SecurityTracker.com
Category:   OS (UNIX)  >   Mac OS X
Vendors:   Apple Computer
Apple Mac OS X Multiple Flaws Let Remote Users Execute Arbitrary Code, Obtain Information, and Conduct Cross-Site Scripting Attacks and Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1026627
SecurityTracker URL:  http://securitytracker.com/id/1026627
CVE Reference:   CVE-2011-2937, CVE-2011-3328, CVE-2011-3444, CVE-2011-3447, CVE-2011-3448, CVE-2011-3449, CVE-2011-3450, CVE-2011-3452, CVE-2011-3453, CVE-2011-3457, CVE-2011-3458, CVE-2011-3459, CVE-2011-3460, CVE-2011-3462, CVE-2011-3463
Updated:  Feb 4 2012
Original Entry Date:  Feb 2 2012
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Modification of user information, Root access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 10.7.3
Description:   Multiple vulnerabilities were reported in Apple Mac OS X. A remote user can cause arbitrary code to be executed on the target user's system. A local user can obtain elevated privileges on the target system. A remote user can conduct cross-site scripting attacks. A remote user can obtain potentially sensitive information.

A remote user can create a specially crafted email message that, when viewed by a target user, will cause arbitrary scripting code to be executed by the target user's browser [CVE-2011-2937]. The code will originate from the Roundcube Webmail interface and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. Systems prior to OS X Lion are not affected.

A remote user can create a specially crafted file that, when loaded by the target user, will trigger an error in libpng and execute arbitrary code on the target system [CVE-2011-3328].

A remote user in a privileged network position can obtain CardDAV Address Book data by causing the connection to downgrade to an unencrypted connection [CVE-2011-3444]. Bernard Desruisseaux of Oracle Corporation reported this vulnerability.

A remote user can create a specially crafted URL that, when loaded by the target user, will cause CFNetwork to send unexpected headers containing potentially sensitive information [CVE-2011-3447]. Systems prior to OS X Lion are not affected. Erling Ellingsen of Facebook reported this vulnerability.

A remote user can create a specially crafted movie file that, when loaded by the target user, will trigger a heap overflow in CoreMedia's handling of H.264 encoded movie files and execute arbitrary code on the target system [CVE-2011-3448]. Scott Stender of iSEC Partners reported this vulnerability.

A remote user can create a specially crafted document that, when viewed or downloaded by the target user, will trigger a use-after-free memory error in CoreText and execute arbitrary code on the target system [CVE-2011-3449]. The code will run with the privileges of the target user. Will Dormann of the CERT/CC reported this vulnerability.

A remote user can create a specially crafted URL that, when loaded by the target user, will trigger a stack allocation error and execute arbitrary code on the target system [CVE-2011-3450]. Systems prior to OS X Lion are not affected. Ben Syverson reported this vulnerability.

After a system update, the system may revert the Wi-Fi configuration used by Internet Sharing to the factory default (with WEP disabled) [CVE-2011-3452]. Only systems with Internet Sharing enabled and sharing the connection to Wi-Fi are affected. An anonymous researcher reported this vulnerability.

A remote user may be able to trigger an integer overflow in the parsing of DNS resource records in applications that use the OS X libresolv library and execute arbitrary code [CVE-2011-3453]. Ilja van Sprundel of IOActive reported this vulnerability.

A remote user can trigger a memory corruption error in the OpenGL GLSL compilation [CVE-2011-3457]. Applications that use the OS X OpenGL implementation may be affected. Chris Evans of the Google Chrome Security Team and Marc Schoenefeld of the Red Hat Security Response Team reported this vulnerability.

A remote user can create a specially crafted MP4 encoded file that, when loaded by the target user, will trigger an uninitialized memory access error and execute arbitrary code on the target system [CVE-2011-3458]. Luigi Auriemma and pa_kt reported this vulnerability via TippingPoint's Zero Day Initiative.

A remote user can create a specially crafted movie file that, when loaded by the target user, will trigger an off-by-one buffer overflow in the processing of rdrf atoms in QuickTime movie files and execute arbitrary code on the target system [CVE-2011-3459]. Luigi Auriemma reported this vulnerability via TippingPoint's Zero Day Initiative.

A remote user can create a specially crafted PNG image that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code on the target system [CVE-2011-3460]. Luigi Auriemma reported this vulnerability via TippingPoint's Zero Day Initiative.

A remote user who can spoof a remote AFP volume or Time Capsule can gain access to backups created by the target user's system [CVE-2011-3462]. Michael Roitzsch of the Technische Universität Dresden reported this vulnerability.

A local user can exploit a flaw in WebDAV sharing in the handling of user authentication to execute arbitrary commands on the target system with system privileges [CVE-2011-3463]. Systems prior to OS X Lion are not affected. Gordon Davisson of Crywolf reported this vulnerability.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A local user can obtain system privileges on the target system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the Roundcube Webmail interface, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can obtain potentially sensitive information.

Solution:   The vendor has issued a fix as part of OS X Lion v10.7.3 and Security Update 2012-001, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Security Update 2012-001 or OS X v10.7.3.

For OS X Lion v10.7.2
The download file is named: MacOSXUpd10.7.3.dmg
Its SHA-1 digest is: 7102fe8f9f47286c45dfa35f6e84e7f730493a7c

For OS X Lion v10.7 and v10.7.1
The download file is named: MacOSXUpdCombo10.7.3.dmg
Its SHA-1 digest is: 07dfce300f6801eb63d9ac13e0bec84e1862a16c

For OS X Lion Server v10.7.2
The download file is named: MacOSXServerUpd10.7.3.dmg
Its SHA-1 digest is: 55a9571635d4ec088c142d68132d0d69fcb8867d

For OS X Lion Server v10.7 and v10.7.1
The download file is named: MacOSXServerUpdCombo10.7.3.dmg
Its SHA-1 digest is: 2c87824f09734499ea166ea0617a3ac21ecf832b

For Mac OS X v10.6.8
The download file is named: SecUpd2012-001Snow.dmg
Its SHA-1 digest is: 40875ee8cb609bbaefc8f421a9c34cc353db42b8

For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-001.dmg
Its SHA-1 digest is: 53b3ca5548001a9920aeabed4a034c6e4657fe20

[Editor's note: On February 3, 2012, the vendor issued a modified fix (Security Update 2012-001 v1.1) for Mac OS X v10.6.8 that removes the ImageIO patches (CVE-2011-3328) that were causing a compatibility issue.]

The modified 10.6.8 updates are:

For Mac OS X v10.6.8
The download file is named: SecUpd2012-001Snow.dmg
Its SHA-1 digest is: 29218a1a28efecd15b3033922d71f0441390490a

For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-001.dmg
Its SHA-1 digest is: 105bdebf2e07fc5c0127f482276ccb7b6b631199
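
As an added example (not part of the SecurityTracker entry or Apple's advisory), the shell functions below check a downloaded image against the digests listed above and flag the original 10.6.8 packages that the February 3 re-release replaced under the same file names. The function names and status words are this example's own; the file names and digests are copied from this page.

```shell
#!/bin/sh
# Added example: verify a downloaded update image against the SHA-1 digests
# listed in this advisory. Function names and status words are hypothetical.

# classify_digest NAME DIGEST prints one status word:
#   current    - digest matches the package currently listed for NAME
#   superseded - digest matches the original 10.6.8 package that the
#                v1.1 re-release replaced (same file name, new digest)
#   mismatch   - digest matches nothing listed for NAME
#   unknown    - NAME is not one of the packages in the advisory
classify_digest() {
    name=$1
    digest=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    case "$name" in
        MacOSXUpd10.7.3.dmg)            good=7102fe8f9f47286c45dfa35f6e84e7f730493a7c old= ;;
        MacOSXUpdCombo10.7.3.dmg)       good=07dfce300f6801eb63d9ac13e0bec84e1862a16c old= ;;
        MacOSXServerUpd10.7.3.dmg)      good=55a9571635d4ec088c142d68132d0d69fcb8867d old= ;;
        MacOSXServerUpdCombo10.7.3.dmg) good=2c87824f09734499ea166ea0617a3ac21ecf832b old= ;;
        SecUpd2012-001Snow.dmg)         good=29218a1a28efecd15b3033922d71f0441390490a old=40875ee8cb609bbaefc8f421a9c34cc353db42b8 ;;
        SecUpdSrvr2012-001.dmg)         good=105bdebf2e07fc5c0127f482276ccb7b6b631199 old=53b3ca5548001a9920aeabed4a034c6e4657fe20 ;;
        *) echo unknown; return 2 ;;
    esac
    if [ "$digest" = "$good" ]; then echo current; return 0; fi
    if [ -n "$old" ] && [ "$digest" = "$old" ]; then echo superseded; return 1; fi
    echo mismatch; return 1
}

# Print the SHA-1 of a file using whichever tool is installed.
sha1_of() {
    if command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    elif command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    fi
}

# Classify a downloaded file by its base name and computed digest.
verify_update() {
    [ -r "$1" ] || { echo unreadable; return 2; }
    classify_digest "$(basename "$1")" "$(sha1_of "$1")"
}
```

Run `verify_update /path/to/SecUpd2012-001Snow.dmg`; only a result of `current` (exit status 0) indicates the file matches the package listed on this page.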

The vendor's advisory is available at:

http://support.apple.com/kb/HT5130

Vendor URL:  support.apple.com/kb/HT5130
Cause:   Access control error, Boundary error, Input validation error
Underlying OS:  

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 9 2012 (Apple Issues Fix for Apple TV) Apple Mac OS X Multiple Flaws Let Remote Users Execute Arbitrary Code, Obtain Information, and Conduct Cross-Site Scripting Attacks and Local Users Gain Elevated Privileges   (Apple Product Security <product-security-noreply@lists.apple.com>)
Apple has issued a fix for Apple TV.



 Source Message Contents

Date:  Wed, 01 Feb 2012 13:56:14 -0800
Subject:  APPLE-SA-2012-02-01-1 OS X Lion v10.7.3 and Security Update 2012-001

Excerpts from:

APPLE-SA-2012-02-01-1 OS X Lion v10.7.3 and Security Update 2012-001

Webmail
Available for:  OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact:  Viewing a maliciously crafted e-mail message may lead to the
disclosure of message content
Description:  A cross-site scripting vulnerability existed in the
handling of mail messages. This issue is addressed by updating
Roundcube Webmail to version 0.6. This issue does not affect systems
prior to OS X Lion. Further information is available via the
Roundcube site at http://trac.roundcube.net/
CVE-ID
CVE-2011-2937

ImageIO
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact:  Multiple vulnerabilities in libpng 1.5.4
Description:  libpng is updated to version 1.5.5 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the libpng website at
http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2011-3328

Address Book
Available for:  OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact:  An attacker in a privileged network position may intercept
CardDAV data
Description:  Address Book supports Secure Sockets Layer (SSL) for
accessing CardDAV. A downgrade issue caused Address Book to attempt
an unencrypted connection if an encrypted connection failed. An
attacker in a privileged network position could abuse this behavior
to intercept CardDAV data. This issue is addressed by not downgrading
to an unencrypted connection without user approval.
CVE-ID
CVE-2011-3444 : Bernard Desruisseaux of Oracle Corporation

CFNetwork
Available for:  OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact:  Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description:  An issue existed in CFNetwork's handling of malformed
URLs. When accessing a maliciously crafted URL, CFNetwork could send
unexpected request headers. This issue does not affect systems prior
to OS X Lion.
CVE-ID
CVE-2011-3447 : Erling Ellingsen of Facebook

CoreMedia
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow existed in CoreMedia's handling
of H.264 encoded movie files.
CVE-ID
CVE-2011-3448 : Scott Stender of iSEC Partners

CoreText
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact:  Viewing or downloading a document containing a maliciously
crafted embedded font may lead to an unexpected application
termination or arbitrary code execution
Description:  A use after free issue existed in the handling of font
files.
CVE-ID
CVE-2011-3449 : Will Dormann of the CERT/CC

CoreUI
Available for:  OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact:  Visiting a malicious website may lead to an unexpected
application termination or arbitrary code execution
Description:  An unbounded stack allocation issue existed in the
handling of long URLs. This issue does not affect systems prior to OS
X Lion.
CVE-ID
CVE-2011-3450 : Ben Syverson

Internet Sharing
Available for:  OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact:  A Wi-Fi network created by Internet Sharing may lose
security settings after a system update
Description:  After updating to a version of OS X Lion prior to
10.7.3, the Wi-Fi configuration used by Internet Sharing may revert
to factory defaults, which disables the WEP password. This issue only
affects systems with Internet Sharing enabled and sharing the
connection to Wi-Fi. This issue is addressed by preserving the Wi-Fi
configuration during a system update.
CVE-ID
CVE-2011-3452 : an anonymous researcher

libresolv
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact:  Applications that use OS X's libresolv library may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description:  An integer overflow existed in the parsing of DNS
resource records, which may lead to heap memory corruption.
CVE-ID
CVE-2011-3453 : Ilja van Sprundel of IOActive

OpenGL
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact:  Applications that use OS X's OpenGL implementation may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description:  Multiple memory corruption issues existed in the
handling of GLSL compilation.
CVE-ID
CVE-2011-3457 : Chris Evans of the Google Chrome Security Team, and
Marc Schoenefeld of the Red Hat Security Response Team

QuickTime
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact:  Opening a maliciously crafted MP4 encoded file may lead to
an unexpected application termination or arbitrary code execution
Description:  An uninitialized memory access issue existed in the
handling of MP4 encoded files.
CVE-ID
CVE-2011-3458 : Luigi Auriemma and pa_kt both working with
TippingPoint's Zero Day Initiative

QuickTime
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  An off by one buffer overflow existed in the handling
of rdrf atoms in QuickTime movie files.
CVE-ID
CVE-2011-3459 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative

QuickTime
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact:  Processing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of PNG files.
CVE-ID
CVE-2011-3460 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative

Time Machine
Available for:  OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact:  A remote attacker may access new backups created by the
user's system
Description:  The user may designate a remote AFP volume or Time
Capsule to be used for Time Machine backups. Time Machine did not
verify that the same device was being used for subsequent backup
operations. An attacker who is able to spoof the remote volume could
gain access to new backups created by the user's system. This issue
is addressed by verifying the unique identifier associated with a
disk for backup operations.
CVE-ID
CVE-2011-3462 : Michael Roitzsch of the Technische Universität
Dresden

WebDAV Sharing
Available for:  OS X Lion Server v10.7 to v10.7.2
Impact:  Local users may obtain system privileges
Description:  An issue existed in WebDAV Sharing's handling of user
authentication. A user with a valid account on the server or one of
its bound directories could cause the execution of arbitrary code
with system privileges. This issue does not affect systems prior to
OS X Lion.
CVE-ID
CVE-2011-3463 : Gordon Davisson of Crywolf



OS X Lion v10.7.3 and Security Update 2012-001 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Security Update 2021-001 or OS X v10.7.3.

For OS X Lion v10.7.2
The download file is named: MacOSXUpd10.7.3.dmg
Its SHA-1 digest is: 7102fe8f9f47286c45dfa35f6e84e7f730493a7c

For OS X Lion v10.7 and v10.7.1
The download file is named: MacOSXUpdCombo10.7.3.dmg
Its SHA-1 digest is: 07dfce300f6801eb63d9ac13e0bec84e1862a16c

For OS X Lion Server v10.7.2
The download file is named: MacOSXServerUpd10.7.3.dmg
Its SHA-1 digest is: 55a9571635d4ec088c142d68132d0d69fcb8867d

For OS X Lion Server v10.7 and v10.7.1
The download file is named: MacOSXServerUpdCombo10.7.3.dmg
Its SHA-1 digest is: 2c87824f09734499ea166ea0617a3ac21ecf832b

For Mac OS X v10.6.8
The download file is named: SecUpd2012-001Snow.dmg
Its SHA-1 digest is: 40875ee8cb609bbaefc8f421a9c34cc353db42b8

For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-001.dmg
Its SHA-1 digest is: 53b3ca5548001a9920aeabed4a034c6e4657fe20

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/


 
 



Copyright 2014, SecurityGlobal.net LLC