Unrated severity · NVD Advisory · Published Jan 30, 2015 · Updated May 6, 2026

CVE-2014-8826

Description

LaunchServices in Apple OS X before 10.10.2 does not properly handle file-type metadata, which allows attackers to bypass the Gatekeeper protection mechanism via a crafted JAR archive.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2014-8826 allows a crafted JAR archive to bypass Gatekeeper in OS X before 10.10.2.

Vulnerability

LaunchServices in Apple OS X before 10.10.2 mishandles file-type metadata, allowing a crafted JAR archive to bypass the Gatekeeper protection mechanism. The vulnerability exists in OS X Yosemite v10.10, v10.10.1, and earlier versions that support Gatekeeper (OS X Lion v10.7.5 and later). To be exploitable, Java must be installed on the victim's machine. [1][2]

Exploitation

An attacker crafts a malicious JAR archive that includes unsigned, untrusted code. When the user downloads and opens the file, LaunchServices incorrectly classifies it, causing Gatekeeper to fail to check the code's signature or origin. The attacker needs no special network position beyond standard web delivery (e.g., hosting the file on a website or sending it via email). The user must have Java installed and must interact with the file (e.g., double-clicking). No authentication is required. [2][3]

Impact

Successful exploitation allows the attacker to execute arbitrary unsigned code on the victim's machine, bypassing Gatekeeper's default "Mac App Store and identified developers" restriction. The code runs with the privileges of the user, potentially leading to full system compromise depending on the user's permissions. This results in a breach of confidentiality, integrity, and availability. [2][3]

Mitigation

Apple addressed this issue in OS X Yosemite v10.10.2 and Security Update 2015-001, released on January 27, 2015. Users should update to OS X 10.10.2 or later. No workarounds are provided in the references. The vulnerability is listed on the Apple security content page for that update. [1]

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
