VARIoT IoT vulnerabilities database
| VAR-201209-0364 | CVE-2012-3725 | Vulnerability in the DHCP component of Apple iOS that can expose important information |
CVSS V2: 3.3 CVSS V3: - Severity: LOW |
The DNAv4 protocol implementation in the DHCP component in Apple iOS before 6 sends Wi-Fi packets containing a MAC address of a host on a previously used network, which might allow remote attackers to obtain sensitive information about previous device locations by sniffing an unencrypted Wi-Fi network for these packets. Apple iOS of DHCP In the component DNAv4 The protocol is implemented by the host on the network used immediately before.
Successfully exploiting this issue will allow attackers to determine networks a device has previously accessed.
Note: This issue was previously discussed in BID 55612 (Apple iPhone/iPad/iPod touch Prior to iOS 6 Multiple Vulnerabilities) but has been given its own record to better document it. Apple iOS is an operating system developed by Apple for mobile devices.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-24-1 Apple TV 5.1
Apple TV 5.1 is now available and addresses the following:
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
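Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4
protocol. This issue was addressed by disabling DNAv4 on unencrypted
Wi-Fi networks
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.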
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2012-1173
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
Apple TV
Available for: Apple TV 2nd generation and later
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
Apple TV
Available for: Apple TV 2nd generation and later
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in
JavaScriptCore. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-3589 : Dave Mandelin of Mozilla
CVE-2012-3590 : Apple Product Security
CVE-2012-3591 : Apple Product Security
CVE-2012-3592 : Apple Product Security
CVE-2012-3678 : Apple Product Security
CVE-2012-3679 : Chris Leary of Mozilla
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> General -> Update Software".
To check the current version of software, select
"Settings -> General -> About".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
| VAR-201209-0365 | CVE-2012-3726 | Apple iOS ImageIO memory double free vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Double free vulnerability in ImageIO in Apple iOS before 6 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG image. Apple iOS for the iPhone, the iPod touch, and the iPad is prone to a remote code-execution vulnerability.
Successfully exploiting this issue will allow the attacker to execute arbitrary code in the context of the affected application. Failed exploit attempts may result in a denial-of-service condition.
Note: This issue was previously discussed in BID 55612 (Apple iPhone/iPad/iPod touch Prior to iOS 6 Multiple Vulnerabilities) but has been given its own record to better document it. Apple iOS is an operating system developed by Apple for mobile devices. A double free vulnerability exists in ImageIO in versions prior to Apple iOS 6.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-24-1 Apple TV 5.1
Apple TV 5.1 is now available and addresses the following:
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4
protocol. This issue was addressed by disabling DNAv4 on unencrypted
Wi-Fi networks
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
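Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting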
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2012-1173
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
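Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
Apple TV
Available for: Apple TV 2nd generation and later
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.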
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
Apple TV
Available for: Apple TV 2nd generation and later
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in
JavaScriptCore. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-3589 : Dave Mandelin of Mozilla
CVE-2012-3590 : Apple Product Security
CVE-2012-3591 : Apple Product Security
CVE-2012-3592 : Apple Product Security
CVE-2012-3678 : Apple Product Security
CVE-2012-3679 : Chris Leary of Mozilla
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> General -> Update Software".
To check the current version of software, select
"Settings -> General -> About".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
| VAR-201209-0362 | CVE-2012-3723 | Apple Mac OS X arbitrary code execution vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Apple Mac OS X before 10.7.5 does not properly handle the bNbrPorts field of a USB hub descriptor, which allows physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption and system crash) by attaching a USB device. Apple Mac OS X is prone to a local memory-corruption vulnerability.
Successful exploits may allow attackers to execute arbitrary code within the context of the affected application. Failed attacks may cause a denial-of-service condition.
NOTE: This issue was previously discussed in BID 55623 (Apple Mac OS X Security Update 2012-004 Multiple Security Vulnerabilities) but has been given its own record to better document it.
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50628
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50628/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50628
RELEASE DATE:
2012-09-20
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) Various vulnerabilities exist in the bundled version of Apache.
For more information:
SA46288
SA45793
SA46987
SA47779
SA47410
2) An assertion error in BIND when handling DNS records can be
exploited to cause a DoS (Denial of Service).
For more information:
SA46887
3) An error in BIND can be exploited to disclose potentially
sensitive information or cause a DoS.
For more information:
SA49338
4) An error in the CoreText component when handling text glyphs can
be exploited to cause a buffer overflow and potentially compromise an
application using the component.
5) An error in the DirectoryService Proxy can be exploited to cause a
buffer overflow.
6) Errors in the ImageIO component when parsing PNG images can be
exploited to corrupt memory.
For more information:
SA48026
SA48587
7) An integer overflow error in the ImageIO component when parsing
TIFF images can be exploited to cause a buffer overflow.
For more information:
SA48684#1
8) A previous fix did not properly address an error in the Installer
component that allowed users to obtain account information. The
original fix ensured that passwords were not recorded to the system
log, but did not remove the old system log entries containing
passwords.
This is related to:
SA49039#1
9) An error in International Components for Unicode (ICU) when
handling ICU locale IDs can be exploited to cause a stack-based
buffer overflow.
For more information:
SA47146
10) A logic error in the kernel when handling debug system calls can
be exploited by a malicious program to bypass sandbox restrictions.
For more information:
SA48288#3
11) An error in the LoginWindow component can be exploited by local
users to obtain other users' login passwords.
12) An input validation error in Mail can be exploited to execute web
plugins when viewing an e-mail message.
13) An error in Mobile Accounts can be exploited by a user with
access to the contents of a mobile account to obtain the account
password.
14) Multiple errors exist in the bundled version of PHP.
For more information:
SA49014
SA44335
15) An authentication error in Profile Manager Device Management
private interface can be exploited to enumerate managed devices.
16) Various errors exist in the bundled versions of QuickLook and
QuickTime.
For more information:
SA47447
17) An uninitialised memory access error exists in QuickTime when
viewing Sorenson-encoded movie files.
18) An error in Ruby may allow decryption of SSL-protected data when
a cipher suite uses a block cipher in CBC mode.
19) An error in the USB component can be exploited to corrupt memory
by attaching a malicious USB device.
SOLUTION:
Update to version 10.8.2 or 10.7.5 or apply Security Update 2012-004.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
4) Jesse Ruderman, Mozilla Corporation
5) aazubel via ZDI
11) An anonymous person
12, 17) Will Dormann, CERT/CC
13) Harald Wagener, Google
15) Derick Cassidy, XEquals Corporation
19) Andy Davis, NGS Secure
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT5501
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
| VAR-201209-0360 | CVE-2012-3721 | Apple Mac OS X Profile Manager vulnerability that allows enumeration of managed devices |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Profile Manager in Apple Mac OS X before 10.7.5 does not properly perform authentication for the Device Management private interface, which allows attackers to enumerate managed devices via unspecified vectors.
Attackers can exploit this issue to harvest valid device names, which may aid in further attacks.
NOTE: This issue was previously discussed in BID 55623 (Apple Mac OS X Security Update 2012-004 Multiple Security Vulnerabilities) but has been given its own record to better document it.
This issue is fixed in the following versions:
Mac OS X 10.7.5
Mac OS X 10.8.2.
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50628
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50628/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50628
RELEASE DATE:
2012-09-20
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) Various vulnerabilities exist in the bundled version of Apache.
For more information:
SA46288
SA45793
SA46987
SA47779
SA47410
2) An assertion error in BIND when handling DNS records can be
exploited to cause a DoS (Denial of Service).
For more information:
SA46887
3) An error in BIND can be exploited to disclose potentially
sensitive information or cause a DoS.
For more information:
SA49338
4) An error in the CoreText component when handling text glyphs can
be exploited to cause a buffer overflow and potentially compromise an
application using the component.
5) An error in the DirectoryService Proxy can be exploited to cause a
buffer overflow.
6) Errors in the ImageIO component when parsing PNG images can be
exploited to corrupt memory.
For more information:
SA48026
SA48587
7) An integer overflow error in the ImageIO component when parsing
TIFF images can be exploited to cause a buffer overflow.
For more information:
SA48684#1
8) A previous fix did not properly address an error in the Installer
component that allowed users to obtain account information. The
original fix ensured that passwords were not recorded to the system
log, but did not remove the old system log entries containing
passwords.
This is related to:
SA49039#1
9) An error in International Components for Unicode (ICU) when
handling ICU locale IDs can be exploited to cause a stack-based
buffer overflow.
For more information:
SA47146
10) A logic error in the kernel when handling debug system calls can
be exploited by a malicious program to bypass sandbox restrictions.
For more information:
SA48288#3
11) An error in the LoginWindow component can be exploited by local
users to obtain other users' login passwords.
12) An input validation error in Mail can be exploited to execute web
plugins when viewing an e-mail message.
13) An error in Mobile Accounts can be exploited by a user with
access to the contents of a mobile account to obtain the account
password.
14) Multiple errors exist in the bundled version of PHP.
16) Various errors exist in the bundled versions of QuickLook and
QuickTime.
For more information:
SA47447
17) An uninitialised memory access error exists in QuickTime when
viewing Sorenson-encoded movie files.
18) An error in Ruby may allow decryption of SSL-protected data when
a cipher suite uses a block cipher in CBC mode.
19) An error in the USB component can be exploited to corrupt memory
by attaching a malicious USB device.
SOLUTION:
Update to version 10.8.2 or 10.7.5 or apply Security Update 2012-004.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
4) Jesse Ruderman, Mozilla Corporation
5) aazubel via ZDI
11) An anonymous person
12, 17) Will Dormann, CERT/CC
13) Harald Wagener, Google
15) Derick Cassidy, XEquals Corporation
19) Andy Davis, NGS Secure
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT5501
| VAR-201209-0359 | CVE-2012-3720 | Apple Mac OS X Mobile Accounts vulnerability that allows passwords to be determined |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Mobile Accounts in Apple Mac OS X before 10.7.5 and 10.8.x before 10.8.2 saves password hashes for external-account use even if external accounts are not enabled, which might allow remote attackers to determine passwords via unspecified access to a mobile account. Apple Mac OS X is prone to an information-disclosure vulnerability.
Attackers can leverage this issue to gain access to sensitive information. Information obtained may aid in further attacks.
The following versions are affected:
Mac OS X 10.8
Mac OS X Server 10.8.1
NOTE: This issue was previously discussed in BID 55623 (Apple Mac OS X Security Update 2012-004 Multiple Security Vulnerabilities) but has been given its own record to better document it.
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50628
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50628/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50628
RELEASE DATE:
2012-09-20
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) Various vulnerabilities exist in the bundled version of Apache.
For more information:
SA46288
SA45793
SA46987
SA47779
SA47410
2) An assertion error in BIND when handling DNS records can be
exploited to cause a DoS (Denial of Service).
For more information:
SA46887
3) An error in BIND can be exploited to disclose potentially
sensitive information or cause a DoS.
For more information:
SA49338
4) An error in the CoreText component when handling text glyphs can
be exploited to cause a buffer overflow and potentially compromise an
application using the component.
5) An error in the DirectoryService Proxy can be exploited to cause a
buffer overflow.
6) Errors in the ImageIO component when parsing PNG images can be
exploited to corrupt memory.
For more information:
SA48026
SA48587
7) An integer overflow error in the ImageIO component when parsing
TIFF images can be exploited to cause a buffer overflow.
For more information:
SA48684#1
8) A previous fix did not properly address an error in the Installer
component that allowed users to obtain account information. The
original fix ensured that passwords were not recorded to the system
log, but did not remove the old system log entries containing
passwords.
This is related to:
SA49039#1
9) An error in International Components for Unicode (ICU) when
handling ICU locale IDs can be exploited to cause a stack-based
buffer overflow.
For more information:
SA47146
10) A logic error in the kernel when handling debug system calls can
be exploited by a malicious program to bypass sandbox restrictions.
For more information:
SA48288#3
11) An error in the LoginWindow component can be exploited by local
users to obtain other users' login passwords.
12) An input validation error in Mail can be exploited to execute web
plugins when viewing an e-mail message.
14) Multiple errors exist in the bundled version of PHP.
For more information:
SA49014
SA44335
15) An authentication error in Profile Manager Device Management
private interface can be exploited to enumerate managed devices.
16) Various errors exist in the bundled versions of QuickLook and
QuickTime.
For more information:
SA47447
17) An uninitialised memory access error exists in QuickTime when
viewing Sorenson-encoded movie files.
18) An error in Ruby may allow decryption of SSL-protected data when
a cipher suite uses a block cipher in CBC mode.
19) An error in the USB component can be exploited to corrupt memory
by attaching a malicious USB device.
SOLUTION:
Update to version 10.8.2 or 10.7.5 or apply Security Update 2012-004.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
4) Jesse Ruderman, Mozilla Corporation
5) aazubel via ZDI
11) An anonymous person
12, 17) Will Dormann, CERT/CC
13) Harald Wagener, Google
15) Derick Cassidy, XEquals Corporation
19) Andy Davis, NGS Secure
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT5501
| VAR-201209-0358 | CVE-2012-3719 | Apple Mac OS X Mail vulnerability that allows execution of arbitrary plug-in code |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Mail in Apple Mac OS X before 10.7.5 does not properly handle embedded web plugins, which allows remote attackers to execute arbitrary plugin code via an e-mail message that triggers the loading of a third-party plugin. Apple Mac OS X is prone to an arbitrary code-execution vulnerability.
Successfully exploiting this issue can allow attackers to execute arbitrary code in the context of the currently logged-in user.
NOTE: This issue was previously discussed in BID 55623 (Apple Mac OS X Security Update 2012-004 Multiple Security Vulnerabilities) but has been given its own record to better document it.
This issue is fixed in the following versions:
Mac OS X 10.7.5
Mac OS X 10.8.2. ----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50628
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50628/
RELEASE DATE:
2012-09-20
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) Various vulnerabilities exist in the bundled version of Apache.
For more information:
SA46288
SA45793
SA46987
SA47779
SA47410
2) An assertion error in BIND when handling DNS records can be
exploited to cause a DoS (Denial of Service).
For more information:
SA46887
3) An error in BIND can be exploited to disclose potentially
sensitive information or cause a DoS.
For more information:
SA49338
4) An error in the CoreText component when handling text glyphs can
be exploited to cause a buffer overflow and potentially compromise an
application using the component.
5) An error in the DirectoryService Proxy can be exploited to cause a
buffer overflow.
6) Errors in the ImageIO component when parsing PNG images can be
exploited to corrupt memory.
For more information:
SA48026
SA48587
7) An integer overflow error in the ImageIO component when parsing
TIFF images can be exploited to cause a buffer overflow.
For more information:
SA48684#1
8) A previous fix did not properly address an error in the Installer
component that allowed users to obtain account information. The
original fix ensured that passwords were not recorded to the system
log, but did not remove the old system log entries containing
passwords.
This is related to:
SA49039#1
9) An error in International Components for Unicode (ICU) when
handling ICU locale IDs can be exploited to cause a stack-based
buffer overflow.
For more information:
SA47146
10) A logic error in the kernel when handling debug system calls can
be exploited by a malicious program to bypass sandbox restrictions.
For more information:
SA48288#3
11) An error in the LoginWindow component can be exploited by local
users to obtain other users' login passwords.
12) An input validation error in Mail can be exploited to execute web
plugins when viewing an e-mail message.
13) An error in Mobile Accounts can be exploited by a user with
access to the contents of a mobile account to obtain the account
password.
14) Multiple errors exist in the bundled version of PHP.
For more information:
SA49014
SA44335
15) An authentication error in Profile Manager Device Management
private interface can be exploited to enumerate managed devices.
16) Various errors exist in the bundled versions of QuickLook and
QuickTime.
For more information:
SA47447
17) An uninitialised memory access error exists in QuickTime when
viewing Sorenson-encoded movie files.
18) An error in Ruby may allow decryption of SSL-protected data when
a cipher suite uses a block cipher in CBC mode.
19) An error in the USB component can be exploited to corrupt memory
by attaching a malicious USB device.
SOLUTION:
Update to version 10.8.2 or 10.7.5 or apply Security Update 2012-004.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
4) Jesse Ruderman, Mozilla Corporation
5) aazubel via ZDI
11) An anonymous person
12, 17) Will Dormann, CERT/CC
13) Harald Wagener, Google
15) Derick Cassidy, XEquals Corporation
19) Andy Davis, NGS Secure
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT5501
| VAR-201209-0361 | CVE-2012-3722 | Denial-of-service (application crash) vulnerability in CoreMedia used in multiple Apple products |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
The Sorenson codec in QuickTime in Apple Mac OS X before 10.7.5, and in CoreMedia in iOS before 6, accesses uninitialized memory locations, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file with Sorenson encoding. Apple iOS for the iPhone, the iPod touch, and the iPad is prone to a remote code-execution vulnerability that affects the 'CoreMedia' component.
Successfully exploiting this issue will allow attackers to execute arbitrary code in the context of the application or cause denial-of-service conditions.
Note: This issue was previously discussed in BID 55612 (Apple iPhone/iPad/iPod touch Prior to iOS 6 Multiple Vulnerabilities) but has been given its own record to better document it. Apple Mac OS X is a dedicated operating system developed by Apple for Mac computers.
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50628
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50628/
RELEASE DATE:
2012-09-20
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) Various vulnerabilities exist in the bundled version of Apache.
For more information:
SA46288
SA45793
SA46987
SA47779
SA47410
2) An assertion error in BIND when handling DNS records can be
exploited to cause a DoS (Denial of Service).
For more information:
SA46887
3) An error in BIND can be exploited to disclose potentially
sensitive information or cause a DoS.
For more information:
SA49338
4) An error in the CoreText component when handling text glyphs can
be exploited to cause a buffer overflow and potentially compromise an
application using the component.
5) An error in the DirectoryService Proxy can be exploited to cause a
buffer overflow.
6) Errors in the ImageIO component when parsing PNG images can be
exploited to corrupt memory.
For more information:
SA48026
SA48587
7) An integer overflow error in the ImageIO component when parsing
TIFF images can be exploited to cause a buffer overflow.
For more information:
SA48684#1
8) A previous fix did not properly address an error in the Installer
component that allowed users to obtain account information. The
original fix ensured that passwords were not recorded to the system
log, but did not remove the old system log entries containing
passwords.
This is related to:
SA49039#1
9) An error in International Components for Unicode (ICU) when
handling ICU locale IDs can be exploited to cause a stack-based
buffer overflow.
For more information:
SA47146
10) A logic error in the kernel when handling debug system calls can
be exploited by a malicious program to bypass sandbox restrictions.
For more information:
SA48288#3
11) An error in the LoginWindow component can be exploited by local
users to obtain other users' login passwords.
12) An input validation error in Mail can be exploited to execute web
plugins when viewing an e-mail message.
13) An error in Mobile Accounts can be exploited by a user with
access to the contents of a mobile account to obtain the account
password.
14) Multiple errors exist in the bundled version of PHP.
For more information:
SA49014
SA44335
15) An authentication error in Profile Manager Device Management
private interface can be exploited to enumerate managed devices.
16) Various errors exist in the bundled versions of QuickLook and
QuickTime.
For more information:
SA47447
17) An uninitialised memory access error exists in QuickTime when
viewing Sorenson-encoded movie files.
18) An error in Ruby may allow decryption of SSL-protected data when
a cipher suite uses a block cipher in CBC mode.
19) An error in the USB component can be exploited to corrupt memory
by attaching a malicious USB device.
SOLUTION:
Update to version 10.8.2 or 10.7.5 or apply Security Update 2012-004.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
4) Jesse Ruderman, Mozilla Corporation
5) aazubel via ZDI
11) An anonymous person
12, 17) Will Dormann, CERT/CC
13) Harald Wagener, Google
15) Derick Cassidy, XEquals Corporation
19) Andy Davis, NGS Secure
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT5501
APPLE-SA-2012-09-24-1 Apple TV 5.1
Apple TV 5.1 is now available and addresses the following:
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4
protocol. This issue was addressed by disabling DNAv4 on unencrypted
Wi-Fi networks
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2012-1173
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
Apple TV
Available for: Apple TV 2nd generation and later
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in
JavaScriptCore. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-3589 : Dave Mandelin of Mozilla
CVE-2012-3590 : Apple Product Security
CVE-2012-3591 : Apple Product Security
CVE-2012-3592 : Apple Product Security
CVE-2012-3678 : Apple Product Security
CVE-2012-3679 : Chris Leary of Mozilla
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> General -> Update Software".
To check the current version of software, select
"Settings -> General -> About".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
| VAR-201209-0355 | CVE-2012-3715 | Vulnerability in Apple Safari before 6.0.1 that allows sensitive information to be obtained |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apple Safari before 6.0.1 makes http requests for https URIs in certain circumstances involving a paste into the address bar, which allows user-assisted remote attackers to obtain sensitive information by sniffing the network. Apple Safari is prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions and gain access to potentially sensitive information.
Apple Safari versions prior to 6.0.1 are vulnerable. Apple Safari is a web browser developed by Apple, and is the default browser included with the Mac OS X and iOS operating systems.
TITLE:
Apple Safari for Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50577
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50577/
RELEASE DATE:
2012-09-20
DESCRIPTION:
Multiple vulnerabilities have been reported in Safari, which can be
exploited by malicious people to bypass certain security
restrictions, gain knowledge of sensitive information, or compromise
a user's system.
1) A logic error in the handling of the Quarantine attribute when
opening HTML documents in safe mode can be exploited to cause the
document to not be opened in safe mode and disclose the contents of
arbitrary files.
2) An error in the handling of Form Autofill may lead to Address Book
"Me" card details being disclosed when using Form Autofill on a
specially crafted web page.
3) A logic error when handling HTTPS URLs in the address bar may
cause a request to be unexpectedly sent over HTTP if part of the
request in the address bar was edited by pasting text.
4) A use-after-free error in the Webkit Cascading Style Sheets (CSS)
implementation when handling the :first-letter pseudo-element can be
exploited to dereference already freed memory.
5) A use-after-free error in Webkit when handling tables with
sections can be exploited to dereference already freed memory.
6) A use-after-free error in Webkit when handling the layout of
documents using the Cascading Style Sheets (CSS) counters feature can
be exploited to dereference already freed memory.
7) A use-after-free error in the Webkit Cascading Style Sheets (CSS)
implementation when handling the :first-letter pseudo-element can be
exploited to dereference already freed memory.
8) A use-after-free error in Webkit when handling SVG references can
be exploited to dereference already freed memory.
9) A use-after-free error in Webkit when handling counters can be
exploited to dereference already freed memory.
10) A use-after-free error in Webkit when handling layout height
tracking can be exploited to dereference already freed memory.
11) An unspecified error in Webkit can be exploited to corrupt
memory.
12) An unspecified error in Webkit can be exploited to corrupt
memory.
13) An unspecified error in Webkit can be exploited to corrupt
memory.
14) An unspecified error in Webkit can be exploited to corrupt
memory.
15) An unspecified error in Webkit can be exploited to corrupt
memory.
16) An unspecified error in Webkit can be exploited to corrupt
memory.
17) An unspecified error in Webkit can be exploited to corrupt
memory.
18) An unspecified error in Webkit can be exploited to corrupt
memory.
19) An unspecified error in Webkit can be exploited to corrupt
memory.
20) An unspecified error in Webkit can be exploited to corrupt
memory.
21) An unspecified error in Webkit can be exploited to corrupt
memory.
22) An unspecified error in Webkit can be exploited to corrupt
memory.
23) An unspecified error in Webkit can be exploited to corrupt
memory.
24) An unspecified error in Webkit can be exploited to corrupt
memory.
25) An unspecified error in Webkit can be exploited to corrupt
memory.
26) An unspecified error in Webkit can be exploited to corrupt
memory.
27) An unspecified error in Webkit can be exploited to corrupt
memory.
28) An unspecified error in Webkit can be exploited to corrupt
memory.
29) An unspecified error in Webkit can be exploited to corrupt
memory.
30) An unspecified error in Webkit can be exploited to corrupt
memory.
31) An unspecified error in Webkit can be exploited to corrupt
memory.
32) An unspecified error in Webkit can be exploited to corrupt
memory.
33) An unspecified error in Webkit can be exploited to corrupt
memory.
34) An unspecified error in Webkit can be exploited to corrupt
memory.
35) An unspecified error in Webkit can be exploited to corrupt
memory.
36) An unspecified error in Webkit can be exploited to corrupt
memory.
37) An unspecified error in Webkit can be exploited to corrupt
memory.
38) An unspecified error in Webkit can be exploited to corrupt
memory.
39) An unspecified error in Webkit can be exploited to corrupt
memory.
40) An unspecified error in Webkit can be exploited to corrupt
memory.
41) An unspecified error in Webkit can be exploited to corrupt
memory.
42) An unspecified error in Webkit can be exploited to corrupt
memory.
43) An unspecified error in Webkit can be exploited to corrupt
memory.
44) An unspecified error in Webkit can be exploited to corrupt
memory.
45) An unspecified error in Webkit can be exploited to corrupt
memory.
46) An unspecified error in Webkit can be exploited to corrupt
memory.
47) An unspecified error in Webkit can be exploited to corrupt
memory.
48) An unspecified error in Webkit can be exploited to corrupt
memory.
49) An unspecified error in Webkit can be exploited to corrupt
memory.
50) An unspecified error in Webkit can be exploited to corrupt
memory.
51) An unspecified error in Webkit can be exploited to corrupt
memory.
52) An unspecified error in Webkit can be exploited to corrupt
memory.
53) An unspecified error in Webkit can be exploited to corrupt
memory.
54) An unspecified error in Webkit can be exploited to corrupt
memory.
55) An unspecified error in Webkit can be exploited to corrupt
memory.
56) An unspecified error in Webkit can be exploited to corrupt
memory.
57) An unspecified error in Webkit can be exploited to corrupt
memory.
58) An unspecified error in Webkit can be exploited to corrupt
memory.
59) An unspecified error in Webkit can be exploited to corrupt
memory.
60) An unspecified error in Webkit can be exploited to corrupt
memory.
61) An unspecified error in Webkit can be exploited to corrupt
memory.
SOLUTION:
Update to version 6.0.1.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Aaron Sigel, vtty.com and Masahiro Yamada
2) Jonathan Hogervorst, Buzzera
3) Aaron Rhoads, East Watch Services LLC and Pepi Zawodsky
4-10, 13) miaubiz
11, 20, 34, 42, 44, 47, 49, 52, 55, 57, 58) Apple Product Security
12) Martin Barbella, Google Chrome Security Team
14, 15, 17, 19, 22, 25, 28, 33, 36, 38-40, 46, 48, 50, 51, 54, 56,
61) Abhishek Arya (Inferno), Google Chrome Security Team
16, 21, 23, 24, 26, 27, 32, 47, 53, 60) Skylined, Google Chrome
Security Team
18) Yong Li, Research In Motion
29) Dominic Cooney, Google and Martin Barbella, Google Chrome
Security Team
30) Abhishek Arya and Martin Barbella, Google Chrome Security Team
31) Martin Barbella, Google Chrome Security Team
35) Mario Gomes, netfuzzer.blogspot.com and Abhishek Arya (Inferno),
Google Chrome Security Team
37) Skylined and Martin Barbella, Google Chrome Security Team
41) Julien Chaffraix, Chromium development community
43, 45) kuzzcc
59) James Robinson of Google
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT5502
| VAR-201209-0354 | CVE-2012-3714 | Vulnerability in the Form Autofill feature of Apple Safari before 6.0.1 that allows Me card information to be obtained |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The Form Autofill feature in Apple Safari before 6.0.1 does not restrict the filled fields to the set of fields contained in an Autofill popover, which allows remote attackers to obtain the Me card from an Address Book via a crafted web site. Apple Safari is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to obtain sensitive information that may lead to further attacks.
Apple Safari versions prior to 6.0.1 are vulnerable. Apple Safari is a web browser developed by Apple, and is the default browser included with the Mac OS X and iOS operating systems.
TITLE:
Apple Safari for Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50577
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50577/
RELEASE DATE:
2012-09-20
DESCRIPTION:
Multiple vulnerabilities have been reported in Safari, which can be
exploited by malicious people to bypass certain security
restrictions, gain knowledge of sensitive information, or compromise
a user's system.
1) A logic error in the handling of the Quarantine attribute when
opening HTML documents in safe mode can be exploited to cause the
document to not be opened in safe mode and disclose the contents of
arbitrary files.
3) A logic error when handling HTTPS URLs in the address bar may
cause a request to be unexpectedly sent over HTTP if part of the
request in the address bar was edited by pasting text.
4) A use-after-free error in the Webkit Cascading Style Sheets (CSS)
implementation when handling the :first-letter pseudo-element can be
exploited to dereference already freed memory.
5) A use-after-free error in Webkit when handling tables with
sections can be exploited to dereference already freed memory.
6) A use-after-free error in Webkit when handling the layout of
documents using the Cascading Style Sheets (CSS) counters feature can
be exploited to dereference already freed memory.
7) A use-after-free error in the Webkit Cascading Style Sheets (CSS)
implementation when handling the :first-letter pseudo-element can be
exploited to dereference already freed memory.
8) A use-after-free error in Webkit when handling SVG references can
be exploited to dereference already freed memory.
9) A use-after-free error in Webkit when handling counters can be
exploited to dereference already freed memory.
10) A use-after-free error in Webkit when handling layout height
tracking can be exploited to dereference already freed memory.
11) An unspecified error in Webkit can be exploited to corrupt
memory.
12) An unspecified error in Webkit can be exploited to corrupt
memory.
13) An unspecified error in Webkit can be exploited to corrupt
memory.
14) An unspecified error in Webkit can be exploited to corrupt
memory.
15) An unspecified error in Webkit can be exploited to corrupt
memory.
16) An unspecified error in Webkit can be exploited to corrupt
memory.
17) An unspecified error in Webkit can be exploited to corrupt
memory.
18) An unspecified error in Webkit can be exploited to corrupt
memory.
19) An unspecified error in Webkit can be exploited to corrupt
memory.
20) An unspecified error in Webkit can be exploited to corrupt
memory.
21) An unspecified error in Webkit can be exploited to corrupt
memory.
22) An unspecified error in Webkit can be exploited to corrupt
memory.
23) An unspecified error in Webkit can be exploited to corrupt
memory.
24) An unspecified error in Webkit can be exploited to corrupt
memory.
25) An unspecified error in Webkit can be exploited to corrupt
memory.
26) An unspecified error in Webkit can be exploited to corrupt
memory.
27) An unspecified error in Webkit can be exploited to corrupt
memory.
28) An unspecified error in Webkit can be exploited to corrupt
memory.
29) An unspecified error in Webkit can be exploited to corrupt
memory.
30) An unspecified error in Webkit can be exploited to corrupt
memory.
31) An unspecified error in Webkit can be exploited to corrupt
memory.
32) An unspecified error in Webkit can be exploited to corrupt
memory.
33) An unspecified error in Webkit can be exploited to corrupt
memory.
34) An unspecified error in Webkit can be exploited to corrupt
memory.
35) An unspecified error in Webkit can be exploited to corrupt
memory.
36) An unspecified error in Webkit can be exploited to corrupt
memory.
37) An unspecified error in Webkit can be exploited to corrupt
memory.
38) An unspecified error in Webkit can be exploited to corrupt
memory.
39) An unspecified error in Webkit can be exploited to corrupt
memory.
40) An unspecified error in Webkit can be exploited to corrupt
memory.
41) An unspecified error in Webkit can be exploited to corrupt
memory.
42) An unspecified error in Webkit can be exploited to corrupt
memory.
43) An unspecified error in Webkit can be exploited to corrupt
memory.
44) An unspecified error in Webkit can be exploited to corrupt
memory.
45) An unspecified error in Webkit can be exploited to corrupt
memory.
46) An unspecified error in Webkit can be exploited to corrupt
memory.
47) An unspecified error in Webkit can be exploited to corrupt
memory.
48) An unspecified error in Webkit can be exploited to corrupt
memory.
49) An unspecified error in Webkit can be exploited to corrupt
memory.
50) An unspecified error in Webkit can be exploited to corrupt
memory.
51) An unspecified error in Webkit can be exploited to corrupt
memory.
52) An unspecified error in Webkit can be exploited to corrupt
memory.
53) An unspecified error in Webkit can be exploited to corrupt
memory.
54) An unspecified error in Webkit can be exploited to corrupt
memory.
55) An unspecified error in Webkit can be exploited to corrupt
memory.
56) An unspecified error in Webkit can be exploited to corrupt
memory.
57) An unspecified error in Webkit can be exploited to corrupt
memory.
58) An unspecified error in Webkit can be exploited to corrupt
memory.
59) An unspecified error in Webkit can be exploited to corrupt
memory.
60) An unspecified error in Webkit can be exploited to corrupt
memory.
61) An unspecified error in Webkit can be exploited to corrupt
memory.
SOLUTION:
Update to version 6.0.1.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Aaron Sigel, vtty.com and Masahiro Yamada
2) Jonathan Hogervorst, Buzzera
3) Aaron Rhoads, East Watch Services LLC and Pepi Zawodsky
4-10, 13) miaubiz
11, 20, 34, 42, 44, 47, 49, 52, 55, 57, 58) Apple Product Security
12) Martin Barbella, Google Chrome Security Team
14, 15, 17, 19, 22, 25, 28, 33, 36, 38-40, 46, 48, 50, 51, 54, 56,
61) Abhishek Arya (Inferno), Google Chrome Security Team
16, 21, 23, 24, 26, 27, 32, 47, 53, 60) Skylined, Google Chrome
Security Team
18) Yong Li, Research In Motion
29) Dominic Cooney, Google and Martin Barbella, Google Chrome
Security Team
30) Abhishek Arya and Martin Barbella, Google Chrome Security Team
31) Martin Barbella, Google Chrome Security Team
35) Mario Gomes, netfuzzer.blogspot.com and Abhishek Arya (Inferno),
Google Chrome Security Team
37) Skylined and Martin Barbella, Google Chrome Security Team
41) Julien Chaffraix, Chromium development community
43, 45) kuzzcc
59) James Robinson of Google
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT5502
| VAR-201209-0353 | CVE-2012-3713 | Safari vulnerable to local file content disclosure |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apple Safari before 6.0.1 does not properly handle the Quarantine attribute of HTML documents, which allows user-assisted remote attackers to read arbitrary files by leveraging the presence of a downloaded document. Safari contains a vulnerability where a local file may be accessed remotely, which may result in a local file content disclosure. Masahiro YAMADA reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. By opening a specially crafted HTML document as a local file, an arbitrary local file may be obtained remotely even though access from other users is restricted. Apple Safari is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to obtain sensitive information that may lead to further attacks.
Apple Safari versions prior to 6.0.1 are vulnerable. Apple Safari is a web browser developed by Apple, and is the default browser included with Mac OS X and iOS operating systems.
TITLE:
Apple Safari for Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50577
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50577/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50577
RELEASE DATE:
2012-09-20
DESCRIPTION:
Multiple vulnerabilities have been reported in Safari, which can be
exploited by malicious people to bypass certain security
restrictions, gain knowledge of sensitive information, or compromise
a user's system.
2) An error in the handling of Form Autofill may lead to Address Book
"Me" card details being disclosed when using Form Autofill on a
specially crafted web page.
3) A logic error when handling HTTPS URLs in the address bar may
cause a request to be unexpectedly sent over HTTP if part of the
request in the address bar was edited by pasting text.
4) A use-after-free error in the Webkit Cascading Style Sheets (CSS)
implementation when handling the :first-letter pseudo-element can be
exploited to dereference already freed memory.
5) A use-after-free error in Webkit when handling tables with
sections can be exploited to dereference already freed memory.
6) A use-after-free error in Webkit when handling the layout of
documents using the Cascading Style Sheets (CSS) counters feature can
be exploited to dereference already freed memory.
7) A use-after-free error in the Webkit Cascading Style Sheets (CSS)
implementation when handling the :first-letter pseudo-element can be
exploited to dereference already freed memory.
8) A use-after-free error in Webkit when handling SVG references can
be exploited to dereference already freed memory.
9) A use-after-free error in Webkit when handling counters can be
exploited to dereference already freed memory.
10) A use-after-free error in Webkit when handling layout height
tracking can be exploited to dereference already freed memory.
11) An unspecified error in Webkit can be exploited to corrupt
memory.
12) An unspecified error in Webkit can be exploited to corrupt
memory.
13) An unspecified error in Webkit can be exploited to corrupt
memory.
14) An unspecified error in Webkit can be exploited to corrupt
memory.
15) An unspecified error in Webkit can be exploited to corrupt
memory.
16) An unspecified error in Webkit can be exploited to corrupt
memory.
17) An unspecified error in Webkit can be exploited to corrupt
memory.
18) An unspecified error in Webkit can be exploited to corrupt
memory.
19) An unspecified error in Webkit can be exploited to corrupt
memory.
20) An unspecified error in Webkit can be exploited to corrupt
memory.
21) An unspecified error in Webkit can be exploited to corrupt
memory.
22) An unspecified error in Webkit can be exploited to corrupt
memory.
23) An unspecified error in Webkit can be exploited to corrupt
memory.
24) An unspecified error in Webkit can be exploited to corrupt
memory.
25) An unspecified error in Webkit can be exploited to corrupt
memory.
26) An unspecified error in Webkit can be exploited to corrupt
memory.
27) An unspecified error in Webkit can be exploited to corrupt
memory.
28) An unspecified error in Webkit can be exploited to corrupt
memory.
29) An unspecified error in Webkit can be exploited to corrupt
memory.
30) An unspecified error in Webkit can be exploited to corrupt
memory.
31) An unspecified error in Webkit can be exploited to corrupt
memory.
32) An unspecified error in Webkit can be exploited to corrupt
memory.
33) An unspecified error in Webkit can be exploited to corrupt
memory.
34) An unspecified error in Webkit can be exploited to corrupt
memory.
35) An unspecified error in Webkit can be exploited to corrupt
memory.
36) An unspecified error in Webkit can be exploited to corrupt
memory.
37) An unspecified error in Webkit can be exploited to corrupt
memory.
38) An unspecified error in Webkit can be exploited to corrupt
memory.
39) An unspecified error in Webkit can be exploited to corrupt
memory.
40) An unspecified error in Webkit can be exploited to corrupt
memory.
41) An unspecified error in Webkit can be exploited to corrupt
memory.
42) An unspecified error in Webkit can be exploited to corrupt
memory.
43) An unspecified error in Webkit can be exploited to corrupt
memory.
44) An unspecified error in Webkit can be exploited to corrupt
memory.
45) An unspecified error in Webkit can be exploited to corrupt
memory.
46) An unspecified error in Webkit can be exploited to corrupt
memory.
47) An unspecified error in Webkit can be exploited to corrupt
memory.
48) An unspecified error in Webkit can be exploited to corrupt
memory.
49) An unspecified error in Webkit can be exploited to corrupt
memory.
50) An unspecified error in Webkit can be exploited to corrupt
memory.
51) An unspecified error in Webkit can be exploited to corrupt
memory.
52) An unspecified error in Webkit can be exploited to corrupt
memory.
53) An unspecified error in Webkit can be exploited to corrupt
memory.
54) An unspecified error in Webkit can be exploited to corrupt
memory.
55) An unspecified error in Webkit can be exploited to corrupt
memory.
56) An unspecified error in Webkit can be exploited to corrupt
memory.
57) An unspecified error in Webkit can be exploited to corrupt
memory.
58) An unspecified error in Webkit can be exploited to corrupt
memory.
59) An unspecified error in Webkit can be exploited to corrupt
memory.
60) An unspecified error in Webkit can be exploited to corrupt
memory.
61) An unspecified error in Webkit can be exploited to corrupt
memory.
SOLUTION:
Update to version 6.0.1.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Aaron Sigel, vtty.com and Masahiro Yamada
2) Jonathan Hogervorst, Buzzera
3) Aaron Rhoads, East Watch Services LLC and Pepi Zawodsky
4-10, 13) miaubiz
11, 20, 34, 42, 44, 47, 49, 52, 55, 57, 58) Apple Product Security
12) Martin Barbella, Google Chrome Security Team
14, 15, 17, 19, 22, 25, 28, 33, 36, 38-40, 46, 48, 50, 51, 54, 56,
61) Abhishek Arya (Inferno), Google Chrome Security Team
16, 21, 23, 24, 26, 27, 32, 47, 53, 60) Skylined, Google Chrome
Security Team
18) Yong Li, Research In Motion
29) Dominic Cooney, Google and Martin Barbella, Google Chrome
Security Team
30) Abhishek Arya and Martin Barbella, Google Chrome Security Team
31) Martin Barbella, Google Chrome Security Team
35) Mario Gomes, netfuzzer.blogspot.com and Abhishek Arya (Inferno),
Google Chrome Security Team
37) Skylined and Martin Barbella, Google Chrome Security Team
41) Julien Chaffraix, Chromium development community
43, 45) kuzzcc
59) James Robinson of Google
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT5502
| VAR-201209-0485 | CVE-2012-0650 | Apple Mac OS X of DirectoryService Vulnerable to buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in the DirectoryService Proxy in DirectoryService in Apple Mac OS X through 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors. Authentication is not required to exploit this vulnerability. The flaw exists within the DirectoryService daemon. This process listens on TCP port 625 by default on Mac OS X Server prior to 10.7. Request types to the service include a sComProxyData structure with a translate field that describes the endianness of the payload. When a message is passed to SwapProxyMessage for byte-reordering, multiple user-controlled fields are trusted, including lengths and offsets. When processing this data with DSSwapObjectData, the process will address memory outside the bounds of the allocated region. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the process. Apple Mac OS X is prone to a buffer-overflow vulnerability. Failed exploit attempts will likely result in a denial-of-service condition.
The following versions are affected:
Mac OS X v10.6.8
Mac OS X Server v10.6.8
NOTE: This issue was previously discussed in BID 55623 (Apple Mac OS X Security Update 2012-004 Multiple Security Vulnerabilities) but has been given its own record to better document it.
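The length and offset handling described in this record, as an added example (not Apple's code and not part of the advisory): a byte-reordering routine that checks every sender-supplied length and offset against the bytes actually received before it touches memory. The wire layout, tag values and all function names are hypothetical, since the page does not give the real sComProxyData layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire layout for illustration (NOT Apple's sComProxyData):
 *   u32 tag    reads as TAG_NATIVE if the sender shares our byte order,
 *              TAG_SWAPPED if every field must be byte-reordered
 *   u32 total  message length in bytes, header included
 *   u32 count  number of descriptors that follow
 *   count x { u32 offset; u32 length; }  each names a run of u32 words
 */
#define HDR_SIZE    12u
#define DESC_SIZE   8u
#define TAG_NATIVE  0x01020304u
#define TAG_SWAPPED 0x04030201u
#define SWAP_OK        0
#define SWAP_REJECTED (-1)

static uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000ff00u) |
           ((v << 8) & 0x00ff0000u) | (v << 24);
}
static uint32_t load32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void store32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Read a field in host order, whatever order the sender used. */
static uint32_t field(const uint8_t *p, int swapped)
{
    uint32_t v = load32(p);
    return swapped ? bswap32(v) : v;
}

/* Validate every length and offset against the bytes actually received,
 * and only then reorder in place. Nothing is modified on rejection. */
int swap_proxy_message_checked(uint8_t *buf, size_t received)
{
    if (buf == NULL || received < HDR_SIZE) return SWAP_REJECTED;
    uint32_t tag = load32(buf);
    if (tag != TAG_NATIVE && tag != TAG_SWAPPED) return SWAP_REJECTED;
    int swapped = (tag == TAG_SWAPPED);

    uint32_t total = field(buf + 4, swapped);
    uint32_t count = field(buf + 8, swapped);
    if (total < HDR_SIZE || total > received) return SWAP_REJECTED;
    /* Divide instead of multiplying so a huge count cannot wrap. */
    if (count > (total - HDR_SIZE) / DESC_SIZE) return SWAP_REJECTED;

    uint32_t next_free = HDR_SIZE + count * DESC_SIZE;  /* first data byte */
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *d = buf + HDR_SIZE + i * DESC_SIZE;
        uint32_t off = field(d, swapped), len = field(d + 4, swapped);
        if ((off & 3u) || (len & 3u)) return SWAP_REJECTED;
        /* off < next_free would alias the header or an earlier run. */
        if (off < next_free || off > total) return SWAP_REJECTED;
        if (len > total - off) return SWAP_REJECTED;  /* no off+len wrap */
        next_free = off + len;
    }
    if (!swapped) return SWAP_OK;

    /* Second pass: all ranges are known to be in bounds. */
    for (uint32_t i = 0; i < count; i++) {
        uint8_t *d = buf + HDR_SIZE + i * DESC_SIZE;
        uint32_t off = bswap32(load32(d)), len = bswap32(load32(d + 4));
        for (uint32_t w = 0; w < len; w += 4)
            store32(buf + off + w, bswap32(load32(buf + off + w)));
        store32(d, off);
        store32(d + 4, len);
    }
    store32(buf, TAG_NATIVE);
    store32(buf + 4, total);
    store32(buf + 8, count);
    return SWAP_OK;
}

/* Constructed sample: one descriptor and two data words, as written by a
 * sender with the opposite byte order. count/offset/length are chosen by
 * the caller so that malformed variants can be produced. */
static uint8_t sample[28];

int demo_case(uint32_t count, uint32_t offset, uint32_t length)
{
    store32(sample,      TAG_SWAPPED);
    store32(sample + 4,  bswap32((uint32_t)sizeof sample));
    store32(sample + 8,  bswap32(count));
    store32(sample + 12, bswap32(offset));
    store32(sample + 16, bswap32(length));
    store32(sample + 20, bswap32(0x11223344u));
    store32(sample + 24, bswap32(0xAABBCCDDu));
    return swap_proxy_message_checked(sample, sizeof sample);
}
uint32_t demo_word(size_t off) { return load32(sample + off); }

int main(void)
{
    printf("well-formed:      %d\n", demo_case(1, 20, 8));
    printf("length too large: %d\n", demo_case(1, 20, 0x1000));
    printf("offset wraps:     %d\n", demo_case(1, 0xfffffff8u, 8));
    printf("count too large:  %d\n", demo_case(0x20000000u, 20, 8));
    return 0;
}
```

Validation runs as a separate first pass so that a message rejected at its last descriptor leaves the buffer exactly as received.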
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can
be found at:
http://support.apple.com/kb/HT1222
-- Disclosure Timeline:
2011-11-29 - Vulnerability reported to vendor
2012-11-15 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* aazubel
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50628
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50628/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50628
RELEASE DATE:
2012-09-20
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) Various vulnerabilities exist in the bundled version of Apache.
For more information:
SA46887
3) An error in BIND can be exploited to disclose potentially
sensitive information or cause a DoS.
For more information:
SA49338
4) An error in the CoreText component when handling text glyphs can
be exploited to cause a buffer overflow and potentially compromise an
application using the component.
5) An error in the DirectoryService Proxy can be exploited to cause a
buffer overflow.
6) Errors in the ImageIO component when parsing PNG images can be
exploited to corrupt memory.
For more information:
SA48026
SA48587
7) An integer overflow error in the ImageIO component when parsing
TIFF images can be exploited to cause a buffer overflow.
For more information:
SA48684#1
8) A previous fix did not properly address an error in the Installer
component that allowed users to obtain account information.
This is related to:
SA49039#1
9) An error in International Components for Unicode (ICU) when
handling ICU locale IDs can be exploited to cause a stack-based
buffer overflow.
For more information:
SA48288#3
11) An error in the LoginWindow component can be exploited by local
users to obtain other users' login passwords.
12) An input validation error in Mail can be exploited to execute web
plugins when viewing an e-mail message.
14) Multiple errors exist in the bundled version of PHP.
16) Various errors exist in the bundled versions of QuickLook and
QuickTime.
For more information:
SA47447
17) An uninitialised memory access error exists in QuickTime when
viewing Sorenson-encoded movie files.
18) An error in Ruby may allow decryption of SSL-protected data when
a cipher suite uses a block cipher in CBC mode.
19) An error in the USB component can be exploited to corrupt memory
by attaching a malicious USB device.
SOLUTION:
Update to version 10.8.2 or 10.7.5 or apply Security Update 2012-004.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
4) Jesse Ruderman, Mozilla Corporation
5) aazubel via ZDI
11) An anonymous person
12, 17) Will Dormann, CERT/CC
13) Harald Wagener, Google
15) Derick Cassidy, XEquals Corporation
19) Andy Davis, NGS Secure
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT5501
. Further information is available via the Apache web site at
http://httpd.apache.org/. This issue does not affect OS X Mountain
Lion systems.
CVE-ID
CVE-2011-3368
CVE-2011-3607
CVE-2011-4317
CVE-2012-0021
CVE-2012-0031
CVE-2012-0053
BIND
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact: A remote attacker may be able to cause a denial of service
in systems configured to run BIND as a DNS nameserver
Description: A reachable assertion issue existed in the handling of
DNS records. This issue was addressed by updating to BIND 9.7.6-P1.
This issue does not affect OS X Mountain Lion systems.
CVE-ID
CVE-2011-4313
BIND
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4,
OS X Mountain Lion v10.8 and v10.8.1
Impact: A remote attacker may be able to cause a denial of service,
data corruption, or obtain sensitive information from process memory
in systems configured to run BIND as a DNS nameserver
Description: A memory management issue existed in the handling of
DNS records. This issue was addressed by updating to BIND 9.7.6-P1 on
OS X Lion systems, and BIND 9.8.3-P1 on OS X Mountain Lion systems.
CVE-ID
CVE-2012-1667
CoreText
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact: Applications that use CoreText may be vulnerable to an
unexpected application termination or arbitrary code execution
Description: A bounds checking issue existed in the handling of text
glyphs, which may lead to out of bounds memory reads or writes. This
issue was addressed through improved bounds checking. This sub-CA facilitated the interception of communications
secured by Transport Layer Security (TLS). This update adds the
involved sub-CA certificate to OS X's list of untrusted certificates. This issue was addressed through improved bounds checking.
This issue does not affect OS X Lion and Mountain Lion systems. These issues were addressed through improved
validation of PNG images. These issues do not affect OS X Mountain
Lion systems. This issue was addressed through improved validation
of TIFF images. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2012-1173 : Alexander Gavrun working with HP's Zero Day
Initiative
Installer
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact: Remote admins and persons with physical access to the system
may obtain account information
Description: The fix for CVE-2012-0652 in OS X Lion 10.7.4 prevented
user passwords from being recorded in the system log, but did not
remove the old log entries. This issue was addressed by deleting log
files that contained passwords. This issue was addressed through improved bounds
checking. This issue does not affect OS X Mountain Lion systems.
CVE-ID
CVE-2011-4599
Kernel
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact: A malicious program could bypass sandbox restrictions
Description: A logic issue existed in the handling of debug system
calls. This may allow a malicious program to gain code execution in
other programs with the same user privileges. This issue was
addressed by disabling handling of addresses in PT_STEP and
PT_CONTINUE. This issue does not affect OS X Mountain Lion systems.
CVE-ID
CVE-2012-0643 : iOS Jailbreak Dream Team
LoginWindow
Available for: OS X Mountain Lion v10.8 and v10.8.1
Impact: A local user may be able to obtain other user's login
passwords
Description: A user-installed input method could intercept password
keystrokes from Login Window or Screen Saver Unlock. This issue was
addressed by preventing user-installed methods from being used when
the system is handling login information. This issue was addressed by disabling third-
party plug-ins in Mail. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2012-3719 : Will Dormann of the CERT/CC
Mobile Accounts
Available for: OS X Mountain Lion v10.8 and v10.8.1
Impact: A user with access to the contents of a mobile account may
obtain the account password
Description: Creating a mobile account saved a hash of the password
in the account, which was used to login when the mobile account was
used as an external account. The password hash could be used to
determine the user's password. This issue was addressed by creating
the password hash only if external accounts are enabled on the system
where the mobile account is created.
CVE-ID
CVE-2012-3720 : Harald Wagener of Google, Inc. This issue was addressed by updating PHP's copy of libpng
to version 1.5.10. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2011-3048
Profile Manager
Available for: OS X Lion Server v10.7 to v10.7.4
Impact: An unauthenticated user could enumerate managed devices
Description: An authentication issue existed in the Device
Management private interface. This issue was addressed by removing
the interface. This issue does not affect OS X Mountain Lion
systems. This issue was addressed through improved validation of
.pict files. This issue does not affect OS X Mountain Lion systems.
CVE-ID
CVE-2012-0671 : Rodrigo Rubira Branco (twitter.com/bsdaemon) from the
Qualys Vulnerability & Malware Research Labs (VMRL)
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in QuickTime's handling of
sean atoms. This issue was addressed through improved bounds
checking. This issue does not affect OS X Mountain Lion systems.
CVE-ID
CVE-2012-0670 : Tom Gallagher (Microsoft) and Paul Bates (Microsoft)
working with HP's Zero Day Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization. This issue does not affect OS X
Mountain Lion systems. This issue was addressed through improved bounds
checking. This issue does not affect OS X Mountain Lion systems.
CVE-ID
CVE-2012-0668 : Luigi Auriemma working with HP's Zero Day Initiative
Ruby
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
The Ruby OpenSSL module disabled the 'empty fragment' countermeasure
which prevented these attacks. This issue was addressed by enabling
empty fragments. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2011-3389
USB
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact: Attaching a USB device may lead to an unexpected system
termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
USB hub descriptors. This issue was addressed through improved
handling of the bNbrPorts descriptor field. This issue does not
affect OS X Mountain Lion systems.
CVE-ID
CVE-2012-3723 : Andy Davis of NGS Secure
Note: OS X Mountain Lion v10.8.2 includes the content of
Safari 6.0.1. For further details see "About the security content
of Safari 6.0.1" at http://support.apple.com/kb/HT5502
OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and Security Update
2012-004 may be obtained from the Software Update pane in System
Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 or Security Update
2012-004.
For OS X Mountain Lion v10.8.1
The download file is named: OSXUpd10.8.2.dmg
Its SHA-1 digest is: d6779e1cc748b78af0207499383b1859ffbebe33
For OS X Mountain Lion v10.8
The download file is named: OSXUpdCombo10.8.2.dmg
Its SHA-1 digest is: b08f10233d362e39f20b69f91d1d73f5e7b68a2c
For OS X Lion v10.7.4
The download file is named: MacOSXUpd10.7.5.dmg
Its SHA-1 digest is: e0a9582cce9896938a7a541bd431862d93893532
For OS X Lion v10.7 and v10.7.3
The download file is named: MacOSXUpdCombo10.7.5.dmg
Its SHA-1 digest is: f7a26b164fa10dae4fe646e57b01c34a619c8d9b
For OS X Lion Server v10.7.4
The download file is named: MacOSXServerUpd10.7.5.dmg
Its SHA-1 digest is: a891b03bfb4eecb745c0c39a32f39960fdb6796a
For OS X Lion Server v10.7 and v10.7.3
The download file is named: MacOSXServerUpdCombo10.7.5.dmg
Its SHA-1 digest is: df6e1748ab0a3c9e05c890be49d514673efd965e
For Mac OS X v10.6.8
The download file is named: SecUpd2012-004.dmg
Its SHA-1 digest is: 5b136e29a871d41012f0c6ea1362d6210c8b4fb7
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-004.dmg
Its SHA-1 digest is: 9b24496be15078e58a88537700f2f39c112e3b28
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
| VAR-201209-0357 | CVE-2012-3718 | Apple Mac OS X Vulnerable to reading entered passwords |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Apple Mac OS X before 10.7.5 and 10.8.x before 10.8.2 allows local users to read passwords entered into Login Window (aka LoginWindow) or Screen Saver Unlock by installing an input method that intercepts keystrokes. Apple Mac OS X is prone to an information-disclosure vulnerability.
Local attackers can exploit this issue to obtain other users' login passwords. This may aid in further attacks.
NOTE: This issue was previously discussed in BID 55623 (Apple Mac OS X Security Update 2012-004 Multiple Security Vulnerabilities) but has been given its own record to better document it.
This issue is fixed in the following versions:
Mac OS X 10.7.5
Mac OS X 10.8.2.
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50628
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50628/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50628
RELEASE DATE:
2012-09-20
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) Various vulnerabilities exist in the bundled version of Apache.
For more information:
SA46887
3) An error in BIND can be exploited to disclose potentially
sensitive information or cause a DoS.
For more information:
SA49338
4) An error in the CoreText component when handling text glyphs can
be exploited to cause a buffer overflow and potentially compromise an
application using the component.
5) An error in the DirectoryService Proxy can be exploited to cause a
buffer overflow.
6) Errors in the ImageIO component when parsing PNG images can be
exploited to corrupt memory.
For more information:
SA48026
SA48587
7) An integer overflow error in the ImageIO component when parsing
TIFF images can be exploited to cause a buffer overflow.
For more information:
SA48684#1
8) A previous fix did not properly address an error in the Installer
component that allowed users to obtain account information.
This is related to:
SA49039#1
9) An error in International Components for Unicode (ICU) when
handling ICU locale IDs can be exploited to cause a stack-based
buffer overflow.
12) An input validation error in Mail can be exploited to execute web
plugins when viewing an e-mail message.
14) Multiple errors exist in the bundled version of PHP.
16) Various errors exist in the bundled versions of QuickLook and
QuickTime.
For more information:
SA47447
17) An uninitialised memory access error exists in QuickTime when
viewing Sorenson-encoded movie files.
18) An error in Ruby may allow decryption of SSL-protected data when
a cipher suite uses a block cipher in CBC mode.
19) An error in the USB component can be exploited to corrupt memory
by attaching a malicious USB device.
SOLUTION:
Update to version 10.8.2 or 10.7.5 or apply Security Update 2012-004.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
4) Jesse Ruderman, Mozilla Corporation
5) aazubel via ZDI
11) An anonymous person
12, 17) Will Dormann, CERT/CC
13) Harald Wagener, Google
15) Derick Cassidy, XEquals Corporation
19) Andy Davis, NGS Secure
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT5501
Further information is available via the Apache web site at
http://httpd.apache.org/.
CVE-ID
CVE-2011-3368
CVE-2011-3607
CVE-2011-4317
CVE-2012-0021
CVE-2012-0031
CVE-2012-0053
BIND
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact: A remote attacker may be able to cause a denial of service
in systems configured to run BIND as a DNS nameserver
Description: A reachable assertion issue existed in the handling of
DNS records. This issue was addressed by updating to BIND 9.7.6-P1.
CVE-ID
CVE-2011-4313
BIND
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4,
OS X Mountain Lion v10.8 and v10.8.1
Impact: A remote attacker may be able to cause a denial of service,
data corruption, or obtain sensitive information from process memory
in systems configured to run BIND as a DNS nameserver
Description: A memory management issue existed in the handling of
DNS records.
CVE-ID
CVE-2012-1667
CoreText
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact: Applications that use CoreText may be vulnerable to an
unexpected application termination or arbitrary code execution
Description: A bounds checking issue existed in the handling of text
glyphs, which may lead to out of bounds memory reads or writes. This
issue was addressed through improved bounds checking.
CVE-ID
CVE-2012-3716 : Jesse Ruderman of Mozilla Corporation
Data Security
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4,
OS X Mountain Lion v10.8 and v10.8.1
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: TrustWave, a trusted root CA, has issued, and
subsequently revoked, a sub-CA certificate from one of its trusted
anchors. This sub-CA facilitated the interception of communications
secured by Transport Layer Security (TLS). This update adds the
involved sub-CA certificate to OS X's list of untrusted certificates.
DirectoryService
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: If the DirectoryService Proxy is used, a remote attacker may
cause a denial of service or arbitrary code execution
Description: A buffer overflow existed in the DirectoryService
Proxy. This issue was addressed through improved bounds checking.
This issue does not affect OS X Lion and Mountain Lion systems.
CVE-ID
CVE-2012-0650 : aazubel working with HP's Zero Day Initiative
ImageIO
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images. These issues do not affect OS X Mountain
Lion systems.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
ImageIO
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images.
CVE-ID
CVE-2012-1173 : Alexander Gavrun working with HP's Zero Day
Initiative
Installer
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact: Remote admins and persons with physical access to the system
may obtain account information
Description: The fix for CVE-2012-0652 in OS X Lion 10.7.4 prevented
user passwords from being recorded in the system log, but did not
remove the old log entries. This issue was addressed by deleting log
files that contained passwords.
CVE-ID
CVE-2012-0652
International Components for Unicode
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
Kernel
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact: A malicious program could bypass sandbox restrictions
Description: A logic issue existed in the handling of debug system
calls. This may allow a malicious program to gain code execution in
other programs with the same user privileges. This issue was
addressed by disabling handling of addresses in PT_STEP and
PT_CONTINUE. This issue was
addressed by preventing user-installed methods from being used when
the system is handling login information.
CVE-ID
CVE-2012-3718 : An anonymous researcher
Mail
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: Viewing an e-mail message may lead to execution of web
plugins
Description: An input validation issue existed in Mail's handling of
embedded web plugins. This issue was addressed by disabling third-
party plug-ins in Mail.
CVE-ID
CVE-2012-3719 : Will Dormann of the CERT/CC
Mobile Accounts
Available for: OS X Mountain Lion v10.8 and v10.8.1
Impact: A user with access to the contents of a mobile account may
obtain the account password
Description: Creating a mobile account saved a hash of the password
in the account, which was used to login when the mobile account was
used as an external account. The password hash could be used to
determine the user's password. This issue was addressed by creating
the password hash only if external accounts are enabled on the system
where the mobile account is created.
CVE-ID
CVE-2012-3720 : Harald Wagener of Google, Inc.
Further information is available via the PHP web site at
http://www.php.net
CVE-ID
CVE-2012-0831
CVE-2012-1172
CVE-2012-1823
CVE-2012-2143
CVE-2012-2311
CVE-2012-2386
CVE-2012-2688
PHP
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: PHP scripts which use libpng may be vulnerable to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
PNG files. This issue was addressed by updating PHP's copy of libpng
to version 1.5.10.
CVE-ID
CVE-2011-3048
Profile Manager
Available for: OS X Lion Server v10.7 to v10.7.4
Impact: An unauthenticated user could enumerate managed devices
Description: An authentication issue existed in the Device
Management private interface. This issue was addressed by removing
the interface.
CVE-ID
CVE-2012-3721 : Derick Cassidy of XEquals Corporation
QuickLook
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: Viewing a maliciously crafted .pict file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
.pict files. This issue was addressed through improved validation of
.pict files.
CVE-ID
CVE-2012-0671 : Rodrigo Rubira Branco (twitter.com/bsdaemon) from the
Qualys Vulnerability & Malware Research Labs (VMRL)
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in QuickTime's handling of
sean atoms. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2012-0670 : Tom Gallagher (Microsoft) and Paul Bates (Microsoft)
working with HP's Zero Day Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of RLE
encoded movie files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2012-0668 : Luigi Auriemma working with HP's Zero Day Initiative
Ruby
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
The Ruby OpenSSL module disabled the 'empty fragment' countermeasure
which prevented these attacks. This issue was addressed by enabling
empty fragments.
CVE-ID
CVE-2011-3389
USB
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact: Attaching a USB device may lead to an unexpected system
termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
USB hub descriptors. This issue was addressed through improved
handling of the bNbrPorts descriptor field.
CVE-ID
CVE-2012-3723 : Andy Davis of NGS Secure
Note: OS X Mountain Lion v10.8.2 includes the content of
Safari 6.0.1. For further details see "About the security content
of Safari 6.0.1" at http://support.apple.com/kb/HT5502
OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and Security Update
2012-004 may be obtained from the Software Update pane in System
Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration.
For OS X Mountain Lion v10.8.1
The download file is named: OSXUpd10.8.2.dmg
Its SHA-1 digest is: d6779e1cc748b78af0207499383b1859ffbebe33
For OS X Mountain Lion v10.8
The download file is named: OSXUpdCombo10.8.2.dmg
Its SHA-1 digest is: b08f10233d362e39f20b69f91d1d73f5e7b68a2c
For OS X Lion v10.7.4
The download file is named: MacOSXUpd10.7.5.dmg
Its SHA-1 digest is: e0a9582cce9896938a7a541bd431862d93893532
For OS X Lion v10.7 and v10.7.3
The download file is named: MacOSXUpdCombo10.7.5.dmg
Its SHA-1 digest is: f7a26b164fa10dae4fe646e57b01c34a619c8d9b
For OS X Lion Server v10.7.4
The download file is named: MacOSXServerUpd10.7.5.dmg
Its SHA-1 digest is: a891b03bfb4eecb745c0c39a32f39960fdb6796a
For OS X Lion Server v10.7 and v10.7.3
The download file is named: MacOSXServerUpdCombo10.7.5.dmg
Its SHA-1 digest is: df6e1748ab0a3c9e05c890be49d514673efd965e
For Mac OS X v10.6.8
The download file is named: SecUpd2012-004.dmg
Its SHA-1 digest is: 5b136e29a871d41012f0c6ea1362d6210c8b4fb7
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-004.dmg
Its SHA-1 digest is: 9b24496be15078e58a88537700f2f39c112e3b28
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
| VAR-201209-0356 | CVE-2012-3716 | Apple Mac OS X of CoreText Vulnerable to arbitrary code execution |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
CoreText in Apple Mac OS X 10.7.x before 10.7.5 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write or read) via a crafted text glyph. Apple Mac OS X is prone to a buffer-overflow vulnerability.
Successfully exploiting this issue may allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will likely result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 55623 (Apple Mac OS X Security Update 2012-004 Multiple Security Vulnerabilities) but has been given its own record to better document it.
This issue is fixed in the following versions:
Mac OS X 10.7.5
Mac OS X 10.8.2.
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50628
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50628/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50628
RELEASE DATE:
2012-09-20
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) Various vulnerabilities exist in the bundled version of Apache.
For more information:
SA46887
3) An error in BIND can be exploited to disclose potentially
sensitive information or cause a DoS.
For more information:
SA49338
4) An error in the CoreText component when handling text glyphs can
be exploited to cause a buffer overflow and potentially compromise an
application using the component.
5) An error in the DirectoryService Proxy can be exploited to cause a
buffer overflow.
6) Errors in the ImageIO component when parsing PNG images can be
exploited to corrupt memory.
For more information:
SA48026
SA48587
7) An integer overflow error in the ImageIO component when parsing
TIFF images can be exploited to cause a buffer overflow.
For more information:
SA48684#1
8) A previous fix did not properly address an error in the Installer
component that allowed users to obtain account information.
This is related to:
SA49039#1
9) An error in International Components for Unicode (ICU) when
handling ICU locale IDs can be exploited to cause a stack-based
buffer overflow.
For more information:
SA48288#3
11) An error in the LoginWindow component can be exploited by local
users to obtain other users' login passwords.
12) An input validation error in Mail can be exploited to execute web
plugins when viewing an e-mail message.
14) Multiple errors exist in the bundled version of PHP.
16) Various errors exist in the bundled versions of QuickLook and
QuickTime.
For more information:
SA47447
17) An uninitialised memory access error exists in QuickTime when
viewing Sorenson-encoded movie files.
18) An error in Ruby may allow decryption of SSL-protected data when
a cipher suite uses a block cipher in CBC mode.
19) An error in the USB component can be exploited to corrupt memory
by attaching a malicious USB device.
SOLUTION:
Update to version 10.8.2 or 10.7.5 or apply Security Update 2012-004.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
4) Jesse Ruderman, Mozilla Corporation
5) aazubel via ZDI
11) An anonymous person
12, 17) Will Dormann, CERT/CC
13) Harald Wagener, Google
15) Derick Cassidy, XEquals Corporation
19) Andy Davis, NGS Secure
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT5501
Further information is available via the Apache web site at
http://httpd.apache.org/.
CVE-ID
CVE-2011-3368
CVE-2011-3607
CVE-2011-4317
CVE-2012-0021
CVE-2012-0031
CVE-2012-0053
BIND
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact: A remote attacker may be able to cause a denial of service
in systems configured to run BIND as a DNS nameserver
Description: A reachable assertion issue existed in the handling of
DNS records. This issue was addressed by updating to BIND 9.7.6-P1.
CVE-ID
CVE-2011-4313
BIND
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4,
OS X Mountain Lion v10.8 and v10.8.1
Impact: A remote attacker may be able to cause a denial of service,
data corruption, or obtain sensitive information from process memory
in systems configured to run BIND as a DNS nameserver
Description: A memory management issue existed in the handling of
DNS records.
CVE-ID
CVE-2012-1667
CoreText
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact: Applications that use CoreText may be vulnerable to an
unexpected application termination or arbitrary code execution
Description: A bounds checking issue existed in the handling of text
glyphs, which may lead to out of bounds memory reads or writes. This
issue was addressed through improved bounds checking.
CVE-ID
CVE-2012-3716 : Jesse Ruderman of Mozilla Corporation
Data Security
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4,
OS X Mountain Lion v10.8 and v10.8.1
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: TrustWave, a trusted root CA, has issued, and
subsequently revoked, a sub-CA certificate from one of its trusted
anchors. This sub-CA facilitated the interception of communications
secured by Transport Layer Security (TLS). This update adds the
involved sub-CA certificate to OS X's list of untrusted certificates. This issue was addressed through improved bounds checking.
This issue does not affect OS X Lion and Mountain Lion systems.
CVE-ID
CVE-2012-0650 : aazubel working with HP's Zero Day Initiative
ImageIO
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images. These issues do not affect OS X Mountain
Lion systems.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
ImageIO
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images.
CVE-ID
CVE-2012-1173 : Alexander Gavrun working with HP's Zero Day
Initiative
Installer
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact: Remote admins and persons with physical access to the system
may obtain account information
Description: The fix for CVE-2012-0652 in OS X Lion 10.7.4 prevented
user passwords from being recorded in the system log, but did not
remove the old log entries. This issue was addressed by deleting log
files that contained passwords.
CVE-ID
CVE-2012-0652
International Components for Unicode
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
Kernel
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact: A malicious program could bypass sandbox restrictions
Description: A logic issue existed in the handling of debug system
calls. This may allow a malicious program to gain code execution in
other programs with the same user privileges. This issue was
addressed by disabling handling of addresses in PT_STEP and
PT_CONTINUE.
CVE-ID
CVE-2012-0643 : iOS Jailbreak Dream Team
LoginWindow
Available for: OS X Mountain Lion v10.8 and v10.8.1
Impact: A local user may be able to obtain other users' login
passwords
Description: A user-installed input method could intercept password
keystrokes from Login Window or Screen Saver Unlock. This issue was
addressed by preventing user-installed methods from being used when
the system is handling login information.
CVE-ID
CVE-2012-3718 : An anonymous researcher
Mail
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: Viewing an e-mail message may lead to execution of web
plugins
Description: An input validation issue existed in Mail's handling of
embedded web plugins. This issue was addressed by disabling third-
party plug-ins in Mail.
CVE-ID
CVE-2012-3719 : Will Dormann of the CERT/CC
Mobile Accounts
Available for: OS X Mountain Lion v10.8 and v10.8.1
Impact: A user with access to the contents of a mobile account may
obtain the account password
Description: Creating a mobile account saved a hash of the password
in the account, which was used to login when the mobile account was
used as an external account. The password hash could be used to
determine the user's password. This issue was addressed by creating
the password hash only if external accounts are enabled on the system
where the mobile account is created.
CVE-ID
CVE-2012-3720 : Harald Wagener of Google, Inc.
Further information is available via the PHP web site at
http://www.php.net
CVE-ID
CVE-2012-0831
CVE-2012-1172
CVE-2012-1823
CVE-2012-2143
CVE-2012-2311
CVE-2012-2386
CVE-2012-2688
PHP
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: PHP scripts which use libpng may be vulnerable to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
PNG files. This issue was addressed by updating PHP's copy of libpng
to version 1.5.10.
CVE-ID
CVE-2011-3048
Profile Manager
Available for: OS X Lion Server v10.7 to v10.7.4
Impact: An unauthenticated user could enumerate managed devices
Description: An authentication issue existed in the Device
Management private interface. This issue was addressed by removing
the interface.
CVE-ID
CVE-2012-3721 : Derick Cassidy of XEquals Corporation
QuickLook
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: Viewing a maliciously crafted .pict file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
.pict files. This issue was addressed through improved validation of
.pict files.
CVE-ID
CVE-2012-0671 : Rodrigo Rubira Branco (twitter.com/bsdaemon) from the
Qualys Vulnerability & Malware Research Labs (VMRL)
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in QuickTime's handling of
sean atoms. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2012-0670 : Tom Gallagher (Microsoft) and Paul Bates (Microsoft)
working with HP's Zero Day Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of RLE
encoded movie files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2012-0668 : Luigi Auriemma working with HP's Zero Day Initiative
Ruby
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
The Ruby OpenSSL module disabled the 'empty fragment' countermeasure
which prevented these attacks. This issue was addressed by enabling
empty fragments.
CVE-ID
CVE-2011-3389
USB
Available for: OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact: Attaching a USB device may lead to an unexpected system
termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
USB hub descriptors. This issue was addressed through improved
handling of the bNbrPorts descriptor field.
CVE-ID
CVE-2012-3723 : Andy Davis of NGS Secure
Note: OS X Mountain Lion v10.8.2 includes the content of
Safari 6.0.1. For further details see "About the security content
of Safari 6.0.1" at http://support.apple.com/kb/HT5502
OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and Security Update
2012-004 may be obtained from the Software Update pane in System
Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration.
For OS X Mountain Lion v10.8.1
The download file is named: OSXUpd10.8.2.dmg
Its SHA-1 digest is: d6779e1cc748b78af0207499383b1859ffbebe33
For OS X Mountain Lion v10.8
The download file is named: OSXUpdCombo10.8.2.dmg
Its SHA-1 digest is: b08f10233d362e39f20b69f91d1d73f5e7b68a2c
For OS X Lion v10.7.4
The download file is named: MacOSXUpd10.7.5.dmg
Its SHA-1 digest is: e0a9582cce9896938a7a541bd431862d93893532
For OS X Lion v10.7 and v10.7.3
The download file is named: MacOSXUpdCombo10.7.5.dmg
Its SHA-1 digest is: f7a26b164fa10dae4fe646e57b01c34a619c8d9b
For OS X Lion Server v10.7.4
The download file is named: MacOSXServerUpd10.7.5.dmg
Its SHA-1 digest is: a891b03bfb4eecb745c0c39a32f39960fdb6796a
For OS X Lion Server v10.7 and v10.7.3
The download file is named: MacOSXServerUpdCombo10.7.5.dmg
Its SHA-1 digest is: df6e1748ab0a3c9e05c890be49d514673efd965e
For Mac OS X v10.6.8
The download file is named: SecUpd2012-004.dmg
Its SHA-1 digest is: 5b136e29a871d41012f0c6ea1362d6210c8b4fb7
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-004.dmg
Its SHA-1 digest is: 9b24496be15078e58a88537700f2f39c112e3b28
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
| VAR-201209-0218 | CVE-2012-3011 | Fultek WinTr Scada Directory Traversal Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in the web server in Fultek WinTr Scada 4.0.5 and earlier allows remote attackers to read arbitrary files via a crafted request. Fultek WinTr Scada is a Turkish SCADA software. Fultek WinTr Scada is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data. Information obtained could aid in further attacks.
WinTr Scada 4.0.5 is vulnerable; other versions may also be affected.
TITLE:
WinTR Unspecified Directory Traversal Vulnerability
SECUNIA ADVISORY ID:
SA50668
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50668/
RELEASE DATE:
2012-09-19
DESCRIPTION:
A vulnerability has been reported in WinTr, which can be exploited by
malicious people to disclose potentially sensitive information.
The vulnerability is reported in version 4.0.5 and prior.
SOLUTION:
No official solution is currently available.
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Daiki Fukumori, Cyber Defense Institute.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-262-01.pdf
| VAR-201209-0235 | CVE-2012-2993 | Windows Phone 7 does not check certificate Common Names when sending or receiving emails over SSL. |
CVSS V2: 2.6 CVSS V3: 5.9 Severity: MEDIUM |
Microsoft Windows Phone 7 does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL server for the (1) POP3, (2) IMAP, or (3) SMTP protocol via an arbitrary valid certificate. Microsoft Windows Phone 7 is a smartphone from Microsoft.
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid further attacks.
| VAR-201209-0571 | CVE-2012-2187 | Vulnerability in IBM Remote Supervisor Adapter II firmware for multiple IBM products that breaks cryptographic protection mechanisms |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IBM Remote Supervisor Adapter II firmware for System x3650, x3850 M2, and x3950 M2 1.13 and earlier generates weak RSA keys, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors. IBM Remote Supervisor Adapter II is prone to a security-bypass vulnerability.
Successfully exploiting this issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions. Attackers can exploit this vulnerability to break through the encryption protection mechanism through unknown vectors.
| VAR-201209-0395 | CVE-2012-3919 | Denial-of-service (DoS) vulnerability in the Cisco ACE module used in multiple Cisco products |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Cisco Application Control Engine (ACE) module 3.0 for Cisco Catalyst switches and Cisco routers does not properly monitor Load Balancer (LB) queues, which allows remote attackers to cause a denial of service (incorrect memory access and module reboot) via application traffic, aka Bug ID CSCtw70879. The issue is tracked as Bug ID CSCtw70879. A third party may cause a denial of service (incorrect memory access and module restart) via application traffic. The Application Control Engine module is prone to a denial-of-service vulnerability. Cisco Catalyst is a series of commercial-grade switches distributed and maintained by Cisco Corporation.
| VAR-201209-0241 | CVE-2012-3051 | Denial-of-service (DoS) vulnerability in Cisco NX-OS running on Cisco Nexus 7000 series switches |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
Cisco NX-OS 5.2 and 6.1 on Nexus 7000 series switches allows remote attackers to cause a denial of service (process crash or packet loss) via a large number of ARP packets, aka Bug ID CSCtr44822. These switches use the Cisco Nexus OS operating system. Cisco NX-OS fails to process a large number of ARP packets correctly. The Cisco bug ID for this vulnerability is CSCtr44822.
Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions.
Cisco NX-OS version 5.2 is vulnerable; other versions may also be affected.
TITLE:
Cisco Nexus 7000 Series NX-OS ARP Packet Handling Denial of Service
SECUNIA ADVISORY ID:
SA50671
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50671/
RELEASE DATE:
2012-09-19
DESCRIPTION:
A vulnerability has been reported in Cisco Nexus 7000 Series NX-OS,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
The vulnerability is reported in version 5.2.
SOLUTION:
No official solution is currently available.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
CSCtr44822:
http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/release/notes/52_nx-os_release_note.html#wp402884
| VAR-201209-0243 | CVE-2012-3060 | Denial-of-service (CPU resource consumption) vulnerability in Cisco Unity Connection |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Unity Connection (UC) 8.6, 9.0, and 9.5 allows remote attackers to cause a denial of service (CPU consumption) via malformed UDP packets, aka Bug ID CSCtz76269. Cisco Unity is an advanced unified communications solution for enterprise-level organizations that can provide powerful messaging services and intelligent voice messaging services.
| VAR-201209-0245 | CVE-2012-3079 | Denial-of-service (CPU resource consumption) vulnerability in Cisco IOS |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS 12.2 allows remote attackers to cause a denial of service (CPU consumption) by establishing many IPv6 neighbors, aka Bug ID CSCtn78957. Cisco IOS is a popular Internet operating system. The Cisco bug ID for this vulnerability is CSCtn78957.