(Apple Issues Fix for Apple TV) Apple iOS Multiple Bugs Let Remote Users Obtain Information and Execute Arbitrary Code and Local Users Gain Elevated Privileges and Deny Service
SecurityTracker Alert ID: 1030874
SecurityTracker URL: http://securitytracker.com/id/1030874
Date: Sep 18 2014
Denial of service via local system, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via local system, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Multiple vulnerabilities were reported in Apple iOS. A remote user can cause arbitrary code to be executed on the target user's system. A local user can obtain elevated privileges on the target system. A local user can cause denial of service conditions. A remote user can obtain potentially sensitive information. Apple TV is affected by some of these vulnerabilities.
The address book is encrypted with a key protected using only the hardware UID. A physically local user can exploit this flaw to read the address book [CVE-2014-4352].
A local user may access attachments after the parent iMessage or MMS message has been deleted [CVE-2014-4353].
The system automatically enables Bluetooth by default after upgrading iOS [CVE-2014-4354].
The lock screen may display text message previews when the preview feature has been disabled [CVE-2014-4356].
A physically local user can obtain potentially sensitive Accounts Framework information from log files [CVE-2014-4357].
An application in the background can determine which application is frontmost [CVE-2014-4361].
An application can bypass the sandbox to obtain Apple ID information [CVE-2014-4362].
A remote user in a privileged network position can intercept user credentials that are autofilled on non-secure sites [CVE-2014-4363].
A remote user can impersonate a WiFi access point to obtain the credentials via the LEAP authentication process [CVE-2014-4364].
When the mail server has advertised the LOGINDISABLED IMAP capability, the Mail application may still send login credentials in plaintext [CVE-2014-4366].
The Voice Dial feature may be enabled after upgrading iOS [CVE-2014-4367].
When using AssistiveTouch, the device may not lock the screen [CVE-2014-4368].
An application can supply specially crafted IOAcceleratorFamily API arguments to trigger a null pointer dereference and cause the system to crash [CVE-2014-4369].
An application can trigger a null pointer dereference in the IntelAccelerator driver and cause the device to restart [CVE-2014-4373].
A remote user can create a specially crafted PDF file that, when loaded by the target user, will trigger an integer overflow and execute arbitrary code [CVE-2014-4377].
A remote user can create a specially crafted PDF file that, when loaded by the target user, will trigger an out-of-bounds memory read and execute arbitrary code [CVE-2014-4378].
A remote user in a privileged network position can modify or spoof Last-Modified response headers to cause iOS to fail to update even when an update is required [CVE-2014-4383].
A local user can exploit a path traversal flaw in App Installation to retarget code signature validation to a different bundle, allowing an unverified application to be installed [CVE-2014-4384].
A local user can exploit a temporary file race condition in App Installation to allow an unverified application to be installed [CVE-2014-4386].
An application can trigger an out-of-bounds write error in IOHIDFamily to execute arbitrary code with kernel privileges [CVE-2014-4380].
An application can trigger a validation flaw in the handling of metadata fields of IODataQueue objects to execute arbitrary code with system privileges [CVE-2014-4388, CVE-2014-4418].
A local user can trigger a double-free memory error in the handling of Mach ports to execute arbitrary code or cause the kernel to crash [CVE-2014-4375].
A local user can access uninitialized kernel memory statistics to determine memory layout [CVE-2014-4371, CVE-2014-4419, CVE-2014-4420, CVE-2014-4421].
A local user can exploit a flaw in syslogd in the handling of permission changes to modify the permissions of arbitrary files [CVE-2014-4372].
An application can supply a specially crafted XML External Entity value to trigger a flaw in NSXMLParser and obtain potentially sensitive information [CVE-2014-4374].
An application can trigger an out-of-bounds memory read in the IOHIDFamily function to read kernel pointers [CVE-2014-4379]. This can be exploited to bypass kernel address space layout randomization.
An application may be able to trigger a flaw in Libnotify to execute arbitrary code with root privileges [CVE-2014-4381].
An application can trigger an integer overflow in IOKit to execute arbitrary code with system privileges [CVE-2014-4389].
An application can trigger a heap overflow in IOHIDFamily in the handling of key-mapping properties to execute arbitrary code with system privileges [CVE-2014-4404].
An application can trigger a null pointer dereference in IOHIDFamily in the handling of key-mapping properties to execute arbitrary code with system privileges [CVE-2014-4405].
An application can trigger an uninitialized memory access flaw in IOKit to read uninitialized data from kernel memory [CVE-2014-4407].
A local user can trigger an out-of-bounds memory read in rt_setgate() to execute arbitrary code or crash the kernel [CVE-2014-4408].
A remote web site can store HTML 5 application cache data and then later read the data during private browsing [CVE-2014-4409].
A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a memory corruption flaw in WebKit and execute arbitrary code on the target system [CVE-2014-4410, CVE-2014-4411, CVE-2014-4412, CVE-2014-4413, CVE-2014-4414, CVE-2014-4415].
An application may be able to infer some of the output of the random number generator used for kernel hardening measures in the boot process [CVE-2014-4422].
An application can bypass the sandbox to gain information about the currently active iCloud account [CVE-2014-4423].
Pieter Robyns, Bram Bonne, Peter Quax, and Wim Lamotte of Universiteit Hasselt, Adam Weaver, Eric Seidel of Google, Hendrik Bettermann, Heli Myllykoski of OP-Pohjola Group, Jonathan Zdziarski, evad3rs, Raul Siles of DinoSec, Maneet Singh, Sean Bluestein, Silviu Schiau, Mattia Schirinzi from San Pietro Vernotico (BR) Italy, cunzhang from Adlab of Venustech, Ian Beer of Google Project Zero, Catherine aka winocm, Andreas Kurtz of NESO Security Labs, Markus Troßbach of Heilbronn University, Tarjei Mandt of Azimuth Security, @PanguTeam, Felipe Andres Manzano of Binamuse VRT (via iSIGHT Partners GVP Program), Sven Heinemann, an anonymous researcher, George Gal of VSR, Fermin J. Serna of the Google Security Team, Mark Crispin, David Silver, Suman Jana, and Dan Boneh of Stanford University, Eric Chen and Collin Jackson of Carnegie Mellon University, Apple, the Google Chrome Security Team, Yosuke Hasegawa (NetAgent Co., Led.), and Tielei Wang and YeongJin Jang of Georgia Tech Information Security Center (GTISC) reported these vulnerabilities.
A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A local user can obtain elevated privileges on the target system.
A local user can cause denial of service conditions on the target system.
A remote user can obtain potentially sensitive information.
Apple has issued a fix for CVE-2014-4357, CVE-2014-4364, CVE-2014-4369, CVE-2014-4371, CVE-2014-4372, CVE-2014-4373, CVE-2014-4375, CVE-2014-4377, CVE-2014-4378, CVE-2014-4379, CVE-2014-4380, CVE-2014-4381, CVE-2014-4383, CVE-2014-4388, CVE-2014-4389, CVE-2014-4404, CVE-2014-4405, CVE-2014-4407, CVE-2014-4408, CVE-2014-4410, CVE-2014-4411, CVE-2014-4412, CVE-2014-4413, CVE-2014-4414, CVE-2014-4415, CVE-2014-4418, CVE-2014-4419, CVE-2014-4420, CVE-2014-4421, and CVE-2014-4422 for Apple TV (7.0).
The Apple advisory is available at:
Vendor URL: support.apple.com/kb/HT6441
Access control error, Boundary error, State error
This archive entry is a follow-up to the message listed below.
Source Message Contents
[Original Message Not Available for Viewing]