As posted today on US-CERT:
§ CFNetwork HTTPProtocol
Available for: OS X
Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, and OS X
Mavericks 10.9.2
Impact: An attacker in
a privileged network position can obtain web site credentials
Description:
Set-Cookie HTTP headers would be processed even if the connection closed before
the header line was complete. An attacker could strip security settings from
the cookie by forcing the connection to close before the security settings were
sent, and then obtain the value of the unprotected cookie. This issue was
addressed by ignoring incomplete HTTP header lines.
CVE-ID
CVE-2014-1296 :
Antoine Delignat-Lavaud of Prosecco at Inria Paris
§ CoreServicesUIAgent
Available for: OS X
Mavericks 10.9.2
Impact: Visiting a
maliciously crafted website or URL may result in an unexpected application
termination or arbitrary code execution
Description: A format
string issue existed in the handling of URLs. This issue was addressed through
additional validation of URLs. This issue does not affect systems prior to OS X
Mavericks.
CVE-ID
CVE-2014-1315 : Lukasz
Pilorz of runic.pl, Erik Kooistra
§ FontParser
Available for: OS X
Mountain Lion v10.8.5
Impact: Opening a
maliciously crafted PDF file may result in an unexpected application
termination or arbitrary code execution
Description: A buffer
underflow existed in the handling of fonts in PDF files. This issue was
addressed through additional bounds checking. This issue does not affect OS X
Mavericks systems.
CVE-ID
CVE-2013-5170 : Will
Dormann of CERT/CC
§ Heimdal Kerberos
Available for: OS X
Mavericks 10.9.2
Impact: A remote
attacker may be able to cause a denial of service
Description: A
reachable abort existed in the handling of ASN.1 data. This issue was addressed
through additional validation of ASN.1 data.
CVE-ID
CVE-2014-1316 : Joonas
Kuorilehto of Codenomicon
§ ImageIO
Available for: OS X
Mavericks 10.9.2
Impact: Viewing a
maliciously crafted JPEG image may lead to an unexpected application
termination or arbitrary code execution
Description: A buffer
overflow issue existed in ImageIO's handling of JPEG images. This issue was
addressed through improved bounds checking. This issue does not affect systems
prior to OS X Mavericks.
CVE-ID
CVE-2014-1319 :
Cristian Draghici of Modulo Consulting, Karl Smith of NCC Group
§ Intel Graphics Driver
Available for: OS X Mountain
Lion v10.8.5 and OS X Mavericks 10.9.2
Impact: A malicious
application can take control of the system
Description: A
validation issue existed in the handling of a pointer from userspace. This
issue was addressed through additional validation of pointers.
CVE-ID
CVE-2014-1318 : Ian
Beer of Google Project Zero working with HP's Zero Day Initiative
§ IOKit Kernel
Available for: OS X
Mavericks 10.9.2
Impact: A local user
can read kernel pointers, which can be used to bypass kernel address space
layout randomization
Description: A set of
kernel pointers stored in an IOKit object could be retrieved from userland.
This issue was addressed through removing the pointers from the object.
CVE-ID
CVE-2014-1320 : Ian
Beer of Google Project Zero working with HP's Zero Day Initiative
§ Kernel
Available for: OS X
Mavericks 10.9.2
Impact: A local user
can read a kernel pointer, which can be used to bypass kernel address space
layout randomization
Description: A kernel
pointer stored in a XNU object could be retrieved from userland. This issue was
addressed through removing the pointer from the object.
CVE-ID
CVE-2014-1322 : Ian
Beer of Google Project Zero
§ Power Management
Available for: OS X
Mavericks 10.9.2
Impact: The screen
might not lock
Description: If a key
was pressed or the trackpad touched just after the lid was closed, the system
might have tried to wake up while going to sleep, which would have caused the
screen to be unlocked. This issue was addressed by ignoring keypresses while
going to sleep. This issue does not affect systems prior to OS X Mavericks.
CVE-ID
CVE-2014-1321 : Paul
Kleeberg of Stratis Health Bloomington MN, Julian Sincu at the
Baden-Wuerttemberg Cooperative State University (DHBW Stuttgart), Gerben Wierda
of R&A, Daniel Luz
§ Ruby
Available for: OS X
Mavericks 10.9.2
Impact: Running a Ruby
script that handles untrusted YAML tags may lead to an unexpected application
termination or arbitrary code execution
Description: An integer
overflow issue existed in LibYAML's handling of YAML tags. This issue was
addressed through additional validation of YAML tags. This issue does not
affect systems prior to OS X Mavericks.
CVE-ID
CVE-2013-6393
§ Ruby
Available for: OS X
Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, and OS X
Mavericks 10.9.2
Impact: Running a Ruby
script that uses untrusted input to create a Float object may lead to an
unexpected application termination or arbitrary code execution
Description: A heap-based
buffer overflow issue existed in Ruby when converting a string to a floating
point value. This issue was addressed through additional validation of floating
point values.
CVE-ID
CVE-2013-4164
§ Security - Secure Transport
Available for: OS X
Mountain Lion v10.8.5 and OS X Mavericks 10.9.2
Impact: An attacker
with a privileged network position may capture data or change the operations
performed in sessions protected by SSL
Description: In a
'triple handshake' attack, it was possible for an attacker to establish two
connections which had the same encryption keys and handshake, insert the
attacker's data in one connection, and renegotiate so that the connections may
be forwarded to each other. To prevent attacks based on this scenario, Secure
Transport was changed so that, by default, a renegotiation must present the
same server certificate as was presented in the original connection. This issue
does not affect Mac OS X 10.7 systems and earlier.
CVE-ID
CVE-2014-1295 :
Antoine Delignat-Lavaud, Karthikeyan Bhargavan and Alfredo Pironti of Prosecco
at Inria Paris
§ WindowServer
Available for: OS X
Mountain Lion v10.8.5 and OS X Mavericks 10.9.2
Impact: Maliciously
crafted applications can execute arbitrary code outside the sandbox
Description:
WindowServer sessions could be created by sandboxed applications. This issue
was addressed by disallowing sandboxed applications from creating WindowServer
sessions.
CVE-ID
CVE-2014-1314 :
KeenTeam working with HP's Zero Day Initiative
===================================================
In addition to this blog, I have authored the premiere book on Netiquette, " Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". You can view my profile, reviews of the book and content excerpts at:
www.amazon.com/author/paulbabicki
If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio and an online newsletter via paper.li.I have established Netiquette discussion groups with Linkedin and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts and I have been contributing to the blogs Everything Email and emailmonday . My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ Rider University and PSG of Mercer County, NJ.
Great Reasons for Purchasing Netiquette IQ
===========================================
===================================================
In addition to this blog, I have authored the premiere book on Netiquette, " Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". You can view my profile, reviews of the book and content excerpts at:
www.amazon.com/author/paulbabicki
If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio and an online newsletter via paper.li.I have established Netiquette discussion groups with Linkedin and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts and I have been contributing to the blogs Everything Email and emailmonday . My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ Rider University and PSG of Mercer County, NJ.
Great Reasons for Purchasing Netiquette IQ
· Get more email opens. Improve 100% or more.
· Receive more responses, interviews, appointments, prospects and sales.
· Be better understood.
· Eliminate indecision.
· Avoid being spammed 100% or more.
· Have recipient finish reading your email content.
· Save time by reducing questions.
· Increase your level of clarity.
· Improve you time management with your email.
· Have quick access to a wealth of relevant email information.
Enjoy most of what you need for email in a single book.===========================================
No comments:
Post a Comment