APPLE-SA-2014-09-17-1

APPLE-SA-2014-09-17-2

60705

61318

http://support.apple.com/kb/HT6367

http://support.apple.com/kb/HT6441

http://support.apple.com/kb/HT6442

69223

1030731

apple-safari-cve20141388-code-exec(95271)

GLSA-201601-02

https://support.apple.com/kb/HT6537

The remote host is affected by the vulnerability described in GLSA-201601-02 (WebKitGTK+: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in WebKitGTK+. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attack can use multiple vectors to execute arbitrary code or       cause a denial of service condition.
  Workaround :

    There is no known workaround at this time.

This update fixes the following security issues :

  - Fix SSL connection issues with some websites after the     POODLE vulnerability fix.

  - Fix a crash when loading flash plugins.

  - Fix build on GNU Hurd - Fix build on OS X.

  - Fix documentation of     webkit_print_operation_get_page_setup().

  - Security fixes: CVE-2014-1344, CVE-2014-1384,     CVE-2014-1385, CVE-2014-1386, CVE-2014-1387,     CVE-2014-1388, CVE-2014-1389, CVE-2014-1390,     CVE-2015-2330. (bnc#879607, bnc#871792)

  - Pass autoreconf and enable libtool BuildRequires: Needed     for above patch since it touches the buildsystem.

  - Bugs fixed: boo#871792, boo#879607 and boo#879607.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Webkit release team reports :

This release fixes the following security issues : CVE-2014-1344, CVE-2014-1384, CVE-2014-1385, CVE-2014-1386, CVE-2014-1387, CVE-2014-1388, CVE-2014-1389, CVE-2014-1390.

The version of Apple iTunes on the remote host is prior to version 12.0.1. It is, therefore, affected by multiple vulnerabilities related to the included version of WebKit. The errors could lead to application crashes or arbitrary code execution.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apple iTunes installed on the remote Windows host is prior to 12.0.1. It is, therefore, affected by multiple vulnerabilities due to the included version of WebKit. The errors could lead to application crashes or arbitrary code execution.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Versions of iTunes earlier than 12.0.1 are missing updates that patch memory corruption vulnerabilities within WebKit, as well as a patch that fixes a man-in-the-middle vulnerability that affects encrypted connections to the iTunes Store via iTunes. The most severe of these vulnerabilites can result in arbitrary remote code execution or unexpected application termination.

According to its banner, the remote Apple TV device is a version prior to 7. It is, therefore, affected by multiple vulnerabilities, the most serious of which can result in arbitrary code execution.

The following components contain vulnerabilities that have since been patched in version 7.0:

  - 802.1X
  - Accounts
  - Accessibility
  - Accounts Framework
  - Address Book
  - App Installation
  - Assets
  - Bluetooth
  - CoreGraphics
  - Foundation
  - Home & Lock Screen
  - iMessage
  - IOAcceleratorFamily
  - IOAcceleratorFamily
  - IOHIDFamily
  - IOHIDFamily
  - IOKit
  - Kernel
  - Libnotify
  - Mail
  - Profiles
  - Safari
  - Sandbox Profiles
  - syslog
  - WebKit

The mobile device is running a version of iOS prior to version 8. It is, therefore, affected by vulnerabilities in the following components :

  - 802.1X
  - Accessibility
  - Accounts
  - Accounts Framework
  - Address Book
  - App Installation
  - Assets
  - Bluetooth
  - Certificate Trust Policy
  - CoreGraphics
  - Data Detectors
  - Foundation
  - Home and Lock Screen
  - iMessage
  - IOAcceleratorFamily
  - IOHIDFamily
  - IOKit
  - Kernel
  - Libnotify
  - Lockdown
  - Lockdown
  - Mail
  - Profiles
  - Safari
  - Sandbox Profiles
  - Settings
  - syslog
  - Weather
  - WebKit
  - Wifi

The version of Apple Safari installed on the remote Mac OS X host is a version prior to 6.1.6 or 7.0.6. It is, therefore, affected by multiple memory corruption vulnerabilities that exist in WebKit that could lead to unexpected program termination or arbitrary code execution.

According to its banner, the remote iOS device is missing a security update.  Versions of Apple iOS prior to 8.0 are affected by vulnerabilities within the following components :

  - 802.1X
  - Accessibility
  - Accounts Framework
  - Accounts
  - Address Book
  - App Installation
  - Assets
  - Bluetooth
  - Certificate Trust Policy
  - CoreGraphics
  - Data Detectors
  - Foundation
  - Home & Lock Screen
  - IOAcceleratorFamily
  - IOHIDFamily
  - IOKit
  - Kernel
  - Libnotify
  - Lockdown
  - Mail
  - Profiles
  - Safari
  - Sandbox Profiles
  - Settings
  - Weather
  - WebKit
  - WiFi
  - iMessage
  - syslog

ID	Name	Product	Family	Severity
88391	GLSA-201601-02 : WebKitGTK+: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
83713	SUSE SLED12 / SLES12 Security Update : webkitgtk (SUSE-SU-2015:0688-1)	Nessus	SuSE Local Security Checks	medium
80455	FreeBSD : WebKit-gtk -- Multiple vulnerabilities (e9ccdb28-9802-11e4-9d9c-bcaec565249c)	Nessus	FreeBSD Local Security Checks	medium
78598	Apple iTunes < 12.0.1 Multiple Vulnerabilities (uncredentialed check)	Nessus	Peer-To-Peer File Sharing	critical
78597	Apple iTunes < 12.0.1 Multiple Vulnerabilities (credentialed check)	Nessus	Windows	critical
8561	iTunes < 12.0.1 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	critical
77822	Apple TV < 7 Multiple Vulnerabilities	Nessus	Misc.	high
8392	Apple TV < 7 Multiple Vulnerabilities	Nessus Network Monitor	Internet Services	critical
77745	Apple iOS < 8 Multiple Vulnerabilities	Nessus	Mobile Devices	high
77201	Mac OS X : Apple Safari < 6.1.6 / 7.0.6 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	medium
8393	Apple iOS < 8.0 Multiple Vulnerabilities	Nessus Network Monitor	Mobile Devices	high

CVE-2014-1388

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

medium

medium

medium

critical

critical

critical

high

critical

high

medium

high