Home / mailingsPDF  

APPLE-SA-2014-10-16-1 OS X Yosemite v10.10

Posted on 17 October 2014
Apple Security-announce

--===============0684737148==
Content-type: multipart/signed;
boundary="Apple-Mail=_D6AE1441-1924-4BAE-9142-B2517BB2CF0E";
protocol="application/pgp-signature"; micalg=pgp-sha1


--Apple-Mail=_D6AE1441-1924-4BAE-9142-B2517BB2CF0E
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2014-10-16-1 OS X Yosemite v10.10

OS X Yosemite v10.10 is now available and addresses the following:

802.1X
Impact: An attacker can obtain WiFi credentials
Description: An attacker could have impersonated a WiFi access
point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash,
and used the derived credentials to authenticate to the intended
access point even if that access point supported stronger
authentication methods. This issue was addressed by disabling LEAP by
default.
CVE-ID
CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim
Lamotte of Universiteit Hasselt

AFP File Server
Impact: A remote attacker could determine all the network addresses
of the system
Description: The AFP file server supported a command which returned
all the network addresses of the system. This issue was addressed by
removing the addresses from the result.
CVE-ID
CVE-2014-4426 : Craig Young of Tripwire VERT

apache
Impact: Multiple vulnerabilities in Apache
Description: Multiple vulnerabilities existed in Apache, the most
serious of which may lead to a denial of service. These issues were
addressed by updating Apache to version 2.4.9.
CVE-ID
CVE-2013-6438
CVE-2014-0098

App Sandbox
Impact: An application confined by sandbox restrictions may misuse
the accessibility API
Description: A sandboxed application could misuse the accessibility
API without the user's knowledge. This has been addressed by
requiring administrator approval to use the accessibility API on an
per-application basis.
CVE-ID
CVE-2014-4427 : Paul S. Ziegler of Reflare UG

Bash
Impact: In certain configurations, a remote attacker may be able to
execute arbitrary shell commands
Description: An issue existed in Bash's parsing of environment
variables. This issue was addressed through improved environment
variable parsing by better detecting the end of the function
statement. This update also incorporated the suggested CVE-2014-7169
change, which resets the parser state. In addition, this update
added a new namespace for exported functions by creating a function
decorator to prevent unintended header passthrough to Bash. The names
of all environment variables that introduce function definitions are
required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent
unintended function passing via HTTP headers.
CVE-ID
CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy

Bluetooth
Impact: A malicious Bluetooth input device may bypass pairing
Description: Unencrypted connections were permitted from Human
Interface Device-class Bluetooth Low Energy devices. If a Mac had
paired with such a device, an attacker could spoof the legitimate
device to establish a connection. The issue was addressed by denying
unencrypted HID connections.
CVE-ID
CVE-2014-4428 : Mike Ryan of iSEC Partners

CFPreferences
Impact: The 'require password after sleep or screen saver begins'
preference may not be respected until after a reboot
Description: A session management issue existed in the handling of
system preference settings. This issue was addressed through improved
session tracking.
CVE-ID
CVE-2014-4425

Certificate Trust Policy
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at
http://support.apple.com/kb/HT6005.

CoreStorage
Impact: An encrypted volume may stay unlocked when ejected
Description: When an encrypted volume was logically ejected while
mounted, the volume was unmounted but the keys were retained, so it
could have been mounted again without the password. This issue was
addressed by erasing the keys on eject.
CVE-ID
CVE-2014-4430 : Benjamin King at See Ben Click Computer Services LLC,
Karsten Iwen, Dustin Li (http://dustin.li/), Ken J. Takekoshi, and
other anonymous researchers

CUPS
Impact: A local user can execute arbitrary code with system
privileges
Description: When the CUPS web interface served files, it would
follow symlinks. A local user could create symlinks to arbitrary
files and retrieve them through the web interface. This issue was
addressed by disallowing symlinks to be served via the CUPS web
interface.
CVE-ID
CVE-2014-3537

Dock
Impact: In some circumstances, windows may be visible even when the
screen is locked
Description: A state management issue existed in the handling of the
screen lock. This issue was addressed through improved state
tracking.
CVE-ID
CVE-2014-4431 : Emil Sjolander of Umea University

fdesetup
Impact: The fdesetup command may provide misleading status for the
state of encryption on disk
Description: After updating settings, but before rebooting, the
fdesetup command provided misleading status. This issue was addressed
through improved status reporting.
CVE-ID
CVE-2014-4432

iCloud Find My Mac
Impact: iCloud Lost mode PIN may be bruteforced
Description: A state persistence issue in rate limiting allowed
brute force attacks on iCloud Lost mode PIN. This issue was addressed
through improved state persistence across reboots.
CVE-ID
CVE-2014-4435 : knoy

IOAcceleratorFamily
Impact: An application may cause a denial of service
Description: A NULL pointer dereference was present in the
IntelAccelerator driver. The issue was addressed through improved
error handling.
CVE-ID
CVE-2014-4373 : cunzhang from Adlab of Venustech

IOHIDFamily
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A null pointer dereference existed in IOHIDFamily's
handling of key-mapping properties. This issue was addressed through
improved validation of IOHIDFamily key-mapping properties.
CVE-ID
CVE-2014-4405 : Ian Beer of Google Project Zero

IOHIDFamily
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A heap buffer overflow existed in IOHIDFamily's
handling of key-mapping properties. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2014-4404 : Ian Beer of Google Project Zero

IOHIDFamily
Impact: An application may cause a denial of service
Description: A out-of-bounds memory read was present in the
IOHIDFamily driver. The issue was addressed through improved input
validation.
CVE-ID
CVE-2014-4436 : cunzhang from Adlab of Venustech

IOHIDFamily
Impact: A user may be able to execute arbitrary code with system
privileges
Description: An out-of-bounds write issue exited in the IOHIDFamily
driver. The issue was addressed through improved input validation.
CVE-ID
CVE-2014-4380 : cunzhang from Adlab of Venustech

IOKit
Impact: A malicious application may be able to read uninitialized
data from kernel memory
Description: An uninitialized memory access issue existed in the
handling of IOKit functions. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2014-4407 : @PanguTeam

IOKit
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IODataQueue objects. This issue was addressed
through improved validation of metadata.
CVE-ID
CVE-2014-4388 : @PanguTeam

IOKit
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IODataQueue objects. This issue was addressed
through improved validation of metadata.
CVE-ID
CVE-2014-4418 : Ian Beer of Google Project Zero

Kernel
Impact: A local user may be able to determine kernel memory layout
Description: Multiple uninitialized memory issues existed in the
network statistics interface, which led to the disclosure of kernel
memory content. This issue was addressed through additional memory
initialization.
CVE-ID
CVE-2014-4371 : Fermin J. Serna of the Google Security Team
CVE-2014-4419 : Fermin J. Serna of the Google Security Team
CVE-2014-4420 : Fermin J. Serna of the Google Security Team
CVE-2014-4421 : Fermin J. Serna of the Google Security Team

Kernel
Impact: A maliciously crafted file system may cause unexpected
system shutdown or arbitrary code execution
Description: A heap-based buffer overflow issue existed in the
handling of HFS resource forks. A maliciously crafted filesystem may
cause an unexpected system shutdown or arbitrary code execution with
kernel privileges. The issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-4433 : Maksymilian Arciemowicz

Kernel
Impact: A malicious file system may cause unexpected system shutdown
Description: A NULL dereference issue existed in the handling of HFS
filenames. A maliciously crafted filesystem may cause an unexpected
system shutdown. This issue was addressed by avoiding the NULL
dereference.
CVE-ID
CVE-2014-4434 : Maksymilian Arciemowicz

Kernel
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: A double free issue existed in the handling of Mach
ports. This issue was addressed through improved validation of Mach
ports.
CVE-ID
CVE-2014-4375 : an anonymous researcher

Kernel
Impact: A person with a privileged network position may cause a
denial of service
Description: A race condition issue existed in the handling of IPv6
packets. This issue was addressed through improved lock state
checking.
CVE-ID
CVE-2011-2391 : Marc Heuse

Kernel
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: An out-of-bounds read issue existed in rt_setgate. This
may lead to memory disclosure or memory corruption. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2014-4408

Kernel
Impact: A local user can cause an unexpected system termination
Description: A reachable panic existed in the handling of messages
sent to system control sockets. This issue was addressed through
additional validation of messages.
CVE-ID
CVE-2014-4442 : Darius Davis of VMware

Kernel
Impact: Some kernel hardening measures may be bypassed
Description: The random number generator used for kernel hardening
measures early in the boot process was not cryptographically secure.
Some of its output was inferable from user space, allowing bypass of
the hardening measures. This issue was addressed by using a
cryptographically secure algorithm.
CVE-ID
CVE-2014-4422 : Tarjei Mandt of Azimuth Security

LaunchServices
Impact: A local application may bypass sandbox restrictions
Description: The LaunchServices interface for setting content type
handlers allowed sandboxed applications to specify handlers for
existing content types. A compromised application could use this to
bypass sandbox restrictions. The issue was addressed by restricting
sandboxed applications from specifying content type handlers.
CVE-ID
CVE-2014-4437 : Meder Kydyraliev of the Google Security Team

LoginWindow
Impact: Sometimes the screen might not lock
Description: A race condition existed in LoginWindow, which would
sometimes prevent the screen from locking. The issue was addressed by
changing the order of operations.
CVE-ID
CVE-2014-4438 : Harry Sintonen of nSense, Alessandro Lobina of
Helvetia Insurances, Patryk Szlagowski of Funky Monkey Labs

Mail
Impact: Mail may send email to unintended recipients
Description: A user interface inconsistency in Mail application
resulted in email being sent to addresses that were removed from the
list of recipients. The issue was addressed through improved user
interface consistency checks.
CVE-ID
CVE-2014-4439 : Patrick J Power of Melbourne, Australia

MCX Desktop Config Profiles
Impact: When mobile configuration profiles were uninstalled, their
settings were not removed
Description: Web proxy settings installed by a mobile configuration
profile were not removed when the profile was uninstalled. This issue
was addressed through improved handling of profile uninstallation.
CVE-ID
CVE-2014-4440 : Kevin Koster of Cloudpath Networks

NetFS Client Framework
Impact: File Sharing may enter a state in which it cannot be
disabled
Description: A state management issue existed in the File Sharing
framework. This issue was addressed through improved state
management.
CVE-ID
CVE-2014-4441 : Eduardo Bonsi of BEARTCOMMUNICATIONS

QuickTime
Impact: Playing a maliciously crafted m4a file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of audio
samples. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4351 : Karl Smith of NCC Group

Safari
Impact: History of pages recently visited in an open tab may remain
after clearing of history
Description: Clearing Safari's history did not clear the
back/forward history for open tabs. This issue was addressed by
clearing the back/forward history.
CVE-ID
CVE-2013-5150

Safari
Impact: Opting in to push notifications from a maliciously crafted
website may cause future Safari Push Notifications to be missed
Description: An uncaught exception issue existed in
SafariNotificationAgent's handling of Safari Push Notifications. This
issue was addressed through improved handling of Safari Push
Notifications.
CVE-ID
CVE-2014-4417 : Marek Isalski of Faelix Limited

Secure Transport
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling CBC cipher suites
when TLS connection attempts fail.
CVE-ID
CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
Google Security Team

Security
Impact: A remote attacker may be able to cause a denial of service
Description: A null dereference existed in the handling of ASN.1
data. This issue was addressed through additional validation of ASN.1
data.
CVE-ID
CVE-2014-4443 : Coverity

Security
Impact: A local user might have access to another user's Kerberos
tickets
Description: A state management issue existed in SecurityAgent.
While Fast User Switching, sometimes a Kerberos ticket for the
switched-to user would be placed in the cache for the previous user.
This issue was addressed through improved state management.
CVE-ID
CVE-2014-4444 : Gary Simon of Sandia National Laboratories, Ragnar
Sundblad of KTH Royal Institute of Technology, Eugene Homyakov of
Kaspersky Lab

Security - Code Signing
Impact: Tampered applications may not be prevented from launching
Description: Apps signed on OS X prior to OS X Mavericks 10.9 or
apps using custom resource rules, may have been susceptible to
tampering that would not have invalidated the signature. On systems
set to allow only apps from the Mac App Store and identified
developers, a downloaded modified app could have been allowed to run
as though it were legitimate. This issue was addressed by ignoring
signatures of bundles with resource envelopes that omit resources
that may influence execution. OS X Mavericks v10.9.5 and Security
Update 2014-004 for OS X Mountain Lion v10.8.5 already contain these
changes.
CVE-ID
CVE-2014-4391 : Christopher Hickstein working with HP's Zero Day
Initiative


Note: OS X Yosemite includes Safari 8.0, which incorporates
the security content of Safari 7.1. For further details see
"About the security content of Safari 7.1" at
https://support.apple.com/kb/HT6440.


OS X Yosemite may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

 

TOP