Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: jspokes
jspokes Author
User level: Level 1
9 points

CVE-2015-1130 - Protection on Mountain Lion

So Apple has been alerted to a serious OSX security flaw that so far they have only fixed in Yosemite.


About the security content of OS X Yosemite v10.10.3 and Security Update 2015-004 - Apple Support


What can we do to protect our usage on Mountain Lion when apple haven't fixed known security problems?


I can't update to Yosemite. Far too many driver, application and music productions related issues. Sure Gatekeeper asks if we want to Open untrusted applications, but I've certainly got a number of applications that are not digitally signed and necessary for what I do.

MacBook Pro, OS X Mountain Lion (10.8.5)

Posted on Apr 10, 2015 3:23 PM

Reply
32 replies
User profile for user: MadMacs0
MadMacs0
User level: Level 5
5,221 points

Jul 4, 2015 1:14 AM in response to WZZZ

WZZZ wrote:


This is certainly a vulnerability, and even Apple's fix included in 10.10.3 is apparently a miserable failure.

So it's apparently all better now:


APPLE-SA-2015-06-30-2 OS X Yosemite v10.10.4 and Security Update

2015-005


OS X Yosemite v10.10.4 and Security Update 2015-005 are now available

and address the following:


Admin Framework

Available for: OS X Mavericks v10.9.5,

OS X Yosemite v10.10 to v10.10.3

Impact: A process may gain admin privileges without proper

authentication

Description: An issue existed when checking XPC entitlements. This

issue was addressed through improved entitlement checking.

CVE-ID

CVE-2015-3671 : Emil Kvarnhammar at TrueSec


Admin Framework

Available for: OS X Mavericks v10.9.5,

OS X Yosemite v10.10 to v10.10.3

Impact: A non-admin user may obtain admin rights

Description: An issue existed in the handling of user

authentication. This issue was addressed through improved error

checking.

CVE-ID

CVE-2015-3672 : Emil Kvarnhammar at TrueSec


Admin Framework

Available for: OS X Yosemite v10.10 to v10.10.3

Impact: An attacker may abuse Directory Utility to gain root

privileges

Description: Directory Utility was able to be moved and modified to

achieve code execution within an entitled process. This issue was

addressed by limiting the disk location that writeconfig clients may

be executed from.

CVE-ID

CVE-2015-3673 : Patrick Wardle of Synack, Emil Kvarnhammar at TrueSec

Reply
User profile for user: WZZZ
WZZZ
User level: Level 6
13,220 points

Jul 4, 2015 5:10 AM in response to MadMacs0

Yeah, I saw that. And I think both Wardle and Kvarnhammar are saying it's fixed now, both in 10.9 and 10.10. But leaves me still wondering if 10.8 was left out, or if it didn't need it to begin with, which the rootpipe tester seems to think is the case. And Apple, to their everlasting credit, didn't do anything about Logjam, except in 10.10, where the fix for the D-H SSL3 vulnerabilities is system wide. They left Safari in all lower versions still vulnerable, and nothing for those OSs.

Reply

CVE-2015-1130 - Protection on Mountain Lion

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up