CVE-2014-1380
Description
The Security - Keychain component in Apple OS X before 10.9.4 does not properly implement keystroke observers, which allows physically proximate attackers to bypass the screen-lock protection mechanism, and enter characters into an arbitrary window under the lock window, via keyboard input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A keystroke observer implementation flaw in Apple OS X before 10.9.4 allows physically proximate attackers to bypass the screen lock and type into locked windows.
Vulnerability
The vulnerability resides in the Security - Keychain component of Apple OS X Mavericks, specifically in the handling of keystroke observers. Affected versions are OS X Mavericks 10.9 through 10.9.3. The system fails to properly restrict keystroke observers when the screen is locked, allowing keyboard input to be sent to windows that are behind the lock screen [1].
Exploitation
An attacker must have physical proximity to the target system (i.e., access to the keyboard). No authentication or user interaction is required. While the screen is locked, the attacker can type on the keyboard, and the keystrokes are captured by an observer and directed to an arbitrary window beneath the lock window, effectively bypassing the screen-lock protection [1].
Impact
A successful attacker can enter characters into any window that is behind the lock screen, potentially performing actions as the logged-in user without unlocking the system. This could lead to unauthorized data access, system configuration changes, or other actions depending on the context of the targeted window [1].
Mitigation
Apple addressed this issue in OS X Mavericks 10.9.4, released on July 1, 2014. Users should update via Software Update or download the update from the Apple Support website. No workarounds are documented, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:apple:mac_os_x:10.9:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.9.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.9.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.9.3:*:*:*:*:*:*:*
- Range: <10.9.4
Patches
No patches discovered yet.