APPLE-SA-2015-01-27-4

http://support.apple.com/HT204244

http://www.mozilla.org/security/announce/2014/mfsa2014-90.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

http://www.reddit.com/r/netsec/comments/2ocxac/apple_coregraphics_framework_on_os_x_1010_is/

https://bugzilla.mozilla.org/show_bug.cgi?id=1092855

Versions of Mozilla Firefox ESR earlier than 31.3 are unpatched for the following vulnerabilities :

 - Security Bypass that can be leveraged when processing specially crafted Chrome-based CSS stylesheets with improperly declared namespaces. (CVE-2014-1589)
 - Information Disclosure due to the way Content Security Policy leaks data through violation reports. (CVE-2014-1591)
 - Multiple Unspecified Memory Corruption Vulnerabilities. (CVE-2014-1587)(CVE-2014-1588)
 - Multiple Local Information Disclosure Vulnerabilities requiring interactive access to exploit. (CVE-2014-1595)
 - Security Vulnerability due to bad casting from 'BasicThebesLayer' to 'BasicContainerLayer'. (CVE-2014-1594)
 - Denial of Service Vulnerability can occur when passing a js object to 'XMLHttpRequest' that mimics an input stream. (CVE-2014-1590)
 - Use After Free Memory Corruption Vulnerability when creating a second root element during the parsing of an HTML5 document which contains 'document.open()'. (CVE-2014-1592)
 - Buffer Overflow Vulnerability when handling specially crafted media content. (CVE-2014-1593)
 - A flaw exists and is triggered as 'XrayWrappers' filter objects are not properly validated when stored in the program. This may allow a context-dependent attacker to bypass security protection mechanisms. (CVE-2014-8632)

The remote host is running a version of Mac OS X 10.10.x that is prior to version 10.10.2. This update contains several security-related fixes for the following components :

  - bash
  - Bluetooth
  - CFNetwork Cache
  - CommerceKit Framework
  - CoreGraphics
  - CoreSymbolication
  - CPU Software
  - FontParser
  - Foundation
  - Intel Graphics Driver
  - IOAcceleratorFamily
  - IOHIDFamily
  - IOKit
  - IOUSBFamily
  - Kernel
  - LaunchServices
  - libnetcore
  - LoginWindow
  - lukemftp
  - OpenSSL
  - Safari
  - SceneKit
  - Security
  - security_taskgate
  - Spotlight
  - SpotlightIndex
  - sysmond
  - UserAccountUpdater

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

Mozilla Firefox has been updated to the 31.3ESR release fixing bugs and security issues.

  - Mozilla developers and community identified and fixed     several memory safety bugs in the browser engine used in     Firefox and other Mozilla-based products. Some of these     bugs showed evidence of memory corruption under certain     circumstances, and we presume that with enough effort at     least some of these could be exploited to run arbitrary     code. (MFSA 2014-83 / CVE-2014-1588 / CVE-2014-1587)

  - Security researcher Joe Vennix from Rapid7 reported that     passing a JavaScript object to XMLHttpRequest that     mimics an input stream will a crash. This crash is not     exploitable and can only be used for denial of service     attacks. (MFSA 2014-85 / CVE-2014-1590)

  - Security researcher Berend-Jan Wever reported a     use-after-free created by triggering the creation of a     second root element while parsing HTML written to a     document created with document.open(). This leads to a     potentially exploitable crash. (MFSA 2014-87 /     CVE-2014-1592)

  - Security researcher Abhishek Arya (Inferno) of the     Google Chrome Security Team used the Address Sanitizer     tool to discover a buffer overflow during the parsing of     media content. This leads to a potentially exploitable     crash. (MFSA 2014-88 / CVE-2014-1593)

  - Security researchers Byoungyoung Lee, Chengyu Song, and     Taesoo Kim at the Georgia Tech Information Security     Center (GTISC) reported a bad casting from the     BasicThebesLayer to BasicContainerLayer, resulting in     undefined behavior. This behavior is potentially     exploitable with some compilers but no clear mechanism     to trigger it through web content was identified. (MFSA     2014-89 / CVE-2014-1594)

  - Security researcher Kent Howard reported an Apple issue     present in OS X 10.10 (Yosemite) where log files are     created by the CoreGraphics framework of OS X in the     /tmp local directory. These log files contain a record     of all inputs into Mozilla programs during their     operation. In versions of OS X from versions 10.6     through 10.9, the CoreGraphics had this logging ability     but it was turned off by default. In OS X 10.10, this     logging was turned on by default for some applications     that use a custom memory allocator, such as jemalloc,     because of an initialization bug in the framework. This     issue has been addressed in Mozilla products by     explicitly turning off the framework's logging of input     events. On vulnerable systems, this issue can result in     private data such as usernames, passwords, and other     inputed data being saved to a log file on the local     system. (MFSA 2014-90 / CVE-2014-1595)

The Mozilla Project reports :

ASN.1 DER decoding of lengths is too permissive, allowing undetected smuggling of arbitrary data

MFSA-2014-90 Apple CoreGraphics framework on OS X 10.10 logging input data to /tmp directory

MFSA-2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer

MFSA-2014-88 Buffer overflow while parsing media content

MFSA-2014-87 Use-after-free during HTML5 parsing

MFSA-2014-86 CSP leaks redirect data via violation reports

MFSA-2014-85 XMLHttpRequest crashes with some input streams

MFSA-2014-84 XBL bindings accessible via improper CSS declarations

MFSA-2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)

Versions of Mozilla Thunderbird prior to 31.3 are prone to the following vulnerabilities :

 - Multiple Unspecified Memory Corruption Vulnerabilities.(CVE-2014-1587)(CVE-2014-1588)
 - Multiple Local Information Disclosure Vulnerabilities requiring interactive access to exploit.(CVE-2014-1595)
 - Security Vulnerability due to bad casting from BasicThebesLayer to BasicContainerLayer.(CVE-2014-1594)
 - Denial of Service Vulnerability can occur when passing a js object to XMLHttpRequest that mimics an input stream.(CVE-2014-1590)
 - Use After Free Memory Corruption Vulnerability when creating a second root element during the parsing of an HTML5 document which contains 'document.open()'.(CVE-2014-1592)
 - Buffer Overflow Vulnerability when handling specially crafted media content.(CVE-2014-1593)

Versions of Mozilla Firefox earlier than 34.0 are unpatched for the following vulnerabilities :

 - Security Bypass that can be leveraged when processing specially crafted Chrome-based CSS stylesheets with improperly declared namespaces. (CVE-2014-1589)
 - Information Disclosure due to the way Content Security Policy leaks data through violation reports. (CVE-2014-1591)
 - Multiple Unspecified Memory Corruption Vulnerabilities. (CVE-2014-1587)(CVE-2014-1588)
 - Multiple Local Information Disclosure Vulnerabilities requiring interactive access to exploit. (CVE-2014-1595)
 - Security Vulnerability due to bad casting from 'BasicThebesLayer' to 'BasicContainerLayer'. (CVE-2014-1594)
 - Denial of Service Vulnerability can occur when passing a js object to 'XMLHttpRequest' that mimics an input stream. (CVE-2014-1590)
 - Use After Free Memory Corruption Vulnerability when creating a second root element during the parsing of an HTML5 document which contains 'document.open()'. (CVE-2014-1592)
 - Buffer Overflow Vulnerability when handling specially crafted media content. (CVE-2014-1593)
 - A flaw exists and is triggered as 'XrayWrappers' filter objects are not properly validated when stored in the program. This may allow a context-dependent attacker to bypass security protection mechanisms. (CVE-2014-8632)

The version of Thunderbird installed on the remote Mac OS X host is a version prior to 31.3. It is, therefore, affected by the following vulnerabilities :

  - A remote code execution vulnerability exists in Mozilla     Network Security Services (NSS) due to a flaw in     'quickder.c' that is triggered when handling PKCS#1     signatures during the decoding of ASN.1 DER.
    (CVE-2014-1569)

  - Multiple memory safety flaws exist within the browser     engine. Exploiting these, an attacker can cause a denial     of service or execute arbitrary code. (CVE-2014-1587,     CVE-2014-1588)

  - A denial of service vulnerability exists due to     improper parsing of a JavaScript object to the     XMLHttpRequest API which can result in a crash.
    (CVE-2014-1590)

  - A use-after-free error exists due the creation of a     second XML root element when parsing HTML written to a     document created with 'document.open()' function which     can result in arbitrary code execution. (CVE-2014-1592)

  - A buffer overflow vulnerability exists in the     'mozilla::FileBlockCache::Read' function when parsing     media which can result in arbitrary code execution.
    (CVE-2014-1593)

  - A casting error exists when casting from the     'BasicThebesLayer' layer to the 'BasicContainerLayer'     layer which can result in arbitrary code execution.
    (CVE-2014-1594)

  - An information disclosure vulnerability exists due to     the CoreGraphic framework creating log files containing     sensitive information in the '/tmp' directory.
    (CVE-2014-1595)

The version of Firefox installed on the remote Mac OS X host is a version prior to 34.0. It is, therefore, affected by the following vulnerabilities :

  - A security bypass vulnerability exists due to the     'XrayWrappers' filter not properly validating object     properties. This allows a remote attacker to bypass     security protection mechanisms to access protected     objects. (CVE-2014-8631)

  - A security bypass vulnerability exists due to Chrome     Object Wrappers (COW) being passed as native interfaces.
    This allows a remote attacker to access normally     protected objects. (CVE-2014-8632)

  - A remote code execution vulnerability exists in Mozilla     Network Security Services (NSS) due to a flaw in     'quickder.c' that is triggered when handling PKCS#1     signatures during the decoding of ASN.1 DER.
    (CVE-2014-1569)

  - Multiple memory safety flaws exist within the browser     engine. Exploiting these, an attacker can cause a denial     of service or execute arbitrary code. (CVE-2014-1587,     CVE-2014-1588)

  - A security bypass vulnerability exists due improper     declaration of chrome accessible CSS primary namespaces     allowing for XML Binding Language (XBL) bindings to be     triggered remotely. (CVE-2014-1589)

  - A denial of service vulnerability exists due to     improper parsing of a JavaScript object to the     XMLHttpRequest API which can result in a crash.
    (CVE-2014-1590)

  - An information disclosure vulnerability exists due to     Content Security Policy (CSP) violation reports     triggered by a redirect not properly removing path     information which can reveal sensitive information.
    Note that this only affects Firefox 33. (CVE-2014-1591)

  - A use-after-free error exists due the creation of a     second XML root element when parsing HTML written to a     document created with 'document.open()' function which     can result in arbitrary code execution. (CVE-2014-1592)

  - A buffer overflow vulnerability exists in the     'mozilla::FileBlockCache::Read' function when parsing     media which can result in arbitrary code execution.
    (CVE-2014-1593)

  - A casting error exists when casting from the     'BasicThebesLayer' layer to the 'BasicContainerLayer'     layer which can result in arbitrary code execution.
    (CVE-2014-1594)

  - An information disclosure vulnerability exists due to     the CoreGraphic framework creating log files containing     sensitive information in the '/tmp' directory.
    (CVE-2014-1595)

The version of Firefox ESR 31.x installed on the remote Mac OS X host is prior to 31.3. It is, therefore, affected by the following vulnerabilities :

  - Multiple memory safety flaws exist within the browser     engine. Exploiting these, an attacker can cause a denial     of service or execute arbitrary code. (CVE-2014-1587,     CVE-2014-1588)

  - A denial of service vulnerability exists due to     improper parsing of a JavaScript object to the     XMLHttpRequest API which can result in a crash.
    (CVE-2014-1590)

  - A use-after-free error exists due the creation of a     second XML root element when parsing HTML written to a     document created with 'document.open()' function which     can result in arbitrary code execution. (CVE-2014-1592)

  - A buffer overflow vulnerability exists in the     'mozilla::FileBlockCache::Read' function when parsing     media which can result in arbitrary code execution.
    (CVE-2014-1593)

  - A casting error exists when casting from the     'BasicThebesLayer' layer to the 'BasicContainerLayer'     layer which can result in arbitrary code execution.
    (CVE-2014-1594)

  - An information disclosure vulnerability exists due to     the CoreGraphic framework creating log files containing     sensitive information in the '/tmp' directory.
    (CVE-2014-1595)

ID	Name	Product	Family	Severity
701249	Mozilla Firefox ESR < 31.3 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
81087	Mac OS X 10.10.x < 10.10.2 Multiple Vulnerabilities (POODLE)	Nessus	MacOS X Local Security Checks	critical
80023	SuSE 11.3 Security Update : Mozilla Firefox (SAT Patch Number 10064)	Nessus	SuSE Local Security Checks	medium
79707	FreeBSD : mozilla -- multiple vulnerabilities (7ae61870-9dd2-4884-a2f2-f19bb5784d09)	Nessus	FreeBSD Local Security Checks	high
8589	Mozilla Thunderbird < 31.3 Multiple Vulnerabilities	Nessus Network Monitor	SMTP Clients	medium
8588	Mozilla Firefox < 34.0 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
79663	Mozilla Thunderbird < 31.3 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	high
79662	Firefox < 34.0 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	high
79661	Firefox ESR 31.x < 31.3 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	medium

CVE-2014-1595

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins