





Category:   OS (UNIX)  >   Mac OS X
Vendors:   Apple Computer
Apple OS X Lets Remote Users Execute Arbitrary Code and Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1027551
SecurityTracker URL:  http://securitytracker.com/id/1027551
CVE Reference:   CVE-2012-0650, CVE-2012-3716, CVE-2012-3718, CVE-2012-3719, CVE-2012-3720, CVE-2012-3721, CVE-2012-3722, CVE-2012-3723
Date:  Sep 20 2012
Impact:   Denial of service via network, Disclosure of authentication information, Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Several vulnerabilities were reported in Apple OS X. A remote user can execute arbitrary code on the target system. A remote user can obtain a password hash in certain cases. A local user can obtain elevated privileges on the target system. A local user can obtain password keystrokes.

If the DirectoryService Proxy is used, a remote user can trigger a buffer overflow in the DirectoryService Proxy to execute arbitrary code [CVE-2012-0650]. OS X Lion and Mountain Lion systems are not affected. aazubel reported this vulnerability (via HP's Zero Day Initiative).

A remote user can create a specially crafted file that, when loaded by the target user via an application that uses CoreText, will trigger an out-of-bounds memory access error and execute arbitrary code [CVE-2012-3716]. Mac OS X v10.6 and OS X Mountain Lion systems are not affected. Jesse Ruderman of Mozilla Corporation reported this vulnerability.

A local user can exploit a flaw in LoginWindow to capture password keystrokes from Login Window and Screen Saver Unlock [CVE-2012-3718]. Only OS X Mountain Lion is affected. An anonymous researcher reported this vulnerability.

A remote user can send a specially crafted e-mail that, when viewed by the target user, will launch an embedded web plugin [CVE-2012-3719]. OS X Mountain Lion is not affected. Will Dormann of the CERT/CC reported this vulnerability.

A user with access to the contents of a mobile account can obtain the account user's password hash [CVE-2012-3720]. OS X Mountain Lion is affected. Harald Wagener of Google, Inc. reported this vulnerability.

A remote user can exploit a flaw in the Device Management private interface to identify managed devices [CVE-2012-3721]. OS X Mountain Lion is not affected. Derick Cassidy of XEquals Corporation reported this vulnerability.

A remote user can create a specially crafted Sorenson encoded movie file that, when loaded by the target user, will trigger a memory access error and execute arbitrary code on the target system [CVE-2012-3722]. The code will run with the privileges of the target user. OS X Mountain Lion systems are not affected. Will Dormann of the CERT/CC reported this vulnerability.

A physically local user can attach a USB device with a specially crafted bNbrPorts descriptor field to trigger a memory corruption error and execute arbitrary code [CVE-2012-3723]. OS X Mountain Lion systems are not affected. Andy Davis of NGS Secure reported this vulnerability.

Impact:   A remote user can execute arbitrary code on the target system.

A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.

A local user can obtain elevated privileges on the target system.

A remote user can obtain a password hash in certain cases.

A local user can obtain password keystrokes.

Solution:   The vendor has issued a fix.

OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and Security Update 2012-004 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies to your system configuration. Only one is needed, either OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 or Security Update 2012-004.

For OS X Mountain Lion v10.8.1
The download file is named: OSXUpd10.8.2.dmg
Its SHA-1 digest is: d6779e1cc748b78af0207499383b1859ffbebe33

For OS X Mountain Lion v10.8
The download file is named: OSXUpdCombo10.8.2.dmg
Its SHA-1 digest is: b08f10233d362e39f20b69f91d1d73f5e7b68a2c

For OS X Lion v10.7.4
The download file is named: MacOSXUpd10.7.5.dmg
Its SHA-1 digest is: e0a9582cce9896938a7a541bd431862d93893532

For OS X Lion v10.7 and v10.7.3
The download file is named: MacOSXUpdCombo10.7.5.dmg
Its SHA-1 digest is: f7a26b164fa10dae4fe646e57b01c34a619c8d9b

For OS X Lion Server v10.7.4
The download file is named: MacOSXServerUpd10.7.5.dmg
Its SHA-1 digest is: a891b03bfb4eecb745c0c39a32f39960fdb6796a

For OS X Lion Server v10.7 and v10.7.3
The download file is named: MacOSXServerUpdCombo10.7.5.dmg
Its SHA-1 digest is: df6e1748ab0a3c9e05c890be49d514673efd965e

For Mac OS X v10.6.8
The download file is named: SecUpd2012-004.dmg
Its SHA-1 digest is: 5b136e29a871d41012f0c6ea1362d6210c8b4fb7

For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-004.dmg
Its SHA-1 digest is: 9b24496be15078e58a88537700f2f39c112e3b28

The vendor's advisory is available at:

http://support.apple.com/kb/HT5501

Vendor URL:  support.apple.com/kb/HT5501
Cause:   Access control error, Boundary error, Input validation error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Thu, 20 Sep 2012 04:30:35 +0000
Subject:  Apple Mac OS X


http://support.apple.com/kb/HT5501

Excerpt from APPLE-SA-2012-09-19-2 OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and
Security Update 2012-004

DirectoryService
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact:  If the DirectoryService Proxy is used, a remote attacker may
cause a denial of service or arbitrary code execution
Description:  A buffer overflow existed in the DirectoryService
Proxy. This issue was addressed through improved bounds checking.
This issue does not affect OS X Lion and Mountain Lion systems.
CVE-ID
CVE-2012-0650 : aazubel working with HP's Zero Day Initiative

CoreText
Available for:  OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact:  Applications that use CoreText may be vulnerable to an
unexpected application termination or arbitrary code execution
Description:  A bounds checking issue existed in the handling of text
glyphs, which may lead to out of bounds memory reads or writes. This
issue was addressed through improved bounds checking. This issue does
not affect Mac OS X v10.6 or OS X Mountain Lion systems.
CVE-ID
CVE-2012-3716 : Jesse Ruderman of Mozilla Corporation

LoginWindow
Available for:  OS X Mountain Lion v10.8 and v10.8.1
Impact:  A local user may be able to obtain other users' login
passwords
Description:  A user-installed input method could intercept password
keystrokes from Login Window or Screen Saver Unlock. This issue was
addressed by preventing user-installed methods from being used when
the system is handling login information.
CVE-ID
CVE-2012-3718 : An anonymous researcher

Mail
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact:  Viewing an e-mail message may lead to execution of web
plugins
Description:  An input validation issue existed in Mail's handling of
embedded web plugins. This issue was addressed by disabling third-
party plug-ins in Mail. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2012-3719 : Will Dormann of the CERT/CC

Mobile Accounts
Available for:  OS X Mountain Lion v10.8 and v10.8.1
Impact:  A user with access to the contents of a mobile account may
obtain the account password
Description:  Creating a mobile account saved a hash of the password
in the account, which was used to login when the mobile account was
used as an external account. The password hash could be used to
determine the user's password. This issue was addressed by creating
the password hash only if external accounts are enabled on the system
where the mobile account is created.
CVE-ID
CVE-2012-3720 : Harald Wagener of Google, Inc.

Profile Manager
Available for:  OS X Lion Server v10.7 to v10.7.4
Impact:  An unauthenticated user could enumerate managed devices
Description:  An authentication issue existed in the Device
Management private interface. This issue was addressed by removing
the interface. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2012-3721 : Derick Cassidy of XEquals Corporation

QuickTime
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization. This issue does not affect OS X
Mountain Lion systems.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC

USB
Available for:  OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact:  Attaching a USB device may lead to an unexpected system
termination or arbitrary code execution
Description:  A memory corruption issue existed in the handling of
USB hub descriptors. This issue was addressed through improved
handling of the bNbrPorts descriptor field. This issue does not
affect OS X Mountain Lion systems.
CVE-ID
CVE-2012-3723 : Andy Davis of NGS Secure

 
 

