Key Vulnerability Information

Safari
- Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
- Impact: An attacker with a privileged network position may intercept user credentials
- Description: Saved passwords were autofilled on http sites, on https sites with broken trust, and in iframes. This was fixed by restricting password autofill to the main frame of https sites with valid certificate chains.
- CVE-ID: CVE-2014-4363
- Researchers: David Silver, Suman Jana, Dan Boneh, Eric Chen, Collin Jackson

WebKit
- Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
- Impact: Visiting a maliciously crafted website may lead to unexpected application termination or arbitrary code execution
- Description: Multiple memory corruption issues existed in WebKit, addressed through improved memory handling.
- CVE-IDs:
  - CVE-2013-6663: Atte Kettunen of OUSPG
  - CVE-2014-4410: Eric Seidel of Google
  - CVE-2014-4411: Google Chrome Security Team
  - CVE-2014-4412, CVE-2014-4413, CVE-2014-4414, CVE-2014-4415: Apple

WebKit (Private Browsing Issue)
- Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
- Impact: A malicious website may be able to track users even when private browsing is enabled
- Description: A web application could store HTML5 application cache data during normal browsing and read it during private browsing. This was fixed by disabling access to the application cache in private browsing mode.
- CVE-ID: CVE-2014-4409: Yosuke Hasegawa (NetAgent Co., Ltd.)