfH5oajw+ANzMeFm/DirlAADcM5LgdxtHnXH2Xh1NV5tOCSnaYWyFK4Nadex
rVEWTOW4VxSb881dOikwY182kBlpaMjVgpvb04GA5zMAW+MtS7o4hj/H6ywGe7zm
t7ZdyAo7i3QRFwBGEcJw1KjyTWnP1ILuBC9dekek+3DmxRAeQuBsrbPz2cxXPf9V
jlvnxwiRzc/VqgAIyhCtgj0S3sEAMxnVXYSrbZpTpi1ZifiTriyyX291mS8xZBcF
LZaNUzusQnEkyE+iGODKi+OPvgUnACIK8gWjMIDbwX99Fmd3LXU1fTpvdlkeuDBS
LKBvZQs0JyYqOxkhU7PsRI6WN1F2nQHuMnb0mlFruejTrRbgyHxvMK6lpVP0nMoK
Av6eIuVxA8q9Lm6TCh+h
=ilSw
-----END PGP SIGNATURE-----
| VAR-201404-0220 | CVE-2014-1301 | Apple Safari Used in etc. WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. Apple Safari Used in etc. WebKit is prone to an unspecified memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-04-01-1 Safari 6.1.3 and Safari 7.0.3
Safari 6.1.3 and Safari 7.0.3 are now available and address the
following:
WebKit
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2871 : miaubiz
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-6625 : cloudfuzzer
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day
Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team
CVE-2014-1298 : Google Chrome Security Team
CVE-2014-1299 : Google Chrome Security Team, Apple, Renata Hodovan of
University of Szeged / Samsung Electronics
CVE-2014-1300 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
CVE-2014-1301 : Google Chrome Security Team
CVE-2014-1302 : Google Chrome Security Team, Apple
CVE-2014-1303 : KeenTeam working with HP's Zero Day Initiative
CVE-2014-1304 : Apple
CVE-2014-1305 : Apple
CVE-2014-1307 : Google Chrome Security Team
CVE-2014-1308 : Google Chrome Security Team
CVE-2014-1309 : cloudfuzzer
CVE-2014-1310 : Google Chrome Security Team
CVE-2014-1311 : Google Chrome Security Team
CVE-2014-1312 : Google Chrome Security Team
CVE-2014-1313 : Google Chrome Security Team
CVE-2014-1713 : VUPEN working with HP's Zero Day Initiative
WebKit
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact: An attacker running arbitary code in the WebProcess may be
able to read arbitrary files despite sandbox restrictions
Description: A logic issue existed in the handling of IPC messages
from the WebProcess. This issue was addressed through additional
validation of IPC messages.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJTOwlLAAoJEPefwLHPlZEwmPYP/AoGVbrVVEQfbWZ/OMER6jCR
bDN4ykWdExJFRKr972tsirke9mLrDX1Flqg3jYpqrna6lWsZxk1wA/IXy4TRG97O
mpA75r7853lCJ482h5XImTdv6wWqMfTTNR1YzsK+TCLZA3sDlByQ4yshwGWhOf1Q
nY+hPpaC05PEmPeNKMWw6PA9IgA9e84uy0b/3+c2acOUZ9aAYEXmydPySY+5uYLa
ecXjvee83LVTu8Pq2/C9yCJ1kI1EMix6Q3CTb2Cv/Dtgu1q7rZMG7qKieFpMKO2J
xM7RYm1qPNlZ4hf+ZPX+D4+k6g2sZMqYdocdG1qXubk8m314CinHajdsZH9jXDHO
01gnYeMRp2IUBJlClQ7mPyIveJqJV9XpzvMTciuTVEuhzWhMaazzly8dp+8NCu4Q
QShPJKqAq16ACJqqOarwo8xaSumZ3UcKhVrD0Gxo1/dhzO1Hy52yo7WrWLaOVH89
bXPeVMfYIF0V9xysbixNmBIEro0mYDuor/XlXBFicZAjmyGEVE04K4UjenMeDoYO
/1A2zaVyM9MD50y+X/rFErtz2cj7uNcZ1XSNqPdGameoti5WvvoRbKs/D/H7E8bX
p8JDoVJoy46fOBfwNv6eaQYTGYzgtdoEtmTKL3zDauQC1bxI1Jwtma07S97D2SyJ
urMcI/V2h8JnGD4sS/7L
=kHuK
-----END PGP SIGNATURE-----
| VAR-201404-0217 | CVE-2014-1297 | Apple Safari Used in etc. WebKit Vulnerabilities that bypass the sandbox protection mechanism |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, does not properly validate WebProcess IPC messages, which allows remote attackers to bypass a sandbox protection mechanism and read arbitrary files by leveraging WebProcess access. Apple Safari Used in etc. WebKit is prone to an unspecified security-bypass vulnerability. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-04-01-1 Safari 6.1.3 and Safari 7.0.3
Safari 6.1.3 and Safari 7.0.3 are now available and address the
following:
WebKit
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling. This issue was addressed through additional
validation of IPC messages.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJTOwlLAAoJEPefwLHPlZEwmPYP/AoGVbrVVEQfbWZ/OMER6jCR
bDN4ykWdExJFRKr972tsirke9mLrDX1Flqg3jYpqrna6lWsZxk1wA/IXy4TRG97O
mpA75r7853lCJ482h5XImTdv6wWqMfTTNR1YzsK+TCLZA3sDlByQ4yshwGWhOf1Q
nY+hPpaC05PEmPeNKMWw6PA9IgA9e84uy0b/3+c2acOUZ9aAYEXmydPySY+5uYLa
ecXjvee83LVTu8Pq2/C9yCJ1kI1EMix6Q3CTb2Cv/Dtgu1q7rZMG7qKieFpMKO2J
xM7RYm1qPNlZ4hf+ZPX+D4+k6g2sZMqYdocdG1qXubk8m314CinHajdsZH9jXDHO
01gnYeMRp2IUBJlClQ7mPyIveJqJV9XpzvMTciuTVEuhzWhMaazzly8dp+8NCu4Q
QShPJKqAq16ACJqqOarwo8xaSumZ3UcKhVrD0Gxo1/dhzO1Hy52yo7WrWLaOVH89
bXPeVMfYIF0V9xysbixNmBIEro0mYDuor/XlXBFicZAjmyGEVE04K4UjenMeDoYO
/1A2zaVyM9MD50y+X/rFErtz2cj7uNcZ1XSNqPdGameoti5WvvoRbKs/D/H7E8bX
p8JDoVJoy46fOBfwNv6eaQYTGYzgtdoEtmTKL3zDauQC1bxI1Jwtma07S97D2SyJ
urMcI/V2h8JnGD4sS/7L
=kHuK
-----END PGP SIGNATURE-----
. ------------------------------------------------------------------------
WebKitGTK+ Security Advisory WSA-2015-0001
------------------------------------------------------------------------
Date reported : January 26, 2015
Advisory ID : WSA-2015-0001
Advisory URL : http://webkitgtk.org/security/WSA-2015-0001.html
Affected versions : 2.4 series before 2.4.1, 2.4.2 and 2.4.8.
CVE identifiers : CVE-2013-2871, CVE-2014-1292, CVE-2014-1298,
CVE-2014-1299, CVE-2014-1300, CVE-2014-1303,
CVE-2014-1304, CVE-2014-1305, CVE-2014-1307,
CVE-2014-1308, CVE-2014-1309, CVE-2014-1311,
CVE-2014-1313, CVE-2014-1713, CVE-2014-1297,
CVE-2013-2875, CVE-2013-2927, CVE-2014-1323,
CVE-2014-1326, CVE-2014-1329, CVE-2014-1330,
CVE-2014-1331, CVE-2014-1333, CVE-2014-1334,
CVE-2014-1335, CVE-2014-1336, CVE-2014-1337,
CVE-2014-1338, CVE-2014-1339, CVE-2014-1341,
CVE-2014-1342, CVE-2014-1343, CVE-2014-1731,
CVE-2014-1346, CVE-2014-1344, CVE-2014-1384,
CVE-2014-1385, CVE-2014-1387, CVE-2014-1388,
CVE-2014-1389, CVE-2014-1390.
Several vulnerabilities were discovered on the 2.4 stable series of
WebKitGTK+.
CVE-2013-2871
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to miaubiz.
Use-after-free vulnerability in Google Chrome before 28.0.1500.71
allows remote attackers to cause a denial of service or possibly
have unspecified other impact via vectors related to the handling of
input.
CVE-2014-1292
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1,
allows remote attackers to execute arbitrary code or cause a denial
of service (memory corruption and application crash) via a crafted
web site, a different vulnerability than CVE-2014-1289,
CVE-2014-1290, CVE-2014-1291, CVE-2014-1293, and CVE-2014-1294.
CVE-2014-1298
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1299
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team, Apple, Renata Hodovan of
University of Szeged / Samsung Electronics.
CVE-2014-1300
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero working with HP's Zero Day
Initiative.
CVE-2014-1303
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to KeenTeam working with HP's Zero Day Initiative.
CVE-2014-1304
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1305
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1307
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1308
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1309
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to cloudfuzzer.
CVE-2014-1311
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1313
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1713
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to VUPEN working with HP's Zero Day Initiative.
Use-after-free vulnerability in the AttributeSetter function in
bindings/templates/attributes.cpp in the bindings in Blink, as used
in Google Chrome before 33.0.1750.152 on OS X and Linux and before
33.0.1750.154 on Windows, allows remote attackers to cause a denial
of service or possibly have unspecified other impact via vectors
involving the document.location value.
CVE-2014-1297
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero.
CVE-2013-2875
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to miaubiz.
core/rendering/svg/SVGInlineTextBox.cpp in the SVG implementation in
Blink, as used in Google Chrome before 28.0.1500.71, allows remote
attackers to cause a denial of service (out-of-bounds read) via
unspecified vectors.
CVE-2013-2927
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
Use-after-free vulnerability in the
HTMLFormElement::prepareForSubmission function in
core/html/HTMLFormElement.cpp in Blink, as used in Google Chrome
before 30.0.1599.101, allows remote attackers to cause a denial of
service or possibly have unspecified other impact via vectors
related to submission for FORM elements.
CVE-2014-1323
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to banty.
CVE-2014-1326
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1329
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1330
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1331
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1333
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1334
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1335
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1336
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1337
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1338
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1339
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Atte Kettunen of OUSPG.
CVE-2014-1341
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1342
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1343
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1731
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to an anonymous member of the Blink development community.
core/html/HTMLSelectElement.cpp in the DOM implementation in Blink,
as used in Google Chrome before 34.0.1847.131 on Windows and OS X
and before 34.0.1847.132 on Linux, does not properly check renderer
state upon a focus event, which allows remote attackers to cause a
denial of service or possibly have unspecified other impact via
vectors that leverage "type confusion" for SELECT elements.
CVE-2014-1346
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Erling Ellingsen of Facebook.
CVE-2014-1344
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Ian Beer of Google Project Zero.
CVE-2014-1384
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1385
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1387
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Google Chrome Security Team.
CVE-2014-1388
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1389
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1390
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
For the 2.4 series, these problems have been fixed in release 2.4.8.
Further information about WebKitGTK+ Security Advisories can be found
at: http://webkitgtk.org/security.html
The WebKitGTK+ team,
January 26, 2015
| VAR-201404-0223 | CVE-2014-1305 | Apple Safari Used in etc. WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. Apple Safari Used in etc. WebKit is prone to an unspecified memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application. ------------------------------------------------------------------------
WebKitGTK+ Security Advisory WSA-2015-0001
------------------------------------------------------------------------
Date reported : January 26, 2015
Advisory ID : WSA-2015-0001
Advisory URL : http://webkitgtk.org/security/WSA-2015-0001.html
Affected versions : 2.4 series before 2.4.1, 2.4.2 and 2.4.8.
CVE identifiers : CVE-2013-2871, CVE-2014-1292, CVE-2014-1298,
CVE-2014-1299, CVE-2014-1300, CVE-2014-1303,
CVE-2014-1304, CVE-2014-1305, CVE-2014-1307,
CVE-2014-1308, CVE-2014-1309, CVE-2014-1311,
CVE-2014-1313, CVE-2014-1713, CVE-2014-1297,
CVE-2013-2875, CVE-2013-2927, CVE-2014-1323,
CVE-2014-1326, CVE-2014-1329, CVE-2014-1330,
CVE-2014-1331, CVE-2014-1333, CVE-2014-1334,
CVE-2014-1335, CVE-2014-1336, CVE-2014-1337,
CVE-2014-1338, CVE-2014-1339, CVE-2014-1341,
CVE-2014-1342, CVE-2014-1343, CVE-2014-1731,
CVE-2014-1346, CVE-2014-1344, CVE-2014-1384,
CVE-2014-1385, CVE-2014-1387, CVE-2014-1388,
CVE-2014-1389, CVE-2014-1390.
Several vulnerabilities were discovered on the 2.4 stable series of
WebKitGTK+.
CVE-2013-2871
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to miaubiz.
CVE-2014-1292
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1298
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1299
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team, Apple, Renata Hodovan of
University of Szeged / Samsung Electronics.
CVE-2014-1300
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero working with HP's Zero Day
Initiative.
CVE-2014-1303
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to KeenTeam working with HP's Zero Day Initiative.
CVE-2014-1304
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1305
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1307
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1308
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1309
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to cloudfuzzer.
CVE-2014-1311
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1313
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1713
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to VUPEN working with HP's Zero Day Initiative.
CVE-2014-1297
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero.
CVE-2013-2875
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to miaubiz.
core/rendering/svg/SVGInlineTextBox.cpp in the SVG implementation in
Blink, as used in Google Chrome before 28.0.1500.71, allows remote
attackers to cause a denial of service (out-of-bounds read) via
unspecified vectors.
CVE-2013-2927
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1323
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to banty.
CVE-2014-1326
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1329
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1330
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1331
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1333
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1334
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1335
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1336
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1337
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1338
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1339
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Atte Kettunen of OUSPG.
CVE-2014-1341
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1342
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1343
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1731
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to an anonymous member of the Blink development community.
core/html/HTMLSelectElement.cpp in the DOM implementation in Blink,
as used in Google Chrome before 34.0.1847.131 on Windows and OS X
and before 34.0.1847.132 on Linux, does not properly check renderer
state upon a focus event, which allows remote attackers to cause a
denial of service or possibly have unspecified other impact via
vectors that leverage "type confusion" for SELECT elements.
CVE-2014-1346
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Erling Ellingsen of Facebook.
CVE-2014-1344
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Ian Beer of Google Project Zero.
CVE-2014-1384
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1385
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1387
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Google Chrome Security Team.
CVE-2014-1388
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1389
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1390
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
For the 2.4 series, these problems have been fixed in release 2.4.8.
Further information about WebKitGTK+ Security Advisories can be found
at: http://webkitgtk.org/security.html
The WebKitGTK+ team,
January 26, 2015
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-04-22-2 iOS 7.1.1
iOS 7.1.1 is now available and addresses the following:
CFNetwork HTTPProtocol
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position can obtain web
site credentials
Description: Set-Cookie HTTP headers would be processed even if the
connection closed before the header line was complete. An attacker
could strip security settings from the cookie by forcing the
connection to close before the security settings were sent, and then
obtain the value of the unprotected cookie. This issue was addressed
by ignoring incomplete HTTP header lines.
CVE-ID
CVE-2014-1296 : Antoine Delignat-Lavaud of Prosecco at Inria Paris
IOKit Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user can read kernel pointers, which can be used to
bypass kernel address space layout randomization
Description: A set of kernel pointers stored in an IOKit object
could be retrieved from userland. This issue was addressed through
removing the pointers from the object.
CVE-ID
CVE-2014-1320 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
Security - Secure Transport
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may capture
data or change the operations performed in sessions protected by SSL
Description: In a 'triple handshake' attack, it was possible for an
attacker to establish two connections which had the same encryption
keys and handshake, insert the attacker's data in one connection, and
renegotiate so that the connections may be forwarded to each other.
To prevent attacks based on this scenario, Secure Transport was
changed so that, by default, a renegotiation must present the same
server certificate as was presented in the original connection.
CVE-ID
CVE-2014-1295 : Antoine Delignat-Lavaud, Karthikeyan Bhargavan and
Alfredo Pironti of Prosecco at Inria Paris
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.1.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJTVet5AAoJEPefwLHPlZEwx3YP/iL/NwYn7T1q1ezvAVHQ6T3F
9X+ylJYZ+Ago+ij0wdzlDNJfVLPPbWde3biss6p10zDtLHHJK1jOQJLcZOBHtABG
7+OjIxFw5ZZCmWfOkF/GkfL/kBZllN0GuDCb7v4DVUf6GQPtWBsszQ9pre9Peotx
TZOHxpPd2TBdz1GkLoFSd4I2yXIT5uIkRfvv9vgDXeNihDMlrJdq8ZBSlfKt+eXT
kQ3+hGW2knT7np3BdWPQgqo9+YIfcAXN4Rnj0rPXVzzeKwpUrVjLwJgivecwhB7w
mF+AWfH5oajw+ANzMeFm/DirlAADcM5LgdxtHnXH2Xh1NV5tOCSnaYWyFK4Nadex
rVEWTOW4VxSb881dOikwY182kBlpaMjVgpvb04GA5zMAW+MtS7o4hj/H6ywGe7zm
t7ZdyAo7i3QRFwBGEcJw1KjyTWnP1ILuBC9dekek+3DmxRAeQuBsrbPz2cxXPf9V
jlvnxwiRzc/VqgAIyhCtgj0S3sEAMxnVXYSrbZpTpi1ZifiTriyyX291mS8xZBcF
LZaNUzusQnEkyE+iGODKi+OPvgUnACIK8gWjMIDbwX99Fmd3LXU1fTpvdlkeuDBS
LKBvZQs0JyYqOxkhU7PsRI6WN1F2nQHuMnb0mlFruejTrRbgyHxvMK6lpVP0nMoK
Av6eIuVxA8q9Lm6TCh+h
=ilSw
-----END PGP SIGNATURE-----
| VAR-201404-0205 | CVE-2014-1312 | Apple Safari Used in etc. WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. Apple Safari Used in etc. WebKit is prone to an unspecified memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-04-22-2 iOS 7.1.1
iOS 7.1.1 is now available and addresses the following:
CFNetwork HTTPProtocol
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position can obtain web
site credentials
Description: Set-Cookie HTTP headers would be processed even if the
connection closed before the header line was complete. An attacker
could strip security settings from the cookie by forcing the
connection to close before the security settings were sent, and then
obtain the value of the unprotected cookie. This issue was addressed
by ignoring incomplete HTTP header lines.
CVE-ID
CVE-2014-1296 : Antoine Delignat-Lavaud of Prosecco at Inria Paris
IOKit Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user can read kernel pointers, which can be used to
bypass kernel address space layout randomization
Description: A set of kernel pointers stored in an IOKit object
could be retrieved from userland. This issue was addressed through
removing the pointers from the object.
CVE-ID
CVE-2014-1320 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
Security - Secure Transport
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may capture
data or change the operations performed in sessions protected by SSL
Description: In a 'triple handshake' attack, it was possible for an
attacker to establish two connections which had the same encryption
keys and handshake, insert the attacker's data in one connection, and
renegotiate so that the connections may be forwarded to each other.
To prevent attacks based on this scenario, Secure Transport was
changed so that, by default, a renegotiation must present the same
server certificate as was presented in the original connection.
CVE-ID
CVE-2014-1295 : Antoine Delignat-Lavaud, Karthikeyan Bhargavan and
Alfredo Pironti of Prosecco at Inria Paris
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2871 : miaubiz
CVE-2014-1298 : Google Chrome Security Team
CVE-2014-1299 : Google Chrome Security Team, Apple, Renata Hodovan of
University of Szeged / Samsung Electronics
CVE-2014-1300 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
CVE-2014-1302 : Google Chrome Security Team, Apple
CVE-2014-1303 : KeenTeam working with HP's Zero Day Initiative
CVE-2014-1304 : Apple
CVE-2014-1305 : Apple
CVE-2014-1307 : Google Chrome Security Team
CVE-2014-1308 : Google Chrome Security Team
CVE-2014-1309 : cloudfuzzer
CVE-2014-1310 : Google Chrome Security Team
CVE-2014-1311 : Google Chrome Security Team
CVE-2014-1312 : Google Chrome Security Team
CVE-2014-1313 : Google Chrome Security Team
CVE-2014-1713 : VUPEN working with HP's Zero Day Initiative
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.1.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJTVet5AAoJEPefwLHPlZEwx3YP/iL/NwYn7T1q1ezvAVHQ6T3F
9X+ylJYZ+Ago+ij0wdzlDNJfVLPPbWde3biss6p10zDtLHHJK1jOQJLcZOBHtABG
7+OjIxFw5ZZCmWfOkF/GkfL/kBZllN0GuDCb7v4DVUf6GQPtWBsszQ9pre9Peotx
TZOHxpPd2TBdz1GkLoFSd4I2yXIT5uIkRfvv9vgDXeNihDMlrJdq8ZBSlfKt+eXT
kQ3+hGW2knT7np3BdWPQgqo9+YIfcAXN4Rnj0rPXVzzeKwpUrVjLwJgivecwhB7w
mF+AWfH5oajw+ANzMeFm/DirlAADcM5LgdxtHnXH2Xh1NV5tOCSnaYWyFK4Nadex
rVEWTOW4VxSb881dOikwY182kBlpaMjVgpvb04GA5zMAW+MtS7o4hj/H6ywGe7zm
t7ZdyAo7i3QRFwBGEcJw1KjyTWnP1ILuBC9dekek+3DmxRAeQuBsrbPz2cxXPf9V
jlvnxwiRzc/VqgAIyhCtgj0S3sEAMxnVXYSrbZpTpi1ZifiTriyyX291mS8xZBcF
LZaNUzusQnEkyE+iGODKi+OPvgUnACIK8gWjMIDbwX99Fmd3LXU1fTpvdlkeuDBS
LKBvZQs0JyYqOxkhU7PsRI6WN1F2nQHuMnb0mlFruejTrRbgyHxvMK6lpVP0nMoK
Av6eIuVxA8q9Lm6TCh+h
=ilSw
-----END PGP SIGNATURE-----
| VAR-201404-0222 | CVE-2014-1304 | Apple Safari Used in etc. WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. Apple Safari Used in etc. WebKit is prone to an unspecified memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application. ------------------------------------------------------------------------
WebKitGTK+ Security Advisory WSA-2015-0001
------------------------------------------------------------------------
Date reported : January 26, 2015
Advisory ID : WSA-2015-0001
Advisory URL : http://webkitgtk.org/security/WSA-2015-0001.html
Affected versions : 2.4 series before 2.4.1, 2.4.2 and 2.4.8.
CVE identifiers : CVE-2013-2871, CVE-2014-1292, CVE-2014-1298,
CVE-2014-1299, CVE-2014-1300, CVE-2014-1303,
CVE-2014-1304, CVE-2014-1305, CVE-2014-1307,
CVE-2014-1308, CVE-2014-1309, CVE-2014-1311,
CVE-2014-1313, CVE-2014-1713, CVE-2014-1297,
CVE-2013-2875, CVE-2013-2927, CVE-2014-1323,
CVE-2014-1326, CVE-2014-1329, CVE-2014-1330,
CVE-2014-1331, CVE-2014-1333, CVE-2014-1334,
CVE-2014-1335, CVE-2014-1336, CVE-2014-1337,
CVE-2014-1338, CVE-2014-1339, CVE-2014-1341,
CVE-2014-1342, CVE-2014-1343, CVE-2014-1731,
CVE-2014-1346, CVE-2014-1344, CVE-2014-1384,
CVE-2014-1385, CVE-2014-1387, CVE-2014-1388,
CVE-2014-1389, CVE-2014-1390.
Several vulnerabilities were discovered on the 2.4 stable series of
WebKitGTK+.
CVE-2013-2871
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to miaubiz.
CVE-2014-1292
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1298
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1299
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team, Apple, Renata Hodovan of
University of Szeged / Samsung Electronics.
CVE-2014-1300
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero working with HP's Zero Day
Initiative.
CVE-2014-1303
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to KeenTeam working with HP's Zero Day Initiative.
CVE-2014-1304
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1305
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1307
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1308
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1309
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to cloudfuzzer.
CVE-2014-1311
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1313
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1713
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to VUPEN working with HP's Zero Day Initiative.
CVE-2014-1297
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero.
CVE-2013-2875
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to miaubiz.
core/rendering/svg/SVGInlineTextBox.cpp in the SVG implementation in
Blink, as used in Google Chrome before 28.0.1500.71, allows remote
attackers to cause a denial of service (out-of-bounds read) via
unspecified vectors.
CVE-2013-2927
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1323
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to banty.
CVE-2014-1326
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1329
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1330
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1331
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1333
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1334
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1335
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1336
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1337
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1338
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1339
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Atte Kettunen of OUSPG.
CVE-2014-1341
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1342
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1343
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1731
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to an anonymous member of the Blink development community.
core/html/HTMLSelectElement.cpp in the DOM implementation in Blink,
as used in Google Chrome before 34.0.1847.131 on Windows and OS X
and before 34.0.1847.132 on Linux, does not properly check renderer
state upon a focus event, which allows remote attackers to cause a
denial of service or possibly have unspecified other impact via
vectors that leverage "type confusion" for SELECT elements.
CVE-2014-1346
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Erling Ellingsen of Facebook.
CVE-2014-1344
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Ian Beer of Google Project Zero.
CVE-2014-1384
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1385
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1387
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Google Chrome Security Team.
CVE-2014-1388
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1389
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1390
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
For the 2.4 series, these problems have been fixed in release 2.4.8.
Further information about WebKitGTK+ Security Advisories can be found
at: http://webkitgtk.org/security.html
The WebKitGTK+ team,
January 26, 2015
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-04-22-2 iOS 7.1.1
iOS 7.1.1 is now available and addresses the following:
CFNetwork HTTPProtocol
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position can obtain web
site credentials
Description: Set-Cookie HTTP headers would be processed even if the
connection closed before the header line was complete. An attacker
could strip security settings from the cookie by forcing the
connection to close before the security settings were sent, and then
obtain the value of the unprotected cookie. This issue was addressed
by ignoring incomplete HTTP header lines.
CVE-ID
CVE-2014-1296 : Antoine Delignat-Lavaud of Prosecco at Inria Paris
IOKit Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user can read kernel pointers, which can be used to
bypass kernel address space layout randomization
Description: A set of kernel pointers stored in an IOKit object
could be retrieved from userland. This issue was addressed through
removing the pointers from the object.
CVE-ID
CVE-2014-1320 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
Security - Secure Transport
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may capture
data or change the operations performed in sessions protected by SSL
Description: In a 'triple handshake' attack, it was possible for an
attacker to establish two connections which had the same encryption
keys and handshake, insert the attacker's data in one connection, and
renegotiate so that the connections may be forwarded to each other.
To prevent attacks based on this scenario, Secure Transport was
changed so that, by default, a renegotiation must present the same
server certificate as was presented in the original connection.
CVE-ID
CVE-2014-1295 : Antoine Delignat-Lavaud, Karthikeyan Bhargavan and
Alfredo Pironti of Prosecco at Inria Paris
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.1.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJTVet5AAoJEPefwLHPlZEwx3YP/iL/NwYn7T1q1ezvAVHQ6T3F
9X+ylJYZ+Ago+ij0wdzlDNJfVLPPbWde3biss6p10zDtLHHJK1jOQJLcZOBHtABG
7+OjIxFw5ZZCmWfOkF/GkfL/kBZllN0GuDCb7v4DVUf6GQPtWBsszQ9pre9Peotx
TZOHxpPd2TBdz1GkLoFSd4I2yXIT5uIkRfvv9vgDXeNihDMlrJdq8ZBSlfKt+eXT
kQ3+hGW2knT7np3BdWPQgqo9+YIfcAXN4Rnj0rPXVzzeKwpUrVjLwJgivecwhB7w
mF+AWfH5oajw+ANzMeFm/DirlAADcM5LgdxtHnXH2Xh1NV5tOCSnaYWyFK4Nadex
rVEWTOW4VxSb881dOikwY182kBlpaMjVgpvb04GA5zMAW+MtS7o4hj/H6ywGe7zm
t7ZdyAo7i3QRFwBGEcJw1KjyTWnP1ILuBC9dekek+3DmxRAeQuBsrbPz2cxXPf9V
jlvnxwiRzc/VqgAIyhCtgj0S3sEAMxnVXYSrbZpTpi1ZifiTriyyX291mS8xZBcF
LZaNUzusQnEkyE+iGODKi+OPvgUnACIK8gWjMIDbwX99Fmd3LXU1fTpvdlkeuDBS
LKBvZQs0JyYqOxkhU7PsRI6WN1F2nQHuMnb0mlFruejTrRbgyHxvMK6lpVP0nMoK
Av6eIuVxA8q9Lm6TCh+h
=ilSw
-----END PGP SIGNATURE-----
| VAR-201404-0203 | CVE-2014-1310 | Apple Safari Used in etc. WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. Apple Safari Used in etc. WebKit is prone to an unspecified memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-04-22-2 iOS 7.1.1
iOS 7.1.1 is now available and addresses the following:
CFNetwork HTTPProtocol
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position can obtain web
site credentials
Description: Set-Cookie HTTP headers would be processed even if the
connection closed before the header line was complete. An attacker
could strip security settings from the cookie by forcing the
connection to close before the security settings were sent, and then
obtain the value of the unprotected cookie. This issue was addressed
by ignoring incomplete HTTP header lines.
CVE-ID
CVE-2014-1296 : Antoine Delignat-Lavaud of Prosecco at Inria Paris
IOKit Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user can read kernel pointers, which can be used to
bypass kernel address space layout randomization
Description: A set of kernel pointers stored in an IOKit object
could be retrieved from userland. This issue was addressed through
removing the pointers from the object.
CVE-ID
CVE-2014-1320 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
Security - Secure Transport
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may capture
data or change the operations performed in sessions protected by SSL
Description: In a 'triple handshake' attack, it was possible for an
attacker to establish two connections which had the same encryption
keys and handshake, insert the attacker's data in one connection, and
renegotiate so that the connections may be forwarded to each other.
To prevent attacks based on this scenario, Secure Transport was
changed so that, by default, a renegotiation must present the same
server certificate as was presented in the original connection.
CVE-ID
CVE-2014-1295 : Antoine Delignat-Lavaud, Karthikeyan Bhargavan and
Alfredo Pironti of Prosecco at Inria Paris
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2871 : miaubiz
CVE-2014-1298 : Google Chrome Security Team
CVE-2014-1299 : Google Chrome Security Team, Apple, Renata Hodovan of
University of Szeged / Samsung Electronics
CVE-2014-1300 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
CVE-2014-1302 : Google Chrome Security Team, Apple
CVE-2014-1303 : KeenTeam working with HP's Zero Day Initiative
CVE-2014-1304 : Apple
CVE-2014-1305 : Apple
CVE-2014-1307 : Google Chrome Security Team
CVE-2014-1308 : Google Chrome Security Team
CVE-2014-1309 : cloudfuzzer
CVE-2014-1310 : Google Chrome Security Team
CVE-2014-1311 : Google Chrome Security Team
CVE-2014-1312 : Google Chrome Security Team
CVE-2014-1313 : Google Chrome Security Team
CVE-2014-1713 : VUPEN working with HP's Zero Day Initiative
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.1.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJTVet5AAoJEPefwLHPlZEwx3YP/iL/NwYn7T1q1ezvAVHQ6T3F
9X+ylJYZ+Ago+ij0wdzlDNJfVLPPbWde3biss6p10zDtLHHJK1jOQJLcZOBHtABG
7+OjIxFw5ZZCmWfOkF/GkfL/kBZllN0GuDCb7v4DVUf6GQPtWBsszQ9pre9Peotx
TZOHxpPd2TBdz1GkLoFSd4I2yXIT5uIkRfvv9vgDXeNihDMlrJdq8ZBSlfKt+eXT
kQ3+hGW2knT7np3BdWPQgqo9+YIfcAXN4Rnj0rPXVzzeKwpUrVjLwJgivecwhB7w
mF+AWfH5oajw+ANzMeFm/DirlAADcM5LgdxtHnXH2Xh1NV5tOCSnaYWyFK4Nadex
rVEWTOW4VxSb881dOikwY182kBlpaMjVgpvb04GA5zMAW+MtS7o4hj/H6ywGe7zm
t7ZdyAo7i3QRFwBGEcJw1KjyTWnP1ILuBC9dekek+3DmxRAeQuBsrbPz2cxXPf9V
jlvnxwiRzc/VqgAIyhCtgj0S3sEAMxnVXYSrbZpTpi1ZifiTriyyX291mS8xZBcF
LZaNUzusQnEkyE+iGODKi+OPvgUnACIK8gWjMIDbwX99Fmd3LXU1fTpvdlkeuDBS
LKBvZQs0JyYqOxkhU7PsRI6WN1F2nQHuMnb0mlFruejTrRbgyHxvMK6lpVP0nMoK
Av6eIuVxA8q9Lm6TCh+h
=ilSw
-----END PGP SIGNATURE-----
| VAR-201404-0219 | CVE-2014-1299 | Apple Safari Used in etc. WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. Apple Safari Used in etc. WebKit is prone to an unspecified memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application. ------------------------------------------------------------------------
WebKitGTK+ Security Advisory WSA-2015-0001
------------------------------------------------------------------------
Date reported : January 26, 2015
Advisory ID : WSA-2015-0001
Advisory URL : http://webkitgtk.org/security/WSA-2015-0001.html
Affected versions : 2.4 series before 2.4.1, 2.4.2 and 2.4.8.
CVE identifiers : CVE-2013-2871, CVE-2014-1292, CVE-2014-1298,
CVE-2014-1299, CVE-2014-1300, CVE-2014-1303,
CVE-2014-1304, CVE-2014-1305, CVE-2014-1307,
CVE-2014-1308, CVE-2014-1309, CVE-2014-1311,
CVE-2014-1313, CVE-2014-1713, CVE-2014-1297,
CVE-2013-2875, CVE-2013-2927, CVE-2014-1323,
CVE-2014-1326, CVE-2014-1329, CVE-2014-1330,
CVE-2014-1331, CVE-2014-1333, CVE-2014-1334,
CVE-2014-1335, CVE-2014-1336, CVE-2014-1337,
CVE-2014-1338, CVE-2014-1339, CVE-2014-1341,
CVE-2014-1342, CVE-2014-1343, CVE-2014-1731,
CVE-2014-1346, CVE-2014-1344, CVE-2014-1384,
CVE-2014-1385, CVE-2014-1387, CVE-2014-1388,
CVE-2014-1389, CVE-2014-1390.
Several vulnerabilities were discovered on the 2.4 stable series of
WebKitGTK+.
CVE-2013-2871
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to miaubiz.
CVE-2014-1292
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1298
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1299
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team, Apple, Renata Hodovan of
University of Szeged / Samsung Electronics.
CVE-2014-1300
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero working with HP's Zero Day
Initiative.
CVE-2014-1303
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to KeenTeam working with HP's Zero Day Initiative.
CVE-2014-1304
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1305
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1307
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1308
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1309
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to cloudfuzzer.
CVE-2014-1311
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1313
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1713
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to VUPEN working with HP's Zero Day Initiative.
CVE-2014-1297
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero.
CVE-2013-2875
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to miaubiz.
core/rendering/svg/SVGInlineTextBox.cpp in the SVG implementation in
Blink, as used in Google Chrome before 28.0.1500.71, allows remote
attackers to cause a denial of service (out-of-bounds read) via
unspecified vectors.
CVE-2013-2927
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1323
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to banty.
CVE-2014-1326
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1329
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1330
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1331
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1333
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1334
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1335
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1336
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1337
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1338
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1339
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Atte Kettunen of OUSPG.
CVE-2014-1341
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1342
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1343
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1731
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to an anonymous member of the Blink development community.
core/html/HTMLSelectElement.cpp in the DOM implementation in Blink,
as used in Google Chrome before 34.0.1847.131 on Windows and OS X
and before 34.0.1847.132 on Linux, does not properly check renderer
state upon a focus event, which allows remote attackers to cause a
denial of service or possibly have unspecified other impact via
vectors that leverage "type confusion" for SELECT elements.
CVE-2014-1346
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Erling Ellingsen of Facebook.
CVE-2014-1344
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Ian Beer of Google Project Zero.
CVE-2014-1384
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1385
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1387
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Google Chrome Security Team.
CVE-2014-1388
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1389
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1390
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
For the 2.4 series, these problems have been fixed in release 2.4.8.
Further information about WebKitGTK+ Security Advisories can be found
at: http://webkitgtk.org/security.html
The WebKitGTK+ team,
January 26, 2015
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-04-22-2 iOS 7.1.1
iOS 7.1.1 is now available and addresses the following:
CFNetwork HTTPProtocol
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position can obtain web
site credentials
Description: Set-Cookie HTTP headers would be processed even if the
connection closed before the header line was complete. An attacker
could strip security settings from the cookie by forcing the
connection to close before the security settings were sent, and then
obtain the value of the unprotected cookie. This issue was addressed
by ignoring incomplete HTTP header lines.
CVE-ID
CVE-2014-1296 : Antoine Delignat-Lavaud of Prosecco at Inria Paris
IOKit Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user can read kernel pointers, which can be used to
bypass kernel address space layout randomization
Description: A set of kernel pointers stored in an IOKit object
could be retrieved from userland. This issue was addressed through
removing the pointers from the object.
CVE-ID
CVE-2014-1320 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
Security - Secure Transport
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may capture
data or change the operations performed in sessions protected by SSL
Description: In a 'triple handshake' attack, it was possible for an
attacker to establish two connections which had the same encryption
keys and handshake, insert the attacker's data in one connection, and
renegotiate so that the connections may be forwarded to each other.
To prevent attacks based on this scenario, Secure Transport was
changed so that, by default, a renegotiation must present the same
server certificate as was presented in the original connection.
CVE-ID
CVE-2014-1295 : Antoine Delignat-Lavaud, Karthikeyan Bhargavan and
Alfredo Pironti of Prosecco at Inria Paris
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.1.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJTVet5AAoJEPefwLHPlZEwx3YP/iL/NwYn7T1q1ezvAVHQ6T3F
9X+ylJYZ+Ago+ij0wdzlDNJfVLPPbWde3biss6p10zDtLHHJK1jOQJLcZOBHtABG
7+OjIxFw5ZZCmWfOkF/GkfL/kBZllN0GuDCb7v4DVUf6GQPtWBsszQ9pre9Peotx
TZOHxpPd2TBdz1GkLoFSd4I2yXIT5uIkRfvv9vgDXeNihDMlrJdq8ZBSlfKt+eXT
kQ3+hGW2knT7np3BdWPQgqo9+YIfcAXN4Rnj0rPXVzzeKwpUrVjLwJgivecwhB7w
mF+AWfH5oajw+ANzMeFm/DirlAADcM5LgdxtHnXH2Xh1NV5tOCSnaYWyFK4Nadex
rVEWTOW4VxSb881dOikwY182kBlpaMjVgpvb04GA5zMAW+MtS7o4hj/H6ywGe7zm
t7ZdyAo7i3QRFwBGEcJw1KjyTWnP1ILuBC9dekek+3DmxRAeQuBsrbPz2cxXPf9V
jlvnxwiRzc/VqgAIyhCtgj0S3sEAMxnVXYSrbZpTpi1ZifiTriyyX291mS8xZBcF
LZaNUzusQnEkyE+iGODKi+OPvgUnACIK8gWjMIDbwX99Fmd3LXU1fTpvdlkeuDBS
LKBvZQs0JyYqOxkhU7PsRI6WN1F2nQHuMnb0mlFruejTrRbgyHxvMK6lpVP0nMoK
Av6eIuVxA8q9Lm6TCh+h
=ilSw
-----END PGP SIGNATURE-----
| VAR-201404-0218 | CVE-2014-1298 | Apple Safari Used in etc. WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. Apple Safari Used in etc. WebKit is prone to an unspecified memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application. ------------------------------------------------------------------------
WebKitGTK+ Security Advisory WSA-2015-0001
------------------------------------------------------------------------
Date reported : January 26, 2015
Advisory ID : WSA-2015-0001
Advisory URL : http://webkitgtk.org/security/WSA-2015-0001.html
Affected versions : 2.4 series before 2.4.1, 2.4.2 and 2.4.8.
CVE identifiers : CVE-2013-2871, CVE-2014-1292, CVE-2014-1298,
CVE-2014-1299, CVE-2014-1300, CVE-2014-1303,
CVE-2014-1304, CVE-2014-1305, CVE-2014-1307,
CVE-2014-1308, CVE-2014-1309, CVE-2014-1311,
CVE-2014-1313, CVE-2014-1713, CVE-2014-1297,
CVE-2013-2875, CVE-2013-2927, CVE-2014-1323,
CVE-2014-1326, CVE-2014-1329, CVE-2014-1330,
CVE-2014-1331, CVE-2014-1333, CVE-2014-1334,
CVE-2014-1335, CVE-2014-1336, CVE-2014-1337,
CVE-2014-1338, CVE-2014-1339, CVE-2014-1341,
CVE-2014-1342, CVE-2014-1343, CVE-2014-1731,
CVE-2014-1346, CVE-2014-1344, CVE-2014-1384,
CVE-2014-1385, CVE-2014-1387, CVE-2014-1388,
CVE-2014-1389, CVE-2014-1390.
Several vulnerabilities were discovered on the 2.4 stable series of
WebKitGTK+.
CVE-2013-2871
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to miaubiz.
CVE-2014-1292
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1298
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1299
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team, Apple, Renata Hodovan of
University of Szeged / Samsung Electronics.
CVE-2014-1300
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero working with HP's Zero Day
Initiative.
CVE-2014-1303
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to KeenTeam working with HP's Zero Day Initiative.
CVE-2014-1304
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1305
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1307
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1308
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1309
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to cloudfuzzer.
CVE-2014-1311
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1313
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1713
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to VUPEN working with HP's Zero Day Initiative.
CVE-2014-1297
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero.
CVE-2013-2875
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to miaubiz.
core/rendering/svg/SVGInlineTextBox.cpp in the SVG implementation in
Blink, as used in Google Chrome before 28.0.1500.71, allows remote
attackers to cause a denial of service (out-of-bounds read) via
unspecified vectors.
CVE-2013-2927
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1323
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to banty.
CVE-2014-1326
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1329
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1330
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1331
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1333
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1334
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1335
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1336
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1337
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1338
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1339
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Atte Kettunen of OUSPG.
CVE-2014-1341
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1342
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1343
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1731
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to an anonymous member of the Blink development community.
core/html/HTMLSelectElement.cpp in the DOM implementation in Blink,
as used in Google Chrome before 34.0.1847.131 on Windows and OS X
and before 34.0.1847.132 on Linux, does not properly check renderer
state upon a focus event, which allows remote attackers to cause a
denial of service or possibly have unspecified other impact via
vectors that leverage "type confusion" for SELECT elements.
CVE-2014-1346
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Erling Ellingsen of Facebook.
CVE-2014-1344
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Ian Beer of Google Project Zero.
CVE-2014-1384
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1385
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1387
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Google Chrome Security Team.
CVE-2014-1388
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1389
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1390
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
For the 2.4 series, these problems have been fixed in release 2.4.8.
Further information about WebKitGTK+ Security Advisories can be found
at: http://webkitgtk.org/security.html
The WebKitGTK+ team,
January 26, 2015
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-04-22-2 iOS 7.1.1
iOS 7.1.1 is now available and addresses the following:
CFNetwork HTTPProtocol
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position can obtain web
site credentials
Description: Set-Cookie HTTP headers would be processed even if the
connection closed before the header line was complete. An attacker
could strip security settings from the cookie by forcing the
connection to close before the security settings were sent, and then
obtain the value of the unprotected cookie. This issue was addressed
by ignoring incomplete HTTP header lines.
CVE-ID
CVE-2014-1296 : Antoine Delignat-Lavaud of Prosecco at Inria Paris
IOKit Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user can read kernel pointers, which can be used to
bypass kernel address space layout randomization
Description: A set of kernel pointers stored in an IOKit object
could be retrieved from userland. This issue was addressed through
removing the pointers from the object.
CVE-ID
CVE-2014-1320 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
Security - Secure Transport
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may capture
data or change the operations performed in sessions protected by SSL
Description: In a 'triple handshake' attack, it was possible for an
attacker to establish two connections which had the same encryption
keys and handshake, insert the attacker's data in one connection, and
renegotiate so that the connections may be forwarded to each other.
To prevent attacks based on this scenario, Secure Transport was
changed so that, by default, a renegotiation must present the same
server certificate as was presented in the original connection.
CVE-ID
CVE-2014-1295 : Antoine Delignat-Lavaud, Karthikeyan Bhargavan and
Alfredo Pironti of Prosecco at Inria Paris
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.1.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJTVet5AAoJEPefwLHPlZEwx3YP/iL/NwYn7T1q1ezvAVHQ6T3F
9X+ylJYZ+Ago+ij0wdzlDNJfVLPPbWde3biss6p10zDtLHHJK1jOQJLcZOBHtABG
7+OjIxFw5ZZCmWfOkF/GkfL/kBZllN0GuDCb7v4DVUf6GQPtWBsszQ9pre9Peotx
TZOHxpPd2TBdz1GkLoFSd4I2yXIT5uIkRfvv9vgDXeNihDMlrJdq8ZBSlfKt+eXT
kQ3+hGW2knT7np3BdWPQgqo9+YIfcAXN4Rnj0rPXVzzeKwpUrVjLwJgivecwhB7w
mF+AWfH5oajw+ANzMeFm/DirlAADcM5LgdxtHnXH2Xh1NV5tOCSnaYWyFK4Nadex
rVEWTOW4VxSb881dOikwY182kBlpaMjVgpvb04GA5zMAW+MtS7o4hj/H6ywGe7zm
t7ZdyAo7i3QRFwBGEcJw1KjyTWnP1ILuBC9dekek+3DmxRAeQuBsrbPz2cxXPf9V
jlvnxwiRzc/VqgAIyhCtgj0S3sEAMxnVXYSrbZpTpi1ZifiTriyyX291mS8xZBcF
LZaNUzusQnEkyE+iGODKi+OPvgUnACIK8gWjMIDbwX99Fmd3LXU1fTpvdlkeuDBS
LKBvZQs0JyYqOxkhU7PsRI6WN1F2nQHuMnb0mlFruejTrRbgyHxvMK6lpVP0nMoK
Av6eIuVxA8q9Lm6TCh+h
=ilSw
-----END PGP SIGNATURE-----
| VAR-201404-0206 | CVE-2014-1313 | Apple Safari Used in etc. WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. Apple Safari Used in etc. WebKit is prone to an unspecified memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application. ------------------------------------------------------------------------
WebKitGTK+ Security Advisory WSA-2015-0001
------------------------------------------------------------------------
Date reported : January 26, 2015
Advisory ID : WSA-2015-0001
Advisory URL : http://webkitgtk.org/security/WSA-2015-0001.html
Affected versions : 2.4 series before 2.4.1, 2.4.2 and 2.4.8.
CVE identifiers : CVE-2013-2871, CVE-2014-1292, CVE-2014-1298,
CVE-2014-1299, CVE-2014-1300, CVE-2014-1303,
CVE-2014-1304, CVE-2014-1305, CVE-2014-1307,
CVE-2014-1308, CVE-2014-1309, CVE-2014-1311,
CVE-2014-1313, CVE-2014-1713, CVE-2014-1297,
CVE-2013-2875, CVE-2013-2927, CVE-2014-1323,
CVE-2014-1326, CVE-2014-1329, CVE-2014-1330,
CVE-2014-1331, CVE-2014-1333, CVE-2014-1334,
CVE-2014-1335, CVE-2014-1336, CVE-2014-1337,
CVE-2014-1338, CVE-2014-1339, CVE-2014-1341,
CVE-2014-1342, CVE-2014-1343, CVE-2014-1731,
CVE-2014-1346, CVE-2014-1344, CVE-2014-1384,
CVE-2014-1385, CVE-2014-1387, CVE-2014-1388,
CVE-2014-1389, CVE-2014-1390.
Several vulnerabilities were discovered on the 2.4 stable series of
WebKitGTK+.
CVE-2013-2871
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to miaubiz.
CVE-2014-1292
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1298
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1299
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team, Apple, Renata Hodovan of
University of Szeged / Samsung Electronics.
CVE-2014-1300
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero working with HP's Zero Day
Initiative.
CVE-2014-1303
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to KeenTeam working with HP's Zero Day Initiative.
CVE-2014-1304
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1305
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1307
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1308
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1309
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to cloudfuzzer.
CVE-2014-1311
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1313
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1713
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to VUPEN working with HP's Zero Day Initiative.
CVE-2014-1297
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero.
CVE-2013-2875
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to miaubiz.
core/rendering/svg/SVGInlineTextBox.cpp in the SVG implementation in
Blink, as used in Google Chrome before 28.0.1500.71, allows remote
attackers to cause a denial of service (out-of-bounds read) via
unspecified vectors.
CVE-2013-2927
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1323
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to banty.
CVE-2014-1326
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1329
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1330
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1331
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1333
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1334
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1335
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1336
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1337
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1338
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1339
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Atte Kettunen of OUSPG.
CVE-2014-1341
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1342
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1343
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1731
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to an anonymous member of the Blink development community.
core/html/HTMLSelectElement.cpp in the DOM implementation in Blink,
as used in Google Chrome before 34.0.1847.131 on Windows and OS X
and before 34.0.1847.132 on Linux, does not properly check renderer
state upon a focus event, which allows remote attackers to cause a
denial of service or possibly have unspecified other impact via
vectors that leverage "type confusion" for SELECT elements.
CVE-2014-1346
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Erling Ellingsen of Facebook.
CVE-2014-1344
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Ian Beer of Google Project Zero.
CVE-2014-1384
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1385
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1387
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Google Chrome Security Team.
CVE-2014-1388
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1389
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1390
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
For the 2.4 series, these problems have been fixed in release 2.4.8.
Further information about WebKitGTK+ Security Advisories can be found
at: http://webkitgtk.org/security.html
The WebKitGTK+ team,
January 26, 2015
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-04-22-2 iOS 7.1.1
iOS 7.1.1 is now available and addresses the following:
CFNetwork HTTPProtocol
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position can obtain web
site credentials
Description: Set-Cookie HTTP headers would be processed even if the
connection closed before the header line was complete. An attacker
could strip security settings from the cookie by forcing the
connection to close before the security settings were sent, and then
obtain the value of the unprotected cookie. This issue was addressed
by ignoring incomplete HTTP header lines.
CVE-ID
CVE-2014-1296 : Antoine Delignat-Lavaud of Prosecco at Inria Paris
IOKit Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user can read kernel pointers, which can be used to
bypass kernel address space layout randomization
Description: A set of kernel pointers stored in an IOKit object
could be retrieved from userland. This issue was addressed through
removing the pointers from the object.
CVE-ID
CVE-2014-1320 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
Security - Secure Transport
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may capture
data or change the operations performed in sessions protected by SSL
Description: In a 'triple handshake' attack, it was possible for an
attacker to establish two connections which had the same encryption
keys and handshake, insert the attacker's data in one connection, and
renegotiate so that the connections may be forwarded to each other.
To prevent attacks based on this scenario, Secure Transport was
changed so that, by default, a renegotiation must present the same
server certificate as was presented in the original connection.
CVE-ID
CVE-2014-1295 : Antoine Delignat-Lavaud, Karthikeyan Bhargavan and
Alfredo Pironti of Prosecco at Inria Paris
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.1.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJTVet5AAoJEPefwLHPlZEwx3YP/iL/NwYn7T1q1ezvAVHQ6T3F
9X+ylJYZ+Ago+ij0wdzlDNJfVLPPbWde3biss6p10zDtLHHJK1jOQJLcZOBHtABG
7+OjIxFw5ZZCmWfOkF/GkfL/kBZllN0GuDCb7v4DVUf6GQPtWBsszQ9pre9Peotx
TZOHxpPd2TBdz1GkLoFSd4I2yXIT5uIkRfvv9vgDXeNihDMlrJdq8ZBSlfKt+eXT
kQ3+hGW2knT7np3BdWPQgqo9+YIfcAXN4Rnj0rPXVzzeKwpUrVjLwJgivecwhB7w
mF+AWfH5oajw+ANzMeFm/DirlAADcM5LgdxtHnXH2Xh1NV5tOCSnaYWyFK4Nadex
rVEWTOW4VxSb881dOikwY182kBlpaMjVgpvb04GA5zMAW+MtS7o4hj/H6ywGe7zm
t7ZdyAo7i3QRFwBGEcJw1KjyTWnP1ILuBC9dekek+3DmxRAeQuBsrbPz2cxXPf9V
jlvnxwiRzc/VqgAIyhCtgj0S3sEAMxnVXYSrbZpTpi1ZifiTriyyX291mS8xZBcF
LZaNUzusQnEkyE+iGODKi+OPvgUnACIK8gWjMIDbwX99Fmd3LXU1fTpvdlkeuDBS
LKBvZQs0JyYqOxkhU7PsRI6WN1F2nQHuMnb0mlFruejTrRbgyHxvMK6lpVP0nMoK
Av6eIuVxA8q9Lm6TCh+h
=ilSw
-----END PGP SIGNATURE-----
| VAR-201404-0202 | CVE-2014-1309 | Apple Safari Used in etc. WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. Apple Safari Used in etc. WebKit is prone to an unspecified memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application. ------------------------------------------------------------------------
WebKitGTK+ Security Advisory WSA-2015-0001
------------------------------------------------------------------------
Date reported : January 26, 2015
Advisory ID : WSA-2015-0001
Advisory URL : http://webkitgtk.org/security/WSA-2015-0001.html
Affected versions : 2.4 series before 2.4.1, 2.4.2 and 2.4.8.
CVE identifiers : CVE-2013-2871, CVE-2014-1292, CVE-2014-1298,
CVE-2014-1299, CVE-2014-1300, CVE-2014-1303,
CVE-2014-1304, CVE-2014-1305, CVE-2014-1307,
CVE-2014-1308, CVE-2014-1309, CVE-2014-1311,
CVE-2014-1313, CVE-2014-1713, CVE-2014-1297,
CVE-2013-2875, CVE-2013-2927, CVE-2014-1323,
CVE-2014-1326, CVE-2014-1329, CVE-2014-1330,
CVE-2014-1331, CVE-2014-1333, CVE-2014-1334,
CVE-2014-1335, CVE-2014-1336, CVE-2014-1337,
CVE-2014-1338, CVE-2014-1339, CVE-2014-1341,
CVE-2014-1342, CVE-2014-1343, CVE-2014-1731,
CVE-2014-1346, CVE-2014-1344, CVE-2014-1384,
CVE-2014-1385, CVE-2014-1387, CVE-2014-1388,
CVE-2014-1389, CVE-2014-1390.
Several vulnerabilities were discovered on the 2.4 stable series of
WebKitGTK+.
CVE-2013-2871
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to miaubiz.
CVE-2014-1292
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1298
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1299
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team, Apple, Renata Hodovan of
University of Szeged / Samsung Electronics.
CVE-2014-1300
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero working with HP's Zero Day
Initiative.
CVE-2014-1303
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to KeenTeam working with HP's Zero Day Initiative.
CVE-2014-1304
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1305
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1307
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1308
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1309
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to cloudfuzzer.
CVE-2014-1311
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1313
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1713
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to VUPEN working with HP's Zero Day Initiative.
CVE-2014-1297
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero.
CVE-2013-2875
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to miaubiz.
core/rendering/svg/SVGInlineTextBox.cpp in the SVG implementation in
Blink, as used in Google Chrome before 28.0.1500.71, allows remote
attackers to cause a denial of service (out-of-bounds read) via
unspecified vectors.
CVE-2013-2927
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1323
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to banty.
CVE-2014-1326
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1329
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1330
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1331
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1333
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1334
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1335
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1336
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1337
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1338
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1339
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Atte Kettunen of OUSPG.
CVE-2014-1341
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1342
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1343
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1731
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to an anonymous member of the Blink development community.
core/html/HTMLSelectElement.cpp in the DOM implementation in Blink,
as used in Google Chrome before 34.0.1847.131 on Windows and OS X
and before 34.0.1847.132 on Linux, does not properly check renderer
state upon a focus event, which allows remote attackers to cause a
denial of service or possibly have unspecified other impact via
vectors that leverage "type confusion" for SELECT elements.
CVE-2014-1346
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Erling Ellingsen of Facebook.
CVE-2014-1344
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Ian Beer of Google Project Zero.
CVE-2014-1384
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1385
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1387
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Google Chrome Security Team.
CVE-2014-1388
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1389
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1390
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
For the 2.4 series, these problems have been fixed in release 2.4.8.
Further information about WebKitGTK+ Security Advisories can be found
at: http://webkitgtk.org/security.html
The WebKitGTK+ team,
January 26, 2015
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-04-22-2 iOS 7.1.1
iOS 7.1.1 is now available and addresses the following:
CFNetwork HTTPProtocol
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position can obtain web
site credentials
Description: Set-Cookie HTTP headers would be processed even if the
connection closed before the header line was complete. An attacker
could strip security settings from the cookie by forcing the
connection to close before the security settings were sent, and then
obtain the value of the unprotected cookie. This issue was addressed
by ignoring incomplete HTTP header lines.
CVE-ID
CVE-2014-1296 : Antoine Delignat-Lavaud of Prosecco at Inria Paris
IOKit Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user can read kernel pointers, which can be used to
bypass kernel address space layout randomization
Description: A set of kernel pointers stored in an IOKit object
could be retrieved from userland. This issue was addressed through
removing the pointers from the object.
CVE-ID
CVE-2014-1320 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
Security - Secure Transport
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may capture
data or change the operations performed in sessions protected by SSL
Description: In a 'triple handshake' attack, it was possible for an
attacker to establish two connections which had the same encryption
keys and handshake, insert the attacker's data in one connection, and
renegotiate so that the connections may be forwarded to each other.
To prevent attacks based on this scenario, Secure Transport was
changed so that, by default, a renegotiation must present the same
server certificate as was presented in the original connection.
CVE-ID
CVE-2014-1295 : Antoine Delignat-Lavaud, Karthikeyan Bhargavan and
Alfredo Pironti of Prosecco at Inria Paris
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.1.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJTVet5AAoJEPefwLHPlZEwx3YP/iL/NwYn7T1q1ezvAVHQ6T3F
9X+ylJYZ+Ago+ij0wdzlDNJfVLPPbWde3biss6p10zDtLHHJK1jOQJLcZOBHtABG
7+OjIxFw5ZZCmWfOkF/GkfL/kBZllN0GuDCb7v4DVUf6GQPtWBsszQ9pre9Peotx
TZOHxpPd2TBdz1GkLoFSd4I2yXIT5uIkRfvv9vgDXeNihDMlrJdq8ZBSlfKt+eXT
kQ3+hGW2knT7np3BdWPQgqo9+YIfcAXN4Rnj0rPXVzzeKwpUrVjLwJgivecwhB7w
mF+AWfH5oajw+ANzMeFm/DirlAADcM5LgdxtHnXH2Xh1NV5tOCSnaYWyFK4Nadex
rVEWTOW4VxSb881dOikwY182kBlpaMjVgpvb04GA5zMAW+MtS7o4hj/H6ywGe7zm
t7ZdyAo7i3QRFwBGEcJw1KjyTWnP1ILuBC9dekek+3DmxRAeQuBsrbPz2cxXPf9V
jlvnxwiRzc/VqgAIyhCtgj0S3sEAMxnVXYSrbZpTpi1ZifiTriyyX291mS8xZBcF
LZaNUzusQnEkyE+iGODKi+OPvgUnACIK8gWjMIDbwX99Fmd3LXU1fTpvdlkeuDBS
LKBvZQs0JyYqOxkhU7PsRI6WN1F2nQHuMnb0mlFruejTrRbgyHxvMK6lpVP0nMoK
Av6eIuVxA8q9Lm6TCh+h
=ilSw
-----END PGP SIGNATURE-----
| VAR-201404-0204 | CVE-2014-1311 | Apple Safari Used in etc. WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. Apple Safari Used in etc. WebKit is prone to an unspecified memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application. ------------------------------------------------------------------------
WebKitGTK+ Security Advisory WSA-2015-0001
------------------------------------------------------------------------
Date reported : January 26, 2015
Advisory ID : WSA-2015-0001
Advisory URL : http://webkitgtk.org/security/WSA-2015-0001.html
Affected versions : 2.4 series before 2.4.1, 2.4.2 and 2.4.8.
CVE identifiers : CVE-2013-2871, CVE-2014-1292, CVE-2014-1298,
CVE-2014-1299, CVE-2014-1300, CVE-2014-1303,
CVE-2014-1304, CVE-2014-1305, CVE-2014-1307,
CVE-2014-1308, CVE-2014-1309, CVE-2014-1311,
CVE-2014-1313, CVE-2014-1713, CVE-2014-1297,
CVE-2013-2875, CVE-2013-2927, CVE-2014-1323,
CVE-2014-1326, CVE-2014-1329, CVE-2014-1330,
CVE-2014-1331, CVE-2014-1333, CVE-2014-1334,
CVE-2014-1335, CVE-2014-1336, CVE-2014-1337,
CVE-2014-1338, CVE-2014-1339, CVE-2014-1341,
CVE-2014-1342, CVE-2014-1343, CVE-2014-1731,
CVE-2014-1346, CVE-2014-1344, CVE-2014-1384,
CVE-2014-1385, CVE-2014-1387, CVE-2014-1388,
CVE-2014-1389, CVE-2014-1390.
Several vulnerabilities were discovered on the 2.4 stable series of
WebKitGTK+.
CVE-2013-2871
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to miaubiz.
CVE-2014-1292
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1298
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1299
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team, Apple, Renata Hodovan of
University of Szeged / Samsung Electronics.
CVE-2014-1300
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero working with HP's Zero Day
Initiative.
CVE-2014-1303
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to KeenTeam working with HP's Zero Day Initiative.
CVE-2014-1304
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1305
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1307
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1308
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1309
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to cloudfuzzer.
CVE-2014-1311
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1313
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1713
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to VUPEN working with HP's Zero Day Initiative.
CVE-2014-1297
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero.
CVE-2013-2875
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to miaubiz.
core/rendering/svg/SVGInlineTextBox.cpp in the SVG implementation in
Blink, as used in Google Chrome before 28.0.1500.71, allows remote
attackers to cause a denial of service (out-of-bounds read) via
unspecified vectors.
CVE-2013-2927
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1323
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to banty.
CVE-2014-1326
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1329
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1330
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1331
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1333
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1334
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1335
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1336
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1337
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1338
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1339
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Atte Kettunen of OUSPG.
CVE-2014-1341
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1342
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1343
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1731
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to an anonymous member of the Blink development community.
core/html/HTMLSelectElement.cpp in the DOM implementation in Blink,
as used in Google Chrome before 34.0.1847.131 on Windows and OS X
and before 34.0.1847.132 on Linux, does not properly check renderer
state upon a focus event, which allows remote attackers to cause a
denial of service or possibly have unspecified other impact via
vectors that leverage "type confusion" for SELECT elements.
CVE-2014-1346
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Erling Ellingsen of Facebook.
CVE-2014-1344
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Ian Beer of Google Project Zero.
CVE-2014-1384
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1385
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1387
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Google Chrome Security Team.
CVE-2014-1388
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1389
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1390
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
For the 2.4 series, these problems have been fixed in release 2.4.8.
Further information about WebKitGTK+ Security Advisories can be found
at: http://webkitgtk.org/security.html
The WebKitGTK+ team,
January 26, 2015
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-04-22-2 iOS 7.1.1
iOS 7.1.1 is now available and addresses the following:
CFNetwork HTTPProtocol
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position can obtain web
site credentials
Description: Set-Cookie HTTP headers would be processed even if the
connection closed before the header line was complete. An attacker
could strip security settings from the cookie by forcing the
connection to close before the security settings were sent, and then
obtain the value of the unprotected cookie. This issue was addressed
by ignoring incomplete HTTP header lines.
CVE-ID
CVE-2014-1296 : Antoine Delignat-Lavaud of Prosecco at Inria Paris
IOKit Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user can read kernel pointers, which can be used to
bypass kernel address space layout randomization
Description: A set of kernel pointers stored in an IOKit object
could be retrieved from userland. This issue was addressed through
removing the pointers from the object.
CVE-ID
CVE-2014-1320 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
Security - Secure Transport
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may capture
data or change the operations performed in sessions protected by SSL
Description: In a 'triple handshake' attack, it was possible for an
attacker to establish two connections which had the same encryption
keys and handshake, insert the attacker's data in one connection, and
renegotiate so that the connections may be forwarded to each other.
To prevent attacks based on this scenario, Secure Transport was
changed so that, by default, a renegotiation must present the same
server certificate as was presented in the original connection.
CVE-ID
CVE-2014-1295 : Antoine Delignat-Lavaud, Karthikeyan Bhargavan and
Alfredo Pironti of Prosecco at Inria Paris
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.1.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJTVet5AAoJEPefwLHPlZEwx3YP/iL/NwYn7T1q1ezvAVHQ6T3F
9X+ylJYZ+Ago+ij0wdzlDNJfVLPPbWde3biss6p10zDtLHHJK1jOQJLcZOBHtABG
7+OjIxFw5ZZCmWfOkF/GkfL/kBZllN0GuDCb7v4DVUf6GQPtWBsszQ9pre9Peotx
TZOHxpPd2TBdz1GkLoFSd4I2yXIT5uIkRfvv9vgDXeNihDMlrJdq8ZBSlfKt+eXT
kQ3+hGW2knT7np3BdWPQgqo9+YIfcAXN4Rnj0rPXVzzeKwpUrVjLwJgivecwhB7w
mF+AWfH5oajw+ANzMeFm/DirlAADcM5LgdxtHnXH2Xh1NV5tOCSnaYWyFK4Nadex
rVEWTOW4VxSb881dOikwY182kBlpaMjVgpvb04GA5zMAW+MtS7o4hj/H6ywGe7zm
t7ZdyAo7i3QRFwBGEcJw1KjyTWnP1ILuBC9dekek+3DmxRAeQuBsrbPz2cxXPf9V
jlvnxwiRzc/VqgAIyhCtgj0S3sEAMxnVXYSrbZpTpi1ZifiTriyyX291mS8xZBcF
LZaNUzusQnEkyE+iGODKi+OPvgUnACIK8gWjMIDbwX99Fmd3LXU1fTpvdlkeuDBS
LKBvZQs0JyYqOxkhU7PsRI6WN1F2nQHuMnb0mlFruejTrRbgyHxvMK6lpVP0nMoK
Av6eIuVxA8q9Lm6TCh+h
=ilSw
-----END PGP SIGNATURE-----
| VAR-201404-0201 | CVE-2014-1308 | Apple Safari Used in etc. WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. Apple Safari Used in etc. WebKit is prone to an unspecified memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application. ------------------------------------------------------------------------
WebKitGTK+ Security Advisory WSA-2015-0001
------------------------------------------------------------------------
Date reported : January 26, 2015
Advisory ID : WSA-2015-0001
Advisory URL : http://webkitgtk.org/security/WSA-2015-0001.html
Affected versions : 2.4 series before 2.4.1, 2.4.2 and 2.4.8.
CVE identifiers : CVE-2013-2871, CVE-2014-1292, CVE-2014-1298,
CVE-2014-1299, CVE-2014-1300, CVE-2014-1303,
CVE-2014-1304, CVE-2014-1305, CVE-2014-1307,
CVE-2014-1308, CVE-2014-1309, CVE-2014-1311,
CVE-2014-1313, CVE-2014-1713, CVE-2014-1297,
CVE-2013-2875, CVE-2013-2927, CVE-2014-1323,
CVE-2014-1326, CVE-2014-1329, CVE-2014-1330,
CVE-2014-1331, CVE-2014-1333, CVE-2014-1334,
CVE-2014-1335, CVE-2014-1336, CVE-2014-1337,
CVE-2014-1338, CVE-2014-1339, CVE-2014-1341,
CVE-2014-1342, CVE-2014-1343, CVE-2014-1731,
CVE-2014-1346, CVE-2014-1344, CVE-2014-1384,
CVE-2014-1385, CVE-2014-1387, CVE-2014-1388,
CVE-2014-1389, CVE-2014-1390.
Several vulnerabilities were discovered on the 2.4 stable series of
WebKitGTK+.
CVE-2013-2871
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to miaubiz.
CVE-2014-1292
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1298
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1299
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team, Apple, Renata Hodovan of
University of Szeged / Samsung Electronics.
CVE-2014-1300
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero working with HP's Zero Day
Initiative.
CVE-2014-1303
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to KeenTeam working with HP's Zero Day Initiative.
CVE-2014-1304
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1305
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1307
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1308
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1309
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to cloudfuzzer.
CVE-2014-1311
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1313
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1713
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to VUPEN working with HP's Zero Day Initiative.
CVE-2014-1297
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero.
CVE-2013-2875
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to miaubiz.
core/rendering/svg/SVGInlineTextBox.cpp in the SVG implementation in
Blink, as used in Google Chrome before 28.0.1500.71, allows remote
attackers to cause a denial of service (out-of-bounds read) via
unspecified vectors.
CVE-2013-2927
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1323
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to banty.
CVE-2014-1326
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1329
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1330
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1331
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1333
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1334
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1335
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1336
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1337
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1338
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1339
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Atte Kettunen of OUSPG.
CVE-2014-1341
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1342
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1343
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1731
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to an anonymous member of the Blink development community.
core/html/HTMLSelectElement.cpp in the DOM implementation in Blink,
as used in Google Chrome before 34.0.1847.131 on Windows and OS X
and before 34.0.1847.132 on Linux, does not properly check renderer
state upon a focus event, which allows remote attackers to cause a
denial of service or possibly have unspecified other impact via
vectors that leverage "type confusion" for SELECT elements.
CVE-2014-1346
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Erling Ellingsen of Facebook.
CVE-2014-1344
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Ian Beer of Google Project Zero.
CVE-2014-1384
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1385
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1387
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Google Chrome Security Team.
CVE-2014-1388
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1389
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1390
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
For the 2.4 series, these problems have been fixed in release 2.4.8.
Further information about WebKitGTK+ Security Advisories can be found
at: http://webkitgtk.org/security.html
The WebKitGTK+ team,
January 26, 2015
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-04-22-2 iOS 7.1.1
iOS 7.1.1 is now available and addresses the following:
CFNetwork HTTPProtocol
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position can obtain web
site credentials
Description: Set-Cookie HTTP headers would be processed even if the
connection closed before the header line was complete. An attacker
could strip security settings from the cookie by forcing the
connection to close before the security settings were sent, and then
obtain the value of the unprotected cookie. This issue was addressed
by ignoring incomplete HTTP header lines.
CVE-ID
CVE-2014-1296 : Antoine Delignat-Lavaud of Prosecco at Inria Paris
IOKit Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user can read kernel pointers, which can be used to
bypass kernel address space layout randomization
Description: A set of kernel pointers stored in an IOKit object
could be retrieved from userland. This issue was addressed through
removing the pointers from the object.
CVE-ID
CVE-2014-1320 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
Security - Secure Transport
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may capture
data or change the operations performed in sessions protected by SSL
Description: In a 'triple handshake' attack, it was possible for an
attacker to establish two connections which had the same encryption
keys and handshake, insert the attacker's data in one connection, and
renegotiate so that the connections may be forwarded to each other.
To prevent attacks based on this scenario, Secure Transport was
changed so that, by default, a renegotiation must present the same
server certificate as was presented in the original connection.
CVE-ID
CVE-2014-1295 : Antoine Delignat-Lavaud, Karthikeyan Bhargavan and
Alfredo Pironti of Prosecco at Inria Paris
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.1.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJTVet5AAoJEPefwLHPlZEwx3YP/iL/NwYn7T1q1ezvAVHQ6T3F
9X+ylJYZ+Ago+ij0wdzlDNJfVLPPbWde3biss6p10zDtLHHJK1jOQJLcZOBHtABG
7+OjIxFw5ZZCmWfOkF/GkfL/kBZllN0GuDCb7v4DVUf6GQPtWBsszQ9pre9Peotx
TZOHxpPd2TBdz1GkLoFSd4I2yXIT5uIkRfvv9vgDXeNihDMlrJdq8ZBSlfKt+eXT
kQ3+hGW2knT7np3BdWPQgqo9+YIfcAXN4Rnj0rPXVzzeKwpUrVjLwJgivecwhB7w
mF+AWfH5oajw+ANzMeFm/DirlAADcM5LgdxtHnXH2Xh1NV5tOCSnaYWyFK4Nadex
rVEWTOW4VxSb881dOikwY182kBlpaMjVgpvb04GA5zMAW+MtS7o4hj/H6ywGe7zm
t7ZdyAo7i3QRFwBGEcJw1KjyTWnP1ILuBC9dekek+3DmxRAeQuBsrbPz2cxXPf9V
jlvnxwiRzc/VqgAIyhCtgj0S3sEAMxnVXYSrbZpTpi1ZifiTriyyX291mS8xZBcF
LZaNUzusQnEkyE+iGODKi+OPvgUnACIK8gWjMIDbwX99Fmd3LXU1fTpvdlkeuDBS
LKBvZQs0JyYqOxkhU7PsRI6WN1F2nQHuMnb0mlFruejTrRbgyHxvMK6lpVP0nMoK
Av6eIuVxA8q9Lm6TCh+h
=ilSw
-----END PGP SIGNATURE-----
| VAR-201404-0200 | CVE-2014-1307 | Apple Safari Used in etc. WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. Apple Safari Used in etc. WebKit is prone to an unspecified memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application. ------------------------------------------------------------------------
WebKitGTK+ Security Advisory WSA-2015-0001
------------------------------------------------------------------------
Date reported : January 26, 2015
Advisory ID : WSA-2015-0001
Advisory URL : http://webkitgtk.org/security/WSA-2015-0001.html
Affected versions : 2.4 series before 2.4.1, 2.4.2 and 2.4.8.
CVE identifiers : CVE-2013-2871, CVE-2014-1292, CVE-2014-1298,
CVE-2014-1299, CVE-2014-1300, CVE-2014-1303,
CVE-2014-1304, CVE-2014-1305, CVE-2014-1307,
CVE-2014-1308, CVE-2014-1309, CVE-2014-1311,
CVE-2014-1313, CVE-2014-1713, CVE-2014-1297,
CVE-2013-2875, CVE-2013-2927, CVE-2014-1323,
CVE-2014-1326, CVE-2014-1329, CVE-2014-1330,
CVE-2014-1331, CVE-2014-1333, CVE-2014-1334,
CVE-2014-1335, CVE-2014-1336, CVE-2014-1337,
CVE-2014-1338, CVE-2014-1339, CVE-2014-1341,
CVE-2014-1342, CVE-2014-1343, CVE-2014-1731,
CVE-2014-1346, CVE-2014-1344, CVE-2014-1384,
CVE-2014-1385, CVE-2014-1387, CVE-2014-1388,
CVE-2014-1389, CVE-2014-1390.
Several vulnerabilities were discovered on the 2.4 stable series of
WebKitGTK+.
CVE-2013-2871
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to miaubiz.
CVE-2014-1292
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1298
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1299
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team, Apple, Renata Hodovan of
University of Szeged / Samsung Electronics.
CVE-2014-1300
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero working with HP's Zero Day
Initiative.
CVE-2014-1303
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to KeenTeam working with HP's Zero Day Initiative.
CVE-2014-1304
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1305
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1307
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1308
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1309
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to cloudfuzzer.
CVE-2014-1311
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1313
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1713
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to VUPEN working with HP's Zero Day Initiative.
CVE-2014-1297
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero.
CVE-2013-2875
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to miaubiz.
core/rendering/svg/SVGInlineTextBox.cpp in the SVG implementation in
Blink, as used in Google Chrome before 28.0.1500.71, allows remote
attackers to cause a denial of service (out-of-bounds read) via
unspecified vectors.
CVE-2013-2927
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1323
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to banty.
CVE-2014-1326
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1329
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1330
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1331
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1333
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1334
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1335
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1336
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1337
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1338
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1339
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Atte Kettunen of OUSPG.
CVE-2014-1341
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1342
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1343
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1731
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to an anonymous member of the Blink development community.
core/html/HTMLSelectElement.cpp in the DOM implementation in Blink,
as used in Google Chrome before 34.0.1847.131 on Windows and OS X
and before 34.0.1847.132 on Linux, does not properly check renderer
state upon a focus event, which allows remote attackers to cause a
denial of service or possibly have unspecified other impact via
vectors that leverage "type confusion" for SELECT elements.
CVE-2014-1346
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Erling Ellingsen of Facebook.
CVE-2014-1344
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Ian Beer of Google Project Zero.
CVE-2014-1384
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1385
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1387
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Google Chrome Security Team.
CVE-2014-1388
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1389
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1390
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
For the 2.4 series, these problems have been fixed in release 2.4.8.
Further information about WebKitGTK+ Security Advisories can be found
at: http://webkitgtk.org/security.html
The WebKitGTK+ team,
January 26, 2015
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-04-22-2 iOS 7.1.1
iOS 7.1.1 is now available and addresses the following:
CFNetwork HTTPProtocol
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position can obtain web
site credentials
Description: Set-Cookie HTTP headers would be processed even if the
connection closed before the header line was complete. An attacker
could strip security settings from the cookie by forcing the
connection to close before the security settings were sent, and then
obtain the value of the unprotected cookie. This issue was addressed
by ignoring incomplete HTTP header lines.
CVE-ID
CVE-2014-1296 : Antoine Delignat-Lavaud of Prosecco at Inria Paris
IOKit Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user can read kernel pointers, which can be used to
bypass kernel address space layout randomization
Description: A set of kernel pointers stored in an IOKit object
could be retrieved from userland. This issue was addressed through
removing the pointers from the object.
CVE-ID
CVE-2014-1320 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
Security - Secure Transport
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may capture
data or change the operations performed in sessions protected by SSL
Description: In a 'triple handshake' attack, it was possible for an
attacker to establish two connections which had the same encryption
keys and handshake, insert the attacker's data in one connection, and
renegotiate so that the connections may be forwarded to each other.
To prevent attacks based on this scenario, Secure Transport was
changed so that, by default, a renegotiation must present the same
server certificate as was presented in the original connection.
CVE-ID
CVE-2014-1295 : Antoine Delignat-Lavaud, Karthikeyan Bhargavan and
Alfredo Pironti of Prosecco at Inria Paris
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.1.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJTVet5AAoJEPefwLHPlZEwx3YP/iL/NwYn7T1q1ezvAVHQ6T3F
9X+ylJYZ+Ago+ij0wdzlDNJfVLPPbWde3biss6p10zDtLHHJK1jOQJLcZOBHtABG
7+OjIxFw5ZZCmWfOkF/GkfL/kBZllN0GuDCb7v4DVUf6GQPtWBsszQ9pre9Peotx
TZOHxpPd2TBdz1GkLoFSd4I2yXIT5uIkRfvv9vgDXeNihDMlrJdq8ZBSlfKt+eXT
kQ3+hGW2knT7np3BdWPQgqo9+YIfcAXN4Rnj0rPXVzzeKwpUrVjLwJgivecwhB7w
mF+AWfH5oajw+ANzMeFm/DirlAADcM5LgdxtHnXH2Xh1NV5tOCSnaYWyFK4Nadex
rVEWTOW4VxSb881dOikwY182kBlpaMjVgpvb04GA5zMAW+MtS7o4hj/H6ywGe7zm
t7ZdyAo7i3QRFwBGEcJw1KjyTWnP1ILuBC9dekek+3DmxRAeQuBsrbPz2cxXPf9V
jlvnxwiRzc/VqgAIyhCtgj0S3sEAMxnVXYSrbZpTpi1ZifiTriyyX291mS8xZBcF
LZaNUzusQnEkyE+iGODKi+OPvgUnACIK8gWjMIDbwX99Fmd3LXU1fTpvdlkeuDBS
LKBvZQs0JyYqOxkhU7PsRI6WN1F2nQHuMnb0mlFruejTrRbgyHxvMK6lpVP0nMoK
Av6eIuVxA8q9Lm6TCh+h
=ilSw
-----END PGP SIGNATURE-----
| VAR-201405-0459 | CVE-2014-0786 | Ecava IntegraXor Guest Acccount Information Disclosure Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Ecava IntegraXor before 4.1.4393 allows remote attackers to read cleartext credentials for administrative accounts via SELECT statements that leverage the guest role. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Ecava IntegraXor. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of the "guest" user. The issue lies in the ability the retrieve all project credentials. By abusing this flaw an attacker can disclose credentials and leverage this situation to achieve remote code execution. Ecava IntegraXor is a human interface product that uses HTML and SVG. Ecava IntegraXor has an unspecified error that allows an attacker to exploit a vulnerability to obtain sensitive account information.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. Ecava IntegraXor is prone to an information-disclosure vulnerability.
Versions prior to IntegraXor 4.1.4393 are vulnerable
| VAR-201404-0106 | CVE-2013-3588 | Zyxel P660 series modem/router denial of service vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The web management interface on Zyxel P660 devices allows remote attackers to cause a denial of service (reboot) via a flood of TCP SYN packets. ZyXEL Communications Corp. Provided by P660 The web management screen of the series shows service disruption (DoS) Vulnerabilities exist.The product may be restarted by a remote third party. Zyxel P660 Series Routers are ADSL router devices. Zyxel P660 series routers are prone to a remote denial-of-service vulnerability