Updates for OS X, iOS and Apple TV
Apple today released updates for iOS 8 and OS X 10.10 (Yosemite). Here are some of the highlights from a security point of view:
OS X 10.10.1
(approx. listed in order of severity)

| CVE | Impact | ISC Rating | Description |
|---|---|---|---|
| CVE-2014-4459 | Remote Code Execution | critical | A vulnerability in WebKit could allow a malicious site to execute arbitrary code. |
| CVE-2014-4453 | Information Leakage | important | The index Spotlight creates on a removable drive may include content from other drives. This vulnerability was recently discussed publicly in a blog, where the author discovered e-mail fragments in the Spotlight index created on a USB drive. |
| CVE-2014-4460 | Information Leakage | important | Safari may not delete all cached files after leaving private browsing. If a user visits a site without private browsing after visiting the same site with private browsing enabled, the site may be able to connect the two visits. |
| CVE-2014-4458 | Information Leakage | important | The "About this Mac" feature includes unnecessary details that are reported back to Apple to determine the system model. |
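As an added example (not part of the diary), here is a POSIX shell check an administrator can run on a fleet to confirm a Mac is on the fixed OS X 10.10.1 release or later. `sw_vers` is Apple's own version tool; the helper names `version_ge` and `check_osx_patched` and the version strings passed to them are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the ISC diary: confirm a Mac is at or above the
# OS X 10.10.1 release that carries the fixes listed above.

# version_ge A B: succeed (exit 0) when dotted version A >= dotted version B.
# Components are compared numerically, so 10.10.1 > 10.9.5 and 10.10 < 10.10.1.
# Missing trailing components are treated as 0 (10.10 == 10.10.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check_osx_patched VERSION: print "patched" if VERSION >= 10.10.1, else "vulnerable".
# 10.10.1 is the fixed release named in the diary; VERSION is whatever
# `sw_vers -productVersion` reports on the host being checked.
check_osx_patched() {
    if version_ge "$1" "10.10.1"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Only query the running system when Apple's sw_vers tool is present,
# so the script can also be sourced for testing on non-Mac hosts.
if command -v sw_vers >/dev/null 2>&1; then
    echo "OS X $(sw_vers -productVersion): $(check_osx_patched "$(sw_vers -productVersion)")"
fi
```

Run it via a management agent or `ssh`; a host printing `vulnerable` still exposes the WebKit remote code execution and the Spotlight and Safari information leaks listed in the table.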
iOS

| CVE | Impact | Severity | Description |
|---|---|---|---|
| CVE-2014-4452, CVE-2014-4462 | remote code execution | critical | WebKit issues that will lead to arbitrary code execution when visiting a malicious web page. |
| CVE-2014-4455 | unsigned code execution | important | A local user may execute unsigned code. |
| CVE-2014-4460 | information leakage | important | Safari doesn't delete all cached files when leaving private mode. |
| CVE-2014-4461 | privilege escalation | important | A malicious application may execute arbitrary code with system privileges. |
| CVE-2014-4451 | security feature bypass | important | An attacker may be able to exceed the maximum passcode attempt limit to bypass the lock screen. |
| CVE-2014-4463 | information leakage | important | The "leave message" feature in FaceTime may have allowed sending photos from the device. |
| CVE-2014-4457 | code execution | important | The debug feature would allow applications to be spawned that were not being debugged. |
| CVE-2014-4453 | information leakage | important | iOS would submit the device's location to Spotlight Suggestions servers before the user entered a query. |
Apple TV

| CVE | Impact | Severity | Description |
|---|---|---|---|
| CVE-2014-4462 | Code Execution | Critical | A memory corruption in WebKit may be used to terminate applications or run arbitrary code. |
| CVE-2014-4455 | Code Execution | Important | A local user may execute unsigned code. |
| CVE-2014-4461 | Privilege Elevation | Important | A malicious application may be able to execute arbitrary code with system privileges. |