Apple Security Advisory 2013-06-04-1

Posted Jun 6, 2013
Authored by Apple | Site apple.com

Apple Security Advisory 2013-06-04-1 - OS X Mountain Lion version 10.8.4 and Security Update 2013-002 are now available and address over 30 security issues.

tags | advisory
systems | apple, osx
advisories | CVE-2012-2131, CVE-2012-2333, CVE-2012-4929, CVE-2012-5519, CVE-2013-0155, CVE-2013-0276, CVE-2013-0277, CVE-2013-0333, CVE-2013-0975, CVE-2013-0982, CVE-2013-0983, CVE-2013-0984, CVE-2013-0985, CVE-2013-0986, CVE-2013-0987, CVE-2013-0988, CVE-2013-0989, CVE-2013-0990, CVE-2013-1024, CVE-2013-1854, CVE-2013-1855, CVE-2013-1856, CVE-2013-1857
SHA-256 | 29c85f7c4991f40f099be32dac2f2a9438a7fc5388a3ae3de429d2a6ba9bb431


APPLE-SA-2013-06-04-1 OS X Mountain Lion v10.8.4 and Security Update 2013-002

OS X Mountain Lion v10.8.4 and Security Update 2013-002 are now
available and address the following:

CFNetwork
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: An attacker with access to a user's session may be able to
log into previously accessed sites, even if Private Browsing was used
Description: Permanent cookies were saved after quitting Safari,
even when Private Browsing was enabled. This issue was addressed by
improved handling of cookies.
CVE-ID
CVE-2013-0982 : Alexander Traud of www.traud.de

CoreAnimation
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: Visiting a maliciously crafted site may lead to an
unexpected application termination or arbitrary code execution
Description: An unbounded stack allocation issue existed in the
handling of text glyphs. This could be triggered by maliciously
crafted URLs in Safari. The issue was addressed through improved
bounds checking.
CVE-ID
CVE-2013-0983 : David Fifield of Stanford University, Ben Syverson

CoreMedia Playback
Available for: OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the
handling of text tracks. This issue was addressed by additional
validation of text tracks.
CVE-ID
CVE-2013-1024 : Richard Kuo and Billy Suguitan of Triemt Corporation

CUPS
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: A local user in the lpadmin group may be able to read or
write arbitrary files with system privileges
Description: A privilege escalation issue existed in the handling of
CUPS configuration via the CUPS web interface. A local user in the
lpadmin group may be able to read or write arbitrary files with
system privileges. This issue was addressed by moving certain
configuration directives to cups-files.conf, which cannot be
modified from the CUPS web interface.
CVE-ID
CVE-2012-5519

Directory Service
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: A remote attacker may execute arbitrary code with system
privileges on systems with Directory Service enabled
Description: An issue existed in the directory server's handling of
messages from the network. By sending a maliciously crafted message,
a remote attacker could cause the directory server to terminate or
execute arbitrary code with system privileges. This issue was
addressed through improved bounds checking. This issue does not
affect OS X Lion or OS X Mountain Lion systems.
CVE-ID
CVE-2013-0984 : Nicolas Economou of Core Security

Disk Management
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: A local user may disable FileVault
Description: A local user who is not an administrator may disable
FileVault from the command line. This issue was addressed by requiring
additional authentication.
CVE-ID
CVE-2013-0985

OpenSSL
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: An attacker may be able to decrypt data protected by SSL
Description: There were known attacks on the confidentiality of TLS
1.0 when compression was enabled. This issue was addressed by
disabling compression in OpenSSL.
CVE-ID
CVE-2012-4929 : Juliano Rizzo and Thai Duong

OpenSSL
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Multiple vulnerabilities in OpenSSL
Description: OpenSSL was updated to version 0.9.8x to address
multiple vulnerabilities, which may lead to denial of service or
disclosure of a private key. Further information is available via the
OpenSSL website at http://www.openssl.org/news/
CVE-ID
CVE-2011-1945
CVE-2011-3207
CVE-2011-3210
CVE-2011-4108
CVE-2011-4109
CVE-2011-4576
CVE-2011-4577
CVE-2011-4619
CVE-2012-0050
CVE-2012-2110
CVE-2012-2131
CVE-2012-2333

QuickDraw Manager
Available for: OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact: Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of PICT
images. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0975 : Tobias Klein working with HP's Zero Day Initiative

QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of 'enof'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0986 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft)
working with HP's Zero Day Initiative

QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted QTIF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
QTIF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-0987 : roob working with iDefense VCP

QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted FPX file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of FPX files.
This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0988 : G. Geshev working with HP's Zero Day Initiative

QuickTime
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: Playing a maliciously crafted MP3 file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of MP3 files.
This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0989 : G. Geshev working with HP's Zero Day Initiative

Ruby
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: Multiple vulnerabilities in Ruby on Rails
Description: Multiple vulnerabilities existed in Ruby on Rails, the
most serious of which may lead to arbitrary code execution on systems
running Ruby on Rails applications. These issues were addressed by
updating Ruby on Rails to version 2.3.18. This issue may affect OS X
Lion or OS X Mountain Lion systems that were upgraded from Mac OS X
10.6.8 or earlier. Users can update affected gems on such systems by
using the /usr/bin/gem utility.
CVE-ID
CVE-2013-0155
CVE-2013-0276
CVE-2013-0277
CVE-2013-0333
CVE-2013-1854
CVE-2013-1855
CVE-2013-1856
CVE-2013-1857

SMB
Available for: OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: An authenticated user may be able to write files outside the
shared directory
Description: If SMB file sharing is enabled, an authenticated user
may be able to write files outside the shared directory. This issue
was addressed through improved access control.
CVE-ID
CVE-2013-0990 : Ward van Wanrooij

Note: Starting with OS X 10.8.4, Java Web Start (i.e. JNLP)
applications downloaded from the Internet need to be signed with
a Developer ID certificate. Gatekeeper will check downloaded
Java Web Start applications for a signature and block such
applications from launching if they are not properly signed.

Note: OS X Mountain Lion v10.8.4 includes the content of
Safari 6.0.5. For further details see "About the security content
of Safari 6.0.5" at http://support.apple.com/kb/HT5785

OS X Mountain Lion v10.8.4 and Security Update 2013-002 may be
obtained from the Software Update pane in System Preferences,
or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
OS X Mountain Lion v10.8.4, or Security Update
2013-002.

For OS X Mountain Lion v10.8.3
The download file is named: OSXUpd10.8.4.dmg
Its SHA-1 digest is: 9cf99aa1293cefdac0fb9a24ea133c80f8237b5e

For OS X Mountain Lion v10.8 and v10.8.2
The download file is named: OSXUpdCombo10.8.4.dmg
Its SHA-1 digest is: 3c95d0c8d0c7f43339a5f4e137e386dd5fe409c3

For OS X Lion v10.7.5
The download file is named: SecUpd2013-002.dmg
Its SHA-1 digest is: cfc3bd0941d7c5838aee9e92ee087d78abff3ce7

For OS X Lion Server v10.7.5
The download file is named: SecUpdSrvr2013-002.dmg
Its SHA-1 digest is: 34dff575a145e13404e7a2ee8a390d3e7c56fb5e

For Mac OS X v10.6.8
The download file is named: SecUpd2013-002.dmg
Its SHA-1 digest is: 5da54b38ffb8c147925c3018a8f5bf30ad4ac5b1

For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2013-002.dmg
Its SHA-1 digest is: b20271f019930fe894c2247a6d5e05f00568b583
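A practitioner applying this advisory would check the downloaded image against the digests listed above before installing it. The following is an added example, not Apple's or Packet Storm's code; it embeds the file names and SHA-1 digests from the advisory and assumes the caller names the target system exactly as the advisory does.

```python
import hashlib
import hmac
import os

# Digests copied from the advisory text above, keyed by the system the
# advisory names.  Two different images share the file name
# SecUpd2013-002.dmg (and two share SecUpdSrvr2013-002.dmg), so a lookup
# by file name alone is ambiguous; the target system disambiguates.
ADVISORY_DIGESTS = {
    "OS X Mountain Lion v10.8.3":
        ("OSXUpd10.8.4.dmg", "9cf99aa1293cefdac0fb9a24ea133c80f8237b5e"),
    "OS X Mountain Lion v10.8 and v10.8.2":
        ("OSXUpdCombo10.8.4.dmg", "3c95d0c8d0c7f43339a5f4e137e386dd5fe409c3"),
    "OS X Lion v10.7.5":
        ("SecUpd2013-002.dmg", "cfc3bd0941d7c5838aee9e92ee087d78abff3ce7"),
    "OS X Lion Server v10.7.5":
        ("SecUpdSrvr2013-002.dmg", "34dff575a145e13404e7a2ee8a390d3e7c56fb5e"),
    "Mac OS X v10.6.8":
        ("SecUpd2013-002.dmg", "5da54b38ffb8c147925c3018a8f5bf30ad4ac5b1"),
    "Mac OS X Server v10.6.8":
        ("SecUpdSrvr2013-002.dmg", "b20271f019930fe894c2247a6d5e05f00568b583"),
}

def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the image through SHA-1 so a large .dmg never sits in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def expected_digest(system, filename):
    """Digest the advisory publishes for this system, or None when the
    file name is not the one listed for that system."""
    entry = ADVISORY_DIGESTS.get(system)
    if entry is None or entry[0] != filename:
        return None
    return entry[1]

def digest_matches(path, expected_hex):
    """Constant-time comparison of the file's digest with the published one."""
    return hmac.compare_digest(sha1_of_file(path), expected_hex.lower())

def verify_update(path, system):
    """True only if the file name is the one the advisory lists for
    `system` and its SHA-1 equals the digest printed above."""
    expected = expected_digest(system, os.path.basename(path))
    return expected is not None and digest_matches(path, expected)
```

SHA-1 is the only digest Apple published for these images, so a match confirms the download is the one the advisory describes and nothing stronger; a mismatch means the file should not be installed.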

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
