OS X Lion
Buy OS X Lion (10.7) - Apple Store (U.S.)
If you need to purchase Mac OS X 10.7 Lion, you may order it from this page.
http://store.apple.com/us/product/D6106Z/A/os-x-lion
Buy OS X Mountain Lion - Apple Store (U.S.)
If you need to purchase Mac OS X 10.8 Mountain Lion, you may order it from this page.
http://store.apple.com/us/product/D6377Z/A/os-x-mountain-lion
About the security content of OS X Lion v10.7.2 and Security Update 2011-006
This document describes the security content of OS X Lion v10.7.2 and Security Update 2011-006, which can be downloaded and installed via Software Update preferences, or from Apple Downloads. For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website. For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key." Where possible, CVE IDs are used to reference the vulnerabilities for further information. To learn about other Security Updates, see "Apple Security Updates". 

https://support.apple.com/en-gb/HT202348
About the security content of OS X Lion v10.7.3 and Security Update 2012-001
This document describes the security content of OS X Lion v10.7.3 and Security Update 2012-001, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

https://support.apple.com/en-gb/HT202397
About the security content of OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and Security Update 2012-004
This document describes the security content of OS X Mountain Lion v10.8.2, OS X Lion v10.7.5, and Security Update 2012-004.
https://support.apple.com/en-gb/HT202604
About the security content of OS X Lion v10.7.4 and Security Update 2012-002
OS X Lion v10.7.4 and Security Update 2012-002 can be downloaded and installed via Software Update preferences, or from Apple Downloads.

https://support.apple.com/en-gb/HT202473
About the security content of OS X Mavericks v10.9.2 and Security Update 2014-001

 
 Apache 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 
 Impact: Multiple vulnerabilities in Apache 
 Description: Multiple vulnerabilities existed in Apache, the most serious of which may lead to cross-site scripting. These issues were addressed by updating Apache to version 2.2.26. 
 CVE-ID 
 CVE-2013-1862 
 CVE-2013-1896 
 
 
 
 App Sandbox 
 Available for: OS X Mountain Lion v10.8.5 
 Impact: The App Sandbox may be bypassed 
 Description: The LaunchServices interface for launching an application allowed sandboxed apps to specify the list of arguments passed to the new process. A compromised sandboxed application could abuse this to bypass the sandbox. This issue was addressed by preventing sandboxed applications from specifying arguments. This issue does not affect systems running OS X Mavericks 10.9 or later. 
 CVE-ID 
 CVE-2013-5179 : Friedrich Graeter of The Soulmen GbR 
 
 
 
 ATS 
 Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 
 Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution 
 Description: A memory corruption issue existed in the handling of Type 1 fonts. This issue was addressed through improved bounds checking. 
 CVE-ID 
 CVE-2014-1254 : Felix Groebert of the Google Security Team 
 
 
 
 ATS 
 Available for: OS X Mavericks 10.9 and 10.9.1 
 Impact: The App Sandbox may be bypassed 
 Description: A memory corruption issue existed in the handling of Mach messages passed to ATS. This issue was addressed through improved bounds checking. 
 CVE-ID 
 CVE-2014-1262 : Meder Kydyraliev of the Google Security Team 
 
 
 
 ATS 
 Available for: OS X Mavericks 10.9 and 10.9.1 
 Impact: The App Sandbox may be bypassed 
 Description: An arbitrary free issue existed in the handling of Mach messages passed to ATS. This issue was addressed through additional validation of Mach messages. 
 CVE-ID 
 CVE-2014-1255 : Meder Kydyraliev of the Google Security Team 
 
 
 
 ATS 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 
 Impact: The App Sandbox may be bypassed 
 Description: A buffer overflow issue existed in the handling of Mach messages passed to ATS. This issue was addressed by additional bounds checking. 
 CVE-ID 
 CVE-2014-1256 : Meder Kydyraliev of the Google Security Team 
 
 
 
 Certificate Trust Policy 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 
 Impact: Root certificates have been updated 
 Description: The set of system root certificates has been updated. The complete list of recognized system roots may be viewed via the Keychain Access application. 
 
 
 
 CFNetwork Cookies 
 Available for: OS X Mountain Lion v10.8.5 
 Impact: Session cookies may persist even after resetting Safari 
 Description: Resetting Safari did not always delete session cookies until Safari was closed. This issue was addressed through improved handling of session cookies. This issue does not affect systems running OS X Mavericks 10.9 or later. 
 CVE-ID 
 CVE-2014-1257 : Rob Ansaldo of Amherst College, Graham Bennett 
 
 
 
 CoreAnimation 
 Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 
 Impact: Visiting a maliciously crafted site may lead to an unexpected application termination or arbitrary code execution 
 Description: A heap buffer overflow existed in CoreAnimation's handling of images. This issue was addressed through improved bounds checking. 
 CVE-ID 
 CVE-2014-1258 : Karl Smith of NCC Group 
 
 
 
 CoreText 
 Available for: OS X Mavericks 10.9 and 10.9.1 
 Impact: Applications that use CoreText may be vulnerable to an unexpected application termination or arbitrary code execution 
 Description: A signedness issue existed in CoreText in the handling of Unicode fonts. This issue is addressed through improved bounds checking. 
 CVE-ID 
 CVE-2014-1261 : Lucas Apa and Carlos Mario Penagos of IOActive Labs 
 
 
 
 curl 
 Available for: OS X Mavericks 10.9 and 10.9.1 
 Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information 
 Description: When using curl to connect to an HTTPS URL containing an IP address, the IP address was not validated against the certificate. This issue does not affect systems prior to OS X Mavericks v10.9. 
 CVE-ID 
 CVE-2014-1263 : Roland Moriz of Moriz GmbH 
 
 
 
 Data Security 
 Available for: OS X Mavericks 10.9 and 10.9.1 
 Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS 
 Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps. 
 CVE-ID 
 CVE-2014-1266 
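The entry above says only that Secure Transport "failed to validate the authenticity of the connection" and that the fix "restored missing validation steps". The public fix for CVE-2014-1266 is the widely discussed "goto fail" defect: a chain of `if ((err = step()) != 0) goto fail;` checks in the signature-verification path contained one extra, unconditional `goto fail;`, so the final signature comparison was skipped while `err` still held success. The block below is an added illustration of that bug class and is not Apple's source; the hash and signature are toy stand-ins (a constructed 32-bit checksum, assumed for the demo) so that it runs offline.

```c
/* Added example: the "unconditional goto skips a check" bug class behind
 * CVE-2014-1266. Not Apple's Secure Transport code; the digest/signature
 * are a constructed toy checksum so the program needs no crypto library. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ERR_OK        0
#define ERR_BAD_SIG  -9809   /* arbitrary nonzero code meaning "signature mismatch" */

/* Toy digest (FNV-1a). Illustrative only, not a secure hash. */
static uint32_t toy_digest(const uint8_t *buf, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= buf[i]; h *= 16777619u; }
    return h;
}

/* What a legitimate peer attaches: the digest of the bytes it signed. */
uint32_t toy_sign(const uint8_t *msg, size_t len) {
    return toy_digest(msg, len);
}

static int hash_update(uint32_t *ctx, const uint8_t *buf, size_t len) {
    *ctx = toy_digest(buf, len);
    return ERR_OK;
}

static int check_signature(uint32_t ctx, uint32_t sig) {
    return ctx == sig ? ERR_OK : ERR_BAD_SIG;
}

/* Vulnerable shape: the second `goto fail;` is unconditional. Once
 * hash_update succeeds, control jumps to `fail` with err == ERR_OK and
 * check_signature never runs, so a forged signature is "verified". */
int verify_buggy(const uint8_t *msg, size_t len, uint32_t sig) {
    uint32_t ctx = 0;
    int err;
    if ((err = hash_update(&ctx, msg, len)) != ERR_OK)
        goto fail;
        goto fail;                      /* duplicated line: always taken */
    if ((err = check_signature(ctx, sig)) != ERR_OK)
        goto fail;
fail:
    return err;
}

/* Fixed shape: every goto is guarded, so `fail` is reached with ERR_OK
 * only after check_signature has actually run and passed. */
int verify_fixed(const uint8_t *msg, size_t len, uint32_t sig) {
    uint32_t ctx = 0;
    int err;
    if ((err = hash_update(&ctx, msg, len)) != ERR_OK)
        goto fail;
    if ((err = check_signature(ctx, sig)) != ERR_OK)
        goto fail;
fail:
    return err;
}

/* Drive both verifiers with a constructed message and a forged signature. */
int verify_forged(int use_fixed) {
    const uint8_t msg[] = "ServerKeyExchange";          /* constructed payload */
    uint32_t forged = toy_sign(msg, sizeof msg) ^ 0xdeadbeefu;
    return use_fixed ? verify_fixed(msg, sizeof msg, forged)
                     : verify_buggy(msg, sizeof msg, forged);
}

/* Same message with the genuine signature: both verifiers must accept it. */
int verify_genuine(int use_fixed) {
    const uint8_t msg[] = "ServerKeyExchange";
    uint32_t good = toy_sign(msg, sizeof msg);
    return use_fixed ? verify_fixed(msg, sizeof msg, good)
                     : verify_buggy(msg, sizeof msg, good);
}

int main(void) {
    printf("buggy verifier accepts forged signature: %s\n", verify_forged(0) == ERR_OK ? "yes" : "no");
    printf("fixed verifier accepts forged signature: %s\n", verify_forged(1) == ERR_OK ? "yes" : "no");
    return 0;
}
```

The lesson for reviewers is that the early-exit-by-goto idiom has no structural guard: a compiler that flags unreachable code, a style rule that every `if` body is braced, and a test that feeds a deliberately bad signature through the verifier would each have caught the skipped step.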
 
 
 
 Date and Time 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 
 Impact: An unprivileged user may change the system clock 
 Description: This update changes the behavior of the systemsetup command to require administrator privileges to change the system clock. 
 CVE-ID 
 CVE-2014-1265 
 
 
 
 File Bookmark 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 
 Impact: Viewing a file with a maliciously crafted name may lead to an unexpected application termination or arbitrary code execution 
 Description: A buffer overflow existed in the handling of file names. This issue was addressed through improved bounds checking. 
 CVE-ID 
 CVE-2014-1259 
 
 
 
 Finder 
 Available for: OS X Mavericks 10.9 and 10.9.1 
 Impact: Accessing a file's ACL via Finder may lead to other users gaining unauthorized access to files 
 Description: Accessing a file's ACL via Finder may corrupt the ACLs on the file. This issue was addressed through improved handling of ACLs. 
 CVE-ID 
 CVE-2014-1264 
 
 
 
 ImageIO 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 
 Impact: Viewing a maliciously crafted JPEG file may lead to the disclosure of memory contents 
 Description: An uninitialized memory access issue existed in libjpeg's handling of JPEG markers, resulting in the disclosure of memory contents. This issue was addressed by better JPEG handling. 
 CVE-ID 
 CVE-2013-6629 : Michal Zalewski 
 
 
 
 IOSerialFamily 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5 
 Impact: Executing a malicious application may result in arbitrary code execution within the kernel 
 Description: An out of bounds array access existed in the IOSerialFamily driver. This issue was addressed through additional bounds checking. This issue does not affect systems running OS X Mavericks v10.9 or later. 
 CVE-ID 
 CVE-2013-5139 : @dent1zt 
 
 
 
 LaunchServices 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5 
 Impact: A file could show the wrong extension 
 Description: An issue existed in the handling of certain unicode characters that could allow filenames to show incorrect extensions. The issue was addressed by filtering unsafe unicode characters from display in filenames. This issue does not affect systems running OS X Mavericks v10.9 or later. 
 CVE-ID 
 CVE-2013-5178 : Jesse Ruderman of Mozilla Corporation, Stephane Sudre of Intego 
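The entry does not name the "certain unicode characters"; the well-known case is the Unicode bidirectional controls, above all U+202E RIGHT-TO-LEFT OVERRIDE, which make a renderer draw the tail of a name reversed so that `something<RLO>txt.exe` is displayed ending in `.txt` while the bytes end in `.exe`. The block below is an added example, not Apple's LaunchServices code: it shows the gap between the extension the OS dispatches on and the display form, and the kind of filtering the fix describes. The sample file name is constructed for the demo.

```c
/* Added example: bidi-control spoofing of a file name and the display-side
 * filter that removes the controls. Not Apple's code; sample name is constructed. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* "invoice" + U+202E (RIGHT-TO-LEFT OVERRIDE, UTF-8 E2 80 AE) + "txt.exe".
 * A bidi-aware renderer draws the part after U+202E reversed, so the user
 * sees "invoiceexe.txt" while the bytes end in ".exe". */
const char *const spoofed_name = "invoice" "\xE2\x80\xAE" "txt.exe";

/* UTF-8 encodings of the Unicode bidi controls that re-order display:
 * U+200E/U+200F (LRM, RLM), U+202A..U+202E (LRE, RLE, PDF, LRO, RLO) and
 * U+2066..U+2069 (LRI, RLI, FSI, PDI). All are three-byte sequences under E2. */
static bool is_bidi_control(const unsigned char *p, size_t remaining) {
    if (remaining < 3 || p[0] != 0xE2) return false;
    if (p[1] == 0x80 && (p[2] == 0x8E || p[2] == 0x8F)) return true;
    if (p[1] == 0x80 && p[2] >= 0xAA && p[2] <= 0xAE) return true;
    if (p[1] == 0x81 && p[2] >= 0xA6 && p[2] <= 0xA9) return true;
    return false;
}

/* Write the display form of `in` into `out` (capacity outsz), dropping bidi
 * controls. Returns the number of controls dropped, or -1 if out is too small. */
int strip_bidi_controls(const char *in, char *out, size_t outsz) {
    const unsigned char *p = (const unsigned char *)in;
    size_t len = strlen(in), o = 0;
    int dropped = 0;
    for (size_t i = 0; i < len; ) {
        if (is_bidi_control(p + i, len - i)) { i += 3; dropped++; continue; }
        if (o + 1 >= outsz) return -1;
        out[o++] = (char)p[i++];
    }
    out[o] = '\0';
    return dropped;
}

/* The extension the OS actually dispatches on: text after the last '.'
 * of the raw bytes, regardless of how the name renders. */
const char *real_extension(const char *name) {
    const char *dot = strrchr(name, '.');
    return dot ? dot + 1 : "";
}

/* Convenience for the demo: filtered display form in a static buffer. */
const char *display_name(const char *in) {
    static char buf[256];
    return strip_bidi_controls(in, buf, sizeof buf) < 0 ? NULL : buf;
}

/* Number of bidi controls a name contains (what a scanner would flag). */
int bidi_controls_in(const char *name) {
    char buf[256];
    return strip_bidi_controls(name, buf, sizeof buf);
}

int main(void) {
    printf("raw extension: .%s\n", real_extension(spoofed_name));
    printf("display form after filtering: %s (%d control(s) removed)\n",
           display_name(spoofed_name), bidi_controls_in(spoofed_name));
    return 0;
}
```

Filtering for display is what the advisory describes; a detection rule can use the same table to flag any file name or download that contains these code points, since there is rarely a legitimate reason for them in a name.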
 
 
 
 NVIDIA Drivers 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 
 Impact: Executing a malicious application could result in arbitrary code execution within the graphics card 
https://support.apple.com/en-gb/HT202932
About the security content of OS X Mountain Lion v10.8.5 and Security Update 2013-004

 
 Apache 
 Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 
 Impact: Multiple vulnerabilities in Apache 
 Description: Multiple vulnerabilities existed in Apache, the most serious of which may lead to cross-site scripting. These issues were addressed by updating Apache to version 2.2.24. 
 CVE-ID 
 CVE-2012-0883 
 CVE-2012-2687 
 CVE-2012-3499 
 CVE-2012-4558 
 
 
 
 Bind 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 
 Impact: Multiple vulnerabilities in BIND 
 Description: Multiple vulnerabilities existed in BIND, the most serious of which may lead to a denial of service. These issues were addressed by updating BIND to version 9.8.5-P1. CVE-2012-5688 did not affect Mac OS X v10.7 systems. 
 CVE-ID 
 CVE-2012-3817 
 CVE-2012-4244 
 CVE-2012-5166 
 CVE-2012-5688 
 CVE-2013-2266 
 
 
 
 Certificate Trust Policy 
 Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 
 Impact: Root certificates have been updated 
 Description: Several certificates were added to or removed from the list of system roots. The complete list of recognized system roots may be viewed via the Keychain Access application. 
 
 
 
 ClamAV 
 Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5 
 Impact: Multiple vulnerabilities in ClamAV 
 Description: Multiple vulnerabilities exist in ClamAV, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating ClamAV to version 0.97.8. 
 CVE-ID 
 CVE-2013-2020 
 CVE-2013-2021 
 
 
 
 CoreGraphics 
 Available for: OS X Mountain Lion v10.8 to v10.8.4 
 Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution 
 Description: A buffer overflow existed in the handling of JBIG2 encoded data in PDF files. This issue was addressed through additional bounds checking. 
 CVE-ID 
 CVE-2013-1025 : Felix Groebert of the Google Security Team 
 
 
 
 ImageIO 
 Available for: OS X Mountain Lion v10.8 to v10.8.4 
 Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution 
 Description: A buffer overflow existed in the handling of JPEG2000 encoded data in PDF files. This issue was addressed through additional bounds checking. 
 CVE-ID 
 CVE-2013-1026 : Felix Groebert of the Google Security Team 
 
 
 
 Installer 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 
 Impact: Packages could be opened after certificate revocation 
 Description: When Installer encountered a revoked certificate, it would present a dialog with an option to continue. The issue was addressed by removing the dialog and refusing any revoked package. 
 CVE-ID 
 CVE-2013-1027 
 
 
 
 IPSec 
 Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 
 Impact: An attacker may intercept data protected with IPSec Hybrid Auth 
 Description: The DNS name of an IPSec Hybrid Auth server was not being matched against the certificate, allowing an attacker with a certificate for any server to impersonate any other. This issue was addressed by properly checking the certificate. 
 CVE-ID 
 CVE-2013-1028 : Alexander Traud of www.traud.de 
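Two entries on this page are the same class of bug: the IPSec Hybrid Auth server name that was never compared with the certificate (CVE-2013-1028, above) and curl's unchecked IP literal in the Mavericks v10.9.2 entry (CVE-2014-1263). In both, a certificate valid for *some* name was accepted for *any* name. The block below is an added example of the check that was missing, not Apple's, racoon's or curl's code. It assumes the subjectAltName entries have already been parsed out of the certificate into the small struct shown, and the certificate contents are constructed for the demo. It handles both cases: a DNS host must match a dNSName entry (with the usual wildcard rule), and an IP literal must match an iPAddress entry by address bytes, never a dNSName that merely contains the same text.

```c
/* Added example: subjectAltName matching for a DNS host or an IP literal.
 * Not from Apple, racoon or curl; SAN contents below are constructed. */
#include <arpa/inet.h>
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>

typedef enum { SAN_DNS, SAN_IP } san_kind;

/* One subjectAltName entry. For SAN_IP the value is the textual address;
 * a real X.509 parser would hand over the raw 4 or 16 bytes instead. */
typedef struct { san_kind kind; const char *value; } san_entry;

/* Constructed certificate contents for the demo (not from any real cert). */
const san_entry example_sans[] = {
    { SAN_DNS, "vpn.example.com" },
    { SAN_DNS, "*.internal.example.com" },
    { SAN_DNS, "203.0.113.9" },     /* IP text in a dNSName must NOT match an IP host */
    { SAN_IP,  "198.51.100.7" },
};
#define EXAMPLE_SANS_LEN (sizeof example_sans / sizeof example_sans[0])

static bool parse_ip(const char *s, unsigned char *out, size_t *outlen) {
    if (inet_pton(AF_INET, s, out) == 1)  { *outlen = 4;  return true; }
    if (inet_pton(AF_INET6, s, out) == 1) { *outlen = 16; return true; }
    return false;
}

/* dNSName comparison: case-insensitive; a wildcard is allowed only as the
 * entire left-most label, only when at least two labels follow it, and it
 * never matches more than one label of the host. */
static bool dns_match(const char *pattern, const char *host) {
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *host_rest = strchr(host, '.');
        if (host_rest == NULL || strchr(pattern + 2, '.') == NULL)
            return false;
        return strcasecmp(pattern + 2, host_rest + 1) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* host: the name or IP literal taken from the URL (IPv6 without brackets). */
bool cert_matches_host(const char *host, const san_entry *sans, size_t n) {
    unsigned char host_ip[16];
    size_t host_ip_len = 0;
    bool host_is_ip = parse_ip(host, host_ip, &host_ip_len);

    for (size_t i = 0; i < n; i++) {
        if (host_is_ip) {
            unsigned char san_ip[16];
            size_t san_ip_len = 0;
            if (sans[i].kind == SAN_IP
                && parse_ip(sans[i].value, san_ip, &san_ip_len)
                && san_ip_len == host_ip_len
                && memcmp(san_ip, host_ip, host_ip_len) == 0)
                return true;
        } else if (sans[i].kind == SAN_DNS && dns_match(sans[i].value, host)) {
            return true;
        }
    }
    return false;   /* no CN fallback: an unmatched SAN list is a failure */
}

int main(void) {
    const char *hosts[] = { "vpn.example.com", "198.51.100.7",
                            "203.0.113.9", "a.b.internal.example.com" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-26s -> %s\n", hosts[i],
               cert_matches_host(hosts[i], example_sans, EXAMPLE_SANS_LEN) ? "match" : "NO MATCH");
    return 0;
}
```

Chain validation (is the certificate trusted at all?) and name matching (is it *this* server's certificate?) are separate steps; both advisories are cases where the first was done and the second was not, and the result is that any holder of a trusted certificate can impersonate the endpoint.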
 
 
 
 Kernel 
 Available for: OS X Mountain Lion v10.8 to v10.8.4 
 Impact: A local network user may cause a denial of service 
 Description: An incorrect check in the IGMP packet parsing code in the kernel allowed a user who could send IGMP packets to the system to cause a kernel panic. The issue was addressed by removing the check. 
 CVE-ID 
 CVE-2013-1029 : Christopher Bohn of PROTECTSTAR INC. 
 
 
 
 Mobile Device Management 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 
 Impact: Passwords may be disclosed to other local users 
 Description: A password was passed on the command-line to mdmclient, which made it visible to other users on the same system. The issue was addressed by communicating the password through a pipe. 
 CVE-ID 
 CVE-2013-1030 : Per Olofsson at the University of Gothenburg 
 
 
 
 OpenSSL 
 Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 
 Impact: Multiple vulnerabilities in OpenSSL 
 Description: Multiple vulnerabilities existed in OpenSSL, the most serious of which may lead to disclosure of user data. These issues were addressed by updating OpenSSL to version 0.9.8y. 
 CVE-ID 
 CVE-2012-2686 
 CVE-2013-0166 
 CVE-2013-0169 
 
 
 
 PHP 
 Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 
 Impact: Multiple vulnerabilities in PHP 
 Description: Multiple vulnerabilities existed in PHP, the most serious of which may lead to arbitrary code execution. These issues were addressed by updating PHP to version 5.3.26. 
 CVE-ID 
 CVE-2013-1635 
 CVE-2013-1643 
 CVE-2013-1824 
 CVE-2013-2110 
 
 
 
 PostgreSQL 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 
 Impact: Multiple vulnerabilities in PostgreSQL 
 Description: Multiple vulnerabilities exist in PostgreSQL, the most serious of which may lead to data corruption or privilege escalation. CVE-2013-1901 does not affect OS X Lion systems. This update addresses the issues by updating PostgreSQL to version 9.1.9 on OS X Mountain Lion systems, and 9.0.4 on OS X Lion systems. 
 CVE-ID 
 CVE-2013-1899 
 CVE-2013-1900 
 CVE-2013-1901 
 
 
 
 Power Management 
 Available for: OS X Mountain Lion v10.8 to v10.8.4 
 Impact: The screen saver may not start after the specified time period 
 Description: A power assertion lock issue existed. This issue was addressed through improved lock handling. 
 CVE-ID 
 CVE-2013-1031 
 
 
 
 QuickTime 
 Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 
 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution 
 Description: A memory corruption issue existed in the handling of 'idsc' atoms in QuickTime movie files. This issue was addressed through additional bounds checking. 
 CVE-ID 
 CVE-2013-1032 : Jason Kratzer working with iDefense VCP 
 
 
 
 Screen Lock 
 Available for: OS X Mountain Lion v10.8 to v10.8.4 
 Impact: A user with screen sharing access may be able to bypass the screen lock when another user is logged in 
 Description: A session management issue existed in the screen lock's handling of screen sharing sessions. This issue was addressed through improved session tracking. 
 CVE-ID 
 CVE-2013-1033 : Jeff Grisso of Atos IT Solutions, Sébastien Stormacq 
 
 
 
 sudo 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 
 Impact: An attacker with control of an admin user's account may be able to gain root privileges without knowing the user's password 
 Description: By setting the system clock, an attacker may be able to use sudo to gain root privileges on systems where sudo has been used before. On OS X, only admin users can change the system clock. This issue was addressed by checking for an invalid timestamp. 
 CVE-ID 
 CVE-2013-1775 
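The entry says the fix was "checking for an invalid timestamp". The mechanism it is guarding against: sudo records when an admin last authenticated in a timestamp file and, for the next few minutes, lets that user run sudo without a password; `sudo -k` expires the ticket by setting its time to the epoch, and an attacker who can move the wall clock back to 1970 makes that "expired" ticket look fresh. The block below is an added illustration of the freshness rule before and after, not sudo's source; the five-minute window and the epoch-as-expired convention are assumptions stated from sudo's documented defaults, and the clock values are constructed.

```c
/* Added example: a sudo-style credential-ticket freshness check, buggy and
 * fixed. Not sudo's code; timeout and clock values are constructed. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

#define TS_TIMEOUT 300L   /* assumed: 5 minutes, sudo's default timestamp_timeout */

/* Vulnerable rule: fresh if mtime + timeout is still in the future. An
 * mtime of 0 (the epoch, written to expire a ticket) passes whenever the
 * wall clock itself reads within `timeout` of the epoch, which is exactly
 * what an attacker with clock-setting rights can arrange. */
bool ticket_valid_buggy(time_t mtime, time_t now, long timeout) {
    return mtime + timeout > now;
}

/* Fixed rule: the epoch is never a valid ticket time, a ticket dated after
 * "now" means the clock has been moved and is rejected, and only then does
 * the freshness window apply. */
bool ticket_valid_fixed(time_t mtime, time_t now, long timeout) {
    if (mtime == 0)  return false;   /* explicitly expired ticket */
    if (mtime > now) return false;   /* clock moved backwards since it was written */
    return now - mtime < timeout;
}

int main(void) {
    time_t rewound = 120;            /* clock set to 1970-01-01 00:02:00 UTC */
    time_t real    = 1700000000;     /* an ordinary present-day clock value */
    printf("expired ticket, clock rewound to 1970: buggy=%d fixed=%d\n",
           ticket_valid_buggy(0, rewound, TS_TIMEOUT), ticket_valid_fixed(0, rewound, TS_TIMEOUT));
    printf("ticket from 60 s ago:                   buggy=%d fixed=%d\n",
           ticket_valid_buggy(real - 60, real, TS_TIMEOUT), ticket_valid_fixed(real - 60, real, TS_TIMEOUT));
    printf("ticket dated one hour in the future:    buggy=%d fixed=%d\n",
           ticket_valid_buggy(real + 3600, real, TS_TIMEOUT), ticket_valid_fixed(real + 3600, real, TS_TIMEOUT));
    return 0;
}
```

The general design point is that any authorization decision based on wall-clock time is only as strong as control over the clock; a monotonic clock that no user can wind back removes the dependency entirely, and the separate "Date and Time" entry on this page (CVE-2014-1265) shows why restricting who may set the clock matters as a defence in depth.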
 
 
 
 Note: OS X Mountain Lion v10.8.5 also addresses an issue in which certain Unicode strings could cause applications to unexpectedly quit. 
 

https://support.apple.com/en-gb/HT202785
About the security content of OS X Mountain Lion v10.8.3 and Security Update 2013-001
OS X Mountain Lion v10.8.3 and Security Update 2013-001 can be downloaded and installed via Software Update preferences, or from Apple Downloads.
https://support.apple.com/en-gb/HT202694
About the security content of Safari 6

 
 Safari 
 Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4 
 Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack 
 Description: A cross-site scripting issue existed in the handling of feed:// URLs. This update removes handling of feed:// URLs. 
 CVE-ID 
 CVE-2012-0678 : Masato Kinugawa 
 
 
 
 Safari 
 Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4 
 Impact: Visiting a maliciously crafted website may cause files from the user's system to be sent to a remote server 
 Description: An access control issue existed in the handling of feed:// URLs. This update removes handling of feed:// URLs. 
 CVE-ID 
 CVE-2012-0679 : Aaron Sigel of vtty.com 
 
 
 
 Safari 
 Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4 
 Impact: Passwords may autocomplete even when the site specifies that autocomplete should be disabled 
 Description: Password input elements with the autocomplete attribute set to "off" were being autocompleted. This update addresses the issue by improved handling of the autocomplete attribute. 
 CVE-ID 
 CVE-2012-0680 : Dan Poltawski of Moodle 
 
 
 
 Safari Downloads 
 Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4 
 Impact: Opening maliciously crafted files on certain websites may lead to a cross-site scripting attack 
 Description: An issue existed in Safari's support for the 'attachment' value for the HTTP Content-Disposition header. This header is used by many websites to serve files that were uploaded to the site by a third-party, such as attachments in web-based e-mail applications. Any script in files served with this header value would run as if the file had been served inline, with full access to other resources on the origin server. This issue is addressed by downloading resources served with this header, rather than displaying them inline. 
 CVE-ID 
 CVE-2011-3426 : Mickey Shkatov of laplinker.com, Kyle Osborn, Hidetake Jo at Microsoft and Microsoft Vulnerability Research (MSVR) 
 
 
 
 WebKit 
 Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4 
 Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution 
 Description: Multiple memory corruption issues existed in WebKit. These issues are addressed through improved memory handling. 
 CVE-ID 
 CVE-2011-3016 : miaubiz 
 CVE-2011-3021 : Arthur Gerkis 
 CVE-2011-3027 : miaubiz 
 CVE-2011-3032 : Arthur Gerkis 
 CVE-2011-3034 : Arthur Gerkis 
 CVE-2011-3035 : wushi of team509 working with iDefense VCP, Arthur Gerkis 
 CVE-2011-3036 : miaubiz 
 CVE-2011-3037 : miaubiz 
 CVE-2011-3038 : miaubiz 
 CVE-2011-3039 : miaubiz 
 CVE-2011-3040 : miaubiz 
 CVE-2011-3041 : miaubiz 
 CVE-2011-3042 : miaubiz 
 CVE-2011-3043 : miaubiz 
 CVE-2011-3044 : Arthur Gerkis 
 CVE-2011-3050 : miaubiz 
 CVE-2011-3053 : miaubiz 
 CVE-2011-3059 : Arthur Gerkis 
 CVE-2011-3060 : miaubiz 
 CVE-2011-3064 : Atte Kettunen of OUSPG 
 CVE-2011-3068 : miaubiz 
 CVE-2011-3069 : miaubiz 
 CVE-2011-3071 : pa_kt working with HP's Zero Day Initiative 
 CVE-2011-3073 : Arthur Gerkis 
 CVE-2011-3074 : Slawomir Blazek 
 CVE-2011-3075 : miaubiz 
 CVE-2011-3076 : miaubiz 
 CVE-2011-3078 : Martin Barbella of the Google Chrome Security Team 
 CVE-2011-3081 : miaubiz 
 CVE-2011-3086 : Arthur Gerkis 
 CVE-2011-3089 : Skylined of the Google Chrome Security Team, miaubiz 
 CVE-2011-3090 : Arthur Gerkis 
 CVE-2011-3913 : Arthur Gerkis 
 CVE-2011-3924 : Arthur Gerkis 
 CVE-2011-3926 : Arthur Gerkis 
 CVE-2011-3958 : miaubiz 
 CVE-2011-3966 : Aki Helin of OUSPG 
 CVE-2011-3968 : Arthur Gerkis 
 CVE-2011-3969 : Arthur Gerkis 
 CVE-2011-3971 : Arthur Gerkis 
 CVE-2012-0682 : Apple Product Security 
 CVE-2012-0683 : Dave Mandelin of Mozilla 
 CVE-2012-1520 : Martin Barbella of the Google Chrome Security Team using AddressSanitizer, Jose A. Vazquez of spa-s3c.blogspot.com working with iDefense VCP 
 CVE-2012-1521 : Skylined of the Google Chrome Security Team, Jose A. Vazquez of spa-s3c.blogspot.com working with iDefense VCP 
 CVE-2012-3589 : Dave Mandelin of Mozilla 
 CVE-2012-3590 : Apple Product Security 
 CVE-2012-3591 : Apple Product Security 
 CVE-2012-3592 : Apple Product Security 
 CVE-2012-3593 : Apple Product Security 
 CVE-2012-3594 : miaubiz 
 CVE-2012-3595 : Martin Barbella of Google Chrome Security 
 CVE-2012-3596 : Skylined of the Google Chrome Security Team 
 CVE-2012-3597 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer 
 CVE-2012-3599 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer 
 CVE-2012-3600 : David Levin of the Chromium development community 
 CVE-2012-3603 : Apple Product Security 
 CVE-2012-3604 : Skylined of the Google Chrome Security Team 
 CVE-2012-3605 : Cris Neckar of the Google Chrome Security team 
 CVE-2012-3608 : Skylined of the Google Chrome Security Team 
 CVE-2012-3609 : Skylined of the Google Chrome Security Team 
 CVE-2012-3610 : Skylined of the Google Chrome Security Team 
 CVE-2012-3611 : Apple Product Security 
 CVE-2012-3615 : Stephen Chenney of the Chromium development community 
 CVE-2012-3618 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer 
 CVE-2012-3620 : Abhishek Arya of Google Chrome Security Team 
 CVE-2012-3625 : Skylined of Google Chrome Security Team 
 CVE-2012-3626 : Apple Product Security 
 CVE-2012-3627 : Skylined and Abhishek Arya of Google Chrome Security team 
 CVE-2012-3628 : Apple Product Security 
 CVE-2012-3629 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer 
 CVE-2012-3630 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer 
 CVE-2012-3631 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer 
 CVE-2012-3633 : Martin Barbella of Google Chrome Security Team using AddressSanitizer 
 CVE-2012-3634 : Martin Barbella of Google Chrome Security Team using AddressSanitizer 
 CVE-2012-3635 : Martin Barbella of Google Chrome Security Team using AddressSanitizer 
 CVE-2012-3636 : Martin Barbella of Google Chrome Security Team using AddressSanitizer 
 CVE-2012-3637 : Martin Barbella of Google Chrome Security Team using AddressSanitizer 
 CVE-2012-3638 : Martin Barbella of Google Chrome Security Team using AddressSanitizer 
 CVE-2012-3639 : Martin Barbella of Google Chrome Security Team using AddressSanitizer 
 CVE-2012-3640 : miaubiz 
 CVE-2012-3641 : Slawomir Blazek 
 CVE-2012-3642 : miaubiz 
 CVE-2012-3644 : miaubiz 
 CVE-2012-3645 : Martin Barbella of Google Chrome Security Team using AddressSanitizer 
 CVE-2012-3646 : Julien Chaffraix of the Chromium development community, Martin Barbella of Google Chrome Security Team using AddressSanitizer 
 CVE-2012-3653 : Martin Barbella of Google Chrome Security Team using AddressSanitizer 
 CVE-2012-3655 : Skylined of the Google Chrome Security Team 
 CVE-2012-3656 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer 
 CVE-2012-3661 : Apple Product Security 
 CVE-2012-3663 : Skylined of Google Chrome Security Team 
 CVE-2012-3664 : Thomas Sepez of the Chromium development community 
 CVE-2012-3665 : Martin Barbella of Google Chrome Security Team using AddressSanitizer 
 CVE-2012-3666 : Apple 
 CVE-2012-3667 : Trevor Squires of propaneapp.com 
 CVE-2012-3668 : Apple Product Security 
 CVE-2012-3669 : Apple Product Security 
 CVE-2012-3670 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer, Arthur Gerkis 
 CVE-2012-3674 : Skylined of Google Chrome Security Team 
 CVE-2012-3678 : Apple Product Security 
 CVE-2012-3679 : Chris Leary of Mozilla 
 CVE-2012-3680 : Skylined of Google Chrome Security Team 
 CVE-2012-3681 : Apple 
 CVE-2012-3682 : Adam Barth of the Google Chrome Security Team 
 CVE-2012-3683 : wushi of team509 working with iDefense VCP 
 CVE-2012-3686 : Robin Cao of Torch Mobile (Beijing) 
 
 
 
 WebKit 
 Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4 
 Impact: Dragging and dropping selected text on a web page may lead to a cross-site information disclosure 
 Description: A cross-origin issue existed in the handling of drag and drop events. This issue is addressed through improved origin tracking. 
 CVE-ID 
 CVE-2012-3689 : David Bloom of Cue 
 
 
 
 WebKit 
 Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4 
 Impact: Dragging and dropping selected text on a web page may cause files from the user's system to be sent to a remote server 
 Description: An access control issue existed in the handling of drag and drop events. This issue is addressed through improved origin tracking. 
 CVE-ID 
 CVE-2012-3690 : David Bloom of Cue 
 
 
https://support.apple.com/en-gb/HT202561
About the security content of OS X Mountain Lion v10.8.4 and Security Update 2013-002
Note: OS X Mountain Lion v10.8.4 includes the content of Safari 6.0.5. For further details see About the security content of Safari 6.0.5.

 CFNetwork 
 Available for: OS X Mountain Lion v10.8 to v10.8.3 
 Impact: An attacker with access to a user's session may be able to log into previously accessed sites, even if Private Browsing was used 
 Description: Permanent cookies were saved after quitting Safari, even when Private Browsing was enabled. This issue was addressed by improved handling of cookies. 
 CVE-ID 
 CVE-2013-0982 : Alexander Traud of www.traud.de 

 CoreAnimation 
 Available for: OS X Mountain Lion v10.8 to v10.8.3 
 Impact: Visiting a maliciously crafted site may lead to an unexpected application termination or arbitrary code execution 
 Description: An unbounded stack allocation issue existed in the handling of text glyphs. This could be triggered by maliciously crafted URLs in Safari. The issue was addressed through improved bounds checking. 
 CVE-ID 
 CVE-2013-0983 : David Fifield of Stanford University, Ben Syverson 

 CoreMedia Playback 
 Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 
 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution 
 Description: An uninitialized memory access issue existed in the handling of text tracks. This issue was addressed by additional validation of text tracks. 
 CVE-ID 
 CVE-2013-1024 : Richard Kuo and Billy Suguitan of Triemt Corporation 

 CUPS 
 Available for: OS X Mountain Lion v10.8 to v10.8.3 
 Impact: A local user in the lpadmin group may be able to read or write arbitrary files with system privileges 
 Description: A privilege escalation issue existed in the handling of CUPS configuration via the CUPS web interface. A local user in the lpadmin group may be able to read or write arbitrary files with system privileges. This issue was addressed by moving certain configuration directives to cups-files.conf, which can not be modified from the CUPS web interface. 
 CVE-ID 
 CVE-2012-5519 

 Directory Service 
 Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8 
 Impact: A remote attacker may execute arbitrary code with system privileges on systems with Directory Service enabled 
 Description: An issue existed in the directory server's handling of messages from the network. By sending a maliciously crafted message, a remote attacker could cause the directory server to terminate or execute arbitrary code with system privileges. This issue was addressed through improved bounds checking. This issue does not affect OS X Lion or OS X Mountain Lion systems. 
 CVE-ID 
 CVE-2013-0984 : Nicolas Economou of Core Security 

 Disk Management 
 Available for: OS X Mountain Lion v10.8 to v10.8.3 
 Impact: A local user may disable FileVault 
 Description: A local user who is not an administrator may disable FileVault using the command-line. This issue was addressed by adding additional authentication. 
 CVE-ID 
 CVE-2013-0985 

 OpenSSL 
 Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 
 Impact: An attacker may be able to decrypt data protected by SSL 
 Description: There were known attacks on the confidentiality of TLS 1.0 when compression was enabled. This issue was addressed by disabling compression in OpenSSL. 
 CVE-ID 
 CVE-2012-4929 : Juliano Rizzo and Thai Duong 

 OpenSSL 
 Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 
 Impact: Multiple vulnerabilities in OpenSSL 
 Description: OpenSSL was updated to version 0.9.8x to address multiple vulnerabilities, which may lead to denial of service or disclosure of a private key. Further information is available via the OpenSSL website at http://www.openssl.org/news/ 
 CVE-ID 
 CVE-2011-1945 
 CVE-2011-3207 
 CVE-2011-3210 
 CVE-2011-4108 
 CVE-2011-4109 
 CVE-2011-4576 
 CVE-2011-4577 
 CVE-2011-4619 
 CVE-2012-0050 
 CVE-2012-2110 
 CVE-2012-2131 
 CVE-2012-2333 

 QuickDraw Manager 
 Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 
 Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution 
 Description: A buffer overflow existed in the handling of PICT images. This issue was addressed through improved bounds checking. 
 CVE-ID 
 CVE-2013-0975 : Tobias Klein working with HP's Zero Day Initiative 

 QuickTime 
 Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 
 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution 
 Description: A buffer overflow existed in the handling of 'enof' atoms. This issue was addressed through improved bounds checking. 
 CVE-ID 
 CVE-2013-0986 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft) working with HP's Zero Day Initiative 

 QuickTime 
 Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 
 Impact: Viewing a maliciously crafted QTIF file may lead to an unexpected application termination or arbitrary code execution 
 Description: A memory corruption issue existed in the handling of QTIF files. This issue was addressed through improved bounds checking. 
 CVE-ID 
 CVE-2013-0987 : roob working with iDefense VCP 

 QuickTime 
 Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 
 Impact: Viewing a maliciously crafted FPX file may lead to an unexpected application termination or arbitrary code execution 
 Description: A buffer overflow existed in the handling of FPX files. This issue was addressed through improved bounds checking. 
 CVE-ID 
 CVE-2013-0988 : G. Geshev working with HP's Zero Day Initiative 

 QuickTime 
 Available for: OS X Mountain Lion v10.8 to v10.8.3 
 Impact: Playing a maliciously crafted MP3 file may lead to an unexpected application termination or arbitrary code execution 
 Description: A buffer overflow existed in the handling of MP3 files. This issue was addressed through improved bounds checking. 
 CVE-ID 
 CVE-2013-0989 : G. Geshev working with HP's Zero Day Initiative 

 Ruby 
 Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8 
 Impact: Multiple vulnerabilities in Ruby on Rails 
 Description: Multiple vulnerabilities existed in Ruby on Rails, the most serious of which may lead to arbitrary code execution on systems running Ruby on Rails applications. These issues were addressed by updating Ruby on Rails to version 2.3.18. This issue may affect OS X Lion or OS X Mountain Lion systems that were upgraded from Mac OS X 10.6.8 or earlier. Users can update affected gems on such systems by using the /usr/bin/gem utility. 
 CVE-ID 
 CVE-2013-0155 
 CVE-2013-0276 
 CVE-2013-0277 
 CVE-2013-0333 
 CVE-2013-1854 
 CVE-2013-1855 
 CVE-2013-1856 
 CVE-2013-1857 

 SMB 
 Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 
 Impact: An authenticated user may be able to write files outside the shared directory 
 Description: If SMB file sharing is enabled, an authenticated user may be able to write files outside the shared directory. This issue was addressed through improved access control. 
CVE-ID CVE-2013-0990 : Ward van Wanrooij Note: Starting with OS X v10.8.4, Java Web Start (i.e., JNLP) applications downloaded from the Internet need to be signed with a Developer ID certificate. Gatekeeper will check downloaded Java Web Start applications for a signature and block such applications from launching if they are not properly signed. You can use the codesign utility to sign the JNLP file, which will attach the code signature to the JNLP file as extended attributes. To preserve these attributes, package the JNLP file in a ZIP, XIP, or DMG file. Be careful using the ZIP format, as some third-party tools might not capture the required extended attributes correctly. Learn more at Technical Note TN2206: OS X Code Signing In Depth.
https://support.apple.com/en-gb/HT202746
About the security content of OS X Yosemite v10.10.2 and Security Update 2015-001
AFP Server
Available for: OS X Mavericks v10.9.5
Impact: A remote attacker may be able to determine all the network addresses of the system
Description: The AFP file server supported a command which returned all the network addresses of the system. This issue was addressed by removing the addresses from the result.
CVE-ID
CVE-2014-4426 : Craig Young of Tripwire VERT

bash
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: Multiple vulnerabilities in bash, including one that may allow local attackers to execute arbitrary code
Description: Multiple vulnerabilities existed in bash. These issues were addressed by updating bash to patch level 57.
CVE-ID
CVE-2014-6277
CVE-2014-7186
CVE-2014-7187

Bluetooth
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: An integer signedness error existed in IOBluetoothFamily which allowed manipulation of kernel memory. This issue was addressed through improved bounds checking. This issue does not affect OS X Yosemite systems.
CVE-ID
CVE-2014-4497

Bluetooth
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: An error existed in the Bluetooth driver that allowed a malicious application to control the size of a write to kernel memory. The issue was addressed through additional input validation.
CVE-ID
CVE-2014-8836 : Ian Beer of Google Project Zero

Bluetooth
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: Multiple security issues existed in the Bluetooth driver, allowing a malicious application to execute arbitrary code with system privilege. The issues were addressed through additional input validation.
CVE-ID
CVE-2014-8837 : Roberto Paleari and Aristide Fattori of Emaze Networks

CFNetwork Cache
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: Website cache may not be fully cleared after leaving private browsing
Description: A privacy issue existed where browsing data could remain in the cache after leaving private browsing. This issue was addressed through a change in caching behavior.
CVE-ID
CVE-2014-4460

CoreGraphics
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of PDF files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4481 : Felipe Andres Manzano of the Binamuse VRT, via the iSIGHT Partners GVP Program

CPU Software
Available for: OS X Yosemite v10.10 and v10.10.1, for: MacBook Pro Retina, MacBook Air (Mid 2013 and later), iMac (Late 2013 and later), Mac Pro (Late 2013)
Impact: A malicious Thunderbolt device may be able to affect firmware flashing
Description: Thunderbolt devices could modify the host firmware if connected during an EFI update. This issue was addressed by not loading option ROMs during updates.
CVE-ID
CVE-2014-4498 : Trammell Hudson of Two Sigma Investments

CommerceKit Framework
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: An attacker with access to a system may be able to recover Apple ID credentials
Description: An issue existed in the handling of App Store logs. The App Store process could log Apple ID credentials in the log when additional logging was enabled. This issue was addressed by disallowing logging of credentials.
CVE-ID
CVE-2014-4499 : Sten Petersen

CoreGraphics
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: Some third-party applications with non-secure text entry and mouse events may log those events
Description: Due to the combination of an uninitialized variable and an application's custom allocator, non-secure text entry and mouse events may have been logged. This issue was addressed by ensuring that logging is off by default. This issue did not affect systems prior to OS X Yosemite.
CVE-ID
CVE-2014-1595 : Steven Michaud of Mozilla working with Kent Howard

CoreGraphics
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of PDF files. The issue was addressed through improved bounds checking. This issue does not affect OS X Yosemite systems.
CVE-ID
CVE-2014-8816 : Mike Myers, of Digital Operatives LLC

CoreSymbolication
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: Multiple type confusion issues existed in coresymbolicationd's handling of XPC messages. These issues were addressed through improved type checking.
CVE-ID
CVE-2014-8817 : Ian Beer of Google Project Zero

FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact: Processing a maliciously crafted .dfont file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of .dfont files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4484 : Gaurav Baruah working with HP's Zero Day Initiative

FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of font files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4483 : Apple

Foundation
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact: Viewing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the XML parser. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4485 : Apple

Intel Graphics Driver
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact: Multiple vulnerabilities in Intel graphics driver
Description: Multiple vulnerabilities existed in the Intel graphics driver, the most serious of which may have led to arbitrary code execution with system privileges. This update addresses the issues through additional bounds checks.
CVE-ID
CVE-2014-8819 : Ian Beer of Google Project Zero
CVE-2014-8820 : Ian Beer of Google Project Zero
CVE-2014-8821 : Ian Beer of Google Project Zero

IOAcceleratorFamily
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A null pointer dereference existed in IOAcceleratorFamily's handling of certain IOService userclient types. This issue was addressed through improved validation of IOAcceleratorFamily contexts.
CVE-ID
CVE-2014-4486 : Ian Beer of Google Project Zero

IOHIDFamily
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A buffer overflow existed in IOHIDFamily. This issue was addressed with improved bounds checking.
CVE-ID
CVE-2014-4487 : TaiG Jailbreak Team

IOHIDFamily
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A validation issue existed in IOHIDFamily's handling of resource queue metadata. This issue was addressed through improved validation of metadata.
CVE-ID
CVE-2014-4488 : Apple

IOHIDFamily
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A null pointer dereference existed in IOHIDFamily's handling of event queues. This issue was addressed through improved validation of IOHIDFamily event queue initialization.
CVE-ID
https://support.apple.com/en-gb/HT204244
About the security content of OS X Mavericks v10.9.5 and Security Update 2014-004
apache_mod_php
Available for: OS X Mavericks v10.9 to v10.9.4
Impact: Multiple vulnerabilities in PHP 5.4.24
Description: Multiple vulnerabilities existed in PHP 5.4.24, the most serious of which may have led to arbitrary code execution. This update addresses the issues by updating PHP to version 5.4.30.
CVE-ID
CVE-2013-7345
CVE-2014-0185
CVE-2014-0207
CVE-2014-0237
CVE-2014-0238
CVE-2014-1943
CVE-2014-2270
CVE-2014-3478
CVE-2014-3479
CVE-2014-3480
CVE-2014-3487
CVE-2014-3515
CVE-2014-3981
CVE-2014-4049

Bluetooth
Available for: OS X Mavericks v10.9 to v10.9.4
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A validation issue existed in the handling of a Bluetooth API call. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4390 : Ian Beer of Google Project Zero

CoreGraphics
Available for: OS X Mavericks v10.9 to v10.9.4
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or an information disclosure
Description: An out of bounds memory read existed in the handling of PDF files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4378 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program

CoreGraphics
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9 to v10.9.4
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of PDF files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4377 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program

Foundation
Available for: OS X Mavericks v10.9 to v10.9.4
Impact: An application using NSXMLParser may be misused to disclose information
Description: An XML External Entity issue existed in NSXMLParser's handling of XML. This issue was addressed by not loading external entities across origins.
CVE-ID
CVE-2014-4374 : George Gal of VSR (http://www.vsecurity.com/)

Intel Graphics Driver
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9 to v10.9.4
Impact: Compiling untrusted GLSL shaders may lead to an unexpected application termination or arbitrary code execution
Description: A user-space buffer overflow existed in the shader compiler. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4393 : Apple

Intel Graphics Driver
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9 to v10.9.4
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: Multiple validation issues existed in some integrated graphics driver routines. These issues were addressed through improved bounds checking.
CVE-ID
CVE-2014-4394 : Ian Beer of Google Project Zero
CVE-2014-4395 : Ian Beer of Google Project Zero
CVE-2014-4396 : Ian Beer of Google Project Zero
CVE-2014-4397 : Ian Beer of Google Project Zero
CVE-2014-4398 : Ian Beer of Google Project Zero
CVE-2014-4399 : Ian Beer of Google Project Zero
CVE-2014-4400 : Ian Beer of Google Project Zero
CVE-2014-4401 : Ian Beer of Google Project Zero
CVE-2014-4416 : Ian Beer of Google Project Zero

IOAcceleratorFamily
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9 to v10.9.4
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A null pointer dereference existed in the handling of IOKit API arguments. This issue was addressed through improved validation of IOKit API arguments.
CVE-ID
CVE-2014-4376 : Ian Beer of Google Project Zero

IOAcceleratorFamily
Available for: OS X Mavericks v10.9 to v10.9.4
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: An out-of-bounds read issue existed in the handling of an IOAcceleratorFamily function. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4402 : Ian Beer of Google Project Zero

IOHIDFamily
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9 to v10.9.4
Impact: A local user can read kernel pointers, which can be used to bypass kernel address space layout randomization
Description: An out-of-bounds read issue existed in the handling of an IOHIDFamily function. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4379 : Ian Beer of Google Project Zero

IOKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9 to v10.9.4
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata.
CVE-ID
CVE-2014-4388 : @PanguTeam

IOKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9 to v10.9.4
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: An integer overflow existed in the handling of IOKit functions. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4389 : Ian Beer of Google Project Zero

Kernel
Available for: OS X Mavericks v10.9 to v10.9.4
Impact: A local user can infer kernel addresses and bypass kernel address space layout randomization
Description: In some cases, the CPU Global Descriptor Table was allocated at a predictable address. This issue was addressed through always allocating the Global Descriptor Table at random addresses.
CVE-ID
CVE-2014-4403 : Ian Beer of Google Project Zero

Libnotify
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9 to v10.9.4
Impact: A malicious application may be able to execute arbitrary code with root privileges
Description: An out-of-bounds write issue existed in Libnotify. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4381 : Ian Beer of Google Project Zero

OpenSSL
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9 to v10.9.4
Impact: Multiple vulnerabilities in OpenSSL 0.9.8y, including one that may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in OpenSSL 0.9.8y. These issues were addressed by updating OpenSSL to version 0.9.8za.
CVE-ID
CVE-2014-0076
CVE-2014-0195
CVE-2014-0221
CVE-2014-0224
CVE-2014-3470

QT Media Foundation
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9 to v10.9.4
Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of RLE encoded movie files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1391 : Fernando Munoz working with iDefense VCP, Tom Gallagher & Paul Bates working with HP's Zero Day Initiative

QT Media Foundation
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9 to v10.9.4
Impact: Playing a maliciously crafted MIDI file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of MIDI files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4350 : s3tm3m working with HP's Zero Day Initiative

QT Media Foundation
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9 to v10.9.4
Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of the 'mvhd' atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4979 : Andrea Micalizzi aka rgod working with HP's Zero Day Initiative

ruby
Available for: OS X Mavericks v10.9 to v10.9.4
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A heap buffer overflow existed in LibYAML's handling of percent-encoded characters in a URI. This issue was addressed through improved bounds checking. This update addresses the issues by updating LibYAML to version 0.1.6.
CVE-ID
CVE-2014-2525
https://support.apple.com/en-gb/HT204532
OS X Lion - Technical Specifications
General requirements
Mac computer with an Intel Core 2 Duo, Core i3, Core i5, Core i7, or Xeon processor
2GB of memory
OS X v10.6.6 or later (v10.6.8 recommended)
7GB of available space
Some features require an Apple ID; terms apply.
Some features require a compatible Internet service provider; fees may apply.

Feature-specific requirements
Time Machine requires an additional hard drive or Time Capsule (sold separately).
Photo Booth requires a FaceTime or iSight camera (built in or external), USB video class (UVC) camera, or FireWire DV camcorder. Backdrop effects when using a DV camcorder require fixed focus, exposure, and white balance.
FaceTime: Video calls require a built-in FaceTime camera, an iSight camera (built in or external), a USB video class (UVC) camera, or a FireWire DV camcorder; and a 128-Kbps upstream and downstream Internet connection. Making HD video calls requires a built-in FaceTime HD camera and a 1-Mbps upstream and downstream Internet connection. Receiving HD video calls requires a supported Intel-based Mac.
Screen sharing in iChat and the Finder requires a 128-Kbps Internet connection (300 Kbps recommended).
iChat: Audio chats require a microphone and a 56-Kbps Internet connection. Video chats require a FaceTime or iSight camera (built in or external), USB video class (UVC) camera, or FireWire DV camcorder; and a 128-Kbps upstream and downstream Internet connection. Backdrop effects when using a DV camcorder require fixed focus, exposure, and white balance. Some iChat features offer better performance and quality with higher system capabilities. More details
AirDrop supports the following Mac models: MacBook Pro (Late 2008 or newer); MacBook Air (Late 2010 or newer); MacBook (Late 2008 or newer); iMac (Early 2009 or newer); Mac mini (Mid 2010 or newer); Mac Pro (Early 2009 with AirPort Extreme card, or Mid 2010).
Boot Camp supports existing Boot Camp installations with Windows XP Service Pack 2, Windows Vista, or Windows 7. New Boot Camp installations require Windows 7 (sold separately).
Exchange support requires Microsoft Exchange Server 2007 Service Pack 1 Update Rollup 4 or Exchange Server 2010. Auto-setup requires enabling the Autodiscovery feature of Microsoft Exchange Server.
QuickTime X movie capture requires a FaceTime or iSight camera (built in or external), USB video class (UVC) camera, or FireWire DV camcorder.
OpenCL requires one of the following graphics cards or graphics processors: NVIDIA GeForce 320M, GeForce GT 330M, GeForce 9400M, GeForce 9600M GT, GeForce 8600M GT, GeForce GT 120, GeForce GT 130, GeForce GTX 285, GeForce 8800 GT, GeForce 8800 GS, Quadro FX 4800, Quadro FX5600; ATI Radeon HD 4670, ATI Radeon HD 4850, Radeon HD 4870, ATI Radeon HD 5670, ATI Radeon HD 5750, ATI Radeon HD 5770, ATI Radeon HD 5870; AMD Radeon HD 6630M, AMD Radeon HD 6750M, AMD Radeon HD 6770M, AMD Radeon HD 6970M.
Gestures require a Multi-Touch trackpad, Magic Trackpad, or Magic Mouse. VoiceOver gestures require a Multi-Touch trackpad or Magic Trackpad.
Mac App Store is available only to persons age 13 or older in the U.S. and many other countries. Requires compatible hardware and software and Internet access; broadband recommended (fees may apply). Terms apply.

How to Get OS X Lion
With every new Mac. Beginning when OS X Lion is released in July, every new Mac computer will come with OS X Lion.
Upgrading from OS X v10.6 Snow Leopard. Use Software Update to update to OS X v10.6.8, then purchase OS X Lion from the Mac App Store. The OS X Lion installer will download to the Dock and automatically launch. Follow the onscreen instructions to complete your installation.
OS X Lion Volume Licensing. Digitally download, install, and deploy OS X Lion to every Mac in your business or educational institution. Learn more.

What's Included in OS X Lion
Applications: Address Book, Automator, Calculator, Chess, Dashboard, Dictionary, DVD Player, FaceTime, Font Book, iCal, iChat, Image Capture, iTunes, Launchpad, Mail, Mission Control, Photo Booth, Preview, QuickTime Player, Safari, Stickies, System Preferences, TextEdit, Time Machine
Utilities: Activity Monitor, AirPort Utility, Audio MIDI Setup, Bluetooth File Exchange, Boot Camp Assistant, ColorSync Utility, Console, DigitalColor Meter, Disk Utility, Grab, Grapher, Keychain Access, Migration Assistant, Network Utility, Podcast Capture, Podcast Publisher, RAID Utility, AppleScript Editor, System Information, Terminal, VoiceOver Utility, X11
Languages: English, Japanese, French, German, Spanish, Italian, Dutch, Swedish, Danish, Norwegian, Finnish, Traditional Chinese, Simplified Chinese, Korean, Brazilian Portuguese, Portuguese (Portugal), Russian, Polish, Czech, Turkish, Hungarian, Arabic
Learn more about all applications and utilities

Recovery partition
OS X Lion includes a built-in set of tools for repairing your Mac in the Recovery HD, a new feature that lets you repair disks or reinstall OS X Lion without a physical disc. Hold down Command-R during startup to boot into the Recovery HD, or hold down the Option key during startup and select Recovery HD. You can restore from a Time Machine backup, reinstall OS X Lion over the Internet from Apple's servers, or use Disk Utility to repair or erase a disk. Learn more
https://support.apple.com/kb/SP629?locale=en_GB
OS X: Changing the language shown in menus and dialogs
The Finder and applications included with Mac OS X v10.1 or later can display menus and dialog text in any of these languages: 
 English 
 Japanese 
 French 
 German 
 Spanish 
 Italian 
 Portuguese 
 Portuguese (Portugal) -- Mac OS X v10.5 or later only 
 Dutch 
 Swedish 
 Norwegian Bokmål 
 Danish 
 Finnish 
 Russian -- Mac OS X v10.5 or later only 
 Polish -- Mac OS X v10.5 or later only 
 Chinese (Simplified) 
 Chinese (Traditional) 
 Korean 
 Arabic -- OS X Lion v10.7 or later only 
 Czech -- OS X Lion v10.7 or later only 
 Hungarian -- OS X Lion v10.7 or later only 
 Turkish -- OS X Lion v10.7 or later only 
 Thai -- OS X Lion v10.7.3 or later only 
 Catalan -- OS X Lion v10.7.3 or later only 
 Croatian -- OS X Lion v10.7.3 or later only 
 Greek -- OS X Lion v10.7.3 or later only 
 Hebrew -- OS X Lion v10.7.3 or later only 
 Romanian -- OS X Lion v10.7.3 or later only 
 Slovak -- OS X Lion v10.7.3 or later only 
 Ukrainian -- OS X Lion v10.7.3 or later only 
The order of languages used by an application is set in Language & Text preferences (or International preferences in Mac OS X v10.5.8 or earlier). If an application is not localized (translated) for the first language in the list, it will use the next available language in the list. You can add languages to the Language & Text preferences list by clicking the Edit List button that appears below the list. If you drag a language that is not one of the languages listed above to the top of the list, the Finder and applications included with Mac OS X will not display text in that language, but any other software you might have installed that has been localized for that language should be able to.
https://support.apple.com/en-gb/HT201841
OS X Lion: About Auto Save and Versions
Auto Save–Auto Save in OS X Lion saves during pauses in your work and, if you work continuously, it will save after 5 minutes. It saves in the background, so you can work without the distraction of having to remember to save, or being interrupted by progress bars. Versions–Versions automatically records the history of a document as you create and make changes to it. OS X Lion automatically creates a new version of a document each time you open it and every hour while you’re working on it. You can also create snapshots of a document whenever you like. With an interface similar to that of Time Machine, Versions shows you the current document next to a cascade of previous versions, allowing you to do side-by-side comparisons of your working document with past versions. You can restore entire past versions, or bring elements from past versions such as pictures or text into your working document. Auto Save Apps developed with Auto Save such as Preview, iWork, and TextEdit can automatically save changes to your document as you work. Because Auto Save saves all changes in the background, you can work without the distraction of pauses or progress bars. Auto Save in OS X Lion adds the changes directly into the file so there’s only one copy of the document on your Mac. This Auto Save in OS X Lion saves during pauses in your work and, if you work continuously, it will save after 5 minutes. Clicking the title bar displays its menu. Lock–You can lock a document at any time to prevent inadvertent changes. Two weeks after the last edit, OS X Lion automatically locks the document for you. Tip: You can set the interval for OS X Lion to automatically lock your documents by clicking the "Options…" button in the Time Machine System Preferences then choose what interval you want from the "Lock documents" pop-up menu. When you try to make a change on a Locked file, OS X Lion asks if you want to unlock or duplicate the file. 
When a document is locked you will see a dimmed message of "– Locked" just to the right of your window title. A lock icon appears in the bottom left of the proxy icon and also on the document icon in Finder. To unlock your document, click "– Locked" in the title bar and select "Unlock". Duplicate–The Duplicate feature creates a copy of your document and places it next to the original. So you can start a fresh version using the original as a template. Revert to Last Saved / Opened Versions–You can easily undo recent changes. If you’re not happy with the changes you made, choose "Revert to Last…", then click the confirmation sheet and your document reverts to its state when you last saved or opened it. So you can experiment freely, knowing you can always start again from the top. Browse All Versions–When selected your document will enter the Versions browser. See the "Versions" section below for details. Versions Each time you open a document, OS X Lion automatically saves the current version. It also saves a new version every hour while you work, building a history of the document as you go. You can manually create a version of your saved document at any time by choosing File > Save a Version or press Command-S (⌘-S). OS X Lion saves only the information that has changed since the last version, making efficient use of space on your hard drive. OS X Lion manages the version history of a document, keeping hourly versions for a day, daily versions for a month, and weekly versions for all previous months. When you share a document–for example through email, iChat, or AirDrop–only the current version is sent; all other versions remain on your Mac. Elements of the Versions browser 
1. Current version–The current version of your document.
2. History–A cascade of past versions of your document. Tip: You can copy and paste elements of past versions, like graphics and text, into your current version.
3. Restore button–Click it to replace your current document with the version at the front of your history (item 2).
4. Timeline–The timeline of past versions of your document. Click a date to see how your document looked on that day.

https://support.apple.com/en-gb/HT202255
About the security content of OS X Yosemite v10.10.3 and Security Update 2015-004
Admin Framework
Available for: OS X Yosemite v10.10 to v10.10.2
Impact: A process may gain admin privileges without properly authenticating
Description: An issue existed when checking XPC entitlements. This issue was addressed with improved entitlement checking.
CVE-ID
CVE-2015-1130 : Emil Kvarnhammar at TrueSec

apache
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2
Impact: Multiple vulnerabilities in Apache
Description: Multiple vulnerabilities existed in Apache versions prior to 2.4.10 and 2.2.29, including one that may allow a remote attacker to execute arbitrary code. These issues were addressed by updating Apache to versions 2.4.10 and 2.2.29.
CVE-ID
CVE-2013-5704
CVE-2013-6438
CVE-2014-0098
CVE-2014-0117
CVE-2014-0118
CVE-2014-0226
CVE-2014-0231

ATS
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2
Impact: A local user may be able to execute arbitrary code with system privileges
Description: Multiple input validation issues existed in fontd. These issues were addressed through improved input validation.
CVE-ID
CVE-2015-1131 : Ian Beer of Google Project Zero
CVE-2015-1132 : Ian Beer of Google Project Zero
CVE-2015-1133 : Ian Beer of Google Project Zero
CVE-2015-1134 : Ian Beer of Google Project Zero
CVE-2015-1135 : Ian Beer of Google Project Zero

Certificate Trust Policy
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. View the complete list of certificates.

CFNetwork HTTPProtocol
Available for: OS X Yosemite v10.10 to v10.10.2
Impact: Cookies belonging to one origin may be sent to another origin
Description: A cross-domain cookie issue existed in redirect handling. Cookies set in a redirect response could be passed on to a redirect target belonging to another origin. The issue was addressed through improved handling of redirects.
CVE-ID
CVE-2015-1089 : Niklas Keller (http://kelunik.com)

CFNetwork Session
Available for: OS X Yosemite v10.10 to v10.10.2
Impact: Authentication credentials may be sent to a server on another origin
Description: A cross-domain HTTP request headers issue existed in redirect handling. HTTP request headers sent in a redirect response could be passed on to another origin. The issue was addressed through improved handling of redirects.
CVE-ID
CVE-2015-1091 : Diego Torres (http://dtorres.me)

CFURL
Available for: OS X Yosemite v10.10 to v10.10.2
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: An input validation issue existed within URL processing. This issue was addressed through improved URL validation.
CVE-ID
CVE-2015-1088 : Luigi Galli

CoreAnimation
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A use-after-free issue existed in CoreAnimation. This issue was addressed through improved mutex management.
CVE-ID
CVE-2015-1136 : Apple

CUPS
Available for: OS X Yosemite v10.10 to v10.10.2
Impact: A local user may be able to execute arbitrary code with root privileges
Description: A use-after-free issue existed in how CUPS handled IPP messages. This issue was addressed through improved reference counting.
CVE-ID
CVE-2015-1158 : Neel Mehta of Google

CUPS
Available for: OS X Yosemite v10.10 to v10.10.2
Impact: In certain configurations, a remote attacker may be able to submit arbitrary print jobs
Description: A cross-site scripting issue existed in the CUPS web interface. This issue was addressed through improved output sanitization.
CVE-ID
CVE-2015-1159 : Neel Mehta of Google

FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: Multiple memory corruption issues existed in the processing of font files. These issues were addressed through improved bounds checking.
CVE-ID
CVE-2015-1093 : Marc Schoenefeld

Graphics Driver
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2
Impact: A local user may be able to execute arbitrary code with system privileges
Description: A NULL pointer dereference existed in the NVIDIA graphics driver's handling of certain IOService userclient types. This issue was addressed through additional context validation.
CVE-ID
CVE-2015-1137 : Frank Graziano and John Villamil of the Yahoo Pentest Team

Hypervisor
Available for: OS X Yosemite v10.10 to v10.10.2
Impact: A local application may be able to cause a denial of service
Description: An input validation issue existed in the hypervisor framework. This issue was addressed through improved input validation.
CVE-ID
CVE-2015-1138 : Izik Eidus and Alex Fishman

ImageIO
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2
Impact: Processing a maliciously crafted .sgi file may lead to arbitrary code execution
Description: A memory corruption issue existed in the handling of .sgi files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2015-1139 : Apple

IOHIDFamily
Available for: OS X Yosemite v10.10 to v10.10.2
Impact: A malicious HID device may be able to cause arbitrary code execution
Description: A memory corruption issue existed in an IOHIDFamily API. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1095 : Andrew Church

IOHIDFamily
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2
Impact: A local user may be able to execute arbitrary code with system privileges
Description: A buffer overflow issue existed in IOHIDFamily. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1140 : lokihardt@ASRT working with HP's Zero Day Initiative, Luca Todesco, Vitaliy Toropov working with HP's Zero Day Initiative (ZDI)

IOHIDFamily
Available for: OS X Yosemite v10.10 to v10.10.2
Impact: A local user may be able to determine kernel memory layout
Description: An issue existed in IOHIDFamily that led to the disclosure of kernel memory content. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2015-1096 : Ilja van Sprundel of IOActive

IOHIDFamily
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A heap buffer overflow existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4404 : Ian Beer of Google Project Zero

IOHIDFamily
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A null pointer dereference existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved validation of IOHIDFamily key-mapping properties.
CVE-ID
CVE-2014-4405 : Ian Beer of Google Project Zero

IOHIDFamily
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: A user may be able to execute arbitrary code with system privileges
Description: An out-of-bounds write issue existed in the IOHIDFamily driver. The issue was addressed through improved input validation.
CVE-ID
CVE-2014-4380 : cunzhang from Adlab of Venustech

Kernel
Available for: OS X Yosemite v10.10 to v10.10.2
Impact: A local user may be able to cause unexpected system shutdown
Description: An issue existed in the handling of virtual memory operations within the kernel. The issue is fixed through improved handling of the mach_vm_read operation.
CVE-ID
CVE-2015-1141 : Ole Andre Vadla Ravnas of www.frida.re

Kernel
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2
Impact: A local user may be able to cause a system denial of service
Description: A race condition existed in the kernel's setreuid system call. This issue was addressed through improved state management.
CVE-ID
CVE-2015-1099 : Mark Mentovai of Google Inc.

Kernel
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2
Impact: A local application may escalate privileges using a compromised service intended to run with reduced privileges
Description: setreuid and setregid system calls failed to drop privileges permanently. This issue
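The last Kernel entry above is about a privilege drop that did not stick: a service that lowered its real and effective IDs with setreuid/setregid still had a privileged saved ID, so once compromised it could set its effective ID back. The check a service author wants is not "did the call return 0" but "are all three IDs now the target, and does regaining root fail". The code below is an added example, not Apple's kernel fix or any project's code: it drops privileges the portable way, then proves the drop held. It assumes a POSIX system; os.setresuid/os.getresuid exist on Linux but not on macOS, so the fallback uses setgid/setuid, which set all three IDs when the caller is root, and verification then rests on the seteuid(0) probe alone.

```python
import os


def ids_fully_dropped(resuid, resgid, uid, gid):
    """True only if real, effective AND saved IDs all equal the target.

    A saved ID that still holds a privileged value is exactly what a
    drop that touches only the real and effective IDs leaves behind:
    the process can call seteuid() later and get the privilege back.
    """
    return tuple(resuid) == (uid, uid, uid) and tuple(resgid) == (gid, gid, gid)


def can_regain_root():
    """Probe: try to get an effective UID of 0. Unprivileged callers get EPERM."""
    try:
        os.seteuid(0)
    except PermissionError:
        return False
    return True


def drop_privileges_permanently(uid, gid):
    """Drop to uid/gid so that the change cannot be undone, and prove it.

    Order matters: supplementary groups, then GID, then UID. Once the UID
    is unprivileged the process may no longer change the other two.
    """
    if os.geteuid() == 0:
        os.setgroups([])                  # supplementary groups first
    if hasattr(os, "setresuid"):          # Linux: set real, effective, saved in one call
        os.setresgid(gid, gid, gid)
        os.setresuid(uid, uid, uid)
    else:                                 # macOS: setuid()/setgid() set all three when root
        os.setgid(gid)
        os.setuid(uid)

    if hasattr(os, "getresuid") and not ids_fully_dropped(
            os.getresuid(), os.getresgid(), uid, gid):
        raise RuntimeError("privilege drop incomplete: a saved ID still differs")
    if uid != 0 and can_regain_root():
        raise RuntimeError("regained root after the drop: it was not permanent")
    return True


def self_check():
    """Drop to the caller's own IDs (or to 65534 when running as root)."""
    if os.getuid() == 0:
        uid, gid = 65534, 65534           # assumed 'nobody'-style IDs for the demo
    else:
        uid, gid = os.getuid(), os.getgid()
    return drop_privileges_permanently(uid, gid)


if __name__ == "__main__":
    print("drop held:", self_check())
```

ids_fully_dropped is the part worth lifting into a service's startup code: the (uid, uid, 0) pattern it rejects is precisely the state a broken setreuid leaves behind.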
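The two CFNetwork entries above (CVE-2015-1089 and CVE-2015-1091) are the same client bug seen from two sides: state attached to a redirect, namely cookies set in the 3xx response and credential headers on the original request, followed the client to a Location on a different origin. The function below is an added example, not CFNetwork code: one redirect step of a hypothetical HTTP client, with strict=False reproducing the faulty forwarding and strict=True the fix. The URLs, header names and the cookie-jar layout are constructed for the example, and response header keys are assumed to be lower-cased.

```python
from urllib.parse import urlsplit, urljoin

# Request headers that carry credentials for the origin they were sent to.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def origin(url):
    """(scheme, host, port) with default ports filled in: the unit of isolation."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or {"http": 80, "https": 443}.get(scheme)
    return scheme, (p.hostname or "").lower(), port


def parse_set_cookie(header):
    """name, value from a Set-Cookie header; attributes are ignored here."""
    name, _, value = header.split(";", 1)[0].partition("=")
    return name.strip(), value.strip()


def follow_redirect(request_url, request_headers, status, response_headers,
                    jar, strict=True):
    """Compute the next request after a 3xx response.

    jar maps origin -> {cookie name: value} and is updated in place.
    strict=False reproduces the faulty behaviour (everything follows the
    redirect); strict=True is the fix. Returns (url, headers) or None.
    """
    if status not in REDIRECT_CODES or "location" not in response_headers:
        return None
    next_url = urljoin(request_url, response_headers["location"])
    src, dst = origin(request_url), origin(next_url)

    # Cookies in the redirect response belong to the origin that sent them,
    # whatever the Location header points at.
    for sc in response_headers.get("set-cookie", []):
        name, value = parse_set_cookie(sc)
        jar.setdefault(src, {})[name] = value

    if strict:
        # Credentials never cross an origin boundary; cookies come from the
        # jar entry of the origin we are about to contact, nothing else.
        headers = {k: v for k, v in request_headers.items()
                   if not (src != dst and k.lower() in CREDENTIAL_HEADERS)}
        cookies = jar.get(dst, {})
    else:
        headers = dict(request_headers)                     # leaks Authorization
        cookies = {**jar.get(dst, {}), **jar.get(src, {})}  # leaks src's cookies

    if cookies:
        fresh = "; ".join(f"{k}={v}" for k, v in cookies.items())
        headers["Cookie"] = f"{headers['Cookie']}; {fresh}" if "Cookie" in headers else fresh
    return next_url, headers


def demo(strict, location="https://evil.example/landing"):
    """Constructed exchange: a request carrying credentials receives a 302
    that both points elsewhere and sets a cookie."""
    jar = {}
    req = {"Authorization": "Bearer s3cr3t", "Cookie": "sid=111"}
    resp = {"location": location, "set-cookie": ["session=abc; Path=/; HttpOnly"]}
    return follow_redirect("https://app.example/login", req, 302, resp, jar, strict)


if __name__ == "__main__":
    print("faulty:", demo(strict=False))
    print("fixed: ", demo(strict=True))
    print("same-origin, fixed:", demo(strict=True, location="/home"))
```

The faulty path sends both the bearer token and the freshly set session cookie to evil.example; the fixed path sends neither, while a same-origin hop (a relative Location) keeps everything. Cookie attributes such as Domain and Secure, and the method change a 302/303 implies for POST, are left out to keep the origin rule visible.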
https://support.apple.com/en-gb/HT204659
About the security content of Safari 6.1

 
 Safari 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5 
 Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution 
 Description: A memory corruption issue existed in the handling of XML files. This issue was addressed through additional bounds checking. 
 
 CVE-ID 
 CVE-2013-1036 : Kai Lu of Fortinet's FortiGuard Labs 
 
 
 
 WebKit 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.3 
 Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution 
 Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling. 
 CVE-ID 
 CVE-2013-1037 : Google Chrome Security Team 
 CVE-2013-1038 : Google Chrome Security Team 
 CVE-2013-1039 : own-hero Research working with iDefense VCP 
 CVE-2013-1040 : Google Chrome Security Team 
 CVE-2013-1041 : Google Chrome Security Team 
 CVE-2013-1042 : Google Chrome Security Team 
 CVE-2013-1043 : Google Chrome Security Team 
 CVE-2013-1044 : Apple 
 CVE-2013-1045 : Google Chrome Security Team 
 CVE-2013-1046 : Google Chrome Security Team 
 CVE-2013-1047 : miaubiz 
 CVE-2013-2842 : Cyril Cattiaux 
 CVE-2013-5125 : Google Chrome Security Team 
 CVE-2013-5126 : Apple 
 CVE-2013-5127 : Google Chrome Security Team 
 CVE-2013-5128 : Apple 
 
 
 
 WebKit 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5 
 Impact: Visiting a maliciously crafted website may lead to an information disclosure 
 Description: An information disclosure issue existed in XSSAuditor. This issue was addressed through improved handling of URLs. 
 CVE-ID 
 CVE-2013-2848 : Egor Homakov 
 
 
 
 WebKit 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5 
 Impact: Dragging or pasting a selection may lead to a cross-site scripting attack 
 Description: Dragging or pasting a selection from one site to another may allow scripts contained in the selection to be executed in the context of the new site. This issue is addressed through additional validation of content before a paste or a drag and drop operation. 
 CVE-ID 
 CVE-2013-5129 : Mario Heiderich 
 
 
 
 WebKit 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5 
 Impact: Using the Web Inspector disabled Private Browsing 
 Description: Using the Web Inspector disabled Private Browsing without warning. This issue was addressed by improved state management. 
 CVE-ID 
 CVE-2013-5130 : László Várady of Eötvös Loránd University 
 
 
 
 WebKit 
 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5 
 Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack 
 Description: A cross-site scripting issue existed in the handling of URLs. This issue was addressed through improved origin tracking. 
 CVE-ID 
 CVE-2013-5131 : Erling A Ellingsen 
 
 
 Note: OS X Mavericks includes these fixes with Safari 7.0.
https://support.apple.com/en-gb/HT202844
About the security content of OS X Yosemite v10.10.4 and Security Update 2015-005
Admin Framework
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.3
Impact: A process may gain admin privileges without proper authentication
Description: An issue existed when checking XPC entitlements. This issue was addressed through improved entitlement checking.
CVE-ID
CVE-2015-3671 : Emil Kvarnhammar at TrueSec

Admin Framework
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.3
Impact: A non-admin user may obtain admin rights
Description: An issue existed in the handling of user authentication. This issue was addressed through improved error checking.
CVE-ID
CVE-2015-3672 : Emil Kvarnhammar at TrueSec

Admin Framework
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: An attacker may abuse Directory Utility to gain root privileges
Description: Directory Utility was able to be moved and modified to achieve code execution within an entitled process. This issue was addressed by limiting the disk location that writeconfig clients may be executed from.
CVE-ID
CVE-2015-3673 : Patrick Wardle of Synack, Emil Kvarnhammar at TrueSec

afpserver
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the AFP server. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3674 : Dean Jerkovich of NCC Group

apache
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: An attacker may be able to access directories that are protected with HTTP authentication without knowing the correct credentials
Description: The default Apache configuration did not include mod_hfs_apple. If Apache was manually enabled and the configuration was not changed, some files that should not be accessible might have been accessible using a specially crafted URL. This issue was addressed by enabling mod_hfs_apple.
CVE-ID
CVE-2015-3675 : Apple

apache
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.3
Impact: Multiple vulnerabilities exist in PHP, the most serious of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in PHP versions prior to 5.5.24 and 5.4.40. These were addressed by updating PHP to versions 5.5.24 and 5.4.40.
CVE-ID
CVE-2015-0235
CVE-2015-0273

AppleGraphicsControl
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel memory layout
Description: An issue existed in AppleGraphicsControl which could have led to the disclosure of kernel memory layout. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2015-3676 : Chen Liang of KEEN Team

AppleFSCompression
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel memory layout
Description: An issue existed in LZVN compression that could have led to the disclosure of kernel memory content. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3677 : an anonymous researcher working with HP's Zero Day Initiative

AppleThunderboltEDMService
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue existed in the handling of certain Thunderbolt commands from local processes. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3678 : Apple

ATS
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the handling of certain fonts. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3679 : Pawel Wylecial working with HP's Zero Day Initiative
CVE-2015-3680 : Pawel Wylecial working with HP's Zero Day Initiative
CVE-2015-3681 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3682 : 魏诺德

Bluetooth
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue existed in the Bluetooth HCI interface. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3683 : Roberto Paleari and Aristide Fattori of Emaze Networks

Certificate Trust Policy
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.3
Impact: An attacker with a privileged network position may be able to intercept network traffic
Description: An intermediate certificate was incorrectly issued by the certificate authority CNNIC. This issue was addressed through the addition of a mechanism to trust only a subset of certificates issued prior to the mis-issuance of the intermediate. You can learn more about the security partial trust allow list.

Certificate Trust Policy
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.3
Description: The certificate trust policy was updated. The complete list of certificates may be viewed at the OS X Trust Store.

CFNetwork HTTPAuthentication
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.3
Impact: Following a maliciously crafted URL may lead to arbitrary code execution
Description: A memory corruption issue existed in the handling of certain URL credentials. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3684 : Apple

CoreText
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted text file may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the processing of text files. These issues were addressed through improved bounds checking.
CVE-ID
CVE-2015-1157
CVE-2015-3685 : Apple
CVE-2015-3686 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3687 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3688 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3689 : Apple

coreTLS
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: An attacker with a privileged network position may intercept SSL/TLS connections
Description: coreTLS accepted short ephemeral Diffie-Hellman (DH) keys, as used in export-strength ephemeral DH cipher suites. This issue, also known as Logjam, allowed an attacker with a privileged network position to downgrade security to 512-bit DH if the server supported an export-strength ephemeral DH cipher suite. The issue was addressed by increasing the default minimum size allowed for DH ephemeral keys to 768 bits.
CVE-ID
CVE-2015-4000 : The weakdh team at weakdh.org, Hanno Boeck

DiskImages
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel memory layout
Description: An information disclosure issue existed in the processing of disk images. This issue was addressed through improved memory management.
CVE-ID
CVE-2015-3690 : Peter Rutenbar working with HP's Zero Day Initiative

Display Drivers
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: An issue existed in the Monitor Control Command Set kernel extension by which a userland process could control the value of a function pointer within the kernel. The issue was addressed by removing the affected interface.
CVE-ID
CVE-2015-3691 : Roberto Paleari and Aristide Fattori of Emaze Networks

EFI
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application with root privileges may be able to modify EFI flash memory
Description: An insufficient locking issue existed with EFI flash when resuming from sleep states. This issue was addressed through improved locking.
CVE-ID
CVE-2015-3692 : Trammell Hudson of Two Sigma
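The first apache entry in this update (CVE-2015-3675) is a case-mapping bypass. Apache matched its access rules against the path as it appeared in the URL, while HFS+ is case-insensitive and served the file for any capitalization of that path, so a request spelled /PRIVATE/... fell outside a rule written for /Private/ yet still reached the file; mod_hfs_apple exists to reconcile the request path with the on-disk name before the rule is applied. The model below is an added example, not Apache or Apple code: a constructed document root and access rule, a case-insensitive lookup standing in for HFS+, and serve() with canonicalize=False (the unfixed configuration) beside canonicalize=True.

```python
# Constructed on-disk tree; keys are the canonical (as-created) paths.
DOCROOT_FILES = {
    "/index.html": b"public page",
    "/Private/secret.txt": b"top secret",
}

# Constructed equivalent of a <Directory> block that requires authentication.
PROTECTED_DIRS = ["/Private"]


def hfs_lookup(request_path):
    """Resolve a path the way a case-insensitive, case-preserving filesystem
    does: match ignoring case, return the canonical on-disk name or None."""
    wanted = request_path.lower()
    for canonical in DOCROOT_FILES:
        if canonical.lower() == wanted:
            return canonical
    return None


def requires_auth(path):
    """Case-sensitive prefix match, as a directory rule written for Unix would do."""
    return any(path == d or path.startswith(d + "/") for d in PROTECTED_DIRS)


def serve(request_path, authenticated, canonicalize):
    """Return (status, body).

    canonicalize=False: the rule is matched against the URL as typed, but the
    file is fetched through the case-insensitive filesystem (the bug).
    canonicalize=True: the rule is matched against the on-disk spelling.
    """
    on_disk = hfs_lookup(request_path)
    if on_disk is None:
        return 404, b""
    checked_path = on_disk if canonicalize else request_path
    if requires_auth(checked_path) and not authenticated:
        return 401, b""
    return 200, DOCROOT_FILES[on_disk]


def bypass_spellings(canonical_path):
    """A few alternative spellings an attacker would try for a protected path."""
    return [canonical_path.upper(), canonical_path.lower(), canonical_path.swapcase()]


if __name__ == "__main__":
    for spelling in bypass_spellings("/Private/secret.txt"):
        print(spelling, "unfixed:", serve(spelling, False, canonicalize=False)[0],
              "fixed:", serve(spelling, False, canonicalize=True)[0])
```

The same shape of bug appears wherever an access decision and a filesystem disagree on what counts as the same name: Unicode normalization on HFS+ (which stores names in decomposed form) and percent-encoded path segments are the next two things to feed through a check like this. Whether the fixed server canonicalizes or rejects mismatched spellings is a policy choice; rejecting is the simpler rule to reason about.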
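The coreTLS entry above (CVE-2015-4000, Logjam) is fixed on the client side by a size check: the DHE ServerKeyExchange carries the modulus p in the clear, so a client can refuse the handshake when p is an export-strength 512-bit group before any key is derived. The code below is an added example, not coreTLS: it parses the ServerDHParams structure from RFC 5246 section 7.4.3 (three length-prefixed big-endian integers, p, g and Ys, followed by the signature) and applies the minimum this update chose, 768 bits, alongside the 2048-bit floor a deployment should use today. The two moduli are constructed for the test; they have the right sizes but are not known primes, since the size check is the point.

```python
import struct

MIN_DH_BITS_UPDATE = 768       # default minimum adopted in this update
MIN_DH_BITS_RECOMMENDED = 2048 # what a current client should require


def _opaque16(x):
    """Encode a non-negative integer as opaque<1..2^16-1> (RFC 5246 vector)."""
    raw = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    return struct.pack("!H", len(raw)) + raw


def encode_server_dh_params(p, g, ys):
    """ServerDHParams as it appears at the start of a DHE ServerKeyExchange."""
    return _opaque16(p) + _opaque16(g) + _opaque16(ys)


def parse_server_dh_params(body):
    """Return (p, g, Ys, rest); rest is the signature, which is not verified here."""
    offset, values = 0, []
    for field in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"truncated before {field}")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError(f"bad length for {field}")
        values.append(int.from_bytes(body[offset:offset + length], "big"))
        offset += length
    p, g, ys = values
    return p, g, ys, body[offset:]


def check_dh_params(p, g, ys, min_bits):
    """Return (ok, reason). Reject small moduli and degenerate values."""
    bits = p.bit_length()
    if bits < min_bits:
        return False, f"dh_p is {bits} bits, below the {min_bits}-bit minimum"
    if p % 2 == 0:
        return False, "dh_p is even"
    if not 2 <= g <= p - 2:
        return False, "dh_g out of range"
    if not 2 <= ys <= p - 2:
        return False, "dh_Ys out of range (degenerate server public value)"
    return True, "ok"


def check_server_key_exchange(body, min_bits=MIN_DH_BITS_RECOMMENDED):
    """Parse the message and decide whether to continue the handshake."""
    p, g, ys, _signature = parse_server_dh_params(body)
    return check_dh_params(p, g, ys, min_bits)


# Constructed moduli: correct sizes, not vetted primes.
EXPORT_P_512 = (1 << 511) | 0x1D5D5D5D5D5D5D5D
STRONG_P_2048 = (1 << 2047) | 0x4B4B4B4B4B4B4B4B


if __name__ == "__main__":
    weak = encode_server_dh_params(EXPORT_P_512, 2, 0x1234) + b"\x06\x01\x00\x02ab"
    strong = encode_server_dh_params(STRONG_P_2048, 2, 0x1234)
    print("export group, 768-bit floor:", check_server_key_exchange(weak, MIN_DH_BITS_UPDATE))
    print("2048-bit group, 2048-bit floor:", check_server_key_exchange(strong))
```

A real client also has to verify the signature over client_random, server_random and these parameters, and the downgrade Logjam describes is only possible when the server offers an export suite at all, so the server-side fix is to remove DHE_EXPORT suites and move to 2048-bit groups.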
https://support.apple.com/en-gb/HT204942
About the security content of OS X Mavericks v10.9.4 and Security Update 2014-003

	 
	 Certificate Trust Policy 

	 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.3 

	 Impact: Update to the certificate trust policy 

	 Description: The certificate trust policy was updated. The complete list of certificates may be viewed at http://support.apple.com/kb/HT6005. 
	 
 
	 
	 copyfile 

	 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.3 

	 Impact: Opening a maliciously crafted zip file may lead to an unexpected application termination or arbitrary code execution 
	

	 Description: An out of bounds byte swapping issue existed in the handling of AppleDouble files in zip archives. This issue was addressed through improved bounds checking. 

	 CVE-ID 

	 CVE-2014-1370 : Chaitanya (SegFault) working with iDefense VCP 
	 
 
	 
	 curl 

	 Available for: OS X Mavericks 10.9 to 10.9.3 

	 Impact: A remote attacker may be able to gain access to another user's session 
	

	 Description: cURL re-used NTLM connections when more than one authentication method was enabled, which allowed an attacker to gain access to another user's session. 

	 CVE-ID 

	 CVE-2014-0015 
	 
 
	 
	 Dock 

	 Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.3 

	 Impact: A sandboxed application may be able to circumvent sandbox restrictions 
	

	 Description: An unvalidated array index issue existed in the Dock’s handling of messages from applications. A maliciously crafted message could cause an invalid function pointer to be dereferenced, which could lead to an unexpected application termination or arbitrary code execution. 

	 CVE-ID 

	 CVE-2014-1371 : an anonymous researcher working with HP's Zero Day Initiative 
	 
 
	 
	 Graphics Driver 

	 Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.3 

	 Impact: A local user can read kernel memory, which can be used to bypass kernel address space layout randomization 
	

	 Description: An out-of-bounds read issue existed in the handling of a system call. This issue was addressed through improved bounds checking. 

	 CVE-ID 

	 CVE-2014-1372 : Ian Beer of Google Project Zero 
	 
 
	 
	 iBooks Commerce 

	 Available for: OS X Mavericks 10.9 to 10.9.3 

	 Impact: An attacker with access to a system may be able to recover Apple ID credentials 
	

	 Description: An issue existed in the handling of iBooks logs. The iBooks process could log Apple ID credentials in the iBooks log where other users of the system could read it. This issue was addressed by disallowing logging of credentials. 

	 CVE-ID 

	 CVE-2014-1317 : Steve Dunham 
	 
 
	 
	 Intel Graphics Driver 

	 Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.3 

	 Impact: A malicious application may be able to execute arbitrary code with system privileges 
	

	 Description: A validation issue existed in the handling of an OpenGL API call. This issue was addressed through improved bounds checking. 

	 CVE-ID 

	 CVE-2014-1373 : Ian Beer of Google Project Zero 
	 
 
	 
	 Intel Graphics Driver 

	 Available for: OS X Mavericks 10.9 to 10.9.3 

	 Impact: A local user can read a kernel pointer, which can be used to bypass kernel address space layout randomization 
	

	 Description: A kernel pointer stored in an IOKit object could be retrieved from userland. This issue was addressed by removing the pointer from the object. 

	 CVE-ID 

	 CVE-2014-1375 
	 
 
	 
	 Intel Compute 

	 Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.3 

	 Impact: A malicious application may be able to execute arbitrary code with system privileges 
	

	 Description: A validation issue existed in the handling of an OpenCL API call. This issue was addressed through improved bounds checking. 

	 CVE-ID 

	 CVE-2014-1376 : Ian Beer of Google Project Zero 
	 
 
	 
	 IOAcceleratorFamily 

	 Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.3 

	 Impact: A malicious application may be able to execute arbitrary code with system privileges 
	

	 Description: An array indexing issue existed in IOAcceleratorFamily. This issue was addressed through improved bounds checking. 

	 CVE-ID 

	 CVE-2014-1377 : Ian Beer of Google Project Zero 
	 
 
	 
	 IOGraphicsFamily 

	 Available for: OS X Mavericks 10.9 to 10.9.3 

	 Impact: A local user can read a kernel pointer, which can be used to bypass kernel address space layout randomization 
	

	 Description: A kernel pointer stored in an IOKit object could be retrieved from userland. This issue was addressed by using a unique ID instead of a pointer. 

	 CVE-ID 

	 CVE-2014-1378 
	 
 
	 
	 IOReporting 

	 Available for: OS X Mavericks 10.9 to 10.9.3 

	 Impact: A local user could cause an unexpected system restart 

	 Description: A null pointer dereference existed in the handling of IOKit API arguments. This issue was addressed through additional validation of IOKit API arguments. 

	 CVE-ID 

	 CVE-2014-1355 : cunzhang from Adlab of Venustech 
	 
 
	 
	 launchd 

	 Available for: OS X Mavericks 10.9 to 10.9.3 

	 Impact: A malicious application may be able to execute arbitrary code with system privileges 
	

	 Description: An integer underflow existed in launchd. This issue was addressed through improved bounds checking. 

	 CVE-ID 

	 CVE-2014-1359 : Ian Beer of Google Project Zero 
	 
 
	 
	 launchd 

	 Available for: OS X Mavericks 10.9 to 10.9.3 

	 Impact: A malicious application may be able to execute arbitrary code with system privileges 

	 Description: A heap buffer overflow existed in launchd's handling of IPC messages. This issue was addressed through improved bounds checking. 

	 CVE-ID 

	 CVE-2014-1356 : Ian Beer of Google Project Zero 
	 
 
	 
	 launchd 

	 Available for: OS X Mavericks 10.9 to 10.9.3 

	 Impact: A malicious application may be able to execute arbitrary code with system privileges 

	 Description: A heap buffer overflow existed in launchd's handling of log messages. This issue was addressed through improved bounds checking. 

	 CVE-ID 

	 CVE-2014-1357 : Ian Beer of Google Project Zero 
	 
 
	 
	 launchd 

	 Available for: OS X Mavericks 10.9 to 10.9.3 

	 Impact: A malicious application may be able to execute arbitrary code with system privileges 
	

	 Description: An integer overflow existed in launchd. This issue was addressed through improved bounds checking. 

	 CVE-ID 

	 CVE-2014-1358 : Ian Beer of Google Project Zero 
	 
 
	 
	 Graphics Drivers 

	 Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.3 

	 Impact: A malicious application may be able to execute arbitrary code with system privileges 
	

	 Description: Multiple null dereference issues existed in kernel graphics drivers. A maliciously crafted 32-bit executable may have been able to obtain elevated privileges. 

	 CVE-ID 

	 CVE-2014-1379 : Ian Beer of Google Project Zero 
	 
 
	 
	 Security - Keychain 

	 Available for: OS X Mavericks 10.9 to 10.9.3 

	 Impact: An attacker may be able to type into windows under the screen lock 

	 Description: Under rare circumstances, the screen lock did not intercept keystrokes. This could have allowed an attacker to type into windows under the screen lock. This issue was addressed