Multiple Vulnerabilities in Apple Mac OS X and Apple Safari Could Allow Remote Code Execution

ITS Advisory Number: 2014-037
Date(s) Issued: Wednesday, April 23, 2014
Subject: Multiple Vulnerabilities in Apple Mac OS X and Apple Safari Could Allow Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Apple's Mac OS X, Mac OS X Server, and Apple Safari that could allow remote code execution. Mac OS X and Mac OS X Server are operating systems for Apple computers. Apple Safari is a web browser available for Mac OS X and Microsoft Windows. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file, including an email attachment, using a vulnerable version of OS X or Apple Safari.

Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Apple Mac OS X 10.7.5
  • Apple Mac OS X 10.8.5
  • Apple Mac OS X 10.9.2
  • Apple Mac OS X Server 10.7.5
  • Apple Safari 6.1.2 and Safari 7.0.2 and earlier
Risk:
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: High
BUSINESS
  • Large and medium business entities: High
  • Small business entities: High
HOME USERS
  • Home users: High
Description: 

Multiple vulnerabilities have been discovered in Apple's Mac OS X, Mac OS X Server, and Apple Safari. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file. Details of these vulnerabilities are as follows:

Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 
  • Apply appropriate patches provided by Apple to affected systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download or open files from untrusted websites, unknown users, or suspicious emails.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
References: 
Apple:
http://support.apple.com/kb/HT6207
Security Focus:
http://www.securityfocus.com/bid/63873
http://www.securityfocus.com/bid/66242
http://www.securityfocus.com/bid/67021
http://www.securityfocus.com/bid/67022
http://www.securityfocus.com/bid/67023
http://www.securityfocus.com/bid/67025
http://www.securityfocus.com/bid/67026
http://www.securityfocus.com/bid/67028
http://www.securityfocus.com/bid/67029
http://www.securityfocus.com/bid/67030
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1296
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1315
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5170
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1316
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1319
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1318
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1320
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1322
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1321
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6393
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4164
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1295
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1314
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2871
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2926
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2928
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6625
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1289
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1290
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1291
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1292
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1293
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1294
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1298
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1299
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1300
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1301
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1302
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1303
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1304
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1305
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1307
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1308
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1309
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1310
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1311
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1312
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1313
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1713