copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2014.0558 - [OSX] OS X: Multiple vulnerabilities

Date: 23 April 2014
References: ESB-2013.1503  ASB-2013.0130  ESB-2013.1692  ESB-2013.1700  ESB-2013.1733  ESB-2013.1732  ESB-2014.0020  ESB-2014.0130.2  ESB-2014.0307  ESB-2014.0324  
ESB-2014.0431  ESB-2014.0432  ESB-2014.0539  ESB-2014.0560  ESB-2014.0561  ESB-2014.0745  ESB-2014.0775  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0558
                         Security Update 2014-002
                               23 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          OS X
Publisher:        Apple
Operating System: OS X
Impact/Access:    Execute Arbitrary Code/Commands -- Remote with User Interaction
                  Denial of Service               -- Remote/Unauthenticated      
                  Provide Misleading Information  -- Remote with User Interaction
                  Access Confidential Data        -- Remote with User Interaction
                  Unauthorised Access             -- Console/Physical            
Resolution:       Patch/Upgrade
CVE Names:        CVE-2014-1322 CVE-2014-1321 CVE-2014-1320
                  CVE-2014-1319 CVE-2014-1318 CVE-2014-1316
                  CVE-2014-1315 CVE-2014-1314 CVE-2014-1296
                  CVE-2014-1295 CVE-2013-6393 CVE-2013-5170
                  CVE-2013-4164  

Reference:        ASB-2013.0130
                  ESB-2014.0539
                  ESB-2014.0432
                  ESB-2014.0431
                  ESB-2014.0324
                  ESB-2014.0307
                  ESB-2014.0130.2
                  ESB-2014.0020
                  ESB-2013.1733
                  ESB-2013.1732
                  ESB-2013.1700
                  ESB-2013.1692
                  ESB-2013.1503

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2014-04-22-1 Security Update 2014-002

Security Update 2014-002 is now available and addresses the
following:

CFNetwork HTTPProtocol
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact:  An attacker in a privileged network position can obtain web
site credentials
Description:  Set-Cookie HTTP headers would be processed even if the
connection closed before the header line was complete. An attacker
could strip security settings from the cookie by forcing the
connection to close before the security settings were sent, and then
obtain the value of the unprotected cookie. This issue was addressed
by ignoring incomplete HTTP header lines.
CVE-ID
CVE-2014-1296 : Antoine Delignat-Lavaud of Prosecco at Inria Paris

CoreServicesUIAgent
Available for:  OS X Mavericks v10.9.2
Impact:  Visiting a maliciously crafted website or URL may result in
an unexpected application termination or arbitrary code execution
Description:  A format string issue existed in the handling of URLs.
This issue was addressed through additional validation of URLs. This
issue does not affect systems prior to OS X Mavericks.
CVE-ID
CVE-2014-1315 : Lukasz Pilorz of runic.pl, Erik Kooistra

FontParser
Available for:  OS X Mountain Lion v10.8.5
Impact:  Opening a maliciously crafted PDF file may result in an
unexpected application termination or arbitrary code execution
Description:  A buffer underflow existed in the handling of fonts in
PDF files. This issue was addressed through additional bounds
checking. This issue does not affect OS X Mavericks systems.
CVE-ID
CVE-2013-5170 : Will Dormann of CERT/CC

Heimdal Kerberos
Available for:  OS X Mavericks v10.9.2
Impact:  A remote attacker may be able to cause a denial of service
Description:  A reachable abort existed in the handling of ASN.1
data. This issue was addressed through additional validation of ASN.1
data.
CVE-ID
CVE-2014-1316 : Joonas Kuorilehto of Codenomicon

ImageIO
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact:  Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow issue existed in ImageIO's handling
of JPEG images. This issue was addressed through improved bounds
checking. This issue does not affect systems prior to OS X Mavericks.
CVE-ID
CVE-2014-1319 : Cristian Draghici of Modulo Consulting, Karl Smith of
NCC Group

Intel Graphics Driver
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact:  A malicious application can take control of the system
Description:  A validation issue existed in the handling of a pointer
from userspace. This issue was addressed through additional
validation of pointers.
CVE-ID
CVE-2014-1318 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative

IOKit Kernel
Available for:  OS X Mavericks v10.9.2
Impact:  A local user can read kernel pointers, which can be used to
bypass kernel address space layout randomization
Description:  A set of kernel pointers stored in an IOKit object
could be retrieved from userland. This issue was addressed through
removing the pointers from the object.
CVE-ID
CVE-2014-1320 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative

Kernel
Available for:  OS X Mavericks v10.9.2
Impact:  A local user can read a kernel pointer, which can be used to
bypass kernel address space layout randomization
Description:  A kernel pointer stored in a XNU object could be
retrieved from userland. This issue was addressed through removing
the pointer from the object.
CVE-ID
CVE-2014-1322 : Ian Beer of Google Project Zero

Power Management
Available for:  OS X Mavericks v10.9.2
Impact:  The screen might not lock
Description:  If a key was pressed or the trackpad touched just after
the lid was closed, the system might have tried to wake up while
going to sleep, which would have caused the screen to be unlocked.
This issue was addressed by ignoring keypresses while going to sleep.
This issue does not affect systems prior to OS X Mavericks.
CVE-ID
CVE-2014-1321 : Paul Kleeberg of Stratis Health Bloomington MN,
Julian Sincu at the Baden-Wuerttemberg Cooperative State University
(DHBW Stuttgart), Gerben Wierda of R&A, Daniel Luz

Ruby
Available for:  OS X Mavericks v10.9.2
Impact:  Running a Ruby script that handles untrusted YAML tags may
lead to an unexpected application termination or arbitrary code
execution
Description:  An integer overflow issue existed in LibYAML's handling
of YAML tags. This issue was addressed through additional validation
of YAML tags. This issue does not affect systems prior to OS X
Mavericks.
CVE-ID
CVE-2013-6393

Ruby
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact:  Running a Ruby script that uses untrusted input to create a
Float object may lead to an unexpected application termination or
arbitrary code execution
Description:  A heap-based buffer overflow issue existed in Ruby when
converting a string to a floating point value. This issue was
addressed through additional validation of floating point values.
CVE-ID
CVE-2013-4164

Security - Secure Transport
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact:  An attacker with a privileged network position may capture
data or change the operations performed in sessions protected by SSL
Description:  In a 'triple handshake' attack, it was possible for an
attacker to establish two connections which had the same encryption
keys and handshake, insert the attacker's data in one connection, and
renegotiate so that the connections may be forwarded to each other.
To prevent attacks based on this scenario, Secure Transport was
changed so that, by default, a renegotiation must present the same
server certificate as was presented in the original connection. This
issue does not affect Mac OS X 10.7 systems and earlier.
CVE-ID
CVE-2014-1295 : Antoine Delignat-Lavaud, Karthikeyan Bhargavan and
Alfredo Pironti of Prosecco at Inria Paris

WindowServer
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact:  Maliciously crafted applications can execute arbitrary code
outside the sandbox
Description:  WindowServer sessions could be created by sandboxed
applications. This issue was addressed by disallowing sandboxed
applications from creating WindowServer sessions.
CVE-ID
CVE-2014-1314 : KeenTeam working with HP's Zero Day Initiative

Note: Security Update 2014-002 for OS X Mavericks systems includes
the security content of Safari 7.0.3:
http://support.apple.com/kb/HT6181

Security Update 2014-002 may be obtained via the Apple Software
Update application, and from the Apple's Software Downloads web
site: http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJTVqgEAAoJEPefwLHPlZEw0L8P/RIqgQPc1/RnmPBCKVnZ0QyI
8V9jV07LyXTPySL3at/sAFac148ZYqu9cSKtRWB1oAQCnC8C20EIDLBvsysmKT/a
zqLUP8ZGcd4jC4UYUleVgl4U9SXkp0L/HwpASXeRHGeUd/tN4eCBEgDfKSMdm8/s
4S70gTQPRRsQR3D8RkcOITJVFCaDFy/em3AbEJyAm7yDsDOinJdRrirRe7W1Q/p6
KBOmQYb73m0ykg08jgCjohxhTE9gpNeMeR7smN+7GsRb6XFlUOJGtnlePyLm1hN3
85e0KRnQyhTGXJ7y6MTmKzzwJ6/iVZvEeXK1IFwXEkwLLmp5uhp7wfT3DkZZSnBm
+uo5g2aSQ80+7ZR9psUQwXOn8/6cFyKbG5tHxkh8IY6qLacvHP5yBcw3gqlUNPg5
2vCNWqhL8fEqncx7K1QC8CxwLQMVw9QnolukdjOxT66+kI0F/mDGeGdf/mYkGBJF
ZECjWZsoekGq4TMu75MPn8BlwFpaLnObPi9pC+56BDhEz7f39bqBvkAaW61cQgj4
lRwlEHWNBFlO9XVkQwdmYrZoaeAAVxGG+iPt225dmXXZtWGMs5nYIzPj8GzRoNWQ
gYAGZAOBr6pGJCQmfJIy4tLKj0H9za9pxX9RqavKrZyEtTcxpUmrh91mGZiI4eo0
7hmpILk22+6xv6pWCw8D
=WWPv
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU1cY7RLndAQH1ShLAQLBxA//UeP3eWJ3X3Ry4e/i6onQTCdOGYzh4V/U
k192uVg8Rh8h4dROB0H/oPh5NCO/26kkZQD7yQ0KVeDlpudW7Xo5WUlOn7QB6ciy
0+iDUQZ88nn1nJi9i9Hnxg2AoTIv5qLAu71EYms0N4s0ivDMVdCrwkmFAOqr+odp
qMLXCx7Vigr/icG+GdHBuIruaAC9aHGvbAMH/Ejp9kQw6cj1H5fHH2LFGJ/fLIMU
00ShMaXm+FpbTB1QpIyqqr6dhGXkIzx1R5fbVyFTFbN6jCm5w3ZabH/NxeaSpWyd
RWqVZe1RZgvGQ5GSEh0risn651NX51A5+F1PBVdofKDtomMatlYgTZu2eTu09+Uo
ERtT4/eUGnNUNqVLkih95X7ooXBvcyZTkm7NvgzUUKiC33McnWo4N9ABhH0fqFfl
Gd8WNHf0KczCI7HRKjgmJ9aHTVTAFtYAo4fDtxINHhEcfLgiCkbR53l6Wmn4aXBY
1D2+8+X9iG7VaoHugFYLl9xRUOWPgLzdjNzWi/Vv/z/I/Z9dj85fy/t+NhuuTnoL
k8o4y+HTfWBqN5RLFf/0R27tgNWVU7+GSyCSyhJx0+L16XnPI6G9ioSMtxq6kTYQ
yRrg6yAHzhzLUnH4ADuUMfEGYklXfMOD2zhqecMjP5pIPxcfpYLdyOeZZ4R7qHEC
mdqcNHosSyM=
=bQzQ
-----END PGP SIGNATURE-----