-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2014-03-10-1 iOS 7.1

iOS 7.1 is now available and addresses the following:

Backup
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted backup can alter the filesystem
Description: A symbolic link in a backup would be restored, allowing
subsequent operations during the restore to write to the rest of the
filesystem. This issue was addressed by checking for symbolic links
during the restore process.
CVE-ID
CVE-2013-5133 : evad3rs

Certificate Trust Policy
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Root certificates have been updated
Description: Several certificates were added to or removed from the
list of system roots.

Configuration Profiles
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Profile expiration dates were not honored
Description: Expiration dates of mobile configuration profiles were
not evaluated correctly. The issue was resolved through improved
handling of configuration profiles.
CVE-ID
CVE-2014-1267

CoreCapture
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application can cause an unexpected system
termination
Description: A reachable assertion issue existed in CoreCapture's
handling of IOKit API calls. The issue was addressed through
additional validation of input from IOKit.
CVE-ID
CVE-2014-1271 : Filippo Bigarella

Crash Reporting
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to change permissions on arbitrary
files
Description: CrashHouseKeeping followed symbolic links while
changing permissions on files. This issue was addressed by not
following symbolic links when changing permissions on files.
CVE-ID
CVE-2014-1272 : evad3rs
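
The symlink-following pattern behind the Backup and Crash Reporting entries above, next to a hardened form, as an added C example that is not part of Apple's advisory and is not Apple's code or fix. The function names and the temporary-directory layout are hypothetical, and the sample files are constructed.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: chmod() resolves symlinks, so a link planted at `path`
 * redirects the permission change to the file it points at. */
int chmod_following_links(const char *path, mode_t mode) {
    return chmod(path, mode);
}

/* Hardened: O_NOFOLLOW makes open() fail if the last path component is a
 * symlink; fstat/fchmod then act on the opened file, not on a name that
 * could be swapped. Parent directories are still resolved normally. */
int chmod_no_follow(const char *path, mode_t mode) {
    struct stat st;
    int rc = -1, fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Restore-side check: refuse to write a restored file through a symlink
 * that an earlier backup entry left at `path`. */
int restore_write_no_follow(const char *path, const void *data, size_t len) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, len);
    close(fd);
    return (n == (ssize_t)len) ? 0 : -1;
}

int main(void) {
    /* Constructed sample layout: <tmp>/protected and a link pointing at it. */
    char dir[] = "/tmp/nofollow_demo_XXXXXX", target[64], link_path[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(link_path, sizeof link_path, "%s/crash.log", dir);
    close(open(target, O_WRONLY | O_CREAT, 0600));
    if (symlink(target, link_path) != 0) return 1;
    printf("hardened chmod via link: %d\n", chmod_no_follow(link_path, 0666));
    printf("hardened restore: %d\n", restore_write_no_follow(link_path, "x", 1));
    printf("unsafe chmod via link: %d\n", chmod_following_links(link_path, 0644));
    return 0;
}
```

O_NOFOLLOW only guards the final path component; when a parent directory is also attacker-writable, each component has to be opened in turn with openat() and O_NOFOLLOW.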

dyld
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Code signing requirements may be bypassed
Description: Text relocation instructions in dynamic libraries may
be loaded by dyld without code signature validation. This issue was
addressed by ignoring text relocation instructions.
CVE-ID
CVE-2014-1273 : evad3rs

FaceTime
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
access FaceTime contacts from the lock screen
Description: FaceTime contacts on a locked device could be exposed
by making a failed FaceTime call from the lock screen. This issue was
addressed through improved handling of FaceTime calls.
CVE-ID
CVE-2014-1274

ImageIO
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JPEG2000
images in PDF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1275 : Felix Groebert of the Google Security Team

ImageIO
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of TIFF
images. This issue was addressed through additional validation of
TIFF images.
CVE-ID
CVE-2012-2088

ImageIO
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted JPEG file may lead to the
disclosure of memory contents
Description: An uninitialized memory access issue existed in
libjpeg's handling of JPEG markers, resulting in the disclosure of
memory contents. This issue was addressed through additional
validation of JPEG files.
CVE-ID
CVE-2013-6629 : Michal Zalewski

IOKit HID Event
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may monitor user actions in other
apps
Description: An interface in IOKit framework allowed malicious apps
to monitor user actions in other apps. This issue was addressed
through improved access control policies in the framework.
CVE-ID
CVE-2014-1276 : Min Zheng, Hui Xue, and Dr. Tao (Lenx) Wei of FireEye

iTunes Store
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A man-in-the-middle attacker may entice a user into
downloading a malicious app via Enterprise App Download
Description: An attacker with a privileged network position could
spoof network communications to entice a user into downloading a
malicious app. This issue was mitigated by using SSL and prompting
the user during URL redirects.
CVE-ID
CVE-2014-1277 : Stefan Esser

Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: An out of bounds memory access issue existed in the ARM
ptmx_get_ioctl function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1278 : evad3rs

Office Viewer
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted Microsoft Word document may
lead to an unexpected application termination or arbitrary code
execution
Description: A double free issue existed in the handling of
Microsoft Word documents. This issue was addressed through improved
memory management.
CVE-ID
CVE-2014-1252 : Felix Groebert of the Google Security Team

Photos Backend
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Deleted images may still appear in the Photos app underneath
transparent images
Description: Deleting an image from the asset library did not delete
cached versions of the image. This issue was addressed through
improved cache management.
CVE-ID
CVE-2014-1281 : Walter Hoelblinger of Hoelblinger.com, Morgan Adams,
Tom Pennington

Profiles
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A configuration profile may be hidden from the user
Description: A configuration profile with a long name could be
loaded onto the device but was not displayed in the profile UI. The
issue was addressed through improved handling of profile names.
CVE-ID
CVE-2014-1282 : Assaf Hefetz, Yair Amit and Adi Sharabani of Skycure

Safari
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: User credentials may be disclosed to an unexpected site via
autofill
Description: Safari may have autofilled user names and passwords
into a subframe from a different domain than the main frame. This
issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-5227 : Niklas Malmgren of Klarna AB

Settings - Accounts
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
disable Find My iPhone without entering an iCloud password
Description: A state management issue existed in the handling of the
Find My iPhone state. This issue was addressed through improved
handling of Find My iPhone state.
CVE-ID
CVE-2014-1284

Springboard
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
see the home screen of the device even if the device has not been
activated
Description: An unexpected application termination during activation
could cause the phone to show the home screen. The issue was
addressed through improved error handling during activation.
CVE-ID
CVE-2014-1285 : Roboboi99

SpringBoard Lock Screen
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to cause the lock screen to
become unresponsive
Description: A state management issue existed in the lock screen.
This issue was addressed through improved state management.
CVE-ID
CVE-2014-1286 : Bogdan Alecu of M-sec.net

TelephonyUI Framework
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A webpage could trigger a FaceTime audio call without user
interaction
Description: Safari did not consult the user before launching
facetime-audio:// URLs. This issue was addressed with the addition of
a confirmation prompt.
CVE-ID
CVE-2013-6835 : Guillaume Ross

USB Host
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
cause arbitrary code execution in kernel mode
Description: A memory corruption issue existed in the handling of
USB messages. This issue was addressed through additional validation
of USB messages.
CVE-ID
CVE-2014-1287 : Andy Davis of NCC Group

Video Driver
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Playing a maliciously crafted video could lead to the device
becoming unresponsive
Description: A null dereference issue existed in the handling of
MPEG-4 encoded files. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2014-1280 : rg0rd

WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2909 : Atte Kettunen of OUSPG
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-5196 : Google Chrome Security Team
CVE-2013-5197 : Google Chrome Security Team
CVE-2013-5198 : Apple
CVE-2013-5199 : Apple
CVE-2013-5225 : Google Chrome Security Team
CVE-2013-5228 : Keen Team (@K33nTeam) working with HP's Zero Day
Initiative
CVE-2013-6625 : cloudfuzzer
CVE-2013-6635 : cloudfuzzer
CVE-2014-1269 : Apple
CVE-2014-1270 : Apple
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day
Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team


Installation note:

This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/

iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.

The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.1".

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----