Apple iOS vulnerabilities
3,941 known vulnerabilities affecting apple/iphone_os.
Total CVEs: 3,941
CISA KEV: 92 (actively exploited)
Public exploits: 248
Exploited in wild: 79
Severity breakdown
CRITICAL 313 | HIGH 1610 | MEDIUM 1731 | LOW 287
Vulnerabilities
CVE-2014-4377 | MEDIUM | CVSS 6.8 | CWE-189 | ≤ 7.1.2, v7.0, +8 more | 2014-09-18
Integer overflow in CoreGraphics in Apple iOS before 8 and Apple TV before 7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.
nvd
CVE-2014-4353 | MEDIUM | CVSS 4.3 | CWE-362 | ≤ 7.1.2, v7.0, +8 more | 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.
nvd
CVE-2014-4410 | MEDIUM | CVSS 6.8 | CWE-119 | ≤ 7.1.2, v7.0, +8 more | 2014-09-18
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.
nvd
CVE-2014-4383 | MEDIUM | CVSS 4.3 | CWE-20 | ≤ 7.1.2, v7.0, +8 more | 2014-09-18
The Assets subsystem in Apple iOS before 8 and Apple TV before 7 allows man-in-the-middle attackers to spoof a device's update status via a crafted Last-Modified HTTP response header.
nvd
CVE-2014-4363 | MEDIUM | CVSS 5.0 | CWE-255 | ≥ 7.0, ≤ 7.1.2 | 2014-09-18
Safari in Apple iOS before 8 does not properly restrict the autofilling of passwords in forms, which allows remote attackers to obtain sensitive information via (1) an http web site, (2) an https web site with an unacceptable X.509 certificate, or (3) an IFRAME element.
nvd
CVE-2014-4408 | MEDIUM | CVSS 6.9 | CWE-119 | ≤ 7.1.2, v7.0, +8 more | 2014-09-18
The rt_setgate function in the kernel in Apple iOS before 8 and Apple TV before 7 allows local users to gain privileges or cause a denial of service (out-of-bounds read and device crash) via a crafted call.
nvd
CVE-2014-4352 | LOW | CVSS 2.1 | CWE-310 | ≤ 7.1.2, v7.0, +8 more | 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.
nvd
CVE-2014-4419 | LOW | CVSS 1.9 | ≤ 7.1.2, v7.0, +8 more | 2014-09-18
The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4371, CVE-2014-4420, and CVE-2014-4421.
nvd
CVE-2014-4420 | LOW | CVSS 1.9 | ≤ 7.1.2, v7.0, +8 more | 2014-09-18
The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4371, CVE-2014-4419, and CVE-2014-4421.
nvd
CVE-2014-4367 | LOW | CVSS 2.1 | CWE-264 | ≤ 7.1.2, v7.0, +8 more | 2014-09-18
Apple iOS before 8 enables Voice Dial during all upgrade actions, which makes it easier for physically proximate attackers to launch unintended calls by speaking a telephone number.
nvd
CVE-2014-4407 | LOW | CVSS 3.3 | CWE-200 | ≤ 7.1.2, v7.0, +8 more | 2014-09-18
IOKit in Apple iOS before 8 and Apple TV before 7 does not properly initialize kernel memory, which allows attackers to obtain sensitive memory-content information via an application that makes crafted IOKit function calls.
nvd
CVE-2014-4386 | LOW | CVSS 1.9 | CWE-362 | ≤ 7.1.2, v7.0, +8 more | 2014-09-18
Race condition in the App Installation feature in Apple iOS before 8 allows local users to gain privileges and install unverified apps by leveraging /tmp write access.
nvd
CVE-2014-4421 | LOW | CVSS 1.9 | ≤ 7.1.2, v7.0, +8 more | 2014-09-18
The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4371, CVE-2014-4419, and CVE-2014-4420.
nvd
CVE-2014-4356 | LOW | CVSS 2.1 | CWE-200 | ≤ 7.1.2, v7.0, +8 more | 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.
nvd
CVE-2014-4371 | LOW | CVSS 1.9 | CWE-665 | ≤ 7.1.2, v7.0, +8 more | 2014-09-18
The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4419, CVE-2014-4420, and CVE-2014-4421.
nvd
CVE-2014-4384 | LOW | CVSS 1.9 | CWE-22 | ≤ 7.1.2, v7.0, +8 more | 2014-09-18
Directory traversal vulnerability in the App Installation feature in Apple iOS before 8 allows local users to install unverified apps by triggering code-signature validation of an unintended bundle.
nvd
CVE-2014-4372 | LOW | CVSS 3.6 | CWE-59 | ≤ 7.1.2, v7.0, +8 more | 2014-09-18
syslogd in the syslog subsystem in Apple iOS before 8 and Apple TV before 7 allows local users to change the permissions of arbitrary files via a symlink attack on an unspecified file.
nvd
CVE-2014-4357 | LOW | CVSS 2.1 | CWE-200 | ≤ 7.1.2, v7.0, +8 more | 2014-09-18
Accounts Framework in Apple iOS before 8 and Apple TV before 7 allows attackers to obtain sensitive information by reading log data that was not intended to be present in a log.
nvd
CVE-2014-1357 | CRITICAL | CVSS 10.0 | CWE-119 | ≤ 7.1.1, v7.0, +7 more | 2014-07-01
Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that generates log messages.
nvd
CVE-2014-1358 | CRITICAL | CVSS 10.0 | CWE-189 | ≤ 7.1.1, v7.0, +7 more | 2014-07-01
Integer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application.
nvd