Vulnerability identifier: #VU41513

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2014-1372

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
macOS
Operating systems & Components / Operating system

Vendor: Apple Inc.

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Graphics Driver in Apple OS X before 10.9.4 does not properly restrict read operations during processing of an unspecified system call, which allows local users to obtain sensitive information from kernel memory and bypass the ASLR protection mechanism via a crafted call.

Mitigation
Install update from vendor's website.

Vulnerable software versions

macOS: 10.8.0 - 10.8.5, 10.9 - 10.9.2

---

External links
http://archives.neohapsis.com/archives/bugtraq/2014-06/0172.html
http://secunia.com/advisories/59475
http://support.apple.com/kb/HT6296
http://www.securitytracker.com/id/1030505
http://code.google.com/p/google-security-research/issues/detail?id=18

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.