Threat Level: green Handler on Duty: Bojan Zdrnja

SANS ISC: Updates for OS X , iOS and Apple TV - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Updates for OS X , iOS and Apple TV

Apple today released updates for iOS 8 and OS X 10.10 (Yosemite) . Here are some of the highlights from a security point of view:

OS 10.10.1

(approx. listed in order of severity)

CVE Impact ISC Rating Description
2014-4459 Remote Code Execution critical A vulnerability in Webkit could allow a malicious site to execute arbitrary code
2014-4453 Information Leakage important The index Spotlight creates on a removable drive may include content from other drives. This vulnerability was recently discussed publicly in a blog and the author discovered e-mail fragment in the Spotlight index created on a USB drive. 
2014-4460 Information Leakage important Safari may not delete all cached files after leaving private browsing. If a user visits a site without private browsing after visiting the same site with private browsing enabled, then the site may be able to connect the two visits.
2014-4458 Information Leakage important The "About this Mac" feature includes unnecessary details that are reported back to Apple to determine the system model

iOS

CVE Impact Severity Description
CVE-2014-4452
​CVE-2014-4462
remote code execution critical Webkit issues that will lead to arbitrary code execution when visting a malicious webpage
CVE-2014-4455 unsigned code exeuction important A local user may execute unsinged code
CVE-2014-4460 information leakage important Safari doesn't delete all cached files when leaving private mode
CVE-2014-4461 privilege escalation important A malicious application may execute arbitrary codes using System privileges.
CVE-2014-4451 security feature bypass important An attacker may be able to exceed the maximum passcode attempt limit to bypass the lockscreen.
CVE-2014-4463 information leakage important the "leave message" feature in Facetime may have allowed sending photos from the device.
CVE-2014-4457 code execution important the debug feature would allow applications to be spawned that were not being debugged.
CVE-2014-4453 informtion leakage important iOS would submit the devices location to Spotlight Suggestion servers before the user entered a query

 

Apple TV

CVE Impact Severity Description
CVE-2014-4462 Code Execution Critical A memory corruption in WebKit may be used to terminate applications or run arbitrary code.
CVE-2014-4455 Code Execution Important A local user may execute unsigned code
CVE-2014-4461 Privilege Elevation Important A malicious application may be able to execute arbitrary code with system privileges.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Defending Web Applications Security Essentials - SANS San Jose 2019

Johannes

3580 Posts
ISC Handler
Are the OS X vulnerabilities present on older versions of the OS?
Anonymous

Sign Up for Free or Log In to start participating in the conversation!