TITLE:
Apple Mac OS X Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA46417

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46417/

Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46417

RELEASE DATE:
2011-10-14

DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) Some vulnerabilities exist in Apache, BIND, CoreFoundation, CoreMedia, iChat Server, Mailman, Postfix, PHP, Python, QuickTime, Tomcat, and X11.

For more information:
SA37426
SA38219
SA39574
SA39937
SA40148
SA41724
SA42337
SA42374
SA42435
SA43194
SA43198
SA43389
SA43646
SA43814
SA44490
SA44719
SA44787
SA45046
SA45082
SA45167
SA45516
SA45606
SA46339

2) A format string error in the Application Firewall's debug logging can be exploited via a specially crafted name.
3) A signedness error in the ATS component when handling Type 1 fonts can be exploited via a specially crafted font embedded in a document.

4) An error in the ATS component when handling Type 1 fonts can be exploited to access an out-of-bounds memory location via a specially crafted font embedded in a document.

5) An error in the ATSFontDeactivate API can be exploited to cause a buffer overflow.

6) A synchronization error in the CFNetwork component when handling cookie policies can be exploited to bypass Safari's cookie preferences and store a cookie that would otherwise be blocked.

7) An error in the CFNetwork component when handling HTTP cookies can be exploited to send a cookie for a domain to a server outside of that domain.

8) Some errors in the CoreMedia component when handling QuickTime movie files can be exploited to corrupt memory.

9) An error in the CoreProcesses component when handling system windows (e.g. a VPN password prompt) while the screen is locked can be exploited to partially bypass the screen lock.

10) An error in the CoreStorage component caused some data at the start of a volume not to be encrypted when FileVault was enabled.

11) An error when handling HTTPS connections to WebDAV volumes did not properly verify certificate information and can be exploited via a Man-in-the-Middle (MitM) attack.

12) An error in the IOGraphics component within the screen lock functionality when used with Apple Cinema displays can be exploited to access the system without entering a password.

13) A logic error in the kernel's DMA protection can be exploited to access a user's password via FireWire DMA access during loginwindow, boot, or shutdown processing.

14) A logic error in the kernel's handling of file deletions in directories with the sticky bit set can be exploited to delete another user's files within a shared directory.

15) An error exists in the libsecurity module when handling errors during the parsing of a nonstandard certificate revocation list extension.
16) Some errors in the MediaKit component when handling disk images can be exploited to corrupt memory.

17) An error in the Open Directory component within the access control mechanism can be exploited to access another local user's password data.

18) An error in the Open Directory component within the access control mechanism can be exploited to change another user's password.

19) An error in the Open Directory component when bound to an LDAPv3 server and no AuthenticationAuthority attribute exists for a user can be exploited by an LDAP user to log in without a password.

20) Some errors in QuickTime when handling movie files can be exploited to corrupt memory via a specially crafted file.

21) An error in QuickTime within the "Save for Web" export feature, due to certain JavaScript code from the vendor's website being stored over HTTP, can be exploited to inject arbitrary code via a Man-in-the-Middle (MitM) attack, which will be executed when the saved content is viewed locally.

22) An error in QuickTime when processing URL data handlers within movie files can be exploited to reference uninitialized memory via a specially crafted file.

23) An error in QuickTime when handling the atom hierarchy within movie files can be exploited via a specially crafted file.

24) An error in QuickTime when handling FlashPix files can be exploited to cause a buffer overflow via a specially crafted file.

25) An error in QuickTime when handling FLIC files can be exploited to cause a buffer overflow via a specially crafted file.

26) An error in the SMB File Server when guest access is disabled for a share point record for a folder can be exploited to access the share point as the guest user "nobody".

27) An error in the User Documentation, due to App Store help content being updated over HTTP, can be exploited to inject arbitrary AppleScript and Python code into the update via a Man-in-the-Middle (MitM) attack.
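Vulnerability 7 is a client-side cookie scoping failure. The check a client must apply before attaching a cookie to a request is the domain-match rule of RFC 6265 section 5.1.3. The following is an added example (not Apple's or Secunia's code) that implements that rule next to the bare suffix comparison it is commonly confused with, and filters a constructed cookie jar for several constructed request hosts; all names, hosts and values are sample data.

```python
"""Cookie domain-scoping check.

Added example, not Apple's or Secunia's code. Implements the RFC 6265
section 5.1.3 domain-match: the request host either equals the cookie's
domain or ends with "." + domain, and an IP-literal host never
domain-matches. The cookie jar and hostnames below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # canonicalised: lowercase, no leading dot
    host_only: bool  # True when the Set-Cookie carried no Domain attribute


def canonical_host(host: str) -> str:
    """Lowercase and drop a leading/trailing dot (subset of RFC 6265 5.1.2)."""
    return host.strip().lower().strip(".")


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def naive_domain_matches(request_host: str, cookie_domain: str) -> bool:
    """The buggy comparison shown for contrast: a bare suffix test that
    treats 'notexample.com' as inside 'example.com'."""
    return canonical_host(request_host).endswith(canonical_host(cookie_domain))


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3 domain-match."""
    host = canonical_host(request_host)
    dom = canonical_host(cookie_domain)
    if host == dom:
        return True
    if is_ip_literal(host):
        return False
    return host.endswith("." + dom)


def cookies_for(request_host: str, jar: List[Cookie]) -> List[str]:
    """Names of the cookies a client may send to request_host (RFC 6265 5.4,
    domain step only; Path and Secure checks are out of scope here)."""
    host = canonical_host(request_host)
    sent = []
    for c in jar:
        ok = host == c.domain if c.host_only else domain_matches(host, c.domain)
        if ok:
            sent.append(c.name)
    return sent


# Constructed sample jar: one domain cookie and one host-only cookie.
SAMPLE_JAR = [
    Cookie("session", "abc123", "example.com", host_only=False),
    Cookie("pref", "dark", "www.example.com", host_only=True),
]

if __name__ == "__main__":
    for host in ("www.example.com", "api.example.com", "notexample.com",
                 "example.com.attacker.test", "192.0.2.1"):
        print(f"{host:28} -> {cookies_for(host, SAMPLE_JAR)}")
```

The IP-literal check matters because `192.0.2.1` ends with `.2.1`, so a domain cookie set for `2.1` would otherwise leak to every address with that suffix; the suffix test without the dot is the classic way a cookie for `example.com` reaches `notexample.com`.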
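Vulnerability 14 concerns the sticky bit (mode 01000, S_ISVTX), which is what restricts deletion in a world-writable directory to the file's owner, the directory's owner, or root. Independently of the kernel fix, the usual hardening check is to confirm that every world-writable directory on a shared system actually carries the bit. The following is an added example (not Apple's or Secunia's code) that walks a tree and reports world-writable directories without it; the tree it scans is a constructed temporary one so the script runs stand-alone.

```python
"""Sticky-bit audit of world-writable directories.

Added example, not Apple's or Secunia's code. Reports directories that are
writable by 'other' but lack S_ISVTX, the setting under which any user could
delete any other user's files. The directory tree used for the demonstration
is constructed in a temporary location.
"""
import os
import stat
import tempfile
from typing import List


def is_world_writable_dir(st: os.stat_result) -> bool:
    return stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def has_sticky_bit(st: os.stat_result) -> bool:
    return bool(st.st_mode & stat.S_ISVTX)


def audit_shared_dirs(root: str) -> List[str]:
    """Return root-relative paths of world-writable directories under root
    that lack the sticky bit. Symlinks are not followed."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            if is_world_writable_dir(st) and not has_sticky_bit(st):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def build_sample_tree() -> str:
    """Construct a sample tree: 'shared_ok' (01777, correct), 'shared_bad'
    (0777, missing sticky bit) and 'private' (0755, not shared)."""
    root = tempfile.mkdtemp(prefix="sticky_audit_")
    for name, mode in (("shared_ok", 0o1777), ("shared_bad", 0o777), ("private", 0o755)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod sets the exact mode regardless of umask
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel in audit_shared_dirs(sample_root):
        print(f"world-writable directory without sticky bit: {rel}")
```

On a real system the root argument would be `/` or the shared mount, and each finding is a candidate for `chmod +t`; a correctly configured `/tmp` shows mode `drwxrwxrwt` and is not reported.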
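Vulnerabilities 11, 21 and 27 share one root cause: content the system later trusts (a WebDAV volume, the JavaScript stored by QuickTime's "Save for Web" export, App Store help content) was retrieved over plain HTTP or over HTTPS without the certificate being checked, so anyone on the network path could substitute it. Two client-side controls close that gap: a TLS context that verifies the chain and the hostname, and an integrity check of the payload against a digest the client already holds. The following is an added example (not Apple's or Secunia's code) showing both, with the weak TLS setting alongside for contrast; it makes no network connection, and the URL, payload and digest are constructed sample data.

```python
"""Source and integrity policy for remotely supplied content.

Added example, not Apple's or Secunia's code. Shows a verifying TLS context
next to the loosened one, a refusal of non-HTTPS sources, and a digest check
of the payload. No network access is made; URL, payload and digest are
constructed sample data.
"""
import hashlib
import hmac
import ssl
from urllib.parse import urlsplit


class UntrustedContent(Exception):
    """Raised when content fails the source or integrity policy."""


def verifying_context() -> ssl.SSLContext:
    """Verifies the chain against the system trust store and checks the
    hostname; this is the library default and must not be loosened."""
    return ssl.create_default_context()


def unverified_context() -> ssl.SSLContext:
    """The weak setting, for contrast only: chain and hostname are ignored,
    which is the condition behind vulnerability 11."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # must be cleared before verify_mode changes
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def check_source_url(url: str) -> None:
    """Refuse plain-HTTP sources (the condition behind vulnerabilities 21 and 27)."""
    if urlsplit(url).scheme.lower() != "https":
        raise UntrustedContent(f"refusing non-HTTPS source: {url}")


def accept_payload(url: str, payload: bytes, expected_sha256_hex: str) -> bytes:
    """Return payload only if it came from an HTTPS URL and matches the digest
    the client already holds; the comparison is constant-time."""
    check_source_url(url)
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256_hex.lower()):
        raise UntrustedContent("payload digest does not match the expected value")
    return payload


def is_accepted(url: str, payload: bytes, expected_sha256_hex: str) -> bool:
    try:
        accept_payload(url, payload, expected_sha256_hex)
        return True
    except UntrustedContent:
        return False


# Constructed sample: the digest a client would ship with its update logic.
SAMPLE_PAYLOAD = b"<script>/* constructed help-content script */</script>\n"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()
SAMPLE_URL = "https://help.example.test/content.js"

if __name__ == "__main__":
    print("verifying context :", context_is_verifying(verifying_context()))
    print("unverified context:", context_is_verifying(unverified_context()))
    print("https, intact     :", is_accepted(SAMPLE_URL, SAMPLE_PAYLOAD, SAMPLE_DIGEST))
    print("http              :", is_accepted("http://help.example.test/content.js", SAMPLE_PAYLOAD, SAMPLE_DIGEST))
    print("https, tampered   :", is_accepted(SAMPLE_URL, SAMPLE_PAYLOAD + b"x", SAMPLE_DIGEST))
```

The digest check is what protects content that is executed later (items 21 and 27): even with TLS in place, it ties what runs to what the client was built to expect, and a signature over a manifest would generalise it to content that legitimately changes.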
Successful exploitation of vulnerabilities #3 - #5, #8, #20, #22 - #25, and #27 may allow execution of arbitrary code.

SOLUTION:
Update to version 10.7.2 or apply Security Update 2011-006.

PROVIDED AND/OR DISCOVERED BY:
3, 8, 11, 12, 16, 20, 26) Reported by the vendor.
21, 27) Aaron Sigel, vtty.com
27) Brian Mastenbrook, vtty.com

The vendor also credits the following people:
2) An anonymous person
4) Will Dormann, the CERT/CC
5) Steven Michaud, Mozilla
6) Martin Tessarek, Steve Riggins, Geeks R Us, Justin C. Walker, and Stephen Creswell
7) Erling Ellingsen, Facebook
9) Clint Tseng, University of Washington, Michael Kobb, and Adam Kemp
10) Judson Powers, ATC-NY
13) Passware, Inc.
14) Gordon Davisson, Crywolf, Linc Davis, R. Dormer, and Allan Schmid and Oliver Jeckel, brainworks Training
15) Richard Godbee, Virginia Tech
17) Arek Dreyer, Dreyer Network Consultants, Inc.
17, 18) Patrick Dunstan, defenceindepth.net
19) Jeffry Strunk, The University of Texas at Austin, Steven Eppler, Colorado Mesa University, Hugh Cole-Baker, and Frederic Metoz, Institut de Biologie Structurale
22) Luigi Auriemma via ZDI
23) An anonymous person via ZDI
24) Damian Put via ZDI
25) Matt 'j00ru' Jurczyk via ZDI

ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT5002

vtty.com:
http://vttynotes.blogspot.com/2011/10/summary-of-vulnerability-write-ups-on.html
http://vttynotes.blogspot.com/2011/10/cve-2011-3224-mitm-to-rce-with-mac-app.html