The Mac Security Blog

Apple + Security News

Apple Delivers OS X Mavericks 10.9.5, Security Update 2014-004

Posted on by

OS X Mavericks 10.9.5 and Security Update 2014-004 are now available and include a long list of security fixes. Apple delivered these updates in conjunction with iOS 8, Safari 6.2 and Safari 7.1, Apple TV 7, Xcode 6.0.1, OS X Server 3.2.1 and OS X Server 2.2.3.

This update is available for: OS X Lion 10.7.5, OS X Mountain Lion 10.8.5, and OS X Mavericks 10.9 to 10.9.4.

OS X Mavericks 10.9.5 Security Update 2014-004

Altogether, Security Update 2014-004 patches 44 vulnerabilities (CVEs) for everything from PHP scripting language to Bluetooth, the operating system graphics drivers, and security flaws in several OS X components. A good number of these vulnerabilities can be exploited to execute malicious code with system privileges; according to Apple’s security advisory, such vulnerabilities are commonly used in zero-day exploits.

Security Update 2014-004 addresses the following vulnerabilities:

  • CVE-2013-7345, CVE-2014-0185, CVE-2014-0207, CVE-2014-0237, CVE-2014-0238, CVE-2014-1943, CVE-2014-2270, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, CVE-2014-3515, CVE-2014-3981, CVE-2014-4049 : Multiple vulnerabilities in PHP 5.4.24. Multiple vulnerabilities existed in PHP 5.4.24, the most serious of which may have led to arbitrary code execution. This update addresses the issues by updating PHP to version 5.4.30.
  • CVE-2014-4390 : A malicious application may be able to execute arbitrary code with system privileges. A validation issue existed in the handling of a Bluetooth API call. This issue was addressed through improved bounds checking.
  • CVE-2014-4378 : Opening a maliciously crafted PDF file may lead to an unexpected application termination or an information disclosure. An out of bounds memory read existed in the handling of PDF files. This issue was addressed through improved bounds checking.
  • CVE-2014-4377 : Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. An integer overflow existed in the handling of PDF files. This issue was addressed through improved bounds checking.
  • CVE-2014-4374 : An application using NSXMLParser may be misused to disclose information. An XML External Entity issue existed in NSXMLParser’s handling of XML. This issue was addressed by not loading external entities across origins.
  • CVE-2014-4393 : Compiling untrusted GLSL shaders may lead to an unexpected application termination or arbitrary code execution. A user-space buffer overflow existed in the shader compiler. This issue was addressed through improved bounds checking.
  • CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, CVE-2014-4416 : A malicious application may be able to execute arbitrary code with system privileges. Multiple validation issues existed in some integrated graphics driver routines. These issues were addressed through improved bounds checking.
  • CVE-2014-4376 : A malicious application may be able to execute arbitrary code with system privileges. A null pointer dereference existed in the handling of IOKit API arguments. This issue was addressed through improved validation of IOKit API arguments.
  • CVE-2014-4402 : A malicious application may be able to execute arbitrary code with system privileges. An out-of-bounds read issue existed in the handling of an IOAcceleratorFamily function. This issue was addressed through improved bounds checking.
  • CVE-2014-4379 : A local user can read kernel pointers, which can be used to bypass kernel address space layout randomization. An out-of-bounds read issue existed in the handling of an IOHIDFamily function. This issue was addressed through improved bounds checking.
  • CVE-2014-4388 : A malicious application may be able to execute arbitrary code with system privileges. A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata.
  • CVE-2014-4389 : A malicious application may be able to execute arbitrary code with system privileges. An integer overflow existed in the handling of IOKit functions. This issue was addressed through improved bounds checking.
  • CVE-2014-4403 : A local user can infer kernel addresses and bypass kernel address space layout randomization. In some cases, the CPU Global Descriptor Table was allocated at a predictable address. This issue was addressed through always allocating the Global Descriptor Table at random addresses.
  • CVE-2014-4381 : A malicious application may be able to execute arbitrary code with root privileges. An out-of-bounds write issue existed in Libnotify. This issue was addressed through improved bounds checking
  • CVE-2014-0076, CVE-2014-0195, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 : Multiple vulnerabilities in OpenSSL 0.9.8y, including one that may lead to arbitrary code execution. Multiple vulnerabilities existed in OpenSSL 0.9.8y. This update was addressed by updating OpenSSL to version 0.9.8za.
  • CVE-2014-1391 : Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. A memory corruption issue existed in the handling of RLE encoded movie files. This issue was addressed through improved bounds checking.
  • CVE-2014-4350 : Playing a maliciously crafted MIDI file may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in the handling of MIDI files. This issue was addressed through improved bounds checking.
  • CVE-2014-4979 : Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. A memory corruption issue existed in the handling of the ‘mvhd’ atoms. This issue was addressed through improved bounds checking.
  • CVE-2014-2525 : A remote attacker may be able to cause arbitrary code execution. A heap buffer overflow existed in LibYAML’s handling of percent-encoded characters in a URI. This issue was addressed through improved bounds checking. This update addresses the issues by updating LibYAML to version 0.1.6

Intego encourages all Mac users to download and install all security updates as soon as possible—keeping your software up-to-date is an essential layer of security that keeps your digital life secure and away from the bad guys.

You can update through Apple’s Software Update tool by choosing Apple menu > Software Update when you’re ready to install, or you can go directly to Apple’s support page to download the updates from there.

OS X Lion Server users can go here to download Security Update 2014-004 (194.8 MB).

OS X Lion users can go here to download Security Update 2014-004 (144.5 MB).

OS X Mountain Lion users go here to download Security Update 2014-004 (139.3 MB).

OS X Mavericks users go here to download OS X Mavericks 10.9.5 Update (275.5 MB), or here to get the 982.3 MB Combo update; these update includes Safari 7.0.6.