Updates for OS X , iOS and Apple TV, (Mon, Nov 17th)

Apple today released updates for iOS 8 and OS X 10.10 (Yosemite) . Here are some of the highlights from a security point of view:

OS 10.10.1

(approx. listed in order of severity)

CVE Impact ISC Rating Description
2014-4459 Remote Code Execution critical A vulnerability in Webkit could allow a malicious site to execute arbitrary code
2014-4453 Information Leakage important The index Spotlight creates on a removable drive may include content from other drives. This vulnerability was recently discussed publicly in a blog and the author discovered e-mail fragment in the Spotlight index created on a USB drive.
2014-4460 Information Leakage important Safari may not delete all cached files after leaving private browsing. If a user visits a site without private browsing after visiting the same site with private browsing enabled, then the site may be able to connect the two visits.
2014-4458 Information Leakage important The About this Mac feature includes unnecessary details that are reported back to Apple to determine the system model

iOS

CVE Impact Severity Description
CVE-2014-4452
CVE-2014-4462
remote code execution critical Webkit issues that will lead to arbitrary code execution when visting a malicious webpage
CVE-2014-4455 unsigned code exeuction important A local user may execute unsinged code
CVE-2014-4460 information leakage important Safari doesnt delete all cached files when leaving private mode
CVE-2014-4461 privilege escalation important A malicious application may execute arbitrary codes using System privileges.
CVE-2014-4451 security feature bypass important An attacker may be able to exceed the maximum passcode attempt limit to bypass the lockscreen.
CVE-2014-4463 information leakage important the leave message feature in Facetime may have allowed sending photos from the device.
CVE-2014-4457 code execution important the debug feature would allow applications to be spawned that were not being debugged.
CVE-2014-4453 informtion leakage important iOS would submit the devices location to Spotlight Suggestion servers before the user entered a query

Apple TV

CVE Impact Severity Description
CVE-2014-4462 Code Execution Critical A memory corruption in WebKit may be used to terminate applications or run arbitrary code.
CVE-2014-4455 Code Execution Important A local user may execute unsigned code
CVE-2014-4461 Privilege Elevation Important A malicious application may be able to execute arbitrary code with system privileges.


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

CyberSafe-WP-Admin