SB2015041004 - Multiple vulnerabilities in Apple MAC OS X
Published: April 10, 2015 Updated: August 9, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2015-1143)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
LaunchServices in Apple OS X before 10.10.3 allows local users to gain privileges via a crafted localized string, related to a "type confusion" issue. <a href="http://cwe.mitre.org/data/definitions/843.html" rel="nofollow">CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')</a>
2) Input validation error (CVE-ID: CVE-2015-1136)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Use-after-free vulnerability in CoreAnimation in Apple OS X before 10.10.3 allows remote attackers to execute arbitrary code by leveraging improper use of a mutex. <a href="http://cwe.mitre.org/data/definitions/416.html" rel="nofollow">CWE-416: Use After Free</a>
3) Input validation error (CVE-ID: CVE-2015-1093)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
FontParser in Apple iOS before 8.3 and Apple OS X before 10.10.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font file.
Remediation
Install update from vendor's website.
References
- http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
- http://www.securityfocus.com/bid/73982
- http://www.securitytracker.com/id/1032048
- https://support.apple.com/HT204659
- http://lists.apple.com/archives/security-announce/2015/Apr/msg00002.html
- http://www.securityfocus.com/bid/73984
- https://support.apple.com/HT204661
- https://support.apple.com/kb/HT204870