Thursday, April 23, 2015

Not In-The-Wild:
iOS 8 SSL Certificate Parsing Bug:
Crash, Crash, Crash

--

Interest Level: Background

The system used to encrypt data sent across the Internet has had a bad time this past year. A parade of bugs and exploits has been found. Related problems in hash functions have been found. Fraudulent security certificates have been forged by questionable certificate authorities. Google has injected a level of paranoia as well as demands for technology improvements, while itself ignoring its own aspirations. The result is a complicated and confusing mess that leaves users wondering what is safe and what is not.

On Wednesday, Dan Goodin of Ars Technica reported a new twist in the Internet encryption contortions by way of a report and public presentation from the company Skycure. They have found a bug in iOS 8 that allows an attack on iOS devices over Wi-Fi through the use of a malicious SSL security certificate. This attack can trigger Apple devices running iOS 8 to go into an endless crash loop while in the connection vicinity of the offending Wi-Fi network.

Note that this bug is NOT yet being exploited in the wild. It is at this point simply of interest while we wait for Apple to patch the bug and prevent it from becoming a real problem for users.

Below, I have linked both Dan Goodin's article and the source blog post from Skycure.

If you're interested in higher level Mac and iOS security, this is well worth a read. Otherwise, it's in the background as only a potential problem to iOS users.

iOS bug sends iPhones into endless crash cycle when exposed to rogue Wi-Fi
SSL cert parsing error allows attackers to create "No iOS Zone," researchers say.
- Dan Goodin, Ars Technica

“No iOS Zone” – A New Vulnerability Allows DoS Attacks on iOS Devices
- Yair Amit, Skycure

Both articles provide videos illustrating the SSL certificate bug.

Share and Enjoy,
:-Derek

--

Upcoming Changes To The Mac-Security Blog

--

In order for me to continue this blog amidst the other work I do, I'm going to make two basic changes.

The first is that this blog is going to generally change from longer posts with my commentary to shorter informative posts that act as alerts to those interested in what's going on in Macintosh and iOS security. This allows me to be more spontaneous and not have to spend a great deal of time writing.

The second is that the geek-level of this blog is going to increase considerably. Translation: I'm going to raise the level of what I post to that of my own level of understanding and interest in Mac and iOS security. This allows me to be more spontaneous and closely fit my blog posts with what I am discussing on the net with others about Mac security.

As such, I expect this blog will at times challenge the understanding and comprehension of some readers. I also expect criticism that the blog draws attention to esoteric and unimportant aspects of Mac security. The usual phrase used for such criticism is FUD: Fear, Uncertainty and Doubt. This means that taking my posts too seriously may mean my posts sound needlessly alarmist. We will hopefully sort out how to address this situation as my new approach progresses.

The overall reason for these changes is that my time is limited, but I still want to share the latest news regarding all aspects of Mac and iOS security. I regularly chatter about computer security with several people on the Internet. I'd like to save myself time and effort by synchronizing my blog posts with my background security chatter.

We'll see how well this works over time. For the moment, it's a strategy that allows me to be more active on the blog and may well help many readers keep up with what's going on both on important and esoteric levels.

Please send me feedback to help me know the impact of this new approach.

Thanks!

:-Derek

--

Tuesday, March 10, 2015

CIA Hacked Apple Hardware and Software!
Including: Xcode Development Software, the OS X Updater, iPhone and iPad

--
This post is to draw attention to a report out today from The Guardian that the US CIA hacked together a corrupt version of Apple's Xcode development software that allowed the insertion of surveillance backdoors into the resulting developed programs.

CIA 'tried to crack security of Apple devices'
Agency tried to create dummy version of development software that would allow it to insert surveillance back doors into apps
The modified version of Xcode would allow the CIA, NSA or other agencies to insert surveillance backdoors into any app created using the compromised development software. The revelation has already provoked a strong backlash among security researchers on Twitter and elsewhere, and is likely to prompt security audits among Apple developers.

The latest revelations of sustained hacking efforts against Apple devices are set to further strain already difficult relations between the technology company and the US government.

Apple had previously been a partner in the Prism programme, in effect a legal backdoor to obtain user information by the NSA and its allies, but in the wake of the Snowden revelations it has stepped up efforts to protect user privacy, including introducing end-to-end encryption on iMessages.

Tim Cook, the CEO of Apple, warned Barack Obama in public remarks this month that history had shown “sacrificing our right to privacy can have dire consequences”.

The original report of this situation was published on The Intercept website earlier today:

THE CIA CAMPAIGN TO STEAL APPLE’S SECRETS
BY JEREMY SCAHILL AND JOSH BEGLEY
RESEARCHERS WORKING with the Central Intelligence Agency have conducted a multi-year, sustained effort to break the security of Apple’s iPhones and iPads, according to top-secret documents obtained by The Intercept.

The security researchers presented their latest tactics and achievements at a secret annual gathering, called the “Jamboree,” where attendees discussed strategies for exploiting security flaws in household and commercial electronics. The conferences have spanned nearly a decade, with the first CIA-sponsored meeting taking place a year before the first iPhone was released.
By targeting essential security keys used to encrypt data stored on Apple’s devices, the researchers have sought to thwart the company’s attempts to provide mobile security to hundreds of millions of Apple customers across the globe. Studying both “physical” and “non-invasive” techniques, U.S. government-sponsored research has been aimed at discovering ways to decrypt and ultimately penetrate Apple’s encrypted firmware. This could enable spies to plant malicious code on Apple devices and seek out potential vulnerabilities in other parts of the iPhone and iPad currently masked by encryption.
. . . .
The security researchers also claimed they had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. Xcode, which is distributed by Apple to hundreds of thousands of developers, is used to create apps that are sold through Apple’s App Store.

The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could “force all iOS applications to send embedded data to a listening post.” It remains unclear how intelligence agencies would get developers to use the poisoned version of Xcode.

Researchers also claimed they had successfully modified the OS X updater, a program used to deliver updates to laptop and desktop computers, to install a “keylogger.”
[All bolding above is mine, added for the emphasis of key information.]

The depth of success of the CIA's Apple gear hacking strategies is unclear. But it is evident that a corrupt version of Xcode was successfully created with the intention of distributing it to unsuspecting software developers. Presumably, back-doored Mac and iOS software resulting from the use of this corrupt version of Xcode exist in the wild. No doubt there will now be efforts to determine exactly what software is affected.

Me Stuff

My point of view regarding the incessant hacking of computer technology by the US CIA, NSA, etc. is mixed. 

We already know that the CIA and NSA have illegally spied on US citizens on US soil without a legal warrant or justified cause specified in the Fourth Amendment to the US Constitution. All such acts must be prosecuted, without question. It makes no difference if the resulting impeachments reach the top of the executive office or US Congress. These are treasonous crimes. Trials for treason are required.

The legality of secretly damaging/hacking copyrighted and patented software for the purpose of surveillance is out of the scope of my knowledge. However, I find it difficult to imagine these acts could be found to be legally justified.

Whether these acts have been and continue to be in pursuit of the protection and defense of US citizens remains significantly unanswered. There has been to this point extremely little publicly released data that indicates these efforts by the US CIA, NSA, etc. have resulted in useful information. We may never know. We're stuck having to hear statements asserting that governmental hacking has been useful and important from the mouths of proven liars such as James R. Clapper, the current US Director of National Intelligence. I've heard retired General Clapper speak publicly. He appears to be an intelligent, serious and earnest defender of US citizens. And yet he is guilty of knowingly lying under oath to the US Congress. He is also a vehement critic of whistle-blower and patriot Edward Snowden. With such people representing US intelligence strategies, clearly the credibility of the ongoing damaging/hacking of computer technology is extremely dubious. That's shameful. 

All US citizens of course would like to believe their government behaves legally in their best interests, instead of against them. We are left instead with a government that has severely damaged its credibility. New information further damaging that credibility continues to be published on a consistent basis. No evidence of reform of US intelligence gathering agencies or their methods has been forthcoming. The phrase 'hell bent' comes to my mind. I'm not interested in 'hell' anything. I personally demand that my government be 100% accountable to, loyal to and in the defense of its citizens at all times within the framework of the US Constitution and laws. 

If the US intelligence agencies can work within their mandatory legal framework, then I support them. If not, then I want those responsible tried and punished for their crimes against US citizens, We The People, even if that includes impeachment of the current and past Presidents of the USA. 

I've stated my views regarding government surveillance crimes in public on many occasions. My statements here are nothing new to those concerned and I am glad to report that there have been thus far no obvious repercussions. I wish and hope that every US citizen speaks up against illegal government surveillance of US citizens on US soil. If we don't, the obvious consequence is a totalitarian police state, as history has consistently proven. That would be a very bad and criminal thing.
--

Coming up: Coverage of Apple's security updates for March! I'm impressed.
--

Wednesday, March 4, 2015

Java Installs Adware With Plugin,
Part Of Growing Mac Adware Attacks

--

Sadly, like a lot of customer-adverse companies, Oracle is now packing adware with its Java plugin installer. Beware!

My colleague Thomas Reed caught up with the situation and has done some testing to see what's going on. I recommend reading his 'The Safe Mac' article found here:

Java now installing adware
Despite the fragility of the adware install process, this is still going to be a problem for many people installing Java. Oracle should be ashamed of themselves! Since Java has repeatedly posed security problems in the past, and Oracle has now shown a willingness to infect their own users with adware, I strongly recommend avoiding Java if at all possible. For those who must have Java, Trouton has posted information in his Der Flounder article on how to run the Java installer only, found inside the adware-riddled Java 8 Update 40 application, which should install Java without the toolbar. 
For those affected by this Ask Toolbar, I have added detection of the Ask browser extensions and support files to my AdwareMedic app and my Adware Removal Guide. And thanks to Rich Trouton for bringing attention to this issue!

Rich Trouton's article on the Java adware problem can be found here:

Oracle’s Java 8 Update 40 – The Good, the Bad and the Ugly
You will be prompted to set Ask.com as your browser homepage, with the choice to do so checked off by default. If left checked, Safari’s homepage will be set with a search.ask.com URL and a Safari extension will be used to install an Ask.com toolbar.


Thomas Reed found that the Java installer will install a corresponding plugin depending upon which web browser you have set as your default. With regards to Safari, he found that it also had to be running at the time for the adware installer to work, if it worked at all.

Needless to say, DON'T fall for the adware installation! You don't want that crap on your Mac. If you do get skewered, grab a copy of Thomas' free/donationware Adware Medic and get rid of it.


ATTACK OF THE ADWARE!

The Windows community has been getting hammered with adware for many years. Now the adware rats have caught up with the Mac community and are infesting the stuff into everything possible. I wrote an article last year, over at MacSmarticles, about the ruination of VersionTracker after CNET/CBS made it just as bad as the rest of their Downloads.CNET.com website. It is now nearly impossible to download anything from the CNET site without having adware foisted at you by its installers. The same thing is going on at just about every other downloads website. I gladly point out that MacUpdate.com is an exception as well as MajorGeeks.com. These are the only two download websites I trust at this point in time.

Recently, the computer manufacturer Lenovo has been slammed by the computer community for infesting their computers with crapware that included a diabolical adware program called Superfish. The adware was built on a code foundation provided by the company Komodia. Their awful software features:

- Faked security certificates used to allow the software to spy on your SSL/TLS, HTTPS connections over the Internet.
- A private encryption key that is protected by the password "komodia". That password doesn't just work in Superfish, but in ALL Komodia software that makes use of spying on HTTPS web streams. The number of affected applications is expected to be near 100.

It has also been discovered that other programs pull the same security trickery:

EFF unearths evidence of possible Superfish-style attacks in the wild
Crypto-busting apps may have been exploited against visitors of Google and dozens more.
by Dan Goodin

One such program is PrivDog, provided by Internet security certificate provider Comodo Group, who have already suffered scandal by releasing nine fraudulent certificates faking themselves to be the likes of Google, Yahoo, Skype and Windows Live. This gives Comodo two black eyes.

Then add to this situation the fact that at least two anti-malware applications have been found to perform the same faked security certificate trick as a method for catching malware being downloaded to your computer. They are provided as 'deep inspection' features of their software, which I obviously suggest you TURN OFF. Those two anti-malware programs are Malwarebytes and Avast. I found out about Malwarebytes via word-of-mouth and am waiting for solid verification.

No doubt, other such questionable software, crapware and adware will be uncovered in the coming months and some of it will run on Macs.


The message: 
Be Careful What You Install.

--

Monday, February 2, 2015

CRITICAL Adobe Flash FAIL Yet-Again:
Third Zero-Day Attack ITW In Three Weeks

--

[UPDATE 3: Adobe's patched version of Flash Player, v16.0.0.305, is now universally available. I added the link and summary text of their relevant security document below. Apple also updated XProtect to prevent use of earlier, vulnerable versions of Flash Player. Thank you Apple! 

And there is peace again across our land for at least this day. But the wary eye remains ever vigilant.

Update 2: Adobe Flash Player v16.0.0.305 is now available directly from Adobe's website:

https://get.adobe.com/flashplayer/

Please download and install now in order to avoid the ongoing exploit of previous versions of Flash.

Update 1: Adobe updated their related security statement on Wednesday:

(February 4): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.305 beginning on February 4. This version includes a fix for CVE-2015-0313. Adobe expects to have an update available for manual download on February 5, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.
]

~ ~ ~ ~ ~


There is an exploit of older versions of Adobe Flash Player active in-the-wild (ITW). Adobe has now provided Flash Player version v16.0.0.305 at its website, as noted in the updates above. Please download and install the update ASAP!

My pal and collaborator Al V notes that Apple has updated their XProtect system in OS X to disable exploited/vulnerable versions of Flash Player, those being earlier than 16.0.0.305 and 13.0.0.269.
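
An added example (not code from Adobe, Apple or the original post): a Python check that classifies Flash Player versions against the fixed versions named in this post and in Adobe's bulletin APSB15-04. The plug-in path, the rule that a 13.x install is on the Extended Support Release, and the inventory lines are assumptions constructed for illustration.

```python
import plistlib
import re
from pathlib import Path

# Fixed versions as stated in this post and in Adobe bulletin APSB15-04.
DESKTOP_FIXED = (16, 0, 0, 305)  # desktop runtime, Windows and Macintosh
ESR_FIXED = (13, 0, 0, 269)      # Extended Support Release
LINUX_FIXED = (11, 2, 202, 442)  # Linux

# Assumption: default system-wide location of the Flash plug-in on OS X.
PLUGIN_PLIST = Path("/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist")

_VERSION_RE = re.compile(r"\d+\.\d+\.\d+\.\d+", re.ASCII)


def parse_version(text):
    """Turn '16.0.0.296' into (16, 0, 0, 296); raise ValueError otherwise."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"not a four-part Flash version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def fixed_version_for(version, platform):
    """Pick the fixed version that applies to this install."""
    if platform == "linux":
        return LINUX_FIXED
    # Assumption: a 13.x install is tracking the Extended Support Release;
    # every other Windows/Mac install should be on the current desktop runtime.
    if version[0] == 13:
        return ESR_FIXED
    return DESKTOP_FIXED


def is_vulnerable(text, platform="mac"):
    """True when the version is earlier than the fixed version for its branch."""
    version = parse_version(text)
    return version < fixed_version_for(version, platform)


def installed_mac_version(plist_path=PLUGIN_PLIST):
    """Return the plug-in's version string, or None when Flash is not installed."""
    try:
        with open(plist_path, "rb") as handle:
            info = plistlib.load(handle)
    except FileNotFoundError:
        return None
    return info.get("CFBundleShortVersionString")


# Constructed inventory (host,platform,version); not real machines.
SAMPLE_INVENTORY = """\
imac-frontdesk,mac,16.0.0.296
mbp-design,mac,16.0.0.305
mini-kiosk,mac,13.0.0.264
mini-lab,mac,13.0.0.269
build-01,linux,11.2.202.440
build-02,linux,11.2.202.442
mbp-old,mac,12.0.0.77
pc-legacy,windows,unknown
"""


def audit(inventory_text):
    """Return (host, action) pairs for every host that needs attention."""
    findings = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, platform, raw = (field.strip() for field in line.split(","))
        try:
            if is_vulnerable(raw, platform):
                fixed = fixed_version_for(parse_version(raw), platform)
                findings.append((host, "update to " + ".".join(map(str, fixed))))
        except ValueError:
            # An unreadable version is a finding too: it cannot be cleared.
            findings.append((host, "version unreadable, check by hand"))
    return findings


if __name__ == "__main__":
    for host, action in audit(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
    local = installed_mac_version()
    if local is None:
        print("this machine: Flash plug-in not found")
    else:
        state = "VULNERABLE" if is_vulnerable(local) else "patched"
        print(f"this machine: Flash {local} is {state}")
```
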


• Here is Adobe's full security bulletin about the zero-day and update:

https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
Summary

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux.  These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.  

Adobe is aware of reports that CVE-2015-0313 is actively being exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.  Adobe recommends users update their product installations to the latest versions: 

Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 16.0.0.305

Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.269. 

Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.442. 

Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to version 16.0.0.305.

• Here is Adobe's earlier alert about the zero-day exploit:

https://helpx.adobe.com/security/products/flash-player/apsa15-02.html
Summary

A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh.  Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.  We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

Adobe expects to release an update for Flash Player during the week of February 2.

A relevant article on the attack over at Forbes:

Hackers Abuse Another Adobe Zero-Day To Attack Thousands Of Web Users
Visitors to any affected site would have been redirected to an attacker-controlled page where an exploit kit would attempt to compromise the target system by targeting the Adobe Flash zero-day.

My brief advice:

Have a Flash blocking add-on in ALL your web browsers. ALL.

Safari has its own Flash blocking system which you can reach in its Preferences here:

1) Preferences: Security: Manage Website Settings... (button):

2) On the left of the pane, choose 'Adobe Flash Player'.

3) On the resulting right side:

- a) REMOVE all 'Configured Websites' using the minus (-) button.

- b) Set 'When visiting other websites' to 'Block' using the popup menu.

This setting forces Safari to put up a 'blocked' notice. You can then click that notice to approve each individual website you visit. Just remember that at this point some very prominent, usually safe websites are being compromised with this zero-day. Be extremely careful what you unblock.

OR: Just UNINSTALL nasty Flash. POS.


--

ADDENDUM:

Snarky The Register posted a fun and poignant article on the subject:

According to Trend Micro, the Angler exploit kit was updated to leverage this particular flaw, and used to inject malware into PCs visiting web video site dailymotion.com via a dodgy ad network. 
Web browsers were told to fetch retilio.com/skillt.swf, which was booby-trapped to exploit the zero-day security hole. 
"So far we’ve seen around 3,294 hits related to the exploit, and with an attack already seen in the wild, it’s likely there are other attacks leveraging this zero-day, posing a great risk of system compromise to unprotected systems," said Peter Pi, threats analyst at Trend. . . .
The worst, very worst, part of it all is that Steve Jobs was right. ® 
(^_^)

Tuesday, January 27, 2015

OS X 10.10.2 Yosemite, Safari Updates and
Security Update 2015-001 From Apple:
58 New Security Patches

--

[Update: The link to Apple's security document for 10.10.2 & 2015-001 has been added below.]

Apple has released the latest OS X update to OS X 10.10.2 Yosemite as well as Security Update 2015-001. Included with these updates are new updates of Safari with its own security patches. There is a total of 58 new security patches. You can obtain the updates via the Updates tab in the App Store application or eventually at:

http://www.apple.com/support/downloads/


Below, I have provided the full Apple security documents for 10.10.2, Security Update 2015-001 and Safari. You can also access them at Apple's website:


The security content document for OS X 10.10.2 Yosemite as well as Security Update 2015-001 can be found at:

http://support.apple.com/en-us/HT204244

The security content document for Safari 8.0.3, 7.1.3 and 6.2.3 is available at:


https://support.apple.com/kb/HT204243


I've highlighted the CVE numbers in Apple's OS X 10.10.2 security document. (CVE = Common Vulnerabilities and Exposures). If you'd like more information about any of the CVEs, use the link on the right of this page marked 'CVE Search'. It will take you to the search page at Mitre.org. If you can't find a specific CVE there or the CVE has no description, it is because the developer of the affected software has requested that the CVE information not yet be made public.


~ ~ ~ ~ ~

APPLE-SA-2015-01-27-4 
OS X 10.10.2 and Security Update 2015-001

OS X 10.10.2 and Security Update 2015-001 are now available and address the following:

AFP Server
Available for:  OS X Mavericks v10.9.5
Impact:  A remote attacker may be able to determine all the network addresses of the system
Description:  The AFP file server supported a command which returned all the network addresses of the system. This issue was addressed by removing the addresses from the result.
CVE-ID
CVE-2014-4426 : Craig Young of Tripwire VERT

bash
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  Multiple vulnerabilities in bash, including one that may allow local attackers to execute arbitrary code 
Description:  Multiple vulnerabilities existed in bash. These issues were addressed by updating bash to patch level 57. 
CVE-ID
CVE-2014-6277
CVE-2014-7186
CVE-2014-7187

Bluetooth
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  An integer signedness error existed in IOBluetoothFamily which allowed manipulation of kernel memory. This issue was addressed through improved bounds checking. This issue does not affect OS X Yosemite systems.
CVE-ID
CVE-2014-4497

Bluetooth
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  An error existed in the Bluetooth driver that allowed a malicious application to control the size of a write to kernel memory. The issue was addressed through additional input validation. 
CVE-ID
CVE-2014-8836 : Ian Beer of Google Project Zero

Bluetooth
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  Multiple security issues existed in the Bluetooth driver, allowing a malicious application to execute arbitrary code with system privilege. The issues were addressed through additional input validation.
CVE-ID
CVE-2014-8837 : Roberto Paleari and Aristide Fattori of Emaze Networks

CFNetwork Cache
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  Website cache may not be fully cleared after leaving private browsing
Description:  A privacy issue existed where browsing data could remain in the cache after leaving private browsing. This issue was addressed through a change in caching behavior.
CVE-ID
CVE-2014-4460

CoreGraphics
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution 
Description:  An integer overflow existed in the handling of PDF files. This issue was addressed through improved bounds checking. 
CVE-ID
CVE-2014-4481 : Felipe Andres Manzano of the Binamuse VRT, via the iSIGHT Partners GVP Program

CPU Software
Available for:  OS X Yosemite v10.10 and v10.10.1, for: MacBook Pro Retina, MacBook Air (Mid 2013 and later), iMac (Late 2013 and later), Mac Pro (Late 2013) 
Impact:  A malicious Thunderbolt device may be able to affect firmware flashing
Description:  Thunderbolt devices could modify the host firmware if connected during an EFI update. This issue was addressed by not loading option ROMs during updates.
CVE-ID
CVE-2014-4498 : Trammell Hudson of Two Sigma Investments

CommerceKit Framework
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  An attacker with access to a system may be able to recover Apple ID credentials
Description:  An issue existed in the handling of App Store logs. The App Store process could log Apple ID credentials in the log when additional logging was enabled. This issue was addressed by disallowing logging of credentials.
CVE-ID
CVE-2014-4499 : Sten Petersen

CoreGraphics
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  Some third-party applications with non-secure text entry and mouse events may log those events
Description:  Due to the combination of an uninitialized variable and an application's custom allocator, non-secure text entry and mouse events may have been logged. This issue was addressed by ensuring that logging is off by default. This issue did not affect systems prior to OS X Yosemite.
CVE-ID
CVE-2014-1595 : Steven Michaud of Mozilla working with Kent Howard

CoreGraphics
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 
Impact:  Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution 
Description:  A memory corruption issue existed in the handling of PDF files. The issue was addressed through improved bounds checking. This issue does not affect OS X Yosemite systems. 
CVE-ID
CVE-2014-8816 : Mike Myers, of Digital Operatives LLC

CoreSymbolication
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  Multiple type confusion issues existed in coresymbolicationd's handling of XPC messages. These issues were addressed through improved type checking. 
CVE-ID
CVE-2014-8817 : Ian Beer of Google Project Zero

FontParser
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Processing a maliciously crafted .dfont file may lead to an unexpected application termination or arbitrary code execution 
Description:  A memory corruption issue existed in the handling of .dfont files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4484 : Gaurav Baruah working with HP's Zero Day Initiative

FontParser
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution 
Description:  A buffer overflow existed in the handling of font files. This issue was addressed through improved bounds checking. 
CVE-ID
CVE-2014-4483 : Apple

Foundation
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Viewing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution 
Description:  A buffer overflow existed in the XML parser. This issue was addressed through improved bounds checking. 
CVE-ID
CVE-2014-4485 : Apple

Intel Graphics Driver
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Multiple vulnerabilities in Intel graphics driver 
Description:  Multiple vulnerabilities existed in the Intel graphics driver, the most serious of which may have led to arbitrary code execution with system privileges. This update addresses the issues through additional bounds checks.
CVE-ID
CVE-2014-8819 : Ian Beer of Google Project Zero
CVE-2014-8820 : Ian Beer of Google Project Zero
CVE-2014-8821 : Ian Beer of Google Project Zero

IOAcceleratorFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A null pointer dereference existed in IOAcceleratorFamily's handling of certain IOService userclient types. This issue was addressed through improved validation of IOAcceleratorFamily contexts.
CVE-ID
CVE-2014-4486 : Ian Beer of Google Project Zero

IOHIDFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A buffer overflow existed in IOHIDFamily. This issue was addressed with improved bounds checking. 
CVE-ID
CVE-2014-4487 : TaiG Jailbreak Team

IOHIDFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A validation issue existed in IOHIDFamily's handling of resource queue metadata. This issue was addressed through improved validation of metadata.
CVE-ID
CVE-2014-4488 : Apple

IOHIDFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A null pointer dereference existed in IOHIDFamily's handling of event queues. This issue was addressed through improved validation of IOHIDFamily event queue initialization. 
CVE-ID
CVE-2014-4489 : @beist

IOHIDFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Executing a malicious application may result in arbitrary code execution within the kernel
Description:  A bounds checking issue existed in a user client vended by the IOHIDFamily driver which allowed a malicious application to overwrite arbitrary portions of the kernel address space. The issue is addressed by removing the vulnerable user client method. 
CVE-ID
CVE-2014-8822 : Vitaliy Toropov working with HP's Zero Day Initiative

IOKit
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  An integer overflow existed in the handling of IOKit functions. This issue was addressed through improved validation of IOKit API arguments.
CVE-ID
CVE-2014-4389 : Ian Beer of Google Project Zero

IOUSBFamily
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  A privileged application may be able to read arbitrary data from kernel memory
Description:  A memory access issue existed in the handling of IOUSB controller user client functions. This issue was addressed through improved argument validation.
CVE-ID
CVE-2014-8823 : Ian Beer of Google Project Zero

Kernel
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  Specifying a custom cache mode allowed writing to kernel read-only shared memory segments. This issue was addressed by not granting write permissions as a side-effect of some custom cache modes.
CVE-ID
CVE-2014-4495 : Ian Beer of Google Project Zero

Kernel
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata.
CVE-ID
CVE-2014-8824 : @PanguTeam

Kernel
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  A local attacker can spoof directory service responses to the kernel, elevate privileges, or gain kernel execution
Description:  Issues existed in identitysvc validation of the directory service resolving process, flag handling, and error handling. This issue was addressed through improved validation.
CVE-ID
CVE-2014-8825 : Alex Radocea of CrowdStrike

Kernel
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  A local user may be able to determine kernel memory layout 
Description:  Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization.
CVE-ID
CVE-2014-4371 : Fermin J. Serna of the Google Security Team 
CVE-2014-4419 : Fermin J. Serna of the Google Security Team 
CVE-2014-4420 : Fermin J. Serna of the Google Security Team 
CVE-2014-4421 : Fermin J. Serna of the Google Security Team

Kernel
Available for:  OS X Mavericks v10.9.5
Impact:  A person with a privileged network position may cause a denial of service
Description:  A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking.
CVE-ID
CVE-2011-2391

Kernel
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Maliciously crafted or compromised applications may be able to determine addresses in the kernel
Description:  An information disclosure issue existed in the handling of APIs related to kernel extensions. Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection. This issue was addressed by unsliding the addresses before returning them.
CVE-ID
CVE-2014-4491 : @PanguTeam, Stefan Esser

Kernel
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A validation issue existed in the handling of certain metadata fields of IOSharedDataQueue objects. This issue was addressed through relocation of the metadata.
CVE-ID
CVE-2014-4461 : @PanguTeam

LaunchServices
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious JAR file may bypass Gatekeeper checks 
Description:  An issue existed in the handling of application launches which allowed certain malicious JAR files to bypass Gatekeeper checks. This issue was addressed through improved handling of file type metadata.
CVE-ID
CVE-2014-8826 : Hernan Ochoa of Amplia Security

libnetcore
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious, sandboxed app can compromise the networkd daemon
Description:  Multiple type confusion issues existed in networkd's handling of interprocess communication. By sending networkd a maliciously formatted message, it may have been possible to execute arbitrary code as the networkd process. The issue is addressed through additional type checking.
CVE-ID
CVE-2014-4492 : Ian Beer of Google Project Zero

LoginWindow
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A Mac may not lock immediately upon wake 
Description:  An issue existed in the rendering of the lock screen. This issue was addressed through improved screen rendering while locked.
CVE-ID
CVE-2014-8827 : Xavier Bertels of Mono, and multiple OS X seed testers

lukemftp
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Using the command line ftp tool to fetch files from a malicious http server may lead to arbitrary code execution 
Description:  A command injection issue existed in the handling of HTTP redirects. This issue was addressed through improved validation of special characters.
CVE-ID
CVE-2014-8517

OpenSSL
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Multiple vulnerabilities in OpenSSL 0.9.8za, including one that may allow an attacker to downgrade connections to use weaker cipher-suites in applications using the library 
Description:  Multiple vulnerabilities existed in OpenSSL 0.9.8za. These issues were addressed by updating OpenSSL to version 0.9.8zc. 
CVE-ID
CVE-2014-3566
CVE-2014-3567
CVE-2014-3568

Sandbox
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 
Impact:  A sandboxed process may be able to circumvent sandbox restrictions
Description:  A design issue existed in the caching of sandbox profiles which allowed sandboxed applications to gain write access to the cache. This issue was addressed by restricting write access to paths containing a "com.apple.sandbox" segment. This issue does not affect OS X Yosemite v10.10 or later. 
CVE-ID
CVE-2014-8828 : Apple

SceneKit
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 
Impact:  A malicious application could execute arbitrary code leading to compromise of user information
Description:  Multiple out of bounds write issues existed in SceneKit. These issues were addressed through improved bounds checking.
CVE-ID
CVE-2014-8829 : Jose Duart of the Google Security Team

SceneKit
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Viewing a maliciously crafted Collada file may lead to an unexpected application termination or arbitrary code execution 
Description:  A heap buffer overflow existed in SceneKit's handling of Collada files. Viewing a maliciously crafted Collada file may have led to an unexpected application termination or arbitrary code execution. This issue was addressed through improved validation of accessor elements.
CVE-ID
CVE-2014-8830 : Jose Duart of Google Security Team

Security
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A downloaded application signed with a revoked Developer ID certificate may pass Gatekeeper checks
Description:  An issue existed with how cached application certificate information was evaluated. This issue was addressed with cache logic improvements.
CVE-ID
CVE-2014-8838 : Apple

security_taskgate
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  An app may access keychain items belonging to other apps 
Description:  An access control issue existed in the Keychain. Applications signed with self-signed or Developer ID certificates could access keychain items whose access control lists were based on keychain groups. This issue was addressed by validating the signing identity when granting access to keychain groups. 
CVE-ID
CVE-2014-8831 : Apple

Spotlight
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  The sender of an email could determine the IP address of the recipient
Description:  Spotlight did not check the status of Mail's "Load remote content in messages" setting. This issue was addressed by improving configuration checking.
CVE-ID
CVE-2014-8839 : John Whitehead of The New York Times, Frode Moe of LastFriday.no

Spotlight
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Spotlight may save unexpected information to an external hard drive
Description:  An issue existed in Spotlight where memory contents may have been written to external hard drives when indexing. This issue was addressed with better memory management. 
CVE-ID
CVE-2014-8832 : F-Secure

SpotlightIndex
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  Spotlight may display results for files not belonging to the user
Description:  A deserialization issue existed in Spotlight's handling of permission caches. A user performing a Spotlight query may have been shown search results referencing files for which they don't have sufficient privileges to read. This issue was addressed with improved bounds checking.
CVE-ID
CVE-2014-8833 : David J Peacock, Independent Technology Consultant

sysmond
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with root privileges
Description:  A type confusion vulnerability existed in sysmond that allowed a local application to escalate privileges. The issue was addressed with improved type checking.
CVE-ID
CVE-2014-8835 : Ian Beer of Google Project Zero

UserAccountUpdater
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  Printing-related preference files may contain sensitive information about PDF documents
Description:  OS X Yosemite v10.10 addressed an issue in the handling of password-protected PDF files created from the Print dialog where passwords may have been included in printing preference files. This update removes such extraneous information that may have been present in printing preference files.
CVE-ID
CVE-2014-8834 : Apple

Note: OS X Yosemite 10.10.2 includes the security content of Safari 8.0.3. For further details see https://support.apple.com/kb/HT204243

OS X Yosemite 10.10.2 and Security Update 2015-001 may be obtained from the Mac App Store or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

~ ~ ~ ~ ~

About the security content of Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3

This document describes the security content of Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3. 

Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3

WebKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
CVE-ID
CVE-2014-3192 : cloudfuzzer
CVE-2014-4476 : Apple
CVE-2014-4477 : lokihardt@ASRT working with HP’s Zero Day Initiative
CVE-2014-4479 : Apple




--