OS X Mavericks 10.9.4 and Security Update 2014-003 are now available and include a long list of security bug fixes. Apple rolled out these updates in conjunction with Apple TV 6.1.2, Safari versions 6.1.5 and 7.0.5, and iOS 7.1.2.
This update is available for: OS X Lion 10.7.5, OS X Lion Server 10.7.5, OS X Mountain Lion 10.8.5, and OS X Mavericks 10.9 to 10.9.3.
Altogether, Security Update 2014-003 addresses 19 vulnerabilities (CVEs) and includes an update to the certificate trust policy, according to Apple’s product security page.
Security Update 2014-003 addresses the following vulnerabilities:
CVE-2014-1370 : Opening a maliciously crafted zip file may lead to an unexpected application termination or arbitrary code execution. The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive. This issue was addressed through improved bounds checking.
CVE-2014-0015 : A remote attacker may be able to gain access to another user’s session. cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.
CVE-2014-1371 : A sandboxed application may be able to circumvent sandbox restrictions. An unvalidated array index issue existed in the Dock’s handling of messages from applications. A maliciously crafted message could cause an invalid function pointer to be dereferenced, which could lead to an unexpected application termination or arbitrary code execution.
CVE-2014-1372 : Graphics Driver in Apple OS X before 10.9.4 does not properly restrict read operations during processing of an unspecified system call, which allows local users to obtain sensitive information from kernel memory and bypass the ASLR protection mechanism via a crafted call. This issue was addressed through improved bounds checking.
CVE-2014-1317 : An attacker with access to a system may be able to recover Apple ID credentials. An issue existed in the handling of iBooks logs. iBooks Commerce in Apple OS X before 10.9.4 places Apple ID credentials in the iBooks log, which allows local users to obtain sensitive information by reading this file. This issue was addressed by disallowing logging of credentials.
CVE-2014-1373 : A malicious application may be able to execute arbitrary code with system privileges. A validation issue existed in the handling of an OpenGL API call. This issue was addressed through improved bounds checking.
CVE-2014-1375 : A local user can read a kernel pointer, which can be used to bypass kernel address space layout randomization. A kernel pointer stored in an IOKit object could be retrieved from userland. This issue was addressed by removing the pointer from the object.
CVE-2014-1376 : A malicious application may be able to execute arbitrary code with system privileges. A validation issue existed in the handling of an OpenCL API call. This issue was addressed through improved bounds checking.
CVE-2014-1377 : A malicious application may be able to execute arbitrary code with system privileges. An array indexing issue existed in IOAcceleratorFamily. This issue was addressed through improved bounds checking.
CVE-2014-1378 : A local user can read a kernel pointer, which can be used to bypass kernel address space layout randomization. A kernel pointer stored in an IOKit object could be retrieved from userland. This issue was addressed by using a unique ID instead of a pointer.
CVE-2014-1355 : A local user could cause an unexpected system restart. The IOKit implementation in the kernel in Apple iOS before 7.1.2 and Apple TV before 6.1.2, and in IOReporting in Apple OS X before 10.9.4, allows local users to cause a denial of service (NULL pointer dereference and reboot) via crafted API arguments. This issue was addressed through additional validation of IOKit API arguments.
CVE-2014-1359 : A malicious application may be able to execute arbitrary code with system privileges. Integer underflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application. This issue was addressed through improved bounds checking.
CVE-2014-1356 : A malicious application may be able to execute arbitrary code with system privileges. Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages. This issue was addressed through improved bounds checking.
CVE-2014-1357 : A malicious application may be able to execute arbitrary code with system privileges. Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that generates log messages. This issue was addressed through improved bounds checking.
CVE-2014-1358 : A malicious application may be able to execute arbitrary code with system privileges. Integer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application. This issue was addressed through improved bounds checking.
CVE-2014-1379 : A malicious application may be able to execute arbitrary code with system privileges. Multiple null dereference issues existed in kernel graphics drivers. A maliciously crafted 32-bit executable may have been able to obtain elevated privileges.
CVE-2014-1380 : The Security – Keychain component in Apple OS X before 10.9.4 does not properly implement keystroke observers, which allows physically proximate attackers to bypass the screen-lock protection mechanism, and enter characters into an arbitrary window under the lock window, via keyboard input. This issue was addressed through improved keystroke observer management.
CVE-2014-1361 : Two bytes of memory could be disclosed to a remote attacker. An uninitialized memory access issue existing in the handling of DTLS messages in a TLS connection. This issue was addressed by only accepting DTLS messages in a DTLS connection.
CVE-2014-1381 : A malicious application may be able to execute arbitrary code with system privileges. Thunderbolt in Apple OS X before 10.9.4 does not properly restrict IOThunderBoltController API calls, which allows attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted call. This issue was addressed through improved bounds checking.
We strongly encourage all Mac users to download and install all security updates as soon as possible – it is an essential layer of security that keeps your digital life secure.
You can update through Apple’s Software Update tool by choosing Apple menu >Software Update when you’re ready to install, or you can go directly to Apple’s support page to download the updates from there.
