Home / vulnerabilities Apple Security Advisory 2015-06-30-2
Posted on 01 July 2015
Source : packetstormsecurity.org Link
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-06-30-2 OS X Yosemite v10.10.4 and Security Update
2015-005
OS X Yosemite v10.10.4 and Security Update 2015-005 are now available
and address the following:
Admin Framework
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A process may gain admin privileges without proper
authentication
Description: An issue existed when checking XPC entitlements. This
issue was addressed through improved entitlement checking.
CVE-ID
CVE-2015-3671 : Emil Kvarnhammar at TrueSec
Admin Framework
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A non-admin user may obtain admin rights
Description: An issue existed in the handling of user
authentication. This issue was addressed through improved error
checking.
CVE-ID
CVE-2015-3672 : Emil Kvarnhammar at TrueSec
Admin Framework
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: An attacker may abuse Directory Utility to gain root
privileges
Description: Directory Utility was able to be moved and modified to
achieve code execution within an entitled process. This issue was
addressed by limiting the disk location that writeconfig clients may
be executed from.
CVE-ID
CVE-2015-3673 : Patrick Wardle of Synack, Emil Kvarnhammar at TrueSec
afpserver
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in the AFP server.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3674 : Dean Jerkovich of NCC Group
apache
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: An attacker may be able to access directories that are
protected with HTTP authentication without knowing the correct
credentials
Description: The default Apache configuration did not include
mod_hfs_apple. If Apache was manually enabled and the configuration
was not changed, some files that should not be accessible might have
been accessible using a specially crafted URL. This issue was
addressed by enabling mod_hfs_apple.
CVE-ID
CVE-2015-3675 : Apple
apache
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Multiple vulnerabilities exist in PHP, the most serious of
which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in PHP versions prior
to 5.5.24 and 5.4.40. These were addressed by updating PHP to
versions 5.5.24 and 5.4.40.
CVE-ID
CVE-2015-0235
CVE-2015-0273
AppleGraphicsControl
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in AppleGraphicsControl which could
have led to the disclosure of kernel memory layout. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2015-3676 : Chen Liang of KEEN Team
AppleFSCompression
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in LZVN compression that could have
led to the disclosure of kernel memory content. This issue was
addressed through improved memory handling.
CVE-ID
CVE-2015-3677 : an anonymous researcher working with HP's Zero Day
Initiative
AppleThunderboltEDMService
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in the handling of
certain Thunderbolt commands from local processes. This issue was
addressed through improved memory handling.
CVE-ID
CVE-2015-3678 : Apple
ATS
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in handling
of certain fonts. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2015-3679 : Pawel Wylecial working with HP's Zero Day Initiative
CVE-2015-3680 : Pawel Wylecial working with HP's Zero Day Initiative
CVE-2015-3681 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3682 : Nuode Wei
Bluetooth
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in the Bluetooth HCI
interface. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3683 : Roberto Paleari and Aristide Fattori of Emaze
Networks
Certificate Trust Policy
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: An attacker with a privileged network position may be able
to intercept network traffic
Description: An intermediate certificate was incorrectly issued by
the certificate authority CNNIC. This issue was addressed through the
addition of a mechanism to trust only a subset of certificates issued
prior to the mis-issuance of the intermediate. Further details are
available at https://support.apple.com/en-us/HT204938
Certificate Trust Policy
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT202858.
CFNetwork HTTPAuthentication
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Following a maliciously crafted URL may lead to arbitrary
code execution
Description: A memory corruption issue existed in handling of
certain URL credentials. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3684 : Apple
CoreText
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted text file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of text files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1157
CVE-2015-3685 : Apple
CVE-2015-3686 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3687 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3688 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3689 : Apple
coreTLS
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: An attacker with a privileged network position may intercept
SSL/TLS connections
Description: coreTLS accepted short ephemeral Diffie-Hellman (DH)
keys, as used in export-strength ephemeral DH cipher suites. This
issue, also known as Logjam, allowed an attacker with a privileged
network position to downgrade security to 512-bit DH if the server
supported an export-strength ephemeral DH cipher suite. The issue was
addressed by increasing the default minimum size allowed for DH
ephemeral keys to 768 bits.
CVE-ID
CVE-2015-4000 : The weakdh team at weakdh.org, Hanno Boeck
DiskImages
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: An information disclosure issue existed in the
processing of disk images. This issue was addressed through improved
memory management.
CVE-ID
CVE-2015-3690 : Peter Rutenbar working with HP's Zero Day Initiative
Display Drivers
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An issue existed in the Monitor Control Command Set
kernel extension by which a userland process could control the value
of a function pointer within the kernel. The issue was addressed by
removing the affected interface.
CVE-ID
CVE-2015-3691 : Roberto Paleari and Aristide Fattori of Emaze
Networks
EFI
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application with root privileges may be able to
modify EFI flash memory
Description: An insufficient locking issue existed with EFI flash
when resuming from sleep states. This issue was addressed through
improved locking.
CVE-ID
CVE-2015-3692 : Trammell Hudson of Two Sigma Investments, Xeno Kovah
and Corey Kallenberg of LegbaCore LLC, Pedro Vilaca
EFI
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may induce memory corruption to
escalate privileges
Description: A disturbance error, also known as Rowhammer, exists
with some DDR3 RAM that could have led to memory corruption. This
issue was mitigated by increasing memory refresh rates.
CVE-ID
CVE-2015-3693 : Mark Seaborn and Thomas Dullien of Google, working
from original research by Yoongu Kim et al (2014)
FontParser
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-3694 : John Villamil (@day6reak), Yahoo Pentest Team
Graphics Driver
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An out of bounds write issue existed in NVIDIA graphics
driver. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2015-3712 : Ian Beer of Google Project Zero
Intel Graphics Driver
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Multiple buffer overflow issues exist in the Intel graphics
driver, the most serious of which may lead to arbitrary code
execution with system privileges
Description: Multiple buffer overflow issues existed in the Intel
graphics driver. These were addressed through additional bounds
checks.
CVE-ID
CVE-2015-3695 : Ian Beer of Google Project Zero
CVE-2015-3696 : Ian Beer of Google Project Zero
CVE-2015-3697 : Ian Beer of Google Project Zero
CVE-2015-3698 : Ian Beer of Google Project Zero
CVE-2015-3699 : Ian Beer of Google Project Zero
CVE-2015-3700 : Ian Beer of Google Project Zero
CVE-2015-3701 : Ian Beer of Google Project Zero
CVE-2015-3702 : KEEN Team
ImageIO
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Multiple vulnerabilities existed in libtiff, the most
serious of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in libtiff versions
prior to 4.0.4. They were addressed by updating libtiff to version
4.0.4.
CVE-ID
CVE-2014-8127
CVE-2014-8128
CVE-2014-8129
CVE-2014-8130
ImageIO
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted .tiff file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
.tiff files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-3703 : Apple
Install Framework Legacy
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Several issues existed in how Install.framework's
'runner' setuid binary dropped privileges. This was addressed by
properly dropping privileges.
CVE-ID
CVE-2015-3704 : Ian Beer of Google Project Zero
IOAcceleratorFamily
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Multiple memory corruption issues existed in
IOAcceleratorFamily. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2015-3705 : KEEN Team
CVE-2015-3706 : KEEN Team
IOFireWireFamily
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Multiple null pointer dereference issues existed in the
FireWire driver. These issues were addressed through improved error
checking.
CVE-ID
CVE-2015-3707 : Roberto Paleari and Aristide Fattori of Emaze
Networks
Kernel
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue existed in the handling of
APIs related to kernel extensions which could have led to the
disclosure of kernel memory layout. This issue was addressed through
improved memory management.
CVE-ID
CVE-2015-3720 : Stefan Esser
Kernel
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue existed in the handling of
HFS parameters which could have led to the disclosure of kernel
memory layout. This issue was addressed through improved memory
management.
CVE-ID
CVE-2015-3721 : Ian Beer of Google Project Zero
kext tools
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to overwrite arbitrary
files
Description: kextd followed symbolic links while creating a new
file. This issue was addressed through improved handling of symbolic
links.
CVE-ID
CVE-2015-3708 : Ian Beer of Google Project Zero
kext tools
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A local user may be able to load unsigned kernel extensions
Description: A time-of-check time-of-use (TOCTOU) race condition
condition existed while validating the paths of kernel extensions.
This issue was addressed through improved checks to validate the path
of the kernel extensions.
CVE-ID
CVE-2015-3709 : Ian Beer of Google Project Zero
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A maliciously crafted email can replace the message content
with an arbitrary webpage when the message is viewed
Description: An issue existed in the support for HTML email which
allowed message content to be refreshed with an arbitrary webpage.
The issue was addressed through restricted support for HTML content.
CVE-ID
CVE-2015-3710 : Aaron Sigel of vtty.com, Jan Soucek
ntfs
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in NTFS that could have led to the
disclosure of kernel memory content. This issue was addressed through
improved memory handling.
CVE-ID
CVE-2015-3711 : Peter Rutenbar working with HP's Zero Day Initiative
ntp
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: An attacker in a privileged position may be able to perform
a denial of service attack against two ntp clients
Description: Multiple issues existed in the authentication of ntp
packets being received by configured end-points. These issues were
addressed through improved connection state management.
CVE-ID
CVE-2015-1798
CVE-2015-1799
OpenSSL
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Multiple issues exist in OpenSSL, including one that may
allow an attacker to intercept connections to a server that supports
export-grade ciphers
Description: Multiple issues existed in OpenSSL 0.9.8zd which were
addressed by updating OpenSSL to version 0.9.8zf.
CVE-ID
CVE-2015-0209
CVE-2015-0286
CVE-2015-0287
CVE-2015-0288
CVE-2015-0289
CVE-2015-0293
QuickTime
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3661 : G. Geshev working with HP's Zero Day Initiative
CVE-2015-3662 : kdot working with HP's Zero Day Initiative
CVE-2015-3663 : kdot working with HP's Zero Day Initiative
CVE-2015-3666 : Steven Seeley of Source Incite working with HP's Zero
Day Initiative
CVE-2015-3667 : Ryan Pentney, Richard Johnson of Cisco Talos and Kai
Lu of Fortinet's FortiGuard Labs, Ryan Pentney, and Richard Johnson
of Cisco Talos and Kai Lu of Fortinet's FortiGuard Labs
CVE-2015-3668 : Kai Lu of Fortinet's FortiGuard Labs
CVE-2015-3713 : Apple
Security
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: An integer overflow existed in the Security framework
code for parsing S/MIME e-mail and some other signed or encrypted
objects. This issue was addressed through improved validity checking.
CVE-ID
CVE-2013-1741
Security
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Tampered applications may not be prevented from launching
Description: Apps using custom resource rules may have been
susceptible to tampering that would not have invalidated the
signature. This issue was addressed with improved resource
validation.
CVE-ID
CVE-2015-3714 : Joshua Pitts of Leviathan Security Group
Security
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to bypass code signing
checks
Description: An issue existed where code signing did not verify
libraries loaded outside the application bundle. This issue was
addressed with improved bundle verification.
CVE-ID
CVE-2015-3715 : Patrick Wardle of Synack
Spotlight
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Searching for a malicious file with Spotlight may lead to
command injection
Description: A command injection vulnerability existed in the
handling of filenames of photos added to the local photo library.
This issue was addressed through improved input validation.
CVE-ID
CVE-2015-3716 : Apple
SQLite
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflows existed in SQLite's printf
implementation. These issues were addressed through improved bounds
checking.
CVE-ID
CVE-2015-3717 : Peter Rutenbar working with HP's Zero Day Initiative
System Stats
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious app may be able to compromise systemstatsd
Description: A type confusion issue existed in systemstatsd's
handling of interprocess communication. By sending a maliciously
formatted message to systemstatsd, it may have been possible to
execute arbitrary code as the systemstatsd process. The issue was
addressed through additional type checking.
CVE-ID
CVE-2015-3718 : Roberto Paleari and Aristide Fattori of Emaze
Networks
TrueTypeScaler
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-3719 : John Villamil (@day6reak), Yahoo Pentest Team
zip
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Extracting a maliciously crafted zip file using the unzip
tool may lead to an unexpected application termination or arbitrary
code execution
Description: Multiple memory corruption issues existed in the
handling of zip files. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2014-8139
CVE-2014-8140
CVE-2014-8141
OS X Yosemite 10.10.4 includes the security content of Safari 8.0.7.
https://support.apple.com/en-us/HT204950
OS X Yosemite 10.10.4 and Security Update 2015-005 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVksFmAAoJEBcWfLTuOo7tV1AQAIYpkOMpHp181b+70sgyZ/Ue
mFM527FFGDfLLuIW6LTcBsEFe9cfZxumB8eOFPirTNRK7krsVMo1W+faHXyWOnx7
kbWylHdhaoxnX+A6Gj0vP71V6TNNsTi9+2dmdmHUnwxZ7Ws5QCNKebumUG3MMXXo
EKxE5SNSNKyMSSYmliS26cdl8fWrmg9qTxiZQnxjOCrg/CNAolgVIRRfdMUL7i4w
aGAyrlJXOxFOuNkqdHX2luccuHFV7aW/dIXQ4MyjiRNl/bWrBQmQlneLLpPdFZlH
cMfGa2/baaNaCbU/GqhNKbO4fKYVaqQWzfUrtqX0+bRv2wmOq33ARy9KE23bYTvL
U4E9x9z87LsLXGAdjUi6MDe5g87DcmwIEigfF6/EHbDYa/2VvSdIa74XRv/JCN1+
aftHLotin76h4qV/dCAPf5J/Fr/1KFCM0IphhG7p+7fVTfyy7YDXNBiKCEZzLf8U
TUWLUCgQhobtakqwzQJ5qyF8u63xzVXj8oeTOw6iiY/BLlj9def5LMm/z6ZKGTyC
3c4+Sy5XvBHZoeiwdcndTVpnFbmmjZRdeqtdW/zX5mHnxXPa3lZiGoBDhHQgIg6J
1tTVtnO1JSLXVYDR6Evx1EH10Vgkt2wAGTLjljSLwtckoEqc78qMAT1G5U4nFffI
+gGm5FbAxjxElgA/gbaq
=KLda
-----END PGP SIGNATURE-----