
Apple OS X Multiple Vulnerabilities

ID: IRCAD2014023173
Release Date: 2014-02-25
Criticality level: Highly critical
Software:

Apple Macintosh OS X

Description:

A security issue and multiple vulnerabilities have been reported in Apple OS X, which can be exploited by malicious, local users to bypass certain security restrictions and gain escalated privileges and by malicious people to disclose potentially sensitive information, conduct spoofing attacks, cause a DoS (Denial of Service), and compromise a vulnerable system.

1) Two vulnerabilities exist in Apache.

2) An error in ATS when handling embedded Type 1 fonts can be exploited to cause memory corruption.

3) An error in CoreAnimation when handling certain images can be exploited to cause a heap-based buffer overflow.

4) A signedness error in CoreText when handling certain Unicode fonts can be exploited to cause memory corruption.

5) An error in cURL when handling certificates related to HTTPS connections to a URL containing an IP address can be exploited to e.g. conduct Man-in-the-Middle (MitM) attacks.

6) An error exists in Secure Transport when validating the authenticity of an SSL/TLS connection.

7) An error related to the "systemsetup" command can be exploited to manipulate the system clock.

8) An error in File Bookmark when handling file names can be exploited to cause a buffer overflow via an overly long file name.

9) An error in Finder when accessing ACLs can be exploited to corrupt the ACLs.

10) An error exists in ImageIO.

11) An error in the IOSerialFamily driver can be exploited to cause an out-of-bounds array access.

12) Two errors exist in NVidia Drivers.

Successful exploitation of vulnerabilities #11 and #12 may allow execution of arbitrary code with kernel privileges.

13) Multiple errors exist in PHP.

14) An error in QuickLook when handling certain Microsoft Office files can be exploited to cause memory corruption.

15) A double free error in QuickLook when handling Microsoft Word files can be exploited to cause memory corruption.

16) Multiple errors exist in QuickTime.

Successful exploitation of vulnerabilities #1 through #4, #8, and #13 through #16 may allow execution of arbitrary code.

17) A design error exists in Secure Transport.

Please see the vendor's advisory for a list of affected product versions.

Solution:

Update to version 10.9.2 or apply Security Update 2014-001.

References:
APPLE-SA-2014-02-25-1:
Secunia:
 

Date created: 12 Esfand 1392
