Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Updates for OS X , iOS and Apple TV - SANS Internet Storm Center

SANS Site Network

Current Site

SANS Internet Storm Center

Other SANS Sites Help

Graduate Degree Programs

Security Training

Security Certification

Security Awareness Training

Penetration Testing

Industrial Control Systems

Cyber Defense Foundations

DFIR

Software Security

Government OnSite Training

SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Log In or Sign Up for Free!

Updates for OS X , iOS and Apple TV

Apple today released updates for iOS 8 and OS X 10.10 (Yosemite) . Here are some of the highlights from a security point of view:

OS 10.10.1

(approx. listed in order of severity)

CVE	Impact	ISC Rating	Description
2014-4459	Remote Code Execution	critical	A vulnerability in Webkit could allow a malicious site to execute arbitrary code
2014-4453	Information Leakage	important	The index Spotlight creates on a removable drive may include content from other drives. This vulnerability was recently discussed publicly in a blog and the author discovered e-mail fragment in the Spotlight index created on a USB drive.
2014-4460	Information Leakage	important	Safari may not delete all cached files after leaving private browsing. If a user visits a site without private browsing after visiting the same site with private browsing enabled, then the site may be able to connect the two visits.
2014-4458	Information Leakage	important	The "About this Mac" feature includes unnecessary details that are reported back to Apple to determine the system model

iOS

CVE	Impact	Severity	Description
CVE-2014-4452 CVE-2014-4462	remote code execution	critical	Webkit issues that will lead to arbitrary code execution when visting a malicious webpage
CVE-2014-4455	unsigned code exeuction	important	A local user may execute unsinged code
CVE-2014-4460	information leakage	important	Safari doesn't delete all cached files when leaving private mode
CVE-2014-4461	privilege escalation	important	A malicious application may execute arbitrary codes using System privileges.
CVE-2014-4451	security feature bypass	important	An attacker may be able to exceed the maximum passcode attempt limit to bypass the lockscreen.
CVE-2014-4463	information leakage	important	the "leave message" feature in Facetime may have allowed sending photos from the device.
CVE-2014-4457	code execution	important	the debug feature would allow applications to be spawned that were not being debugged.
CVE-2014-4453	informtion leakage	important	iOS would submit the devices location to Spotlight Suggestion servers before the user entered a query

Apple TV

CVE	Impact	Severity	Description
CVE-2014-4462	Code Execution	Critical	A memory corruption in WebKit may be used to terminate applications or run arbitrary code.
CVE-2014-4455	Code Execution	Important	A local user may execute unsigned code
CVE-2014-4461	Privilege Elevation	Important	A malicious application may be able to execute arbitrary code with system privileges.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022

Johannes

4478 Posts
ISC Handler

Nov 17th 2014

Thread locked Subscribe

Nov 17th 2014
7 years ago

Are the OS X vulnerabilities present on older versions of the OS?

Anonymous

Quote

Nov 17th 2014
7 years ago

Sign Up for Free or Log In to start participating in the conversation!