
OS X Mavericks Security Update 2014-002

Notification Center in OS X Mavericks 10.9 shows the message "Update ready to install", so all you have to do is click "Restart".


I updated Safari to version 7.0.3.


Security Update 2014-002 is recommended for all users and improves the security of OS X. This update also includes Safari 7.0.3.

For details on the security content of this update, see: http://support.apple.com/kb/HT1222?viewlocale=ja_JP

For details on the content of Safari 7.0.3, see: http://support.apple.com/kb/HT6195?viewlocale=ja_JP

Security Update 2014-002

Learn about Security Update 2014-002.

 

  • CFNetwork HTTPProtocol

    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, and OS X Mavericks 10.9.2

    Impact: An attacker in a privileged network position can obtain web site credentials

    Description: Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie. This issue was addressed by ignoring incomplete HTTP header lines.

    CVE-ID

    CVE-2014-1296 : Antoine Delignat-Lavaud of Prosecco at Inria Paris

  • CoreServicesUIAgent

    Available for: OS X Mavericks 10.9.2

    Impact: Visiting a maliciously crafted website or URL may result in an unexpected application termination or arbitrary code execution

    Description: A format string issue existed in the handling of URLs. This issue was addressed through additional validation of URLs. This issue does not affect systems prior to OS X Mavericks.

    CVE-ID

    CVE-2014-1315 : Lukasz Pilorz of runic.pl, Erik Kooistra

  • FontParser

    Available for: OS X Mountain Lion v10.8.5

    Impact: Opening a maliciously crafted PDF file may result in an unexpected application termination or arbitrary code execution

    Description: A buffer underflow existed in the handling of fonts in PDF files. This issue was addressed through additional bounds checking. This issue does not affect OS X Mavericks systems.

    CVE-ID

    CVE-2013-5170 : Will Dormann of CERT/CC

  • Heimdal Kerberos

    Available for: OS X Mavericks 10.9.2

    Impact: A remote attacker may be able to cause a denial of service

    Description: A reachable abort existed in the handling of ASN.1 data. This issue was addressed through additional validation of ASN.1 data.

    CVE-ID

    CVE-2014-1316 : Joonas Kuorilehto of Codenomicon

  • ImageIO

    Available for: OS X Mavericks 10.9.2

    Impact: Viewing a maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow issue existed in ImageIO's handling of JPEG images. This issue was addressed through improved bounds checking. This issue does not affect systems prior to OS X Mavericks.

    CVE-ID

    CVE-2014-1319 : Cristian Draghici of Modulo Consulting, Karl Smith of NCC Group

  • Intel Graphics Driver

    Available for: OS X Mountain Lion v10.8.5 and OS X Mavericks 10.9.2

    Impact: A malicious application can take control of the system

    Description: A validation issue existed in the handling of a pointer from userspace. This issue was addressed through additional validation of pointers.

    CVE-ID

    CVE-2014-1318 : Ian Beer of Google Project Zero working with HP's Zero Day Initiative

  • IOKit Kernel

    Available for: OS X Mavericks 10.9.2

    Impact: A local user can read kernel pointers, which can be used to bypass kernel address space layout randomization

    Description: A set of kernel pointers stored in an IOKit object could be retrieved from userland. This issue was addressed through removing the pointers from the object.

    CVE-ID

    CVE-2014-1320 : Ian Beer of Google Project Zero working with HP's Zero Day Initiative

  • Kernel

    Available for: OS X Mavericks 10.9.2

    Impact: A local user can read a kernel pointer, which can be used to bypass kernel address space layout randomization

    Description: A kernel pointer stored in an XNU object could be retrieved from userland. This issue was addressed through removing the pointer from the object.

    CVE-ID

    CVE-2014-1322 : Ian Beer of Google Project Zero

  • Power Management

    Available for: OS X Mavericks 10.9.2

    Impact: The screen might not lock

    Description: If a key was pressed or the trackpad touched just after the lid was closed, the system might have tried to wake up while going to sleep, which would have caused the screen to be unlocked. This issue was addressed by ignoring keypresses while going to sleep. This issue does not affect systems prior to OS X Mavericks.

    CVE-ID

    CVE-2014-1321 : Paul Kleeberg of Stratis Health Bloomington MN, Julian Sincu at the Baden-Wuerttemberg Cooperative State University (DHBW Stuttgart), Gerben Wierda of R&A, Daniel Luz

  • Ruby

    Available for: OS X Mavericks 10.9.2

    Impact: Running a Ruby script that handles untrusted YAML tags may lead to an unexpected application termination or arbitrary code execution

    Description: An integer overflow issue existed in LibYAML's handling of YAML tags. This issue was addressed through additional validation of YAML tags. This issue does not affect systems prior to OS X Mavericks.

    CVE-ID

    CVE-2013-6393

  • Ruby

    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, and OS X Mavericks 10.9.2

    Impact: Running a Ruby script that uses untrusted input to create a Float object may lead to an unexpected application termination or arbitrary code execution

    Description: A heap-based buffer overflow issue existed in Ruby when converting a string to a floating point value. This issue was addressed through additional validation of floating point values.

    CVE-ID

    CVE-2013-4164

  • Security - Secure Transport

    Available for: OS X Mountain Lion v10.8.5 and OS X Mavericks 10.9.2

    Impact: An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL

    Description: In a 'triple handshake' attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other. To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection. This issue does not affect Mac OS X 10.7 systems and earlier.

    CVE-ID

    CVE-2014-1295 : Antoine Delignat-Lavaud, Karthikeyan Bhargavan and Alfredo Pironti of Prosecco at Inria Paris

  • WindowServer

    Available for: OS X Mountain Lion v10.8.5 and OS X Mavericks 10.9.2

    Impact: Maliciously crafted applications can execute arbitrary code outside the sandbox

    Description: WindowServer sessions could be created by sandboxed applications. This issue was addressed by disallowing sandboxed applications from creating WindowServer sessions.

    CVE-ID

    CVE-2014-1314 : KeenTeam working with HP's Zero Day Initiative
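
The CFNetwork entry (CVE-2014-1296) above describes Set-Cookie headers being honoured even when the connection closed before the header line was complete, so the Secure and HttpOnly attributes that should have followed never arrive. The Python below is an added illustration, not Apple's code: a toy Set-Cookie reader with the lenient pre-fix behaviour beside the fixed behaviour of ignoring incomplete header lines, run over constructed header bytes.

```python
# Added illustration of the CFNetwork Set-Cookie issue (CVE-2014-1296); this is not
# Apple's code. A header line is only trustworthy once its terminating CRLF has
# arrived: if the peer closes the connection earlier, the attributes that would
# have followed (Secure, HttpOnly) are missing, which is not the same as "not set".

def parse_set_cookie(header_block: bytes, strict: bool) -> dict:
    """Return {cookie_name: {"value": str, "attrs": set}} from a raw header block.

    header_block: the bytes received before the connection closed (constructed input).
    strict=False: pre-fix behaviour, a trailing line without CRLF is still processed.
    strict=True:  fixed behaviour, only CRLF-terminated header lines are honoured.
    """
    lines = header_block.split(b"\r\n")
    complete, tail = lines[:-1], lines[-1]   # tail is non-empty only if truncated
    candidates = complete + [tail] if (tail and not strict) else complete
    cookies = {}
    for line in candidates:
        if not line.lower().startswith(b"set-cookie:"):
            continue
        body = line.split(b":", 1)[1].decode("latin-1").strip()
        parts = [p.strip() for p in body.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
        cookies[name] = {"value": value, "attrs": attrs}
    return cookies


def exposed_over_plaintext(cookies: dict, name: str) -> bool:
    """True if the jar holds `name` without the Secure attribute, i.e. a client
    would later send it on an unencrypted request."""
    cookie = cookies.get(name)
    return cookie is not None and "secure" not in cookie["attrs"]


# Constructed sample traffic: the full response, and the same response as received
# when the connection closed right before "; Secure; HttpOnly\r\n" was delivered.
FULL_HEADERS = b"HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123; Secure; HttpOnly\r\n\r\n"
TRUNCATED_HEADERS = b"HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123"

if __name__ == "__main__":
    for label, block in (("full", FULL_HEADERS), ("truncated", TRUNCATED_HEADERS)):
        for strict in (False, True):
            jar = parse_set_cookie(block, strict)
            print(f"{label:9s} strict={strict!s:5s} jar={jar} "
                  f"exposed={exposed_over_plaintext(jar, 'session')}")
```

With the lenient reader the truncated response stores an unprotected session cookie; with the fixed reader the incomplete line is dropped and no cookie is stored at all.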

About Safari 7.0.3

The Safari 7.0.3 update is recommended for all OS X Mavericks users and contains improvements to compatibility, stability, and security.

This update:

  • Fixes an issue that could cause the search and address field to load a webpage or send a search term before the return key is pressed
  • Improves credit card autofill compatibility with websites
  • Fixes an issue that could block receipt of push notifications from websites
  • Adds a preference to turn off push notification prompts from websites
  • Adds support for webpages with generic top-level domains
  • Strengthens Safari sandboxing
  • Fixes security issues, including several identified in recent security competitions

進藤ヒカル, 2014/04/26