Cybersecurity threats 2014: new vulnerabilities in Apple products

Posted: November 20, 2014 in Vulnerabilities

Multiple Vulnerabilities in Apple OS X, Apple iOS, and Apple TV

Danger level: High
Fix available: Yes
Number of vulnerabilities: 7

CVE ID: CVE-2014-4451, CVE-2014-4452, CVE-2014-4453, CVE-2014-4458, CVE-2014-4459, CVE-2014-4462, CVE-2014-4463

Attack vector: Remote
Impact: Disclosure of sensitive data, security bypass, system compromise

Affected Products: Apple Macintosh OS X, Apple iOS 8.x, Apple TV 7.x
Affected versions: Apple OS X versions before 10.10.1, Apple iOS versions before 8.1.1, Apple TV versions before 7.0.2

Description:
The vulnerabilities allow a remote attacker to compromise a vulnerable system.

1. [CVE-2014-4451] The vulnerability is due to an error in the Lock Screen component (Apple iOS before 8.1.1). This can be exploited to bypass the restriction on the maximum number of password attempts.

2. [CVE-2014-4452] The vulnerability is due to unknown errors in WebKit (Apple iOS before 8.1.1 and Apple TV before 7.0.2). This can be exploited to cause memory corruption and an application crash.

Note: Successful exploitation of this vulnerability allows execution of arbitrary code on the target system via crafted page objects in an HTML document.

3. [CVE-2014-4453] The vulnerability is due to an error in the Spotlight component (Apple iOS before 8.1.1 and OS X before 10.10.1). A remote attacker can, for example, determine the approximate location of the user via unspecified vectors.

4. [CVE-2014-4458] The vulnerability is due to an error in the About This Mac component (Apple OS X before 10.10.1). This can be exploited to obtain sensitive information via the contents of certain cookie files.

5. [CVE-2014-4459] The vulnerability is a use-after-free error in WebKit (Apple OS X before 10.10.1) that occurs when processing page objects. This can be exploited to corrupt memory.

6. [CVE-2014-4462] The vulnerability is due to an error in WebKit (Apple iOS before 8.1.1 and Apple TV before 7.0.2). It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash).

7. [CVE-2014-4463] The vulnerability is due to an error in the Lock Screen component (Apple iOS before 8.1.1). By using the Leave a Message function in FaceTime, a remote user can bypass the lock-screen protection mechanism and gain access to protected photos in the Photo Library.

Note: Successful exploitation allows a remote attacker to execute arbitrary code on the target system.

Solution: Install the latest versions of products from the manufacturer.
