Unrated severity · NVD Advisory · Published Oct 18, 2014 · Updated May 6, 2026

CVE-2014-4417

Description

Safari in OS X before 10.10 crashes when visiting a site with a crafted Push Notification, disabling all Push Notifications.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Safari in Apple OS X versions prior to 10.10 (Yosemite) contains a vulnerability where visiting a malicious website that delivers a crafted Push Notification can trigger an uncaught exception in the SafariNotificationAgent process. The flaw lies in how Safari handles incoming Push Notification payloads — if a specially crafted notification is received, the agent crashes without recovery [1].

Exploitation

An attacker only needs to host a website that the victim visits; no special network position or authentication is required. The site delivers a crafted Push Notification payload that triggers an unhandled exception in SafariNotificationAgent. The crash occurs immediately upon notification delivery, with no user interaction needed beyond visiting the malicious page [1].

Impact

Successful exploitation causes the SafariNotificationAgent service to terminate. Since this agent is responsible for processing all Push Notifications, the result is a denial of service affecting the entire Push Notification subsystem. The user loses all such notifications until the agent is manually restarted or the system is rebooted. The attack does not lead to code execution or data theft, but it disables a core Safari feature [1].

Mitigation

The vulnerability is addressed in OS X Yosemite v10.10, which was released on October 16, 2014 [1]. Users of earlier OS X versions (10.9.x and below) should update to 10.10 to protect against this issue. No workaround is documented; preventing users from visiting untrusted websites is the only partial mitigation if an upgrade cannot be applied.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
