
Secunia Security Advisory 46417

Posted Oct 13, 2011
Authored by Secunia | Site secunia.com

Secunia Security Advisory - Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

tags | advisory, vulnerability
systems | apple, osx
SHA-256 | 1f0f5df5e2173d76d0bb94cd45ae7d65894edbf2a469719b236d8f5b687c5590


TITLE:
Apple Mac OS X Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA46417

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46417/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46417

RELEASE DATE:
2011-10-14

DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.

1) Some vulnerabilities exist in Apache, BIND, CoreFoundation,
CoreMedia, iChat Server, Mailman, Postfix, PHP, Python, QuickTime,
Tomcat, and X11:

For more information:
SA37426
SA38219
SA39574
SA39937
SA40148
SA41724
SA42337
SA42374
SA42435
SA43194
SA43198
SA43389
SA43646
SA43814
SA44490
SA44719
SA44787
SA45046
SA45082
SA45167
SA45516
SA45606
SA46339

2) A format string error in the Application Firewall's debug logging
can be exploited via a specially crafted name.

3) A signedness error in the ATS component when handling Type 1 fonts
can be exploited via a specially crafted font embedded in a document.

4) An error in the ATS component when handling Type 1 fonts can be
exploited to access an out of bounds memory location via a specially
crafted font embedded in a document.

5) An error in the ATSFontDeactivate API can be exploited to cause a
buffer overflow.

6) A synchronization error in the CFNetwork component when handling
cookie policies can be exploited to bypass Safari's cookie
preferences and store a cookie that would otherwise be blocked.

7) An error in the CFNetwork component when handling HTTP cookies can
be exploited to send a cookie for a domain to a server outside of that
domain.

8) Some errors in the CoreMedia component when handling QuickTime
movie files can be exploited to corrupt memory.

9) An error in the CoreProcesses component when handling system
windows (e.g. VPN password prompt) while the screen is locked can be
exploited to partially bypass the screen lock.

10) An error in the CoreStorage component when enabling FileVault
results in some data at the start of a volume not being encrypted.

11) An error when handling HTTPS connections to WebDAV volumes, where
certificate information is not properly verified, can be exploited
via a Man-in-the-Middle (MitM) attack.

12) An error in the IOGraphics component within the screen lock
functionality when used with Apple Cinema displays can be exploited
to access the system without entering a password.

13) A logic error in the kernel's DMA protection can be exploited to
access a user's password via FireWire DMA access at loginwindow,
boot, or shutdown processing.

14) A logic error in the kernel's handling of file deletions in
directories when the sticky bit was set can be exploited to delete
another user's files within a shared directory.

15) An error exists in the libsecurity module when handling errors
during the parsing of a nonstandard certificate revocation list
extension.

16) Some errors in the MediaKit component when handling disk images
can be exploited to corrupt memory.

17) An error in the Open Directory component within the access
control mechanism can be exploited to access another local user's
password data.

18) An error in the Open Directory component within the access
control mechanism can be exploited to change another user's
password.

19) An error in the Open Directory component when bound to an LDAPv3
server and no AuthenticationAuthority attribute for a user exists can
be exploited by an LDAP user to log in without a password.

20) Some errors in QuickTime when handling movie files can be
exploited to corrupt memory via a specially crafted file.

21) An error in QuickTime within the "Save for Web" export feature
due to storing certain JavaScript code from the vendor's website
using HTTP can be exploited to inject arbitrary code via a
Man-in-the-Middle (MitM) attack, which will be executed when saved
content is viewed locally.

22) An error in QuickTime when processing URL data handlers within
movie files can be exploited to reference uninitialized memory via a
specially crafted file.

23) An error in QuickTime when handling the atom hierarchy within
movie files can be exploited via a specially crafted file.

24) An error in QuickTime when handling FlashPix files can be
exploited to cause a buffer overflow via a specially crafted file.

25) An error in QuickTime when handling FLIC files can be exploited
to cause a buffer overflow via a specially crafted file.

26) An error in the SMB File Server when guest access is disabled for
a share point record for a folder can be exploited to access the share
point using a guest user "nobody".

27) An error in the User Documentation due to App Store help content
being updated over HTTP can be exploited to inject arbitrary
AppleScript and Python code into the update via a Man-in-the-Middle
(MitM) attack.

Successful exploitation of vulnerabilities #3 - #5, #8, #20, #22 -
#25, and #27 may allow execution of arbitrary code.

SOLUTION:
Update to version 10.7.2 or apply Security Update 2011-006.

PROVIDED AND/OR DISCOVERED BY:
3, 8, 11, 12, 16, 20, 26) Reported by the vendor.
21, 27) Aaron Sigel, vtty.com
27) Brian Mastenbrook, vtty.com

The vendor also credits the following people:
2) An anonymous person
4) Will Dormann, the CERT/CC
5) Steven Michaud, Mozilla
6) Martin Tessarek, Steve Riggins, Geeks R Us, Justin C. Walker, and
Stephen Creswell
7) Erling Ellingsen, Facebook
9) Clint Tseng, University of Washington, Michael Kobb, and Adam Kemp
10) Judson Powers, ATC-NY
13) Passware, Inc.
14) Gordon Davisson, Crywolf, Linc Davis, R. Dormer, and Allan Schmid
and Oliver Jeckel, brainworks Training
15) Richard Godbee, Virginia Tech
17) Arek Dreyer, Dreyer Network Consultants, Inc.
17, 18) Patrick Dunstan, defenceindepth.net
19) Jeffry Strunk, The University of Texas at Austin, Steven Eppler,
Colorado Mesa University, Hugh Cole-Baker, and Frederic Metoz,
Institut de Biologie Structurale
22) Luigi Auriemma via ZDI
23) An anonymous person via ZDI
24) Damian Put via ZDI
25) Matt 'j00ru' Jurczyk via ZDI

ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT5002

vtty.com:
http://vttynotes.blogspot.com/2011/10/summary-of-vulnerability-write-ups-on.html
http://vttynotes.blogspot.com/2011/10/cve-2011-3224-mitm-to-rce-with-mac-app.html
