Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

CVE-2015-1130 - Protection on Mountain Lion

So Apple has been alerted to a serious OSX security flaw that so far they have only fixed in Yosemite.


About the security content of OS X Yosemite v10.10.3 and Security Update 2015-004 - Apple Support


What can we do to protect our usage on Mountain Lion when apple haven't fixed known security problems?


I can't update to Yosemite. Far too many driver, application and music productions related issues. Sure Gatekeeper asks if we want to Open untrusted applications, but I've certainly got a number of applications that are not digitally signed and necessary for what I do.

MacBook Pro, OS X Mountain Lion (10.8.5)

Posted on Apr 10, 2015 3:23 PM

Reply
32 replies

Apr 13, 2015 1:45 PM in response to jspokes

jspokes, am I reading this correct (from the security researchers link you provided)? It looks like Apple has flatly declined to fix this?


Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older.


If Microsoft said something similar, it would be international news, and they would be tarred and feathered by the user base. Unbelievable. 😠

Apr 13, 2015 11:52 PM in response to jspokes

jspokes wrote:


That's interesting. Can you point us to any links To the CVEs?

For whatever reason this isn't available from the Apple Product Security archives:

APPLE-SA-2014-10-16-1 OS X Yosemite v10.10


OS X Yosemite v10.10 is now available and addresses the following:


802.1X

Impact: An attacker can obtain WiFi credentials

Description: An attacker could have impersonated a WiFi access

point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash,

and used the derived credentials to authenticate to the intended

access point even if that access point supported stronger

authentication methods. This issue was addressed by disabling LEAP by

default.

CVE-ID

CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim

Lamotte of Universiteit Hasselt


AFP File Server

Impact: A remote attacker could determine all the network addresses

of the system

Description: The AFP file server supported a command which returned

all the network addresses of the system. This issue was addressed by

removing the addresses from the result.

CVE-ID

CVE-2014-4426 : Craig Young of Tripwire VERT


apache

Impact: Multiple vulnerabilities in Apache

Description: Multiple vulnerabilities existed in Apache, the most

serious of which may lead to a denial of service. These issues were

addressed by updating Apache to version 2.4.9.

CVE-ID

CVE-2013-6438

CVE-2014-0098


App Sandbox

Impact: An application confined by sandbox restrictions may misuse

the accessibility API

Description: A sandboxed application could misuse the accessibility

API without the user's knowledge. This has been addressed by

requiring administrator approval to use the accessibility API on an

per-application basis.

CVE-ID

CVE-2014-4427 : Paul S. Ziegler of Reflare UG


Bash

Impact: In certain configurations, a remote attacker may be able to

execute arbitrary shell commands

Description: An issue existed in Bash's parsing of environment

variables. This issue was addressed through improved environment

variable parsing by better detecting the end of the function

statement. This update also incorporated the suggested CVE-2014-7169

change, which resets the parser state. In addition, this update

added a new namespace for exported functions by creating a function

decorator to prevent unintended header passthrough to Bash. The names

of all environment variables that introduce function definitions are

required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent

unintended function passing via HTTP headers.

CVE-ID

CVE-2014-6271 : Stephane Chazelas

CVE-2014-7169 : Tavis Ormandy


Bluetooth

Impact: A malicious Bluetooth input device may bypass pairing

Description: Unencrypted connections were permitted from Human

Interface Device-class Bluetooth Low Energy devices. If a Mac had

paired with such a device, an attacker could spoof the legitimate

device to establish a connection. The issue was addressed by denying

unencrypted HID connections.

CVE-ID

CVE-2014-4428 : Mike Ryan of iSEC Partners


CFPreferences

Impact: The 'require password after sleep or screen saver begins'

preference may not be respected until after a reboot

Description: A session management issue existed in the handling of

system preference settings. This issue was addressed through improved

session tracking.

CVE-ID

CVE-2014-4425


Certificate Trust Policy

Impact: Update to the certificate trust policy

Description: The certificate trust policy was updated. The complete

list of certificates may be viewed at

http://support.apple.com/kb/HT6005.


CoreStorage

Impact: An encrypted volume may stay unlocked when ejected

Description: When an encrypted volume was logically ejected while

mounted, the volume was unmounted but the keys were retained, so it

could have been mounted again without the password. This issue was

addressed by erasing the keys on eject.

CVE-ID

CVE-2014-4430 : Benjamin King at See Ben Click Computer Services LLC,

Karsten Iwen, Dustin Li (http://dustin.li/), Ken J. Takekoshi, and

other anonymous researchers


CUPS

Impact: A local user can execute arbitrary code with system

privileges

Description: When the CUPS web interface served files, it would

follow symlinks. A local user could create symlinks to arbitrary

files and retrieve them through the web interface. This issue was

addressed by disallowing symlinks to be served via the CUPS web

interface.

CVE-ID

CVE-2014-3537


Dock

Impact: In some circumstances, windows may be visible even when the

screen is locked

Description: A state management issue existed in the handling of the

screen lock. This issue was addressed through improved state

tracking.

CVE-ID

CVE-2014-4431 : Emil Sjolander of Umea University


fdesetup

Impact: The fdesetup command may provide misleading status for the

state of encryption on disk

Description: After updating settings, but before rebooting, the

fdesetup command provided misleading status. This issue was addressed

through improved status reporting.

CVE-ID

CVE-2014-4432


iCloud Find My Mac

Impact: iCloud Lost mode PIN may be bruteforced

Description: A state persistence issue in rate limiting allowed

brute force attacks on iCloud Lost mode PIN. This issue was addressed

through improved state persistence across reboots.

CVE-ID

CVE-2014-4435 : knoy


IOAcceleratorFamily

Impact: An application may cause a denial of service

Description: A NULL pointer dereference was present in the

IntelAccelerator driver. The issue was addressed through improved

error handling.

CVE-ID

CVE-2014-4373 : cunzhang from Adlab of Venustech


IOHIDFamily

Impact: A malicious application may be able to execute arbitrary

code with system privileges

Description: A null pointer dereference existed in IOHIDFamily's

handling of key-mapping properties. This issue was addressed through

improved validation of IOHIDFamily key-mapping properties.

CVE-ID

CVE-2014-4405 : Ian Beer of Google Project Zero


IOHIDFamily

Impact: A malicious application may be able to execute arbitrary

code with system privileges

Description: A heap buffer overflow existed in IOHIDFamily's

handling of key-mapping properties. This issue was addressed through

improved bounds checking.

CVE-ID

CVE-2014-4404 : Ian Beer of Google Project Zero


IOHIDFamily

Impact: An application may cause a denial of service

Description: A out-of-bounds memory read was present in the

IOHIDFamily driver. The issue was addressed through improved input

validation.

CVE-ID

CVE-2014-4436 : cunzhang from Adlab of Venustech


IOHIDFamily

Impact: A user may be able to execute arbitrary code with system

privileges

Description: An out-of-bounds write issue exited in the IOHIDFamily

driver. The issue was addressed through improved input validation.

CVE-ID

CVE-2014-4380 : cunzhang from Adlab of Venustech


IOKit

Impact: A malicious application may be able to read uninitialized

data from kernel memory

Description: An uninitialized memory access issue existed in the

handling of IOKit functions. This issue was addressed through

improved memory initialization.

CVE-ID

CVE-2014-4407 : @PanguTeam


IOKit

Impact: A malicious application may be able to execute arbitrary

code with system privileges

Description: A validation issue existed in the handling of certain

metadata fields of IODataQueue objects. This issue was addressed

through improved validation of metadata.

CVE-ID

CVE-2014-4388 : @PanguTeam


IOKit

Impact: A malicious application may be able to execute arbitrary

code with system privileges

Description: A validation issue existed in the handling of certain

metadata fields of IODataQueue objects. This issue was addressed

through improved validation of metadata.

CVE-ID

CVE-2014-4418 : Ian Beer of Google Project Zero


Kernel

Impact: A local user may be able to determine kernel memory layout

Description: Multiple uninitialized memory issues existed in the

network statistics interface, which led to the disclosure of kernel

memory content. This issue was addressed through additional memory

initialization.

CVE-ID

CVE-2014-4371 : Fermin J. Serna of the Google Security Team

CVE-2014-4419 : Fermin J. Serna of the Google Security Team

CVE-2014-4420 : Fermin J. Serna of the Google Security Team

CVE-2014-4421 : Fermin J. Serna of the Google Security Team


Kernel

Impact: A maliciously crafted file system may cause unexpected

system shutdown or arbitrary code execution

Description: A heap-based buffer overflow issue existed in the

handling of HFS resource forks. A maliciously crafted filesystem may

cause an unexpected system shutdown or arbitrary code execution with

kernel privileges. The issue was addressed through improved bounds

checking.

CVE-ID

CVE-2014-4433 : Maksymilian Arciemowicz


Kernel

Impact: A malicious file system may cause unexpected system shutdown

Description: A NULL dereference issue existed in the handling of HFS

filenames. A maliciously crafted filesystem may cause an unexpected

system shutdown. This issue was addressed by avoiding the NULL

dereference.

CVE-ID

CVE-2014-4434 : Maksymilian Arciemowicz


Kernel

Impact: A local user may be able to cause an unexpected system

termination or arbitrary code execution in the kernel

Description: A double free issue existed in the handling of Mach

ports. This issue was addressed through improved validation of Mach

ports.

CVE-ID

CVE-2014-4375 : an anonymous researcher


Kernel

Impact: A person with a privileged network position may cause a

denial of service

Description: A race condition issue existed in the handling of IPv6

packets. This issue was addressed through improved lock state

checking.

CVE-ID

CVE-2011-2391 : Marc Heuse


Kernel

Impact: A local user may be able to cause an unexpected system

termination or arbitrary code execution in the kernel

Description: An out-of-bounds read issue existed in rt_setgate. This

may lead to memory disclosure or memory corruption. This issue was

addressed through improved bounds checking.

CVE-ID

CVE-2014-4408


Kernel

Impact: A local user can cause an unexpected system termination

Description: A reachable panic existed in the handling of messages

sent to system control sockets. This issue was addressed through

additional validation of messages.

CVE-ID

CVE-2014-4442 : Darius Davis of VMware


Kernel

Impact: Some kernel hardening measures may be bypassed

Description: The random number generator used for kernel hardening

measures early in the boot process was not cryptographically secure.

Some of its output was inferable from user space, allowing bypass of

the hardening measures. This issue was addressed by using a

cryptographically secure algorithm.

CVE-ID

CVE-2014-4422 : Tarjei Mandt of Azimuth Security


LaunchServices

Impact: A local application may bypass sandbox restrictions

Description: The LaunchServices interface for setting content type

handlers allowed sandboxed applications to specify handlers for

existing content types. A compromised application could use this to

bypass sandbox restrictions. The issue was addressed by restricting

sandboxed applications from specifying content type handlers.

CVE-ID

CVE-2014-4437 : Meder Kydyraliev of the Google Security Team


LoginWindow

Impact: Sometimes the screen might not lock

Description: A race condition existed in LoginWindow, which would

sometimes prevent the screen from locking. The issue was addressed by

changing the order of operations.

CVE-ID

CVE-2014-4438 : Harry Sintonen of nSense, Alessandro Lobina of

Helvetia Insurances, Patryk Szlagowski of Funky Monkey Labs


Mail

Impact: Mail may send email to unintended recipients

Description: A user interface inconsistency in Mail application

resulted in email being sent to addresses that were removed from the

list of recipients. The issue was addressed through improved user

interface consistency checks.

CVE-ID

CVE-2014-4439 : Patrick J Power of Melbourne, Australia


MCX Desktop Config Profiles

Impact: When mobile configuration profiles were uninstalled, their

settings were not removed

Description: Web proxy settings installed by a mobile configuration

profile were not removed when the profile was uninstalled. This issue

was addressed through improved handling of profile uninstallation.

CVE-ID

CVE-2014-4440 : Kevin Koster of Cloudpath Networks


NetFS Client Framework

Impact: File Sharing may enter a state in which it cannot be

disabled

Description: A state management issue existed in the File Sharing

framework. This issue was addressed through improved state

management.

CVE-ID

CVE-2014-4441 : Eduardo Bonsi of BEARTCOMMUNICATIONS


QuickTime

Impact: Playing a maliciously crafted m4a file may lead to an

unexpected application termination or arbitrary code execution

Description: A buffer overflow existed in the handling of audio

samples. This issue was addressed through improved bounds checking.

CVE-ID

CVE-2014-4351 : Karl Smith of NCC Group


Safari

Impact: History of pages recently visited in an open tab may remain

after clearing of history

Description: Clearing Safari's history did not clear the

back/forward history for open tabs. This issue was addressed by

clearing the back/forward history.

CVE-ID

CVE-2013-5150


Safari

Impact: Opting in to push notifications from a maliciously crafted

website may cause future Safari Push Notifications to be missed

Description: An uncaught exception issue existed in

SafariNotificationAgent's handling of Safari Push Notifications. This

issue was addressed through improved handling of Safari Push

Notifications.

CVE-ID

CVE-2014-4417 : Marek Isalski of Faelix Limited


Secure Transport

Impact: An attacker may be able to decrypt data protected by SSL

Description: There are known attacks on the confidentiality of SSL

3.0 when a cipher suite uses a block cipher in CBC mode. An attacker

could force the use of SSL 3.0, even when the server would support a

better TLS version, by blocking TLS 1.0 and higher connection

attempts. This issue was addressed by disabling CBC cipher suites

when TLS connection attempts fail.

CVE-ID

CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of

Google Security Team


Security

Impact: A remote attacker may be able to cause a denial of service

Description: A null dereference existed in the handling of ASN.1

data. This issue was addressed through additional validation of ASN.1

data.

CVE-ID

CVE-2014-4443 : Coverity


Security

Impact: A local user might have access to another user's Kerberos

tickets

Description: A state management issue existed in SecurityAgent.

While Fast User Switching, sometimes a Kerberos ticket for the

switched-to user would be placed in the cache for the previous user.

This issue was addressed through improved state management.

CVE-ID

CVE-2014-4444 : Gary Simon of Sandia National Laboratories, Ragnar

Sundblad of KTH Royal Institute of Technology, Eugene Homyakov of

Kaspersky Lab


Security - Code Signing

Impact: Tampered applications may not be prevented from launching

Description: Apps signed on OS X prior to OS X Mavericks 10.9 or

apps using custom resource rules, may have been susceptible to

tampering that would not have invalidated the signature. On systems

set to allow only apps from the Mac App Store and identified

developers, a downloaded modified app could have been allowed to run

as though it were legitimate. This issue was addressed by ignoring

signatures of bundles with resource envelopes that omit resources

that may influence execution. OS X Mavericks v10.9.5 and Security

Update 2014-004 for OS X Mountain Lion v10.8.5 already contain these

changes.

CVE-ID

CVE-2014-4391 : Christopher Hickstein working with HP's Zero Day

Initiative



Note: OS X Yosemite includes Safari 8.0, which incorporates

the security content of Safari 7.1. For further details see

"About the security content of Safari 7.1" at

https://support.apple.com/kb/HT6440.

Now compare that to the Security Update for Mountain Lion and Mavericks that came out the same day:

APPLE-SA-2014-10-16-2 Security Update 2014-005


Security Update 2014-005 is now available and addresses the

following:


Secure Transport

Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

Impact: An attacker may be able to decrypt data protected by SSL

Description: There are known attacks on the confidentiality of SSL

3.0 when a cipher suite uses a block cipher in CBC mode. An attacker

could force the use of SSL 3.0, even when the server would support a

better TLS version, by blocking TLS 1.0 and higher connection

attempts. This issue was addressed by disabling CBC cipher suites

when TLS connection attempts fail.

CVE-ID

CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of

Google Security Team

Apr 14, 2015 12:35 AM in response to mkadc

mkadc wrote:


Are all those security holes only present in Yosemite, or were they all along in pre-Yosemite's?

Since this was the first release of Yosemite they would have to be fixes to Mavericks 10.9.5 and probably previous versions, but you would have to look up each CVE to be certain.

then one should not consider anything below 10.10 as as "supported" OS anymore, right?

Not fully supported would probably be a better choice of words. XProtect is still being updated in 10.6.7 and above and Security Update 2025-004 which came out the same day as Yosemite 10.10.3 applied to most of the same vulnerabilities in 10.8.5 and 10.9.5.

Apr 14, 2015 2:12 AM in response to MadMacs0

OK, you got my curiosity burning, so i spent around an hour looking through these. Let me say it is not appropriate or prudent to details all my findings. This is exactly what malware writers do looking for vulnerabilities. It is not easy and shouldn't be easy finding out this information. I am comfortable that:


  • Many vulnerabilities were introduced in 10.9.5, therefore earlier versions are safe. They were then fixed with the release of 10.0.
  • Some key ones like the famous Bash aka Shellshock bugs had specific updates for quite old systems as they were deemed major threats
  • Some vulnerabilities go back a long way, but in most cases their impact is low so only newer systems were fixed. This is fair enough. At least the last few O/S version were patched.
  • The periodic combo updates like Security Update 2014-004 (Mountain Lion) address many of these issues.


The difference with this one is that its a major vulnerability in very recent O/S versions that Apple need to fix quickly. I'd like to give Apple benefit of the doubt and hope they will fix this.

CVE-2015-1130 - Protection on Mountain Lion

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.