----------------------------------------------------------------------

SC Magazine awards the Secunia CSI a 5-Star rating
Top-level rating for ease of use, performance, documentation, support, and value for money. Read more and get a free trial here: http://secunia.com/blog/296 

----------------------------------------------------------------------

TITLE:
Apple Mac OS X Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA47843

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47843/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=47843

RELEASE DATE:
2012-02-03

DISCUSS ADVISORY:
http://secunia.com/advisories/47843/#comments

AVAILABLE ON SITE AND IN CUSTOMER AREA:
 * Last Update
 * Popularity
 * Comments
 * Criticality Level
 * Impact
 * Where
 * Solution Status
 * Operating System / Software
 * CVE Reference(s)

http://secunia.com/advisories/47843/

ONLY AVAILABLE IN CUSTOMER AREA:
 * Authentication Level
 * Report Reliability
 * Secunia PoC
 * Secunia Analysis
 * Systems Affected
 * Approve Distribution
 * Remediation Status
 * Secunia CVSS Score
 * CVSS

https://ca.secunia.com/?page=viewadvisory&vuln_id=47843

ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
 * AUTOMATED SCANNING

http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.

1) The Address Book component downgrades to an unencrypted connection
when an encrypted connection fails. This can be exploited to intercept
CardDAV data.

2) An error in the bundled version of Apache can be exploited to
cause a temporary DoS (Denial of Service).

For more information:
SA46013

3) A design error in Apache within the Secure Sockets Layer 3.0 (SSL)
and Transport Layer Security 1.0 (TLS) protocols when using a block
cipher in CBC mode can be exploited to decrypt data protected by
SSL.

4) An error in ATS when handling data-font files can be exploited to
corrupt memory via a specially crafted font opened by Font Book.

5) An error in CFNetwork when handling URLs can be exploited to
disclose sensitive information via a specially crafted web page as a
request could be sent to an incorrect origin server.

6) An error in CFNetwork when handling URLs can be exploited to
disclose sensitive information via a specially crafted web page as
unexpected request headers could be sent.

7) An integer overflow error in ColorSync when handling images with
embedded ColorSync profiles can be exploited to cause a heap-based
buffer overflow via a specially crafted image.

8) An error in CoreAudio when handling AAC encoded audio streams can
be exploited to cause a buffer overflow when playing specially
crafted audio content.

9) An error in CoreMedia when handling H.264 encoded movies can be
exploited to cause a heap-based buffer overflow.

10) A use-after-free error in CoreText when handling documents
containing fonts can be exploited to dereference already freed memory
via a specially crafted font.

11) An error exists in CoreUI when handling long URLs and can be
exploited via a specially crafted website.

12) An error in curl can be exploited by remote servers to
impersonate clients via GSSAPI requests.

For more information:
SA45067

13) Two of the certificate authorities in the list of trusted root
certificates have issued intermediate certificates to DigiCert
Malaysia, who has issued certificates with weak keys that cannot be
revoked.

14) A design error in dovecot within the Secure Sockets Layer 3.0
(SSL) and Transport Layer Security 1.0 (TLS) protocols when using a
block cipher in CBC mode can be exploited to decrypt data protected
by SSL.

15) An error in the uncompress command line tool when decompressing
compressed files can be exploited to cause a buffer overflow.

For more information:
SA45544

16) An error in ImageIO when parsing TIFF images can be exploited to
cause a buffer overflow.

For more information see vulnerability #9:
SA45325

17) An error in ImageIO when handling ThunderScan encoded TIFF images
can be exploited to cause a buffer overflow.

For more information see vulnerability #2:
SA43593:

18) An error exists in the bundled version of libpng.

For more information:
SA46148

19) An error in Internet Sharing may cause the used Wi-Fi
configuration to revert to factory defaults (e.g. disabling the WEP
password) after a system update.

20) An error in Libinfo can be exploited to disclose sensitive
information via a specially crafted website.

For more information see vulnerability #4:
SA46747

21) An integer overflow error in libresolv when parsing DNS resource
records can be exploited to cause a heap-based buffer overflow.

22) An error in libsecurity may cause some EV certificates to be
trusted even when the corresponding root is marked untrusted.

23) Multiple errors in OpenGL when handling GLSL compilation can be
exploited to corrupt memory.

24) Multiple errors exist in the bundled version of PHP.

For more information:
SA44874
SA45678

25) Various errors in FreeType when handling Type 1 fonts can be
exploited to corrupt memory.

For more information:
SA46575

26) An error in QuickTime when parsing MP4 encoded files can be
exploited to access uninitialised memory.

27) A signedness error in QuickTime when handling font tables
embedded in movie files can be exploited to corrupt memory.

28) An off-by-one error in QuickTime when handling rdrf atoms in
movie files can be exploited to cause a single byte buffer overflow.

29) An error in QuickTime when parsing JPEG2000 images can be
exploited to cause a buffer overflow.

30) An error in QuickTime when parsing PNG images can be exploited to
cause a buffer overflow.

31) An error in QuickTime when handling FLC encoded movie files can
be exploited to cause a buffer overflow.

32) Multiple errors exists in the bundled version of SquirrelMail.

For more information:
SA40307
SA45197

33) Various errors exist in the bundled version of Subversion.

For more information:
SA44681

34) Time Machine does not verify that a designated remote AFP volume
or Time Capsule is used for subsequent backups. This can be exploited
to access backups by spoofing the remote volume.

35) Errors exist in the bundled version of Tomcat.

For more information:
SA44981

36) An error in WebDAV Sharing when handling user authentication can
be exploited by local users to gain escalated privileges.

37) An error exists in the bundled version of Webmail.

For more information:
SA45605

SOLUTION:
Update to OS X Lion version 10.7.3 or apply Security Update 2012-001.

PROVIDED AND/OR DISCOVERED BY:
4, 10) Will Dormann, CERT/CC

The vendor also credits:
1) Bernard Desruisseaux, Oracle Corporation
5, 6) Erling Ellingsen, Facebook
7) binaryproof via ZDI
8, 27, 28, 29, 30) Luigi Auriemma via ZDI
9) Scott Stender, iSEC Partners
11) Ben Syverson
19) An anonymous person
21) Ilja van Sprundel, IOActive
22) Alastair Houghton
23) Chris Evans, Google Chrome Security Team and Marc Schoenefeld,
Red Hat Security Response Team
26) Luigi Auriemma via ZDI and pa_kt via ZDI
31) Matt "j00ru" Jurczyk via ZDI
34) Michael Roitzsch, Technische Universität Dresden
36) Gordon Davisson, Crywolf

ORIGINAL ADVISORY:
Apple Security Update 2012-001:
http://support.apple.com/kb/HT5130

US-CERT:
http://www.kb.cert.org/vuls/id/403593
http://www.kb.cert.org/vuls/id/410281

OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------