ID

VAR-201501-0263


CVE

CVE-2014-8826


TITLE

Apple OS X of LaunchServices In Gatekeeper Vulnerabilities that circumvent protection mechanisms

Trust: 0.8

sources: JVNDB: JVNDB-2015-001302

DESCRIPTION

LaunchServices in Apple OS X before 10.10.2 does not properly handle file-type metadata, which allows attackers to bypass the Gatekeeper protection mechanism via a crafted JAR archive. Supplementary information : CWE Vulnerability type by CWE-19: Data Handling ( Data processing ) Has been identified. Apple Mac OS X is prone to multiple security vulnerabilities. The update addresses new vulnerabilities that affect Bluetooth, CPU Software, CommerceKit Framework, CoreGraphics, CoreSymbolication, Intel Graphics Driver, IOHIDFamily, IOUSBFamily, Kernel, LaunchServices, LoginWindow, Sandbox, SceneKit, security, security_taskgate, Spotlight, SpotlightIndex, sysmond, and UserAccountUpdater components. Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, disclose sensitive information and perform other attacks. Failed attacks may cause denial-of-service conditions. These issues affect OS X prior to 10.10.2. LaunchServices is one of the components that uses a running application to open other applications or documents

Trust: 2.25

sources: NVD: CVE-2014-8826 // JVNDB: JVNDB-2015-001302 // BID: 72341 // BID: 72328 // VULHUB: VHN-76771

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:eqversion:10.10.1

Trust: 1.4

vendor:applemodel:mac os xscope:lteversion:10.10.1

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.10

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.8.5

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.9.5

Trust: 0.8

vendor:applemodel:mac osscope:eqversion:x10.10

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.8.5

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.10.1

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.9.5

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.8.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.9.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.9.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.9.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.7.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.8.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.8.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.8.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.9.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.9

Trust: 0.3

vendor:applemodel:mac osscope:neversion:x10.10.3

Trust: 0.3

vendor:applemodel:mac osscope:neversion:x10.10.2

Trust: 0.3

sources: BID: 72341 // BID: 72328 // JVNDB: JVNDB-2015-001302 // CNNVD: CNNVD-201501-681 // NVD: CVE-2014-8826

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8826
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-8826
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201501-681
value: MEDIUM

Trust: 0.6

VULHUB: VHN-76771
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-8826
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-76771
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-76771 // JVNDB: JVNDB-2015-001302 // CNNVD: CNNVD-201501-681 // NVD: CVE-2014-8826

PROBLEMTYPE DATA

problemtype:CWE-19

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-76771 // JVNDB: JVNDB-2015-001302 // NVD: CVE-2014-8826

THREAT TYPE

network

Trust: 0.6

sources: BID: 72341 // BID: 72328

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201501-681

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001302

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-76771

PATCH

title:APPLE-SA-2015-01-27-4url:http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html

Trust: 0.8

title:HT204244url:http://support.apple.com/en-us/HT204244

Trust: 0.8

title:HT204244url:http://support.apple.com/ja-jp/HT204244

Trust: 0.8

title:osxupd10.10.2url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=53587

Trust: 0.6

title:iPhone7,1_8.1.3_12B466_Restoreurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=53586

Trust: 0.6

sources: JVNDB: JVNDB-2015-001302 // CNNVD: CNNVD-201501-681

EXTERNAL IDS

db:NVDid:CVE-2014-8826

Trust: 3.1

db:BIDid:72341

Trust: 2.0

db:EXPLOIT-DBid:35934

Trust: 1.7

db:OSVDBid:117659

Trust: 1.7

db:SECTRACKid:1031650

Trust: 1.7

db:PACKETSTORMid:130147

Trust: 1.7

db:BIDid:72328

Trust: 0.9

db:JVNid:JVNVU96447236

Trust: 0.8

db:JVNDBid:JVNDB-2015-001302

Trust: 0.8

db:CNNVDid:CNNVD-201501-681

Trust: 0.7

db:SEEBUGid:SSVID-89438

Trust: 0.1

db:VULHUBid:VHN-76771

Trust: 0.1

sources: VULHUB: VHN-76771 // BID: 72341 // BID: 72328 // JVNDB: JVNDB-2015-001302 // CNNVD: CNNVD-201501-681 // NVD: CVE-2014-8826

REFERENCES

url:https://www.ampliasecurity.com/advisories/os-x-gatekeeper-bypass-vulnerability.html

Trust: 2.0

url:http://lists.apple.com/archives/security-announce/2015/jan/msg00003.html

Trust: 1.7

url:http://www.securityfocus.com/bid/72341

Trust: 1.7

url:http://www.securityfocus.com/archive/1/534567/100/0/threaded

Trust: 1.7

url:http://support.apple.com/ht204244

Trust: 1.7

url:http://www.exploit-db.com/exploits/35934

Trust: 1.7

url:http://seclists.org/fulldisclosure/2015/jan/109

Trust: 1.7

url:http://packetstormsecurity.com/files/130147/os-x-gatekeeper-bypass.html

Trust: 1.7

url:http://www.osvdb.org/117659

Trust: 1.7

url:http://www.securitytracker.com/id/1031650

Trust: 1.7

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/100519

Trust: 1.7

url:http://www.apple.com/macosx/

Trust: 1.2

url:https://support.apple.com/en-us/ht204659

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8826

Trust: 0.8

url:https://jvn.jp/vu/jvnvu96447236/

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8826

Trust: 0.8

url:https://www.securityfocus.com/bid/72328

Trust: 0.6

sources: VULHUB: VHN-76771 // BID: 72341 // BID: 72328 // JVNDB: JVNDB-2015-001302 // CNNVD: CNNVD-201501-681 // NVD: CVE-2014-8826

CREDITS

Vitaliy Toropov working with HP's Zero Day Initiative, Roberto Paleari and Aristide Fattori of Emaze Networks, Sten Petersen, Mike Myers,Ian Beer of Google Project Zero, Ale,Hernan Ochoa from Amplia Security, @PanguTeam, Trammell Hudson of Two Sigma Investments, Alex, of Digital Operatives LLC

Trust: 0.6

sources: CNNVD: CNNVD-201501-681

SOURCES

db:VULHUBid:VHN-76771
db:BIDid:72341
db:BIDid:72328
db:JVNDBid:JVNDB-2015-001302
db:CNNVDid:CNNVD-201501-681
db:NVDid:CVE-2014-8826

LAST UPDATE DATE

2024-11-23T19:39:39.799000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-76771date:2020-07-17T00:00:00
db:BIDid:72341date:2015-01-27T00:00:00
db:BIDid:72328date:2019-04-12T18:00:00
db:JVNDBid:JVNDB-2015-001302date:2015-02-12T00:00:00
db:CNNVDid:CNNVD-201501-681date:2020-07-20T00:00:00
db:NVDid:CVE-2014-8826date:2024-11-21T02:19:48.733

SOURCES RELEASE DATE

db:VULHUBid:VHN-76771date:2015-01-30T00:00:00
db:BIDid:72341date:2015-01-27T00:00:00
db:BIDid:72328date:2015-01-27T00:00:00
db:JVNDBid:JVNDB-2015-001302date:2015-02-12T00:00:00
db:CNNVDid:CNNVD-201501-681date:2015-01-29T00:00:00
db:NVDid:CVE-2014-8826date:2015-01-30T11:59:36.313