Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30335
HistoryFeb 28, 2014 - 12:00 a.m.

APPLE-SA-2014-02-25-1 OS X Mavericks 10.9.2 and Security Update 2014-001

2014-02-2800:00:00
vulners.com
60
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2014-02-25-1 OS X Mavericks 10.9.2 and Security Update
2014-001

OS X Mavericks 10.9.2 and Security Update 2014-001 is now available
and addresses the following:

Apache
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Multiple vulnerabilities in Apache
Description: Multiple vulnerabilities existed in Apache, the most
serious of which may lead to cross-site scripting. These issues were
addressed by updating Apache to version 2.2.26.
CVE-ID
CVE-2013-1862
CVE-2013-1896

App Sandbox
Available for: OS X Mountain Lion v10.8.5
Impact: The App Sandbox may be bypassed
Description: The LaunchServices interface for launching an
application allowed sandboxed apps to specify the list of arguments
passed to the new process. A compromised sandboxed application could
abuse this to bypass the sandbox. This issue was addressed by
preventing sandboxed applications from specifying arguments. This
issue does not affect systems running OS X Mavericks 10.9 or later.
CVE-ID
CVE-2013-5179 : Friedrich Graeter of The Soulmen GbR

ATS
Available for: OS X Mountain Lion v10.8.5,
OS X Mavericks 10.9 and 10.9.1
Impact: Viewing or downloading a document containing a maliciously
crafted embedded font may lead to arbitrary code execution
Description: A memory corruption issue existed in the handling of
handling of Type 1 fonts. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1254 : Felix Groebert of the Google Security Team

ATS
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: The App Sandbox may be bypassed
Description: A memory corruption issue existed in the handling of
Mach messages passed to ATS. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2014-1262 : Meder Kydyraliev of the Google Security Team

ATS
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: The App Sandbox may be bypassed
Description: An arbitrary free issue existed in the handling of Mach
messages passed to ATS. This issue was addressed through additional
validation of Mach messages.
CVE-ID
CVE-2014-1255 : Meder Kydyraliev of the Google Security Team

ATS
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: The App Sandbox may be bypassed
Description: A buffer overflow issue existed in the handling of Mach
messages passed to ATS. This issue was addressed by additional bounds
checking.
CVE-ID
CVE-2014-1256 : Meder Kydyraliev of the Google Security Team

Certificate Trust Policy
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Root certificates have been updated
Description: The set of system root certificates has been updated.
The complete list of recognized system roots may be viewed via the
Keychain Access application.

CFNetwork Cookies
Available for: OS X Mountain Lion v10.8.5
Impact: Session cookies may persist even after resetting Safari
Description: Resetting Safari did not always delete session cookies
until Safari was closed. This issue was addressed through improved
handling of session cookies. This issue does not affect systems
running OS X Mavericks 10.9 or later.
CVE-ID
CVE-2014-1257 : Rob Ansaldo of Amherst College, Graham Bennett

CoreAnimation
Available for: OS X Mountain Lion v10.8.5,
OS X Mavericks 10.9 and 10.9.1
Impact: Visiting a maliciously crafted site may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in CoreAnimation's
handling of images. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1258 : Karl Smith of NCC Group

CoreText
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: Applications that use CoreText may be vulnerable to an
unexpected application termination or arbitrary code execution
Description: A signedness issue existed in CoreText in the handling
of Unicode fonts. This issue is addressed through improved bounds
checking.
CVE-ID
CVE-2014-1261 : Lucas Apa and Carlos Mario Penagos of IOActive Labs

curl
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: When using curl to connect to an HTTPS URL containing
an IP address, the IP address was not validated against the
certificate. This issue does not affect systems prior to OS X
Mavericks v10.9.
CVE-ID
CVE-2014-1263 : Roland Moriz of Moriz GmbH

Data Security
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: An attacker with a privileged network position may capture
or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of
the connection. This issue was addressed by restoring missing
validation steps.
CVE-ID
CVE-2014-1266

Date and Time
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: An unprivileged user may change the system clock
Description: This update changes the behavior of the systemsetup
command to require administrator privileges to change the system
clock.
CVE-ID
CVE-2014-1265

File Bookmark
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Viewing a file with a maliciously crafted name may lead to
an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of file
names. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1259

Finder
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: Accessing a file's ACL via Finder may lead to other users
gaining unauthorized access to files
Description: Accessing a file's ACL via Finder may corrupt the ACLs
on the file. This issue was addressed through improved handling of
ACLs.
CVE-ID
CVE-2014-1264

ImageIO
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Viewing a maliciously crafted JPEG file may lead to the
disclosure of memory contents
Description: An uninitialized memory access issue existed in
libjpeg's handling of JPEG markers, resulting in the disclosure of
memory contents. This issue was addressed by better JPEG handling.
CVE-ID
CVE-2013-6629 : Michal Zalewski

IOSerialFamily
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5
Impact: Executing a malicious application may result in arbitrary
code execution within the kernel
Description: An out of bounds array access existed in the
IOSerialFamily driver. This issue was addressed through additional
bounds checking. This issue does not affect systems running OS X
Mavericks v10.9 or later.
CVE-ID
CVE-2013-5139 : @dent1zt

LaunchServices
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5
Impact: A file could show the wrong extension
Description: An issue existed in the handling of certain unicode
characters that could allow filenames to show incorrect extensions.
The issue was addressed by filtering unsafe unicode characters from
display in filenames. This issue does not affect systems running OS X
Mavericks v10.9 or later.
CVE-ID
CVE-2013-5178 : Jesse Ruderman of Mozilla Corporation, Stephane Sudre
of Intego

NVIDIA Drivers
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Executing a malicious application could result in arbitrary
code execution within the graphics card
Description: An issue existed that allowed writes to some trusted
memory on the graphics card. This issue was addressed by removing the
ability of the host to write to that memory.
CVE-ID
CVE-2013-5986 : Marcin Koscielnicki from the X.Org Foundation
Nouveau project
CVE-2013-5987 : Marcin Koscielnicki from the X.Org Foundation
Nouveau project

PHP
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Multiple vulnerabilities in PHP
Description: Multiple vulnerabilities existed in PHP, the most
serious of which may have led to arbitrary code execution. These
issues were addressed by updating PHP to version 5.4.22 on OS X
Mavericks v10.9, and 5.3.28 on OS X Lion and Mountain Lion.
CVE-ID
CVE-2013-4073
CVE-2013-4113
CVE-2013-4248
CVE-2013-6420

QuickLook
Available for: OS X Mountain Lion v10.8.5
Impact: Downloading a maliciously crafted Microsoft Office file may
lead to an unexpected application termination or arbitrary code
execution
Description: A memory corruption issue existed in QuickLook's
handling of Microsoft Office files. Downloading a maliciously crafted
Microsoft Office file may have led to an unexpected application
termination or arbitrary code execution. This issue does not affect
systems running OS X Mavericks 10.9 or later.
CVE-ID
CVE-2014-1260 : Felix Groebert of the Google Security Team

QuickLook
Available for: OS X Mountain Lion v10.8.5,
OS X Mavericks 10.9 and 10.9.1
Impact: Downloading a maliciously crafted Microsoft Word document
may lead to an unexpected application termination or arbitrary code
execution
Description: A double free issue existed in QuickLook's handling of
Microsoft Word documents. This issue was addressed through improved
memory management.
CVE-ID
CVE-2014-1252 : Felix Groebert of the Google Security Team

QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of 'ftab'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1246 : An anonymous researcher working with HP's Zero Day
Initiative

QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
'dref' atoms. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1247 : Tom Gallagher & Paul Bates working with HP's Zero Day
Initiative

QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of 'ldat'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1248 : Jason Kratzer working with iDefense VCP

QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Viewing a maliciously crafted PSD image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of PSD
images. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1249 : dragonltx of Tencent Security Team

QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An out of bounds byte swapping issue existed in the
handling of 'ttfo' elements. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2014-1250 : Jason Kratzer working with iDefense VCP

QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A signedness issue existed in the handling of 'stsz'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1245 : Tom Gallagher & Paul Bates working with HP's Zero Day
Initiative

Secure Transport
Available for: OS X Mountain Lion v10.8.5
Impact: An attacker may be able to decrypt data protected by SSL
Description: There were known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite used a block cipher in CBC mode.
To address these issues for applications using Secure Transport, the
1-byte fragment mitigation was enabled by default for this
configuration.
CVE-ID
CVE-2011-3389 : Juliano Rizzo and Thai Duong

OS X Mavericks v10.9.2 includes the content of Safari 7.0.2.

OS X Mavericks v10.9.2 and Security Update 2014-001 may be obtained from
the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTDNeoAAoJEPefwLHPlZEwaRAP/3i/2qRvNv6JqmE9p48uEyXn
mlxwXpMyop+vrgMmuiSP14EGSv06HO04PNUtaWPxm7tVYXu0tMtjDcYdIu40TAy6
U0T6QhRZC/uag1DCvdEOvqRUajKmmPtHTCJ6OsQGtGJHlEM+S5XgxRr7qgfkHMfb
OlqFsgpdL/AAiYNfzItN2C+r2Lfwro6LDlxhikpASojlMFQrk8nJ6irRv617anSZ
3DwJW2iJxNfpVrgqA1Nrx1fkrPmeT/8jgGuEP6RaKiWIbfXjRG5BW9WuarMqmaP8
C6XoTaJaqEO9zb7F2uJR0HIYpJd065y/xiYNm91yDWIjdrO3wVgNVPGo1pHVyYsY
Y7lcyHUVJortKF8SHquw0j3Ujeugu8iWp6ND/00/4dGvwb0jzrxPUxkEmJ43130O
t2Obtxdsaa+ub8cZHDN93WB3FQR5hd+KaeXLJC55q0qYY8o8zqdPqXAlYAP2gUQX
iB4Bs7NAh2CNJWNTtk2soTjZOwPvPLSPZ6I3w5i0HVP7HQl5K8chjihAwSeyezCZ
q5gxCiK0lBW88AUd9n3L7ZOW2Rg53mh6+RiUL/VQ7TfidoP417VDKum300pZkgNv
kBCklX9ya7QeLjOMnbnsTk32qG+TiDPgiGZ5IrK6C6T26dexJWbm8tuwPjy5r8mI
aiYIh+SzR0rBdMZRgyzv
=+DAJ
-----END PGP SIGNATURE-----

Related

securityvulns 12
nessus 47
seebug 5
openvas 46
kaspersky 2
fedora 10
prion 15
debiancve 3
gentoo 2
ubuntucve 5
cve 11
redhat 8
ubuntu 1
freebsd 2
suse 2
ibm 4
checkpoint_advisories 6
oraclelinux 2
f5 3
mageia 1
httpd 1
exploitpack 1
centos 3
veracode 3
hackerone 1
checkpoint_security 1
amazon 1
cisco 1
securityvulns
securityvulns
Apple Mac OS X multiple security vulnerabilities
2014-02-28 00:00:00
Apple QuickTime multiple security vulnerabilities
2014-02-28 00:00:00
APPLE-SA-2014-02-25-3 QuickTime 7.7.5
2014-02-28 00:00:00
nessus
nessus
Mac OS X 10.9.x < 10.9.2 Multiple Vulnerabilities
2014-02-25 00:00:00
Mac OS X Multiple Vulnerabilities (Security Update 2014-001) (BEAST)
2014-02-25 00:00:00
Apple Quicktime 7.7.5 Multiple Vulnerabilities
2014-02-26 00:00:00
seebug
seebug
Apple Mac OS X多个安全漏洞(APPLE-SA-2014-02-25-1)
2014-02-26 00:00:00
PHP OpenSSL Extension 'openssl_x509_parse()'内存破坏漏洞
2013-12-18 00:00:00
Apache HTTP Server mod_dav.c 拒绝服务漏洞(CVE-2013-1896)
2013-07-17 00:00:00
openvas
openvas
Apple Mac OS X Multiple Vulnerabilities -04 Sep14
2014-09-22 00:00:00
Apple Mac OS X Multiple Vulnerabilities -07 Sep14
2014-09-22 00:00:00
Apple Mac OS X Multiple Vulnerabilities -05 Sep14
2014-09-22 00:00:00
kaspersky
kaspersky
KLA10016 Multiple vulnerabilities in Apple QuickTime
2014-02-25 00:00:00
KLA10068 Multiple vulnerabilities in Apache httpd
2013-07-22 00:00:00
fedora
fedora
[SECURITY] Fedora 19 Update: php-5.5.7-1.fc19
2013-12-13 05:03:19
[SECURITY] Fedora 19 Update: php-5.5.11-1.fc19
2014-04-15 15:45:54
[SECURITY] Fedora 18 Update: php-5.4.23-1.fc18
2013-12-20 02:04:53
prion
prion
Security feature bypass
2014-01-21 18:55:00
Design/Logic Flaw
2013-10-24 03:48:00
Design/Logic Flaw
2014-01-21 18:55:00
debiancve
debiancve
CVE-2013-5986
2014-01-21 18:55:00
CVE-2013-5987
2014-01-21 18:55:00
CVE-2013-1896
2013-07-10 20:55:00
gentoo
gentoo
NVIDIA Drivers: Privilege Escalation
2014-02-02 00:00:00
Apache HTTP Server: Multiple vulnerabilities
2013-09-23 00:00:00
ubuntucve
ubuntucve
CVE-2013-5986
2014-01-21 00:00:00
CVE-2013-5987
2014-01-21 00:00:00
CVE-2013-1862
2013-06-10 00:00:00
cve
cve
CVE-2013-5986
2014-01-21 18:55:00
CVE-2013-5179
2013-10-24 03:48:00
CVE-2013-5987
2014-01-21 18:55:00
redhat
redhat
(RHSA-2013:1133) Moderate: httpd security update
2013-08-05 15:27:06
(RHSA-2013:1134) Moderate: httpd security update
2013-08-05 15:32:30
(RHSA-2013:1063) Critical: php security update
2013-07-15 00:00:00
ubuntu
ubuntu
Apache HTTP Server vulnerabilities
2013-07-15 00:00:00
freebsd
freebsd
apache22 -- several vulnerabilities
2013-06-21 00:00:00
PHP5 -- Heap corruption in XML parser
2013-07-10 00:00:00
suse
suse
Security update for PHP5 (important)
2014-07-07 19:04:42
Security update for PHP5 (important)
2014-07-05 02:05:05
ibm
ibm
Security Bulletin: Vulnerabilities in PHP affect IBM Chassis Management Module (CMM) (CVE-2013-4248, CVE-2013-6420, CVE-2014-2497, CVE-2014-4049)
2019-01-31 01:55:01
Security Bulletin: Vulnerabilities in php5 affect IBM Flex System Manager (FSM): (CVE-2013-4248 CVE-2013-6420 CVE-2014-2497 CVE-2014-4049)
2019-01-31 01:30:01
Security Bulletin: Unprivileged GPU access vulnerability - CVE-2013-5987
2023-04-20 02:28:14
checkpoint_advisories
checkpoint_advisories
Apache HTTP Server mod_dav MERGE Request Denial of Service - Ver2 (CVE-2013-1896)
2014-12-28 00:00:00
PHP OpenSSL Extension X.509 Certificate Memory Corruption (CVE-2013-6420)
2013-12-26 00:00:00
Apache HTTP Server mod_rewrite RewriteLog Command Execution (CVE-2013-1862)
2013-09-09 00:00:00
oraclelinux
oraclelinux
httpd security update
2013-08-13 00:00:00
libjpeg security update
2013-12-09 00:00:00
f5
f5
SOL14733 - Apache HTTP server vulnerability CVE-2013-1896
2013-10-04 00:00:00
K15169 : PHP vulnerability CVE-2013-4113
2015-05-14 00:00:00
K14733 : Apache HTTP server vulnerability CVE-2013-1896
2014-12-10 00:00:00
mageia
mageia
Updated apache packages fix CVE-2013-1896
2013-07-26 15:34:30
httpd
httpd
Apache Httpd < 2.2.25 : mod_dav crash
2013-03-07 00:00:00
exploitpack
exploitpack
Apple macOS 10.13.5 - Local Privilege Escalation
2019-02-13 00:00:00
centos
centos
php53 security update
2013-07-12 21:36:11
httpd, mod_ssl security update
2013-08-13 17:32:49
php security update
2013-07-12 21:32:43
veracode
veracode
Denial Of Service (DoS)
2019-01-15 08:57:40
Denial Of Service (DoS)
2019-01-15 08:56:08
Information Disclosure
2019-01-15 08:53:01
hackerone
hackerone
Sandbox Escape: OSX ATS memory corruption may lead to App Sandbox bypass
2014-02-26 00:00:00
checkpoint_security
checkpoint_security
Check Point response to Apple CVE-2014-1266
2014-02-23 22:00:00
amazon
amazon
Critical: php54
2013-07-12 15:56:00
cisco
cisco
Apache HTTP Server MERGE Request Denial of Service Vulnerability
2013-07-11 17:33:19
JSON
Related for SECURITYVULNS:DOC:30335
securityvulns12nessus47seebug5openvas46kaspersky2fedora10prion15debiancve3gentoo2ubuntucve5cve11redhat8ubuntu1freebsd2suse2ibm4checkpoint_advisories6oraclelinux2f53mageia1httpd1exploitpack1centos3veracode3hackerone1checkpoint_security1amazon1cisco1