APPLE-SA-2014-09-17-1

61306

http://support.apple.com/kb/HT6440

http://support.apple.com/kb/HT6441

69882

69909

1030866

appleios-cve20144363-info-disc(96075)

The remote host has Safari installed that is older than 6.2 or 7.1, and is thus unpatched for the following WebKit vulnerabilities :

 - Saved passwords and incorrect automatic filling of HTML forms contain an error that could be leveraged to obtain sensitive information. (CVE-2014-4363)
 - Multiple memory corruption errors exist in WebKit that could potentially be leveraged for arbitrary code execution. (CVE-2013-6663, CVE-2014-4410, CVE-2014-4411, CVE-2014-4412, CVE-2014-4413, CVE-2014-4414, CVE-2014-4415)
 - HTML5 application cache data handling with WebKit that allows the disclosure of sensitive information from private browsing sessions. (CVE-2014-4409)

The version of Apple Safari installed on the remote Mac OS X host is a version prior to 6.2 or 7.1. It is, therefore, affected by the following vulnerabilities :

  - An error exists related to saved passwords and the     incorrect automatic filling of HTML forms. A remote     attacker can exploit this to obtain sensitive     information. (CVE-2014-4363)

  - Multiple memory corruption errors exist related to     the included version of WebKit that can allow     application crashes or arbitrary code execution.
    (CVE-2013-6663, CVE-2014-4410, CVE-2014-4411,     CVE-2014-4412, CVE-2014-4413, CVE-2014-4414,     CVE-2014-4415)

  - An error exists related to HTML5 application cache     data handling and the included version of WebKit that     allows the disclosure of sensitive information from     private browsing sessions. (CVE-2014-4409)

The mobile device is running a version of iOS prior to version 8. It is, therefore, affected by vulnerabilities in the following components :

  - 802.1X
  - Accessibility
  - Accounts
  - Accounts Framework
  - Address Book
  - App Installation
  - Assets
  - Bluetooth
  - Certificate Trust Policy
  - CoreGraphics
  - Data Detectors
  - Foundation
  - Home and Lock Screen
  - iMessage
  - IOAcceleratorFamily
  - IOHIDFamily
  - IOKit
  - Kernel
  - Libnotify
  - Lockdown
  - Lockdown
  - Mail
  - Profiles
  - Safari
  - Sandbox Profiles
  - Settings
  - syslog
  - Weather
  - WebKit
  - Wifi

According to its banner, the remote iOS device is missing a security update.  Versions of Apple iOS prior to 8.0 are affected by vulnerabilities within the following components :

  - 802.1X
  - Accessibility
  - Accounts Framework
  - Accounts
  - Address Book
  - App Installation
  - Assets
  - Bluetooth
  - Certificate Trust Policy
  - CoreGraphics
  - Data Detectors
  - Foundation
  - Home & Lock Screen
  - IOAcceleratorFamily
  - IOHIDFamily
  - IOKit
  - Kernel
  - Libnotify
  - Lockdown
  - Mail
  - Profiles
  - Safari
  - Sandbox Profiles
  - Settings
  - Weather
  - WebKit
  - WiFi
  - iMessage
  - syslog

ID	Name	Product	Family	Severity
8395	Safari < 6.2 / 7.1 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
77747	Mac OS X : Apple Safari < 6.2 / 7.1 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
77745	Apple iOS < 8 Multiple Vulnerabilities	Nessus	Mobile Devices	high
8393	Apple iOS < 8.0 Multiple Vulnerabilities	Nessus Network Monitor	Mobile Devices	high

CVE-2014-4363

MEDIUM

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

high

high

high

high