Apple Security Update 2014-002 Patches Secure Transport
Posted on by Derek Erwin
Yesterday, Apple released Security Update 2014-002 for OS X with patches for 13 vulnerabilities.
This update is available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2.
Unfortunately, Apple has stopped releasing security updates for Snow Leopard, the 2009 edition operating system.
MORE: What to Do if Your Mac Can’t Run OS X Mavericks
The security-only update addresses multiple security flaws, including a vulnerability in its Secure Transport—Apple’s API mechanism for making SSL or TLS connections—that made it possible for “an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker’s data in one connection, and renegotiate so that the connections may be forwarded to each other,” Apple noted.
Apple’s security advisory further described its impact, saying, “An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL.” Apple credited members of the Prosecco research team at Inria Paris for reporting the flaw—Antoine Delignat-Lavaud, Karthikeyan Bhargavan and Alfredo Pironti.
In correlation with the release of Security Update 2014-002, Apple also patched its iOS and Apple TV implementations of Secure Transport with iOS 7.1.1 and Apple TV 6.1.1.
Security Update 2014-002 addresses the following vulnerabilities:
- CVE-2014-1296 : An attacker in a privileged network position can obtain web site credentials. Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie. This issue was addressed by ignoring incomplete HTTP header lines.
- CVE-2014-1315 : Visiting a maliciously crafted website or URL may result in an unexpected application termination or arbitrary code execution. A format string issue existed in the handling of URLs. This issue was addressed through additional validation of URLs. This issue does not affect systems prior to OS X Mavericks.
- CVE-2013-5170 : Opening a maliciously crafted PDF file may result in an unexpected application termination or arbitrary code execution. A buffer underflow existed in the handling of fonts in PDF files. This issue was addressed through additional bounds checking. This issue does not affect OS X Mavericks systems.
- CVE-2014-1316 : A remote attacker may be able to cause a denial of service. A reachable abort existed in the handling of ASN.1 data. This issue was addressed through additional validation of ASN.1 data.
- CVE-2014-1319 : Viewing a maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. A buffer overflow issue existed in ImageIO’s handling of JPEG images. This issue was addressed through improved bounds checking. This issue does not affect systems prior to OS X Mavericks.
- CVE-2014-1318 : A malicious application can take control of the system. A validation issue existed in the handling of a pointer from userspace. This issue was addressed through additional validation of pointers.
- CVE-2014-1320 : A local user can read kernel pointers, which can be used to bypass kernel address space layout randomization. A set of kernel pointers stored in an IOKit object could be retrieved from userland. This issue was addressed through removing the pointers from the object.
- CVE-2014-1322 : A local user can read a kernel pointer, which can be used to bypass kernel address space layout randomization. A kernel pointer stored in a XNU object could be retrieved from userland. This issue was addressed through removing the pointer from the object.
- CVE-2014-1321 : The screen might not lock. If a key was pressed or the trackpad touched just after the lid was closed, the system might have tried to wake up while going to sleep, which would have caused the screen to be unlocked. This issue was addressed by ignoring keypresses while going to sleep. This issue does not affect systems prior to OS X Mavericks.
- CVE-2013-6393 : Running a Ruby script that handles untrusted YAML tags may lead to an unexpected application termination or arbitrary code execution. An integer overflow issue existed in LibYAML’s handling of YAML tags. This issue was addressed through additional validation of YAML tags. This issue does not affect systems prior to OS X.
- CVE-2013-4164 : Running a Ruby script that uses untrusted input to create a Float object may lead to an unexpected application termination or arbitrary code execution. A heap-based buffer overflow issue existed in Ruby when converting a string to a floating point value. This issue was addressed through additional validation of floating point values.
- CVE-2014-1295 : An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL. In a ‘triple handshake’ attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker’s data in one connection, and renegotiate so that the connections may be forwarded to each other. To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection. This issue does not affect Mac OS X 10.7 systems and earlier.
- CVE-2014-1314 : Maliciously crafted applications can execute arbitrary code outside the sandbox. WindowServer sessions could be created by sandboxed applications. This issue was addressed by disallowing sandboxed applications from creating WindowServer sessions.
We strongly encourage all Mac users to download and install all security updates as soon as possible – it is an essential layer of security that keeps your digital life secure.
You can update through Apple’s Software Update tool by choosing Apple menu >Software Update when you’re ready to install, or you can go directly to Apple’s support page to download the updates from there.
For OS X Lion Server users, you can go here to download the 177.2 MB update.
OS X Lion users can go here to download the 126.9 MB update.
OS X Mountain Lion users can go here to download the 135.9 MB update.
OS X Mavericks users can go here to download the 80.5 MB update; this update also includes Safari 7.0.3.