Secunia Security Advisory - Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
NOTE: This vulnerability does not affect Mac OS X 10.6.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
3) An unspecified error in the handling of embedded TrueType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
4) An error within Certificate Trust Policy when handling an Extended
Validation (EV) certificate with no OCSP URL can be exploited to
disclose certain sensitive information via Man-in-the-Middle (MitM)
attacks.
5) An integer overflow error when processing ColorSync profiles
embedded in images can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code via a specially
crafted image.
6) An off-by-one error within the CoreFoundation framework when
handling CFStrings can be exploited to execute arbitrary code.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO's handling of TIFF files can be exploited to
cause a heap-based buffer overflow.
10) An error in ImageIO's handling of JPEG2000 files can be exploited
to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when
handling certain uppercase strings can be exploited to cause a buffer
overflow.
12) A NULL pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases. This can be exploited to disclose a user's MobileMe email
aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused by a vulnerable bundled version
of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused by a vulnerable bundled version
of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused by a vulnerable bundled version of
GNU patch.
For more information:
SA43677
19) An unspecified error in QuickLook within the processing of
Microsoft Office files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
NOTE: This vulnerability only affects Mac OS X 10.6.
20) An integer overflow error in QuickTime when handling RIFF WAV
files can be exploited to execute arbitrary code.
21) An error within QuickTime when processing sample tables in
QuickTime movie files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
22) An integer overflow error in QuickTime when handling certain
movie files can be exploited to execute arbitrary code.
23) An error in QuickTime when handling PICT image files can be
exploited to cause a buffer overflow and execute arbitrary code.
24) An error in QuickTime when handling JPEG image files can be
exploited to cause a buffer overflow and execute arbitrary code.
25) Some vulnerabilities are caused by a vulnerable bundled version
of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused by a vulnerable bundled version of
Subversion.
For more information:
SA43603
SOLUTION:
Update to version 10.6.8 or apply Security Update 2011-004.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19) Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third-party patches; only
use those supplied by the vendor.
----------------------------------------------------------------------