OS X

CVEs (534)

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2014-4439	Apple Inc. Mac Os X	—	0.00	Oct 18, 2014	Mail in Apple OS X before 10.10 does not properly recognize the removal of a recipient address from a message, which makes it easier for remote attackers to obtain sensitive information in opportunistic circumstances by reading a message intended exclusively for other recipients.
CVE-2014-4438	Apple Inc. Mac Os X	—	0.00	Oct 18, 2014	Race condition in LoginWindow in Apple OS X before 10.10 allows physically proximate attackers to obtain access by leveraging an unattended workstation on which screen locking had been attempted.
CVE-2014-4437	Apple Inc. Mac Os X	—	0.00	Oct 18, 2014	LaunchServices in Apple OS X before 10.10 allows attackers to bypass intended sandbox restrictions via an application that specifies a crafted handler for the Content-Type field of an object.
CVE-2014-4436	Apple Inc. Mac Os X	—	0.00	Oct 18, 2014	IOHIDFamily in Apple OS X before 10.10 allows attackers to cause denial of service (out-of-bounds read operation) via a crafted application.
CVE-2014-4435	Apple Inc. Mac Os X	—	0.00	Oct 18, 2014	The "iCloud Find My Mac" feature in Apple OS X before 10.10 does not properly enforce rate limiting of lost-mode PIN entry, which makes it easier for physically proximate attackers to obtain access via a brute-force attack involving a series of reboots.
CVE-2014-4434	Apple Inc. Mac Os X	—	0.00	Oct 18, 2014	The kernel in Apple OS X before 10.10 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted filename on an HFS filesystem.
CVE-2014-4433	Apple Inc. Mac Os X	—	0.00	Oct 18, 2014	Heap-based buffer overflow in the kernel in Apple OS X before 10.10 allows physically proximate attackers to execute arbitrary code via crafted resource forks in an HFS filesystem.
CVE-2014-4432	Apple Inc. Mac Os X	—	0.00	Oct 18, 2014	fdesetup in Apple OS X before 10.10 does not properly display the encryption status in between a setting-update action and a reboot action, which might make it easier for physically proximate attackers to obtain cleartext data by leveraging ignorance of the reboot requirement.
CVE-2014-4431	Apple Inc. Mac Os X	—	0.00	Oct 18, 2014	Dock in Apple OS X before 10.10 does not properly manage the screen-lock state, which allows physically proximate attackers to view windows by leveraging an unattended workstation.
CVE-2014-4430	Apple Inc. Mac Os X	—	0.00	Oct 18, 2014	CoreStorage in Apple OS X before 10.10 retains a volume's encryption keys upon an eject action in the unlocked state, which makes it easier for physically proximate attackers to obtain cleartext data via a remount.
CVE-2014-4428	Apple Inc. Mac Os X	—	0.01	Oct 18, 2014	Bluetooth in Apple OS X before 10.10 does not require encryption for HID Low Energy devices, which allows remote attackers to spoof a device by leveraging previous pairing.
CVE-2014-4427	Apple Inc. Mac Os X	—	0.00	Oct 18, 2014	App Sandbox in Apple OS X before 10.10 allows attackers to bypass a sandbox protection mechanism via the accessibility API.
CVE-2014-4426	Apple Inc. Mac Os X	—	0.01	Oct 18, 2014	AFP File Server in Apple OS X before 10.10 allows remote attackers to discover the network addresses of all interfaces via an unspecified command to one interface.
CVE-2014-4425	Apple Inc. Mac Os X	—	0.00	Oct 18, 2014	CFPreferences in Apple OS X before 10.10 does not properly enforce the "require password after sleep or screen saver begins" setting, which makes it easier for physically proximate attackers to obtain access by leveraging an unattended workstation.
CVE-2014-4391	Apple Inc. Mac Os X	—	0.01	Oct 18, 2014	The Code Signing feature in Apple OS X before 10.10 does not properly handle incomplete resource envelopes in signed bundles, which allows remote attackers to bypass intended app-author restrictions by omitting an execution-related resource.
CVE-2014-4351	Apple Inc. Mac Os X	—	0.03	Oct 18, 2014	Buffer overflow in QuickTime in Apple OS X before 10.10 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted audio samples in an m4a file.
CVE-2014-7861	Apple Inc. Mac Os X	—	0.03	Oct 5, 2014	The IOHIDSecurePromptClient function in Apple OS X does not properly validate pointer values, which allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via a crafted web site.
CVE-2014-4416	Apple Inc. Mac Os X	—	0.00	Sep 19, 2014	An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability…
CVE-2014-4403	Apple Inc. Mac Os X	—	0.00	Sep 19, 2014	The kernel in Apple OS X before 10.9.5 allows local users to obtain sensitive address information and bypass the ASLR protection mechanism by leveraging predictability of the location of the CPU Global Descriptor Table.
CVE-2014-4402	Apple Inc. Mac Os X	—	0.01	Sep 19, 2014	An unspecified IOAcceleratorFamily function in Apple OS X before 10.9.5 lacks proper bounds checking on read operations, which allows attackers to execute arbitrary code in a privileged context via a crafted application.

CVE-2014-4439Oct 18, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.00
Mail in Apple OS X before 10.10 does not properly recognize the removal of a recipient address from a message, which makes it easier for remote attackers to obtain sensitive information in opportunistic circumstances by reading a message intended exclusively for other recipients.
CVE-2014-4438Oct 18, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.00
Race condition in LoginWindow in Apple OS X before 10.10 allows physically proximate attackers to obtain access by leveraging an unattended workstation on which screen locking had been attempted.
CVE-2014-4437Oct 18, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.00
LaunchServices in Apple OS X before 10.10 allows attackers to bypass intended sandbox restrictions via an application that specifies a crafted handler for the Content-Type field of an object.
CVE-2014-4436Oct 18, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.00
IOHIDFamily in Apple OS X before 10.10 allows attackers to cause denial of service (out-of-bounds read operation) via a crafted application.
CVE-2014-4435Oct 18, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.00
The "iCloud Find My Mac" feature in Apple OS X before 10.10 does not properly enforce rate limiting of lost-mode PIN entry, which makes it easier for physically proximate attackers to obtain access via a brute-force attack involving a series of reboots.
CVE-2014-4434Oct 18, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.00
The kernel in Apple OS X before 10.10 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted filename on an HFS filesystem.
CVE-2014-4433Oct 18, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.00
Heap-based buffer overflow in the kernel in Apple OS X before 10.10 allows physically proximate attackers to execute arbitrary code via crafted resource forks in an HFS filesystem.
CVE-2014-4432Oct 18, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.00
fdesetup in Apple OS X before 10.10 does not properly display the encryption status in between a setting-update action and a reboot action, which might make it easier for physically proximate attackers to obtain cleartext data by leveraging ignorance of the reboot requirement.
CVE-2014-4431Oct 18, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.00
Dock in Apple OS X before 10.10 does not properly manage the screen-lock state, which allows physically proximate attackers to view windows by leveraging an unattended workstation.
CVE-2014-4430Oct 18, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.00
CoreStorage in Apple OS X before 10.10 retains a volume's encryption keys upon an eject action in the unlocked state, which makes it easier for physically proximate attackers to obtain cleartext data via a remount.
CVE-2014-4428Oct 18, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.01
Bluetooth in Apple OS X before 10.10 does not require encryption for HID Low Energy devices, which allows remote attackers to spoof a device by leveraging previous pairing.
CVE-2014-4427Oct 18, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.00
App Sandbox in Apple OS X before 10.10 allows attackers to bypass a sandbox protection mechanism via the accessibility API.
CVE-2014-4426Oct 18, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.01
AFP File Server in Apple OS X before 10.10 allows remote attackers to discover the network addresses of all interfaces via an unspecified command to one interface.
CVE-2014-4425Oct 18, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.00
CFPreferences in Apple OS X before 10.10 does not properly enforce the "require password after sleep or screen saver begins" setting, which makes it easier for physically proximate attackers to obtain access by leveraging an unattended workstation.
CVE-2014-4391Oct 18, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.01
The Code Signing feature in Apple OS X before 10.10 does not properly handle incomplete resource envelopes in signed bundles, which allows remote attackers to bypass intended app-author restrictions by omitting an execution-related resource.
CVE-2014-4351Oct 18, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.03
Buffer overflow in QuickTime in Apple OS X before 10.10 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted audio samples in an m4a file.
CVE-2014-7861Oct 5, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.03
The IOHIDSecurePromptClient function in Apple OS X does not properly validate pointer values, which allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via a crafted web site.
CVE-2014-4416Sep 19, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.00
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability…
CVE-2014-4403Sep 19, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.00
The kernel in Apple OS X before 10.9.5 allows local users to obtain sensitive address information and bypass the ASLR protection mechanism by leveraging predictability of the location of the CPU Global Descriptor Table.
CVE-2014-4402Sep 19, 2014
Apple Inc.
Mac Os X
risk 0.00cvss —epss 0.01
An unspecified IOAcceleratorFamily function in Apple OS X before 10.9.5 lacks proper bounds checking on read operations, which allows attackers to execute arbitrary code in a privileged context via a crafted application.

Page 25 of 27