jspokes

Q: CVE-2015-1130 - Protection on Mountain Lion

So Apple has been alerted to a serious OSX security flaw that so far they have only fixed in Yosemite.

About the security content of OS X Yosemite v10.10.3 and Security Update 2015-004 - Apple Support

What can we do to protect our usage on Mountain Lion when Apple haven't fixed known security problems?

I can't update to Yosemite. Far too many driver, application and music production related issues. Sure, Gatekeeper asks if we want to open untrusted applications, but I've certainly got a number of applications that are not digitally signed and necessary for what I do.

MacBook Pro, OS X Mountain Lion (10.8.5)

Posted on Apr 10, 2015 3:23 PM

  • by Eric Root, Apr 11, 2015 8:39 AM in response to jspokes
    Level 9 (71,450 points)

    .

  • by mkadc, Apr 13, 2015 12:14 AM in response to jspokes
    Level 1 (0 points)

    I truly can't believe that Apple isn't going to fix this on the pre-10.10 supported OSes.

    I have filed a bug report with Apple and hope that many people will do the same.

    Disappointment is the word!!!

  • by John Caradimas, Apr 13, 2015 12:48 AM in response to jspokes
    Level 1 (19 points)

    Just filed a bug report with Apple. This is ridiculous. Knowingly leaving a security flaw open on previous OSs is looking for a lot of legal trouble.

  • by kOoLiNuS, Apr 13, 2015 6:43 AM in response to mkadc
    Level 1 (13 points)

    Please help me to understand.

    Those two updates DO NOT apply to the issue in question. Am I right?

    Security Update 2015-004 Mountain Lion

    Security Update 2015-004 Mavericks

    Thanks!

  • by John Caradimas, Apr 13, 2015 7:08 AM in response to kOoLiNuS
    Level 1 (19 points)

    No, these security updates do not appear to close the door.

  • by Bill in Santa Cruz, Apr 13, 2015 10:54 AM in response to jspokes
    Level 2 (435 points)

    This is outrageous that the only fix is to upgrade to Yosemite. What are Apple thinking? This is seriously one of the WORST decisions they could make.

  • by teepareep, Apr 13, 2015 1:26 PM in response to jspokes
    Level 1 (0 points)

    I concur. What a joke. Is this meant to force an early update and bring everyone in line with their release cycle?

  • by Bill in Santa Cruz, Apr 13, 2015 1:45 PM in response to jspokes
    Level 2 (435 points)

    jspokes, am I reading this correctly (from the security researchers' link you provided)? It looks like Apple has flatly declined to fix this?

    Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older.

    If Microsoft said something similar, it would be international news, and they would be tarred and feathered by the user base. Unbelievable.

  • by MadMacs0, Apr 13, 2015 11:24 PM in response to Bill in Santa Cruz
    Level 5 (4,791 points)

    When Yosemite was released it contained dozens of security updates that have never been applied to Mountain Lion or Mavericks, so this is just another one, perhaps more of a threat, but only time will tell.

  • by jspokes, Apr 13, 2015 11:37 PM in response to MadMacs0
    Level 1 (0 points)

    That's interesting. Can you point us to any links to the CVEs?

  • by MadMacs0, Apr 13, 2015 11:52 PM in response to jspokes
    Level 5 (4,791 points)

    jspokes wrote:

    That's interesting. Can you point us to any links to the CVEs?

    For whatever reason this isn't available from the Apple Product Security archives:

    APPLE-SA-2014-10-16-1 OS X Yosemite v10.10

    OS X Yosemite v10.10 is now available and addresses the following:

    802.1X
    Impact:  An attacker can obtain WiFi credentials
    Description:  An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by disabling LEAP by default.
    CVE-ID
    CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim Lamotte of Universiteit Hasselt

    AFP File Server
    Impact:  A remote attacker could determine all the network addresses of the system
    Description:  The AFP file server supported a command which returned all the network addresses of the system. This issue was addressed by removing the addresses from the result.
    CVE-ID
    CVE-2014-4426 : Craig Young of Tripwire VERT

    apache
    Impact:  Multiple vulnerabilities in Apache
    Description:  Multiple vulnerabilities existed in Apache, the most serious of which may lead to a denial of service. These issues were addressed by updating Apache to version 2.4.9.
    CVE-ID
    CVE-2013-6438
    CVE-2014-0098

    App Sandbox
    Impact:  An application confined by sandbox restrictions may misuse the accessibility API
    Description:  A sandboxed application could misuse the accessibility API without the user's knowledge. This has been addressed by requiring administrator approval to use the accessibility API on a per-application basis.
    CVE-ID
    CVE-2014-4427 : Paul S. Ziegler of Reflare UG

    Bash
    Impact:  In certain configurations, a remote attacker may be able to execute arbitrary shell commands
    Description:  An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement. This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state. In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers.
    CVE-ID
    CVE-2014-6271 : Stephane Chazelas
    CVE-2014-7169 : Tavis Ormandy

    Bluetooth
    Impact:  A malicious Bluetooth input device may bypass pairing
    Description:  Unencrypted connections were permitted from Human Interface Device-class Bluetooth Low Energy devices. If a Mac had paired with such a device, an attacker could spoof the legitimate device to establish a connection. The issue was addressed by denying unencrypted HID connections.
    CVE-ID
    CVE-2014-4428 : Mike Ryan of iSEC Partners

    CFPreferences
    Impact:  The 'require password after sleep or screen saver begins' preference may not be respected until after a reboot
    Description:  A session management issue existed in the handling of system preference settings. This issue was addressed through improved session tracking.
    CVE-ID
    CVE-2014-4425

    Certificate Trust Policy
    Impact:  Update to the certificate trust policy
    Description:  The certificate trust policy was updated. The complete list of certificates may be viewed at http://support.apple.com/kb/HT6005.

    CoreStorage
    Impact:  An encrypted volume may stay unlocked when ejected
    Description:  When an encrypted volume was logically ejected while mounted, the volume was unmounted but the keys were retained, so it could have been mounted again without the password. This issue was addressed by erasing the keys on eject.
    CVE-ID
    CVE-2014-4430 : Benjamin King at See Ben Click Computer Services LLC, Karsten Iwen, Dustin Li (http://dustin.li/), Ken J. Takekoshi, and other anonymous researchers

    CUPS
    Impact:  A local user can execute arbitrary code with system privileges
    Description:  When the CUPS web interface served files, it would follow symlinks. A local user could create symlinks to arbitrary files and retrieve them through the web interface. This issue was addressed by disallowing symlinks to be served via the CUPS web interface.
    CVE-ID
    CVE-2014-3537

    Dock
    Impact:  In some circumstances, windows may be visible even when the screen is locked
    Description:  A state management issue existed in the handling of the screen lock. This issue was addressed through improved state tracking.
    CVE-ID
    CVE-2014-4431 : Emil Sjolander of Umea University

    fdesetup
    Impact:  The fdesetup command may provide misleading status for the state of encryption on disk
    Description:  After updating settings, but before rebooting, the fdesetup command provided misleading status. This issue was addressed through improved status reporting.
    CVE-ID
    CVE-2014-4432

    iCloud Find My Mac
    Impact:  iCloud Lost mode PIN may be bruteforced
    Description:  A state persistence issue in rate limiting allowed brute force attacks on iCloud Lost mode PIN. This issue was addressed through improved state persistence across reboots.
    CVE-ID
    CVE-2014-4435 : knoy

    IOAcceleratorFamily
    Impact:  An application may cause a denial of service
    Description:  A NULL pointer dereference was present in the IntelAccelerator driver. The issue was addressed through improved error handling.
    CVE-ID
    CVE-2014-4373 : cunzhang from Adlab of Venustech

    IOHIDFamily
    Impact:  A malicious application may be able to execute arbitrary code with system privileges
    Description:  A null pointer dereference existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved validation of IOHIDFamily key-mapping properties.
    CVE-ID
    CVE-2014-4405 : Ian Beer of Google Project Zero

    IOHIDFamily
    Impact:  A malicious application may be able to execute arbitrary code with system privileges
    Description:  A heap buffer overflow existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-4404 : Ian Beer of Google Project Zero

    IOHIDFamily
    Impact:  An application may cause a denial of service
    Description:  An out-of-bounds memory read was present in the IOHIDFamily driver. The issue was addressed through improved input validation.
    CVE-ID
    CVE-2014-4436 : cunzhang from Adlab of Venustech

    IOHIDFamily
    Impact:  A user may be able to execute arbitrary code with system privileges
    Description:  An out-of-bounds write issue existed in the IOHIDFamily driver. The issue was addressed through improved input validation.
    CVE-ID
    CVE-2014-4380 : cunzhang from Adlab of Venustech

    IOKit
    Impact:  A malicious application may be able to read uninitialized data from kernel memory
    Description:  An uninitialized memory access issue existed in the handling of IOKit functions. This issue was addressed through improved memory initialization.
    CVE-ID
    CVE-2014-4407 : @PanguTeam

    IOKit
    Impact:  A malicious application may be able to execute arbitrary code with system privileges
    Description:  A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata.
    CVE-ID
    CVE-2014-4388 : @PanguTeam

    IOKit
    Impact:  A malicious application may be able to execute arbitrary code with system privileges
    Description:  A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata.
    CVE-ID
    CVE-2014-4418 : Ian Beer of Google Project Zero

    Kernel
    Impact:  A local user may be able to determine kernel memory layout
    Description:  Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization.
    CVE-ID
    CVE-2014-4371 : Fermin J. Serna of the Google Security Team
    CVE-2014-4419 : Fermin J. Serna of the Google Security Team
    CVE-2014-4420 : Fermin J. Serna of the Google Security Team
    CVE-2014-4421 : Fermin J. Serna of the Google Security Team

    Kernel
    Impact:  A maliciously crafted file system may cause unexpected system shutdown or arbitrary code execution
    Description:  A heap-based buffer overflow issue existed in the handling of HFS resource forks. A maliciously crafted filesystem may cause an unexpected system shutdown or arbitrary code execution with kernel privileges. The issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-4433 : Maksymilian Arciemowicz

    Kernel
    Impact:  A malicious file system may cause unexpected system shutdown
    Description:  A NULL dereference issue existed in the handling of HFS filenames. A maliciously crafted filesystem may cause an unexpected system shutdown. This issue was addressed by avoiding the NULL dereference.
    CVE-ID
    CVE-2014-4434 : Maksymilian Arciemowicz

    Kernel
    Impact:  A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel
    Description:  A double free issue existed in the handling of Mach ports. This issue was addressed through improved validation of Mach ports.
    CVE-ID
    CVE-2014-4375 : an anonymous researcher

    Kernel
    Impact:  A person with a privileged network position may cause a denial of service
    Description:  A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking.
    CVE-ID
    CVE-2011-2391 : Marc Heuse

    Kernel
    Impact:  A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel
    Description:  An out-of-bounds read issue existed in rt_setgate. This may lead to memory disclosure or memory corruption. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-4408

    Kernel
    Impact:  A local user can cause an unexpected system termination
    Description:  A reachable panic existed in the handling of messages sent to system control sockets. This issue was addressed through additional validation of messages.
    CVE-ID
    CVE-2014-4442 : Darius Davis of VMware

    Kernel
    Impact:  Some kernel hardening measures may be bypassed
    Description:  The random number generator used for kernel hardening measures early in the boot process was not cryptographically secure. Some of its output was inferable from user space, allowing bypass of the hardening measures. This issue was addressed by using a cryptographically secure algorithm.
    CVE-ID
    CVE-2014-4422 : Tarjei Mandt of Azimuth Security

    LaunchServices
    Impact:  A local application may bypass sandbox restrictions
    Description:  The LaunchServices interface for setting content type handlers allowed sandboxed applications to specify handlers for existing content types. A compromised application could use this to bypass sandbox restrictions. The issue was addressed by restricting sandboxed applications from specifying content type handlers.
    CVE-ID
    CVE-2014-4437 : Meder Kydyraliev of the Google Security Team

    LoginWindow
    Impact:  Sometimes the screen might not lock
    Description:  A race condition existed in LoginWindow, which would sometimes prevent the screen from locking. The issue was addressed by changing the order of operations.
    CVE-ID
    CVE-2014-4438 : Harry Sintonen of nSense, Alessandro Lobina of Helvetia Insurances, Patryk Szlagowski of Funky Monkey Labs

    Mail
    Impact:  Mail may send email to unintended recipients
    Description:  A user interface inconsistency in Mail application resulted in email being sent to addresses that were removed from the list of recipients. The issue was addressed through improved user interface consistency checks.
    CVE-ID
    CVE-2014-4439 : Patrick J Power of Melbourne, Australia

    MCX Desktop Config Profiles
    Impact:  When mobile configuration profiles were uninstalled, their settings were not removed
    Description:  Web proxy settings installed by a mobile configuration profile were not removed when the profile was uninstalled. This issue was addressed through improved handling of profile uninstallation.
    CVE-ID
    CVE-2014-4440 : Kevin Koster of Cloudpath Networks

    NetFS Client Framework
    Impact:  File Sharing may enter a state in which it cannot be disabled
    Description:  A state management issue existed in the File Sharing framework. This issue was addressed through improved state management.
    CVE-ID
    CVE-2014-4441 : Eduardo Bonsi of BEARTCOMMUNICATIONS

    QuickTime
    Impact:  Playing a maliciously crafted m4a file may lead to an unexpected application termination or arbitrary code execution
    Description:  A buffer overflow existed in the handling of audio samples. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-4351 : Karl Smith of NCC Group

    Safari
    Impact:  History of pages recently visited in an open tab may remain after clearing of history
    Description:  Clearing Safari's history did not clear the back/forward history for open tabs. This issue was addressed by clearing the back/forward history.
    CVE-ID
    CVE-2013-5150

    Safari
    Impact:  Opting in to push notifications from a maliciously crafted website may cause future Safari Push Notifications to be missed
    Description:  An uncaught exception issue existed in SafariNotificationAgent's handling of Safari Push Notifications. This issue was addressed through improved handling of Safari Push Notifications.
    CVE-ID
    CVE-2014-4417 : Marek Isalski of Faelix Limited

    Secure Transport
    Impact:  An attacker may be able to decrypt data protected by SSL
    Description:  There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling CBC cipher suites when TLS connection attempts fail.
    CVE-ID
    CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of Google Security Team

    Security
    Impact:  A remote attacker may be able to cause a denial of service
    Description:  A null dereference existed in the handling of ASN.1 data. This issue was addressed through additional validation of ASN.1 data.
    CVE-ID
    CVE-2014-4443 : Coverity

    Security
    Impact:  A local user might have access to another user's Kerberos tickets
    Description:  A state management issue existed in SecurityAgent. While Fast User Switching, sometimes a Kerberos ticket for the switched-to user would be placed in the cache for the previous user. This issue was addressed through improved state management.
    CVE-ID
    CVE-2014-4444 : Gary Simon of Sandia National Laboratories, Ragnar Sundblad of KTH Royal Institute of Technology, Eugene Homyakov of Kaspersky Lab

    Security - Code Signing
    Impact:  Tampered applications may not be prevented from launching
    Description:  Apps signed on OS X prior to OS X Mavericks 10.9 or apps using custom resource rules, may have been susceptible to tampering that would not have invalidated the signature. On systems set to allow only apps from the Mac App Store and identified developers, a downloaded modified app could have been allowed to run as though it were legitimate. This issue was addressed by ignoring signatures of bundles with resource envelopes that omit resources that may influence execution. OS X Mavericks v10.9.5 and Security Update 2014-004 for OS X Mountain Lion v10.8.5 already contain these changes.
    CVE-ID
    CVE-2014-4391 : Christopher Hickstein working with HP's Zero Day Initiative

    Note: OS X Yosemite includes Safari 8.0, which incorporates the security content of Safari 7.1. For further details see "About the security content of Safari 7.1" at https://support.apple.com/kb/HT6440.

    Now compare that to the Security Update for Mountain Lion and Mavericks that came out the same day:

    APPLE-SA-2014-10-16-2 Security Update 2014-005

    Security Update 2014-005 is now available and addresses the following:

    Secure Transport
    Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
    Impact:  An attacker may be able to decrypt data protected by SSL
    Description:  There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling CBC cipher suites when TLS connection attempts fail.
    CVE-ID
    CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of Google Security Team

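The Bash entry in the advisory quoted above describes two layers of hardening: stop parsing at the end of the exported function statement, and import functions only from variables named `__BASH_FUNC<name>()`. The following is an added model of those two rules (not Apple's or the Bash project's code; the brace matching is a simplification of Bash's real parser, and the environment is constructed for illustration), useful for seeing why an arbitrary CGI-style variable name no longer reaches the function importer.

```python
"""Model of the Bash environment-function import rules before and after the
CVE-2014-6271 / CVE-2014-7169 hardening described in the Yosemite advisory.
Added illustration only; simplified, not Bash's real parser."""
import re

FUNC_PREFIX = "__BASH_FUNC<"
FUNC_SUFFIX = ">()"
FUNC_NAME_RE = re.compile(
    re.escape(FUNC_PREFIX) + r"([A-Za-z_][A-Za-z0-9_]*)" + re.escape(FUNC_SUFFIX)
)

# Constructed sample environment: a normal variable, a function exported the
# old way, the same function under the new namespace, a CGI-style header
# variable whose value merely looks like a function, and a namespaced
# variable with text after the closing brace.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "greet": "() { echo hello; }",
    "__BASH_FUNC<greet>()": "() { echo hello; }",
    "HTTP_USER_AGENT": "() { :; }; echo trailing-text",
    "__BASH_FUNC<bad>()": "() { :; }; echo trailing-text",
}


def split_function_definition(value):
    """Return (body, trailing) for a value of the form "() { ... }".

    body is the text inside the outermost braces, trailing is whatever
    follows the closing brace. Returns None when the value is not a function
    definition or the definition is unterminated. Brace matching ignores
    quoting, which is enough for this model.
    """
    if not value.startswith("() {"):
        return None
    depth = 0
    start = value.index("{")
    for i in range(start, len(value)):
        if value[i] == "{":
            depth += 1
        elif value[i] == "}":
            depth -= 1
            if depth == 0:
                return value[start + 1:i].strip(), value[i + 1:].strip()
    return None


def import_functions(env, hardened):
    """Return (imported, rejected) for one pass over the environment.

    hardened=False models the pre-fix behaviour: any variable whose value
    starts with "() {" is imported under its own name, and text after the
    closing brace was parsed too (reported here as 'trailing', not run).
    hardened=True models the advisory's fix: the name must match
    __BASH_FUNC<name>() and any trailing text rejects the variable.
    """
    imported, rejected = {}, {}
    for name, value in env.items():
        parsed = split_function_definition(value)
        if parsed is None:
            continue  # not a function definition at all
        body, trailing = parsed
        if not hardened:
            imported[name] = {"body": body, "trailing": trailing}
            continue
        match = FUNC_NAME_RE.fullmatch(name)
        if match is None:
            rejected[name] = "bad name"
        elif trailing:
            rejected[name] = "trailing text"
        else:
            imported[match.group(1)] = {"body": body, "trailing": ""}
    return imported, rejected
```

Running `import_functions(SAMPLE_ENV, hardened=False)` imports all four function-shaped values, including the header variable; with `hardened=True` only `greet` from `__BASH_FUNC<greet>()` survives.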
  • by mkadc, Apr 14, 2015 12:06 AM in response to MadMacs0
    Level 1 (0 points)

    What does this mean? Are all those security holes only present in Yosemite, or were they there all along in pre-Yosemite versions?

    If it's truly the latter, then one should not consider anything below 10.10 as a "supported" OS anymore, right?

  • by MadMacs0, Apr 14, 2015 12:35 AM in response to mkadc
    Level 5 (4,791 points)

    mkadc wrote:

    Are all those security holes only present in Yosemite, or were they there all along in pre-Yosemite versions?

    Since this was the first release of Yosemite they would have to be fixes to Mavericks 10.9.5 and probably previous versions, but you would have to look up each CVE to be certain.

    then one should not consider anything below 10.10 as a "supported" OS anymore, right?

    Not fully supported would probably be a better choice of words. XProtect is still being updated in 10.6.7 and above, and Security Update 2015-004, which came out the same day as Yosemite 10.10.3, applied to most of the same vulnerabilities in 10.8.5 and 10.9.5.
