APPLE-SA-2015-01-27-4

http://packetstormsecurity.com/files/135701/OS-X-Sysmond-XPC-Type-Confusion-Privilege-Escalation.html

http://support.apple.com/HT204244

35742

71992

1031650

https://code.google.com/p/google-security-research/issues/detail?id=121

macosx-cve20148835-priv-esc(100530)

The remote host is running a version of Mac OS X 10.10.x that is prior to version 10.10.2. Mac OS X 10.10.2 contains the following security-related fixes :

  - The IOHIDFamily allows attackers to execute arbitrary code in a kernel context. (CVE-2014-8822, CVE-2014-4487)
 - The LaunchServices module does not properly handle file-type metadata.  This can allow an attacker to bypass the Gatekeeper protection via a crafted JAR archive. (CVE-2014-8826)
 - There are unspecified vulnerabilities in the Intel Graphics driver. (CVE-2014-8819, CVE-2014-8820, CVE-2014-8821)
 - There is a data leak vulnerability in the LoginWindow component. (CVE-2014-8827)
 - There is a data leak vulnerability with the Spotlight Mail component. (CVE-2014-8839)
 - The SceneKit component is vulnerable to a heap-based buffer overflow. (CVE-2014-8830)
 - The App Store process in CommerceKit Framework is vulnerable to a local information leak. (CVE-2014-4499)
 - The indexing functionality in Spotlight is vulnerable to a sensitive data leak. (CVE-2014-8832, CVE-2014-8833)
 - The security_taskgate Bluetooth driver is vulnerable to an unspecified vulnerability. (CVE-2014-8831)
 - The Bluetooth driver is vulnerable to a remote code execution vulnerability. (CVE-2014-8836)
 - There are multiple unspecified vulnerabilities in the Bluetooth driver. (CVE-2014-8837, CVE-2014-4497)
 - The UserAccountUpdater component is vulnerable to a local data leak. (CVE-2014-8834)
 - There is a buffer overflow vulnerability in the xpc_data_get_bytes function in libxpc. (CVE-2014-8835)
 - The SceneKit component is vulnerable to an arbitrary code execution vulnerability. (CVE-2014-8829)
 - The CPU Software allows a local, physical, firmware attack. (CVE-2014-4498)
 - The IOUSBControllerUserClient::ReadRegister function in the IOUSB controller of IOUSBFamily is vulnerable to a data leak. (CVE-2014-8823)
 - The kernel does not properly validate IODataQueue object metadata fields. (CVE-2014-8824)
 - The kernel does not properly perform identitysvc validation. (CVE-2014-8825)
 - The Coresymbolicationd component in CoreSymbolication does not verify data types. (CVE-2014-8817)
 - There is an integer overflow in the CoreGraphics component which can lead to remote code execution. (CVE-2014-4481)
 - There is a buffer overflow in the FontParser component which may allow remote code execution. (CVE-2014-4483)
 - The FontParser does not properly validate crafted .dfont files which can lead to remote code execution. (CVE-2014-4484)
 - There is a buffer overflow in the XML parser in Foundation. (CVE-2014-4485)
 - The IOAcceleratorFamily does not properly handle certain types and can lead to a NULL pointer dereference. (CVE-2014-4486)
 - The IOHIDFamily does not properly validate resource-queue metadata, potentially allowing remote code execution. (CVE-2014-4488)
 - The IOHIDFamily fails to properly sanitize event queues.  This can lead to remote code execution. (CVE-2014-4489)
 - The Kernel extension API is vulnerable to a bypass of the ASLR protection mechanism. (CVE-2014-4491)
 - The kernel does not enforce read-only attributes which can allow attackers to bypass access restrictions. (CVE-2014-4495)
 - The libnetcore module fails to verify certain data types which can allow remote code execution in the _networkd context. (CVE-2014-4492)

The remote host is running a version of Mac OS X 10.8 or 10.9 that does not have Security Update 2015-001 applied. This update contains several security-related fixes for the following components :

  - AFP Server
  - Bluetooth
  - CoreGraphics
  - CoreSymbolication
  - FontParser
  - Foundation
  - Intel Graphics Driver
  - IOAcceleratorFamily
  - IOHIDFamily
  - Kernel
  - LaunchServices
  - libnetcore
  - LoginWindow
  - lukemftp
  - OpenSSL
  - Sandbox
  - SceneKit
  - Security
  - security_taskgate
  - Spotlight
  - sysmond

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The remote host is running a version of Mac OS X 10.10.x that is prior to version 10.10.2. This update contains several security-related fixes for the following components :

  - bash
  - Bluetooth
  - CFNetwork Cache
  - CommerceKit Framework
  - CoreGraphics
  - CoreSymbolication
  - CPU Software
  - FontParser
  - Foundation
  - Intel Graphics Driver
  - IOAcceleratorFamily
  - IOHIDFamily
  - IOKit
  - IOUSBFamily
  - Kernel
  - LaunchServices
  - libnetcore
  - LoginWindow
  - lukemftp
  - OpenSSL
  - Safari
  - SceneKit
  - Security
  - security_taskgate
  - Spotlight
  - SpotlightIndex
  - sysmond
  - UserAccountUpdater

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

ID	Name	Product	Family	Severity
8644	Mac OS X < 10.10.2 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	critical
81088	Mac OS X Multiple Vulnerabilities (Security Update 2015-001) (POODLE)	Nessus	MacOS X Local Security Checks	critical
81087	Mac OS X 10.10.x < 10.10.2 Multiple Vulnerabilities (POODLE)	Nessus	MacOS X Local Security Checks	critical

CVE-2014-8835

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

critical