VARIoT IoT vulnerabilities database

The web server in Siemens WinCC before 7.2, as used in SIMATIC PCS7 before 8.0 SP1 and other products, allows remote attackers to obtain sensitive information or cause a denial of service via a crafted project file. Siemens SIMATIC WinCC is a monitoring control and data acquisition SCADA and human machine interface HMI system. Siemens SIMATIC PCS is a process control system. Code. Multiple information-disclosure vulnerabilities 2. A directory-traversal vulnerability 3. Failed exploit attempts will result in a denial-of-service conditions

Siemens WinCC before 7.2, as used in SIMATIC PCS7 before 8.0 SP1 and other products, does not properly represent WebNavigator credentials in a database, which makes it easier for remote authenticated users to obtain sensitive information via a SQL query. Siemens SIMATIC WinCC is a monitoring control and data acquisition SCADA and human machine interface HMI system. Siemens SIMATIC PCS is a process control system. Siemens SIMATIC WinCC 7.2, Siemens SIMATIC PCS 7 8.0 SP1 versions have information disclosure, directory traversal, buffer overflow security vulnerabilities, which can be exploited by attackers to obtain sensitive information, any system files, and execute arbitrary applications in the context of applications using ActiveX controls. Code. Multiple information-disclosure vulnerabilities 2. A directory-traversal vulnerability 3. Failed exploit attempts will result in a denial-of-service conditions

Directory traversal vulnerability in the web server in Siemens WinCC before 7.2, as used in SIMATIC PCS7 before 8.0 SP1 and other products, allows remote authenticated users to read arbitrary files via vectors involving a query for a pathname. Siemens SIMATIC WinCC is a monitoring control and data acquisition SCADA and human machine interface HMI system. Siemens SIMATIC PCS is a process control system. Siemens SIMATIC WinCC 7.2, Siemens SIMATIC PCS 7 8.0 SP1 versions have information disclosure, directory traversal, buffer overflow security vulnerabilities, which can be exploited by attackers to obtain sensitive information, any system files, and execute arbitrary applications in the context of applications using ActiveX controls. Code. Multiple information-disclosure vulnerabilities 2. A directory-traversal vulnerability 3. Failed exploit attempts will result in a denial-of-service conditions

Polycom HDX Series devices are prone to a format-string vulnerability because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function. An attacker may exploit this issue to execute arbitrary code with root access in the context of the vulnerable device. Failed exploit attempts will likely result in a denial-of-service condition.

Polycom HDX Series devices are prone to an SQL-injection vulnerability because they fail to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an authenticated attacker to compromise the affected device, access or modify data, or exploit latent vulnerabilities in the underlying database.

Polycom HDX is a high-definition series of network cameras. The Polycom HDX series uses user input that is not properly filtered for use in SQL queries. There is a SQL injection vulnerability in the implementation that an attacker can use to perform unauthorized database operations. Polycom HDX Series devices are prone to a remote command-injection vulnerability. Attackers can exploit this issue to inject and execute arbitrary commands within the context of the affected device

The traffic engineering (TE) processing subsystem in Cisco IOS XR allows remote attackers to cause a denial of service (process restart) via crafted TE packets, aka Bug ID CSCue04000. Cisco IOS XR is a member of the Cisco IOS Software family that uses a microkernel-based operating system architecture. Cisco IOS is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause a denial of service condition. This issue is being tracked by Cisco Bug ID CSCue04000

Siemens WinCC (TIA Portal) 11 uses a reversible algorithm for storing HMI web-application passwords in world-readable and world-writable files, which allows local users to obtain sensitive information by leveraging (1) physical access or (2) Sm@rt Server access. The Siemens SIMATIC WinCC TIA Portal covers engineering tools for the entire HMI field, from compact series panels to SCADA systems. There are several vulnerabilities in the Siemens SIMATIC WinCC TIA Portal that can be exploited by malicious users to disclose sensitive information, bypass security restrictions, insert and execute scripts, cause denial of service, and so on. 1. There is an error in processing the HTTP request, which can be exploited to cause the HMI web server to crash. 2. Some of the input in the HMI web application is not properly filtered and can be used to insert arbitrary HTML and script code, or to insert any HTTP header. 3, some URLs are not properly filtered to access certain files, can be used to leak the source code of the panel server-side web application files. To successfully exploit these vulnerabilities, you need to open the web server. Siemens SIMATIC WinCC TIA Portal is prone to multiple security vulnerabilities, including: 1. A security-bypass vulnerability 2. A denial-of-service vulnerability 3. An HTML-injection vulnerability 4. An information-disclosure vulnerability 5. An HTTP-header-injection vulnerability 6. An information-disclosure vulnerability 7. A cross-site scripting vulnerability Attackers can exploit these issues to bypass certain security restrictions, obtain sensitive information and gain unauthorized access, allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, insert arbitrary headers into an HTTP response, or perform a denial-of-service attack. Other attacks may be possible. Siemens SIMATIC WinCC is a set of automatic data acquisition and monitoring (SCADA) system of German Siemens (Siemens). The system provides process monitoring, data acquisition and other functions

TP-Link is a popular wireless router. Some TP-Link wireless router devices have backdoors in their implementations, which can completely control the devices by sending specific requests. Send a request to the device "http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html" (here assume that the router IP is 192.168.0.1), the router will download a nart.out file from the requesting machine and execute it with root authority file.

Cross-site scripting (XSS) vulnerability in Performance Provider in SAP NetWeaver allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks

Tor is an implementation of the second generation of onion routing, through which users can communicate anonymously over the Internet. The Tor 'connection_ap_process_not_open()' function has a security bypass vulnerability. An attacker could exploit this vulnerability to bypass certain security restrictions and perform unauthorized actions. Tor 0.2.4.11-alpha is vulnerable; other versions may also be affected

IOAcceleratorFamily in Apple Mac OS X before 10.8.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted graphics image. Apple Mac OS X is prone to multiple vulnerabilities. The update addresses new vulnerabilities that affect Apache, CoreTypes, IOAcceleratorFamily, Login Window, Messages, PDFKit, and Software Update. Attackers can exploit these issues to execute arbitrary code, cause denial-of-service conditions, gain unauthorized access, obtain sensitive information, bypass security restrictions, and perform other attacks. These issues affect OS X prior to 10.8.3. Note: This issue was previously discussed in BID 58494 (Apple Mac OS X Security Update 2013-001 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-03-14-1 OS X Mountain Lion v10.8.3 and Security Update 2013-001 OS X Mountain Lion v10.8.3 and Security Update 2013-001 is now available and addresses the following: Apache Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: An attacker may be able to access directories that are protected with HTTP authentication without knowing the correct credentials Description: A canonicalization issue existed in the handling of URIs with ignorable Unicode character sequences. This issue was addressed by updating mod_hfs_apple to forbid access to URIs with ignorable Unicode character sequences. CVE-ID CVE-2013-0966 : Clint Ruoho of Laconic Security CoreTypes Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled Description: Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory. CVE-ID CVE-2013-0967 International Components for Unicode Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A canonicalization issue existed in the handling of the EUC-JP encoding, which could lead to a cross-site scripting attack on EUC-JP encoded websites. This issue was addressed by updating the EUC-JP mapping table. CVE-ID CVE-2011-3058 : Masato Kinugawa Identity Services Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Authentication relying on certificate-based Apple ID authentication may be bypassed Description: An error handling issue existed in Identity Services. If the user's AppleID certificate failed to validate, the user's AppleID was assumed to be the empty string. If multiple systems belonging to different users enter this state, applications relying on this identity determination may erroneously extend trust. This issue was addressed by ensuring that NULL is returned instead of an empty string. CVE-ID CVE-2013-0963 ImageIO Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libtiff's handling of TIFF images. This issue was addressed through additional validation of TIFF images. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0976 : an anonymous researcher Kernel Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Maliciously crafted or compromised applications may be able to determine addresses in the kernel Description: An information disclosure issue existed in the handling of APIs related to kernel extensions. Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection. This issue was addressed by unsliding the addresses before returning them. CVE-ID CVE-2012-3749 : Mark Dowd of Azimuth Security, Eric Monti of Square, and additional anonymous researchers Login Window Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: An attacker with keyboard access may modify the system configuration Description: A logic error existed in VoiceOver's handling of the Login Window, whereby an attacker with access to the keyboard could launch System Preferences and modify the system configuration. This issue was addressed by preventing VoiceOver from launching applications at the Login Window. CVE-ID CVE-2013-0969 : Eric A. Schulman of Purpletree Labs Messages Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Clicking a link from Messages may initiate a FaceTime call without prompting Description: Clicking on a specifically-formatted FaceTime:// URL in Messages could bypass the standard confirmation prompt. This issue was addressed by additional validation of FaceTime:// URLs. CVE-ID CVE-2013-0970 : Aaron Sigel of vtty.com Messages Server Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may reroute federated Jabber messages Description: An issue existed in the Jabber server's handling of dialback result messages. An attacker may cause the Jabber server to disclose information intended for users of federated servers. This issue was addressed through improved handling of dialback result messages. CVE-ID CVE-2012-3525 PDFKit Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A use after free issue existed in the handling of ink annotations in PDF files. This issue was addressed through improved memory management. CVE-ID CVE-2013-0971 : Tobias Klein working with HP TippingPoint's Zero Day Initiative Podcast Producer Server Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Podcast Producer Server. CVE-ID CVE-2013-0156 Podcast Producer Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of JSON data. This issue was addressed by switching to using the JSONGem backend for JSON parsing in the Rails implementation used by Podcast Producer Server. CVE-ID CVE-2013-0333 PostgreSQL Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: Multiple vulnerabilities in PostgreSQL Description: PostgreSQL was updated to version 9.1.5 to address multiple vulnerabilities, the most serious of which may allow database users to read files from the file system with the privileges of the database server role account. Further information is available via the PostgreSQL web site at http://www.postgresql.org/docs/9.1/static/release-9-1-5.html CVE-ID CVE-2012-3488 CVE-2012-3489 Profile Manager Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Profile Manager. CVE-ID CVE-2013-0156 QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of 'rnet' boxes in MP4 files. This issue was addressed through improved bounds checking. CVE-ID CVE-2012-3756 : Kevin Szkudlapski of QuarksLab Ruby Available for: Mac OS X Server 10.6.8 Impact: A remote attacker may be able to cause arbitrary code execution if a Rails application is running Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling YAML and symbols in XML parameters in Rails. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue was addressed by not allowing the incorrect SSL certificates. Software Update Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5 Impact: An attacker with a privileged network position may be able to cause arbitrary code execution Description: Software Update allowed a man in the middle attacker to insert plugin content into the marketing text displayed for updates. This may allow the exploitation of a vulnerable plugin, or facilitate social engineering attacks involving plugins. This issue was addressed by preventing plugins from being loaded in Software Update's marketing text WebView. CVE-ID CVE-2013-0973 : Emilio Escobar Wiki Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Wiki Server. CVE-ID CVE-2013-0156 Wiki Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of JSON data. This issue was addressed by switching to using the JSONGem backend for JSON parsing in the Rails implementation used by Wiki Server. If malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found. Note: OS X Mountain Lion v10.8.3 includes the content of Safari 6.0.3. For further details see "About the security content of Safari 6.0.3" at http://http//support.apple.com/kb/HT5671 OS X Mountain Lion v10.8.3 and Security Update 2013-001 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either OS X Mountain Lion v10.8.3, or Security Update 2013-001. For OS X Mountain Lion v10.8.2 The download file is named: OSXUpd10.8.3.dmg Its SHA-1 digest is: e6165572e9145ea05aac23fa30372a9b0a0bbf3c For OS X Mountain Lion v10.8 and v10.8.1 The download file is named: OSXUpdCombo10.8.3.dmg Its SHA-1 digest is: 1bc49fde5ff6e252aa7908b4cb1f9cb9c8a5fa29 For OS X Lion v10.7.5 The download file is named: SecUpd2013-001.dmg Its SHA-1 digest is: 5bc540a208c720fce3448f853d852336781e1a17 For OS X Lion Server v10.7.5 The download file is named: SecUpdSrvr2013-001.dmg Its SHA-1 digest is: e88ff36fc8e88c4c995422d3f2364c56ebe51b07 For Mac OS X v10.6.8 The download file is named: SecUpd2013-001.dmg Its SHA-1 digest is: dc52d0f7d2db6080c57c7b9252a4d85c5e178450 For Mac OS X Server v10.6.8 The download file is named: SecUpdSrvr2013-001.dmg Its SHA-1 digest is: fd7946f8d1f1bce0394b6e56c8d7387812e14694 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRQiuBAAoJEPefwLHPlZEwGfgP/0UDCn2KBop3IJ4Ad31yiG3N gH+yQl4GDONhm/HgrPWGQgcuVI69FmAqk+7arwOL7+7hlsSDQ5uSWDraRdd0EPmO aq2DxPxt6bYi4fHSrfkvRblVr/PcPxswEEshM82JU60Oy88EDA87bI8yy4qi8KJ4 E8+6O31vLuUeAaHf0SNE8y1p2iKpdmHH/Afo0iAVx3ddm8e8wMVPZ9XbR02pe8MV qmMWj8icBLNyHGoSl48zm5t4Ah4MS9qgXNjsYY+Mq2AcrqQI5EFTbdWpKFM7SQ1G UcM6zmeHtKNz8H21MDYKg1UHjo49MZnFb6ahRXN0E3jsPrfO4Co/2t6ogOLRZ90X 2Sd1RfwqYnRZRfwyOAe3htBYDpVEfvU1eaNMoTTHLRKWgarxUoXvww2cjnomAg5y tg+btVeQfzdHu+yClvioCbYqblKKxJf8lmhiLEgoH2bRaz2L+fluWW9yGQarxmrb vQ+cMKuy7heyLpNhwRHZioo4/b2K/IZBnkKwH76Ey3yAXnSSAD9xwbFZZAU5J8YQ liULOm9tv1sUlNHMyTsjplIsFkAIrkl+H43hn3/A+q4TIsDkmtPvOOl4Rc9/5w8H ZibyLnmr1XgXvd6CgFzIvl7Ink+d/xGHTnlybHszCMzR5o6Rg7sTeQsD34aNymcc Lz1nnBtRAbfDgARdRX4e =WUBR -----END PGP SIGNATURE-----

Software Update in Apple Mac OS X through 10.7.5 does not prevent plugin loading within the marketing-text WebView, which allows man-in-the-middle attackers to execute plugin code by modifying the client-server data stream. Apple Mac OS X is prone to multiple vulnerabilities. The update addresses new vulnerabilities that affect Apache, CoreTypes, IOAcceleratorFamily, Login Window, Messages, PDFKit, and Software Update. Attackers can exploit these issues to execute arbitrary code, cause denial-of-service conditions, gain unauthorized access, obtain sensitive information, bypass security restrictions, and perform other attacks. These issues affect OS X prior to 10.8.3. Failed exploit attempts may result in a denial-of-service condition. Note: This issue was previously discussed in BID 58494 (Apple Mac OS X Security Update 2013-001 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-03-14-1 OS X Mountain Lion v10.8.3 and Security Update 2013-001 OS X Mountain Lion v10.8.3 and Security Update 2013-001 is now available and addresses the following: Apache Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: An attacker may be able to access directories that are protected with HTTP authentication without knowing the correct credentials Description: A canonicalization issue existed in the handling of URIs with ignorable Unicode character sequences. This issue was addressed by updating mod_hfs_apple to forbid access to URIs with ignorable Unicode character sequences. CVE-ID CVE-2013-0966 : Clint Ruoho of Laconic Security CoreTypes Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled Description: Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory. CVE-ID CVE-2013-0967 International Components for Unicode Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A canonicalization issue existed in the handling of the EUC-JP encoding, which could lead to a cross-site scripting attack on EUC-JP encoded websites. This issue was addressed by updating the EUC-JP mapping table. CVE-ID CVE-2011-3058 : Masato Kinugawa Identity Services Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Authentication relying on certificate-based Apple ID authentication may be bypassed Description: An error handling issue existed in Identity Services. If the user's AppleID certificate failed to validate, the user's AppleID was assumed to be the empty string. If multiple systems belonging to different users enter this state, applications relying on this identity determination may erroneously extend trust. This issue was addressed by ensuring that NULL is returned instead of an empty string. CVE-ID CVE-2013-0963 ImageIO Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libtiff's handling of TIFF images. This issue was addressed through additional validation of TIFF images. CVE-ID CVE-2012-2088 IOAcceleratorFamily Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted image may lead to an unexpected system termination or arbitrary code execution Description: A memory corruption issue existed in the handling of graphics data. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0976 : an anonymous researcher Kernel Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Maliciously crafted or compromised applications may be able to determine addresses in the kernel Description: An information disclosure issue existed in the handling of APIs related to kernel extensions. Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection. This issue was addressed by unsliding the addresses before returning them. CVE-ID CVE-2012-3749 : Mark Dowd of Azimuth Security, Eric Monti of Square, and additional anonymous researchers Login Window Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: An attacker with keyboard access may modify the system configuration Description: A logic error existed in VoiceOver's handling of the Login Window, whereby an attacker with access to the keyboard could launch System Preferences and modify the system configuration. This issue was addressed by preventing VoiceOver from launching applications at the Login Window. CVE-ID CVE-2013-0969 : Eric A. Schulman of Purpletree Labs Messages Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Clicking a link from Messages may initiate a FaceTime call without prompting Description: Clicking on a specifically-formatted FaceTime:// URL in Messages could bypass the standard confirmation prompt. This issue was addressed by additional validation of FaceTime:// URLs. CVE-ID CVE-2013-0970 : Aaron Sigel of vtty.com Messages Server Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may reroute federated Jabber messages Description: An issue existed in the Jabber server's handling of dialback result messages. An attacker may cause the Jabber server to disclose information intended for users of federated servers. This issue was addressed through improved handling of dialback result messages. CVE-ID CVE-2012-3525 PDFKit Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A use after free issue existed in the handling of ink annotations in PDF files. This issue was addressed through improved memory management. CVE-ID CVE-2013-0971 : Tobias Klein working with HP TippingPoint's Zero Day Initiative Podcast Producer Server Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Podcast Producer Server. CVE-ID CVE-2013-0156 Podcast Producer Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of JSON data. This issue was addressed by switching to using the JSONGem backend for JSON parsing in the Rails implementation used by Podcast Producer Server. CVE-ID CVE-2013-0333 PostgreSQL Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: Multiple vulnerabilities in PostgreSQL Description: PostgreSQL was updated to version 9.1.5 to address multiple vulnerabilities, the most serious of which may allow database users to read files from the file system with the privileges of the database server role account. Further information is available via the PostgreSQL web site at http://www.postgresql.org/docs/9.1/static/release-9-1-5.html CVE-ID CVE-2012-3488 CVE-2012-3489 Profile Manager Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Profile Manager. CVE-ID CVE-2013-0156 QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of 'rnet' boxes in MP4 files. This issue was addressed through improved bounds checking. CVE-ID CVE-2012-3756 : Kevin Szkudlapski of QuarksLab Ruby Available for: Mac OS X Server 10.6.8 Impact: A remote attacker may be able to cause arbitrary code execution if a Rails application is running Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling YAML and symbols in XML parameters in Rails. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue was addressed by not allowing the incorrect SSL certificates. This may allow the exploitation of a vulnerable plugin, or facilitate social engineering attacks involving plugins. This issue was addressed by preventing plugins from being loaded in Software Update's marketing text WebView. CVE-ID CVE-2013-0973 : Emilio Escobar Wiki Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Wiki Server. CVE-ID CVE-2013-0156 Wiki Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of JSON data. This issue was addressed by switching to using the JSONGem backend for JSON parsing in the Rails implementation used by Wiki Server. If malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found. Note: OS X Mountain Lion v10.8.3 includes the content of Safari 6.0.3. For further details see "About the security content of Safari 6.0.3" at http://http//support.apple.com/kb/HT5671 OS X Mountain Lion v10.8.3 and Security Update 2013-001 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either OS X Mountain Lion v10.8.3, or Security Update 2013-001. For OS X Mountain Lion v10.8.2 The download file is named: OSXUpd10.8.3.dmg Its SHA-1 digest is: e6165572e9145ea05aac23fa30372a9b0a0bbf3c For OS X Mountain Lion v10.8 and v10.8.1 The download file is named: OSXUpdCombo10.8.3.dmg Its SHA-1 digest is: 1bc49fde5ff6e252aa7908b4cb1f9cb9c8a5fa29 For OS X Lion v10.7.5 The download file is named: SecUpd2013-001.dmg Its SHA-1 digest is: 5bc540a208c720fce3448f853d852336781e1a17 For OS X Lion Server v10.7.5 The download file is named: SecUpdSrvr2013-001.dmg Its SHA-1 digest is: e88ff36fc8e88c4c995422d3f2364c56ebe51b07 For Mac OS X v10.6.8 The download file is named: SecUpd2013-001.dmg Its SHA-1 digest is: dc52d0f7d2db6080c57c7b9252a4d85c5e178450 For Mac OS X Server v10.6.8 The download file is named: SecUpdSrvr2013-001.dmg Its SHA-1 digest is: fd7946f8d1f1bce0394b6e56c8d7387812e14694 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRQiuBAAoJEPefwLHPlZEwGfgP/0UDCn2KBop3IJ4Ad31yiG3N gH+yQl4GDONhm/HgrPWGQgcuVI69FmAqk+7arwOL7+7hlsSDQ5uSWDraRdd0EPmO aq2DxPxt6bYi4fHSrfkvRblVr/PcPxswEEshM82JU60Oy88EDA87bI8yy4qi8KJ4 E8+6O31vLuUeAaHf0SNE8y1p2iKpdmHH/Afo0iAVx3ddm8e8wMVPZ9XbR02pe8MV qmMWj8icBLNyHGoSl48zm5t4Ah4MS9qgXNjsYY+Mq2AcrqQI5EFTbdWpKFM7SQ1G UcM6zmeHtKNz8H21MDYKg1UHjo49MZnFb6ahRXN0E3jsPrfO4Co/2t6ogOLRZ90X 2Sd1RfwqYnRZRfwyOAe3htBYDpVEfvU1eaNMoTTHLRKWgarxUoXvww2cjnomAg5y tg+btVeQfzdHu+yClvioCbYqblKKxJf8lmhiLEgoH2bRaz2L+fluWW9yGQarxmrb vQ+cMKuy7heyLpNhwRHZioo4/b2K/IZBnkKwH76Ey3yAXnSSAD9xwbFZZAU5J8YQ liULOm9tv1sUlNHMyTsjplIsFkAIrkl+H43hn3/A+q4TIsDkmtPvOOl4Rc9/5w8H ZibyLnmr1XgXvd6CgFzIvl7Ink+d/xGHTnlybHszCMzR5o6Rg7sTeQsD34aNymcc Lz1nnBtRAbfDgARdRX4e =WUBR -----END PGP SIGNATURE-----

Use-after-free vulnerability in PDFKit in Apple Mac OS X before 10.8.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted ink annotations in a PDF document. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of a PDF file. During the processing of a specific InkList array, a reference is created to an object that is freed before use. By abusing this behavior an attacker can ensure this memory is under control and leverage the situation to achieve remote code execution under the context of the user currently logged in. Apple Mac OS X is prone to multiple vulnerabilities. The update addresses new vulnerabilities that affect Apache, CoreTypes, IOAcceleratorFamily, Login Window, Messages, PDFKit, and Software Update. Attackers can exploit these issues to execute arbitrary code, cause denial-of-service conditions, gain unauthorized access, obtain sensitive information, bypass security restrictions, and perform other attacks. These issues affect OS X prior to 10.8.3. Note: This issue was previously discussed in BID 58494 (Apple Mac OS X Security Update 2013-001 Multiple Security Vulnerabilities), but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-03-14-1 OS X Mountain Lion v10.8.3 and Security Update 2013-001 OS X Mountain Lion v10.8.3 and Security Update 2013-001 is now available and addresses the following: Apache Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: An attacker may be able to access directories that are protected with HTTP authentication without knowing the correct credentials Description: A canonicalization issue existed in the handling of URIs with ignorable Unicode character sequences. This issue was addressed by updating mod_hfs_apple to forbid access to URIs with ignorable Unicode character sequences. CVE-ID CVE-2013-0966 : Clint Ruoho of Laconic Security CoreTypes Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled Description: Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory. CVE-ID CVE-2013-0967 International Components for Unicode Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A canonicalization issue existed in the handling of the EUC-JP encoding, which could lead to a cross-site scripting attack on EUC-JP encoded websites. This issue was addressed by updating the EUC-JP mapping table. CVE-ID CVE-2011-3058 : Masato Kinugawa Identity Services Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Authentication relying on certificate-based Apple ID authentication may be bypassed Description: An error handling issue existed in Identity Services. If the user's AppleID certificate failed to validate, the user's AppleID was assumed to be the empty string. If multiple systems belonging to different users enter this state, applications relying on this identity determination may erroneously extend trust. This issue was addressed by ensuring that NULL is returned instead of an empty string. CVE-ID CVE-2013-0963 ImageIO Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libtiff's handling of TIFF images. This issue was addressed through additional validation of TIFF images. CVE-ID CVE-2012-2088 IOAcceleratorFamily Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted image may lead to an unexpected system termination or arbitrary code execution Description: A memory corruption issue existed in the handling of graphics data. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0976 : an anonymous researcher Kernel Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Maliciously crafted or compromised applications may be able to determine addresses in the kernel Description: An information disclosure issue existed in the handling of APIs related to kernel extensions. Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection. This issue was addressed by unsliding the addresses before returning them. CVE-ID CVE-2012-3749 : Mark Dowd of Azimuth Security, Eric Monti of Square, and additional anonymous researchers Login Window Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: An attacker with keyboard access may modify the system configuration Description: A logic error existed in VoiceOver's handling of the Login Window, whereby an attacker with access to the keyboard could launch System Preferences and modify the system configuration. This issue was addressed by preventing VoiceOver from launching applications at the Login Window. CVE-ID CVE-2013-0969 : Eric A. Schulman of Purpletree Labs Messages Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Clicking a link from Messages may initiate a FaceTime call without prompting Description: Clicking on a specifically-formatted FaceTime:// URL in Messages could bypass the standard confirmation prompt. This issue was addressed by additional validation of FaceTime:// URLs. CVE-ID CVE-2013-0970 : Aaron Sigel of vtty.com Messages Server Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may reroute federated Jabber messages Description: An issue existed in the Jabber server's handling of dialback result messages. An attacker may cause the Jabber server to disclose information intended for users of federated servers. This issue was addressed through improved handling of dialback result messages. This issue was addressed through improved memory management. CVE-ID CVE-2013-0971 : Tobias Klein working with HP TippingPoint's Zero Day Initiative Podcast Producer Server Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Podcast Producer Server. CVE-ID CVE-2013-0156 Podcast Producer Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of JSON data. This issue was addressed by switching to using the JSONGem backend for JSON parsing in the Rails implementation used by Podcast Producer Server. CVE-ID CVE-2013-0333 PostgreSQL Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: Multiple vulnerabilities in PostgreSQL Description: PostgreSQL was updated to version 9.1.5 to address multiple vulnerabilities, the most serious of which may allow database users to read files from the file system with the privileges of the database server role account. Further information is available via the PostgreSQL web site at http://www.postgresql.org/docs/9.1/static/release-9-1-5.html CVE-ID CVE-2012-3488 CVE-2012-3489 Profile Manager Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Profile Manager. CVE-ID CVE-2013-0156 QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of 'rnet' boxes in MP4 files. This issue was addressed through improved bounds checking. This issue was addressed by disabling YAML and symbols in XML parameters in Rails. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue was addressed by not allowing the incorrect SSL certificates. Software Update Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5 Impact: An attacker with a privileged network position may be able to cause arbitrary code execution Description: Software Update allowed a man in the middle attacker to insert plugin content into the marketing text displayed for updates. This may allow the exploitation of a vulnerable plugin, or facilitate social engineering attacks involving plugins. This issue was addressed by preventing plugins from being loaded in Software Update's marketing text WebView. CVE-ID CVE-2013-0973 : Emilio Escobar Wiki Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Wiki Server. CVE-ID CVE-2013-0156 Wiki Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of JSON data. This issue was addressed by switching to using the JSONGem backend for JSON parsing in the Rails implementation used by Wiki Server. If malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found. Note: OS X Mountain Lion v10.8.3 includes the content of Safari 6.0.3. For further details see "About the security content of Safari 6.0.3" at http://http//support.apple.com/kb/HT5671 OS X Mountain Lion v10.8.3 and Security Update 2013-001 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either OS X Mountain Lion v10.8.3, or Security Update 2013-001. For OS X Mountain Lion v10.8.2 The download file is named: OSXUpd10.8.3.dmg Its SHA-1 digest is: e6165572e9145ea05aac23fa30372a9b0a0bbf3c For OS X Mountain Lion v10.8 and v10.8.1 The download file is named: OSXUpdCombo10.8.3.dmg Its SHA-1 digest is: 1bc49fde5ff6e252aa7908b4cb1f9cb9c8a5fa29 For OS X Lion v10.7.5 The download file is named: SecUpd2013-001.dmg Its SHA-1 digest is: 5bc540a208c720fce3448f853d852336781e1a17 For OS X Lion Server v10.7.5 The download file is named: SecUpdSrvr2013-001.dmg Its SHA-1 digest is: e88ff36fc8e88c4c995422d3f2364c56ebe51b07 For Mac OS X v10.6.8 The download file is named: SecUpd2013-001.dmg Its SHA-1 digest is: dc52d0f7d2db6080c57c7b9252a4d85c5e178450 For Mac OS X Server v10.6.8 The download file is named: SecUpdSrvr2013-001.dmg Its SHA-1 digest is: fd7946f8d1f1bce0394b6e56c8d7387812e14694 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRQiuBAAoJEPefwLHPlZEwGfgP/0UDCn2KBop3IJ4Ad31yiG3N gH+yQl4GDONhm/HgrPWGQgcuVI69FmAqk+7arwOL7+7hlsSDQ5uSWDraRdd0EPmO aq2DxPxt6bYi4fHSrfkvRblVr/PcPxswEEshM82JU60Oy88EDA87bI8yy4qi8KJ4 E8+6O31vLuUeAaHf0SNE8y1p2iKpdmHH/Afo0iAVx3ddm8e8wMVPZ9XbR02pe8MV qmMWj8icBLNyHGoSl48zm5t4Ah4MS9qgXNjsYY+Mq2AcrqQI5EFTbdWpKFM7SQ1G UcM6zmeHtKNz8H21MDYKg1UHjo49MZnFb6ahRXN0E3jsPrfO4Co/2t6ogOLRZ90X 2Sd1RfwqYnRZRfwyOAe3htBYDpVEfvU1eaNMoTTHLRKWgarxUoXvww2cjnomAg5y tg+btVeQfzdHu+yClvioCbYqblKKxJf8lmhiLEgoH2bRaz2L+fluWW9yGQarxmrb vQ+cMKuy7heyLpNhwRHZioo4/b2K/IZBnkKwH76Ey3yAXnSSAD9xwbFZZAU5J8YQ liULOm9tv1sUlNHMyTsjplIsFkAIrkl+H43hn3/A+q4TIsDkmtPvOOl4Rc9/5w8H ZibyLnmr1XgXvd6CgFzIvl7Ink+d/xGHTnlybHszCMzR5o6Rg7sTeQsD34aNymcc Lz1nnBtRAbfDgARdRX4e =WUBR -----END PGP SIGNATURE-----

Messages in Apple Mac OS X before 10.8.3 allows remote attackers to bypass the FaceTime call-confirmation prompt via a crafted FaceTime: URL. Apple Mac OS X is prone to multiple vulnerabilities. The update addresses new vulnerabilities that affect Apache, CoreTypes, IOAcceleratorFamily, Login Window, Messages, PDFKit, and Software Update. Attackers can exploit these issues to execute arbitrary code, cause denial-of-service conditions, gain unauthorized access, obtain sensitive information, bypass security restrictions, and perform other attacks. These issues affect OS X prior to 10.8.3. Note: This issue was previously discussed in BID 58494 (Apple Mac OS X Security Update 2013-001 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-03-14-1 OS X Mountain Lion v10.8.3 and Security Update 2013-001 OS X Mountain Lion v10.8.3 and Security Update 2013-001 is now available and addresses the following: Apache Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: An attacker may be able to access directories that are protected with HTTP authentication without knowing the correct credentials Description: A canonicalization issue existed in the handling of URIs with ignorable Unicode character sequences. This issue was addressed by updating mod_hfs_apple to forbid access to URIs with ignorable Unicode character sequences. CVE-ID CVE-2013-0966 : Clint Ruoho of Laconic Security CoreTypes Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled Description: Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory. CVE-ID CVE-2013-0967 International Components for Unicode Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A canonicalization issue existed in the handling of the EUC-JP encoding, which could lead to a cross-site scripting attack on EUC-JP encoded websites. This issue was addressed by updating the EUC-JP mapping table. CVE-ID CVE-2011-3058 : Masato Kinugawa Identity Services Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Authentication relying on certificate-based Apple ID authentication may be bypassed Description: An error handling issue existed in Identity Services. If the user's AppleID certificate failed to validate, the user's AppleID was assumed to be the empty string. If multiple systems belonging to different users enter this state, applications relying on this identity determination may erroneously extend trust. This issue was addressed by ensuring that NULL is returned instead of an empty string. CVE-ID CVE-2013-0963 ImageIO Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libtiff's handling of TIFF images. This issue was addressed through additional validation of TIFF images. CVE-ID CVE-2012-2088 IOAcceleratorFamily Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted image may lead to an unexpected system termination or arbitrary code execution Description: A memory corruption issue existed in the handling of graphics data. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0976 : an anonymous researcher Kernel Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Maliciously crafted or compromised applications may be able to determine addresses in the kernel Description: An information disclosure issue existed in the handling of APIs related to kernel extensions. Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection. This issue was addressed by unsliding the addresses before returning them. CVE-ID CVE-2012-3749 : Mark Dowd of Azimuth Security, Eric Monti of Square, and additional anonymous researchers Login Window Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: An attacker with keyboard access may modify the system configuration Description: A logic error existed in VoiceOver's handling of the Login Window, whereby an attacker with access to the keyboard could launch System Preferences and modify the system configuration. This issue was addressed by preventing VoiceOver from launching applications at the Login Window. CVE-ID CVE-2013-0969 : Eric A. This issue was addressed by additional validation of FaceTime:// URLs. An attacker may cause the Jabber server to disclose information intended for users of federated servers. This issue was addressed through improved handling of dialback result messages. CVE-ID CVE-2012-3525 PDFKit Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A use after free issue existed in the handling of ink annotations in PDF files. This issue was addressed through improved memory management. CVE-ID CVE-2013-0971 : Tobias Klein working with HP TippingPoint's Zero Day Initiative Podcast Producer Server Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Podcast Producer Server. CVE-ID CVE-2013-0156 Podcast Producer Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of JSON data. This issue was addressed by switching to using the JSONGem backend for JSON parsing in the Rails implementation used by Podcast Producer Server. CVE-ID CVE-2013-0333 PostgreSQL Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: Multiple vulnerabilities in PostgreSQL Description: PostgreSQL was updated to version 9.1.5 to address multiple vulnerabilities, the most serious of which may allow database users to read files from the file system with the privileges of the database server role account. Further information is available via the PostgreSQL web site at http://www.postgresql.org/docs/9.1/static/release-9-1-5.html CVE-ID CVE-2012-3488 CVE-2012-3489 Profile Manager Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Profile Manager. CVE-ID CVE-2013-0156 QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of 'rnet' boxes in MP4 files. This issue was addressed through improved bounds checking. CVE-ID CVE-2012-3756 : Kevin Szkudlapski of QuarksLab Ruby Available for: Mac OS X Server 10.6.8 Impact: A remote attacker may be able to cause arbitrary code execution if a Rails application is running Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling YAML and symbols in XML parameters in Rails. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue was addressed by not allowing the incorrect SSL certificates. Software Update Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5 Impact: An attacker with a privileged network position may be able to cause arbitrary code execution Description: Software Update allowed a man in the middle attacker to insert plugin content into the marketing text displayed for updates. This may allow the exploitation of a vulnerable plugin, or facilitate social engineering attacks involving plugins. This issue was addressed by preventing plugins from being loaded in Software Update's marketing text WebView. CVE-ID CVE-2013-0973 : Emilio Escobar Wiki Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Wiki Server. CVE-ID CVE-2013-0156 Wiki Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of JSON data. This issue was addressed by switching to using the JSONGem backend for JSON parsing in the Rails implementation used by Wiki Server. If malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found. Note: OS X Mountain Lion v10.8.3 includes the content of Safari 6.0.3. For further details see "About the security content of Safari 6.0.3" at http://http//support.apple.com/kb/HT5671 OS X Mountain Lion v10.8.3 and Security Update 2013-001 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either OS X Mountain Lion v10.8.3, or Security Update 2013-001. For OS X Mountain Lion v10.8.2 The download file is named: OSXUpd10.8.3.dmg Its SHA-1 digest is: e6165572e9145ea05aac23fa30372a9b0a0bbf3c For OS X Mountain Lion v10.8 and v10.8.1 The download file is named: OSXUpdCombo10.8.3.dmg Its SHA-1 digest is: 1bc49fde5ff6e252aa7908b4cb1f9cb9c8a5fa29 For OS X Lion v10.7.5 The download file is named: SecUpd2013-001.dmg Its SHA-1 digest is: 5bc540a208c720fce3448f853d852336781e1a17 For OS X Lion Server v10.7.5 The download file is named: SecUpdSrvr2013-001.dmg Its SHA-1 digest is: e88ff36fc8e88c4c995422d3f2364c56ebe51b07 For Mac OS X v10.6.8 The download file is named: SecUpd2013-001.dmg Its SHA-1 digest is: dc52d0f7d2db6080c57c7b9252a4d85c5e178450 For Mac OS X Server v10.6.8 The download file is named: SecUpdSrvr2013-001.dmg Its SHA-1 digest is: fd7946f8d1f1bce0394b6e56c8d7387812e14694 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRQiuBAAoJEPefwLHPlZEwGfgP/0UDCn2KBop3IJ4Ad31yiG3N gH+yQl4GDONhm/HgrPWGQgcuVI69FmAqk+7arwOL7+7hlsSDQ5uSWDraRdd0EPmO aq2DxPxt6bYi4fHSrfkvRblVr/PcPxswEEshM82JU60Oy88EDA87bI8yy4qi8KJ4 E8+6O31vLuUeAaHf0SNE8y1p2iKpdmHH/Afo0iAVx3ddm8e8wMVPZ9XbR02pe8MV qmMWj8icBLNyHGoSl48zm5t4Ah4MS9qgXNjsYY+Mq2AcrqQI5EFTbdWpKFM7SQ1G UcM6zmeHtKNz8H21MDYKg1UHjo49MZnFb6ahRXN0E3jsPrfO4Co/2t6ogOLRZ90X 2Sd1RfwqYnRZRfwyOAe3htBYDpVEfvU1eaNMoTTHLRKWgarxUoXvww2cjnomAg5y tg+btVeQfzdHu+yClvioCbYqblKKxJf8lmhiLEgoH2bRaz2L+fluWW9yGQarxmrb vQ+cMKuy7heyLpNhwRHZioo4/b2K/IZBnkKwH76Ey3yAXnSSAD9xwbFZZAU5J8YQ liULOm9tv1sUlNHMyTsjplIsFkAIrkl+H43hn3/A+q4TIsDkmtPvOOl4Rc9/5w8H ZibyLnmr1XgXvd6CgFzIvl7Ink+d/xGHTnlybHszCMzR5o6Rg7sTeQsD34aNymcc Lz1nnBtRAbfDgARdRX4e =WUBR -----END PGP SIGNATURE-----

Login Window in Apple Mac OS X before 10.8.3 does not prevent application launching with the VoiceOver feature, which allows physically proximate attackers to bypass authentication and make arbitrary System Preferences changes via unspecified use of the keyboard. Apple Mac OS X is prone to multiple vulnerabilities. The update addresses new vulnerabilities that affect Apache, CoreTypes, IOAcceleratorFamily, Login Window, Messages, PDFKit, and Software Update. Attackers can exploit these issues to execute arbitrary code, cause denial-of-service conditions, gain unauthorized access, obtain sensitive information, bypass security restrictions, and perform other attacks. These issues affect OS X prior to 10.8.3. Note: This issue was previously discussed in BID 58494 (Apple Mac OS X Security Update 2013-001 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-03-14-1 OS X Mountain Lion v10.8.3 and Security Update 2013-001 OS X Mountain Lion v10.8.3 and Security Update 2013-001 is now available and addresses the following: Apache Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: An attacker may be able to access directories that are protected with HTTP authentication without knowing the correct credentials Description: A canonicalization issue existed in the handling of URIs with ignorable Unicode character sequences. This issue was addressed by updating mod_hfs_apple to forbid access to URIs with ignorable Unicode character sequences. CVE-ID CVE-2013-0966 : Clint Ruoho of Laconic Security CoreTypes Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled Description: Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory. CVE-ID CVE-2013-0967 International Components for Unicode Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A canonicalization issue existed in the handling of the EUC-JP encoding, which could lead to a cross-site scripting attack on EUC-JP encoded websites. This issue was addressed by updating the EUC-JP mapping table. CVE-ID CVE-2011-3058 : Masato Kinugawa Identity Services Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Authentication relying on certificate-based Apple ID authentication may be bypassed Description: An error handling issue existed in Identity Services. If the user's AppleID certificate failed to validate, the user's AppleID was assumed to be the empty string. If multiple systems belonging to different users enter this state, applications relying on this identity determination may erroneously extend trust. This issue was addressed by ensuring that NULL is returned instead of an empty string. CVE-ID CVE-2013-0963 ImageIO Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libtiff's handling of TIFF images. This issue was addressed through additional validation of TIFF images. CVE-ID CVE-2012-2088 IOAcceleratorFamily Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted image may lead to an unexpected system termination or arbitrary code execution Description: A memory corruption issue existed in the handling of graphics data. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0976 : an anonymous researcher Kernel Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Maliciously crafted or compromised applications may be able to determine addresses in the kernel Description: An information disclosure issue existed in the handling of APIs related to kernel extensions. Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection. This issue was addressed by unsliding the addresses before returning them. CVE-ID CVE-2012-3749 : Mark Dowd of Azimuth Security, Eric Monti of Square, and additional anonymous researchers Login Window Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: An attacker with keyboard access may modify the system configuration Description: A logic error existed in VoiceOver's handling of the Login Window, whereby an attacker with access to the keyboard could launch System Preferences and modify the system configuration. This issue was addressed by preventing VoiceOver from launching applications at the Login Window. CVE-ID CVE-2013-0969 : Eric A. Schulman of Purpletree Labs Messages Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Clicking a link from Messages may initiate a FaceTime call without prompting Description: Clicking on a specifically-formatted FaceTime:// URL in Messages could bypass the standard confirmation prompt. This issue was addressed by additional validation of FaceTime:// URLs. CVE-ID CVE-2013-0970 : Aaron Sigel of vtty.com Messages Server Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may reroute federated Jabber messages Description: An issue existed in the Jabber server's handling of dialback result messages. An attacker may cause the Jabber server to disclose information intended for users of federated servers. This issue was addressed through improved handling of dialback result messages. CVE-ID CVE-2012-3525 PDFKit Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A use after free issue existed in the handling of ink annotations in PDF files. This issue was addressed through improved memory management. CVE-ID CVE-2013-0971 : Tobias Klein working with HP TippingPoint's Zero Day Initiative Podcast Producer Server Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Podcast Producer Server. CVE-ID CVE-2013-0156 Podcast Producer Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of JSON data. This issue was addressed by switching to using the JSONGem backend for JSON parsing in the Rails implementation used by Podcast Producer Server. CVE-ID CVE-2013-0333 PostgreSQL Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: Multiple vulnerabilities in PostgreSQL Description: PostgreSQL was updated to version 9.1.5 to address multiple vulnerabilities, the most serious of which may allow database users to read files from the file system with the privileges of the database server role account. Further information is available via the PostgreSQL web site at http://www.postgresql.org/docs/9.1/static/release-9-1-5.html CVE-ID CVE-2012-3488 CVE-2012-3489 Profile Manager Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Profile Manager. CVE-ID CVE-2013-0156 QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of 'rnet' boxes in MP4 files. This issue was addressed through improved bounds checking. CVE-ID CVE-2012-3756 : Kevin Szkudlapski of QuarksLab Ruby Available for: Mac OS X Server 10.6.8 Impact: A remote attacker may be able to cause arbitrary code execution if a Rails application is running Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling YAML and symbols in XML parameters in Rails. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue was addressed by not allowing the incorrect SSL certificates. Software Update Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5 Impact: An attacker with a privileged network position may be able to cause arbitrary code execution Description: Software Update allowed a man in the middle attacker to insert plugin content into the marketing text displayed for updates. This may allow the exploitation of a vulnerable plugin, or facilitate social engineering attacks involving plugins. This issue was addressed by preventing plugins from being loaded in Software Update's marketing text WebView. CVE-ID CVE-2013-0973 : Emilio Escobar Wiki Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Wiki Server. CVE-ID CVE-2013-0156 Wiki Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of JSON data. This issue was addressed by switching to using the JSONGem backend for JSON parsing in the Rails implementation used by Wiki Server. If malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found. Note: OS X Mountain Lion v10.8.3 includes the content of Safari 6.0.3. For further details see "About the security content of Safari 6.0.3" at http://http//support.apple.com/kb/HT5671 OS X Mountain Lion v10.8.3 and Security Update 2013-001 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either OS X Mountain Lion v10.8.3, or Security Update 2013-001. For OS X Mountain Lion v10.8.2 The download file is named: OSXUpd10.8.3.dmg Its SHA-1 digest is: e6165572e9145ea05aac23fa30372a9b0a0bbf3c For OS X Mountain Lion v10.8 and v10.8.1 The download file is named: OSXUpdCombo10.8.3.dmg Its SHA-1 digest is: 1bc49fde5ff6e252aa7908b4cb1f9cb9c8a5fa29 For OS X Lion v10.7.5 The download file is named: SecUpd2013-001.dmg Its SHA-1 digest is: 5bc540a208c720fce3448f853d852336781e1a17 For OS X Lion Server v10.7.5 The download file is named: SecUpdSrvr2013-001.dmg Its SHA-1 digest is: e88ff36fc8e88c4c995422d3f2364c56ebe51b07 For Mac OS X v10.6.8 The download file is named: SecUpd2013-001.dmg Its SHA-1 digest is: dc52d0f7d2db6080c57c7b9252a4d85c5e178450 For Mac OS X Server v10.6.8 The download file is named: SecUpdSrvr2013-001.dmg Its SHA-1 digest is: fd7946f8d1f1bce0394b6e56c8d7387812e14694 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRQiuBAAoJEPefwLHPlZEwGfgP/0UDCn2KBop3IJ4Ad31yiG3N gH+yQl4GDONhm/HgrPWGQgcuVI69FmAqk+7arwOL7+7hlsSDQ5uSWDraRdd0EPmO aq2DxPxt6bYi4fHSrfkvRblVr/PcPxswEEshM82JU60Oy88EDA87bI8yy4qi8KJ4 E8+6O31vLuUeAaHf0SNE8y1p2iKpdmHH/Afo0iAVx3ddm8e8wMVPZ9XbR02pe8MV qmMWj8icBLNyHGoSl48zm5t4Ah4MS9qgXNjsYY+Mq2AcrqQI5EFTbdWpKFM7SQ1G UcM6zmeHtKNz8H21MDYKg1UHjo49MZnFb6ahRXN0E3jsPrfO4Co/2t6ogOLRZ90X 2Sd1RfwqYnRZRfwyOAe3htBYDpVEfvU1eaNMoTTHLRKWgarxUoXvww2cjnomAg5y tg+btVeQfzdHu+yClvioCbYqblKKxJf8lmhiLEgoH2bRaz2L+fluWW9yGQarxmrb vQ+cMKuy7heyLpNhwRHZioo4/b2K/IZBnkKwH76Ey3yAXnSSAD9xwbFZZAU5J8YQ liULOm9tv1sUlNHMyTsjplIsFkAIrkl+H43hn3/A+q4TIsDkmtPvOOl4Rc9/5w8H ZibyLnmr1XgXvd6CgFzIvl7Ink+d/xGHTnlybHszCMzR5o6Rg7sTeQsD34aNymcc Lz1nnBtRAbfDgARdRX4e =WUBR -----END PGP SIGNATURE-----

CoreTypes in Apple Mac OS X before 10.8.3 includes JNLP files in the list of safe file types, which allows remote attackers to bypass a Java plug-in disabled setting, and trigger the launch of Java Web Start applications, via a crafted web site. Apple Mac OS X is prone to multiple vulnerabilities. The update addresses new vulnerabilities that affect Apache, CoreTypes, IOAcceleratorFamily, Login Window, Messages, PDFKit, and Software Update. Attackers can exploit these issues to execute arbitrary code, cause denial-of-service conditions, gain unauthorized access, obtain sensitive information, bypass security restrictions, and perform other attacks. These issues affect OS X prior to 10.8.3. Note: This issue was previously discussed in BID 58494 (Apple Mac OS X Security Update 2013-001 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-03-14-1 OS X Mountain Lion v10.8.3 and Security Update 2013-001 OS X Mountain Lion v10.8.3 and Security Update 2013-001 is now available and addresses the following: Apache Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: An attacker may be able to access directories that are protected with HTTP authentication without knowing the correct credentials Description: A canonicalization issue existed in the handling of URIs with ignorable Unicode character sequences. This issue was addressed by updating mod_hfs_apple to forbid access to URIs with ignorable Unicode character sequences. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory. CVE-ID CVE-2013-0967 International Components for Unicode Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A canonicalization issue existed in the handling of the EUC-JP encoding, which could lead to a cross-site scripting attack on EUC-JP encoded websites. This issue was addressed by updating the EUC-JP mapping table. CVE-ID CVE-2011-3058 : Masato Kinugawa Identity Services Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Authentication relying on certificate-based Apple ID authentication may be bypassed Description: An error handling issue existed in Identity Services. If the user's AppleID certificate failed to validate, the user's AppleID was assumed to be the empty string. If multiple systems belonging to different users enter this state, applications relying on this identity determination may erroneously extend trust. This issue was addressed by ensuring that NULL is returned instead of an empty string. CVE-ID CVE-2013-0963 ImageIO Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libtiff's handling of TIFF images. This issue was addressed through additional validation of TIFF images. CVE-ID CVE-2012-2088 IOAcceleratorFamily Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted image may lead to an unexpected system termination or arbitrary code execution Description: A memory corruption issue existed in the handling of graphics data. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0976 : an anonymous researcher Kernel Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Maliciously crafted or compromised applications may be able to determine addresses in the kernel Description: An information disclosure issue existed in the handling of APIs related to kernel extensions. Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection. This issue was addressed by unsliding the addresses before returning them. CVE-ID CVE-2012-3749 : Mark Dowd of Azimuth Security, Eric Monti of Square, and additional anonymous researchers Login Window Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: An attacker with keyboard access may modify the system configuration Description: A logic error existed in VoiceOver's handling of the Login Window, whereby an attacker with access to the keyboard could launch System Preferences and modify the system configuration. This issue was addressed by preventing VoiceOver from launching applications at the Login Window. CVE-ID CVE-2013-0969 : Eric A. Schulman of Purpletree Labs Messages Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Clicking a link from Messages may initiate a FaceTime call without prompting Description: Clicking on a specifically-formatted FaceTime:// URL in Messages could bypass the standard confirmation prompt. This issue was addressed by additional validation of FaceTime:// URLs. CVE-ID CVE-2013-0970 : Aaron Sigel of vtty.com Messages Server Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may reroute federated Jabber messages Description: An issue existed in the Jabber server's handling of dialback result messages. An attacker may cause the Jabber server to disclose information intended for users of federated servers. This issue was addressed through improved handling of dialback result messages. CVE-ID CVE-2012-3525 PDFKit Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A use after free issue existed in the handling of ink annotations in PDF files. This issue was addressed through improved memory management. CVE-ID CVE-2013-0971 : Tobias Klein working with HP TippingPoint's Zero Day Initiative Podcast Producer Server Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Podcast Producer Server. CVE-ID CVE-2013-0156 Podcast Producer Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of JSON data. This issue was addressed by switching to using the JSONGem backend for JSON parsing in the Rails implementation used by Podcast Producer Server. CVE-ID CVE-2013-0333 PostgreSQL Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: Multiple vulnerabilities in PostgreSQL Description: PostgreSQL was updated to version 9.1.5 to address multiple vulnerabilities, the most serious of which may allow database users to read files from the file system with the privileges of the database server role account. Further information is available via the PostgreSQL web site at http://www.postgresql.org/docs/9.1/static/release-9-1-5.html CVE-ID CVE-2012-3488 CVE-2012-3489 Profile Manager Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Profile Manager. CVE-ID CVE-2013-0156 QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of 'rnet' boxes in MP4 files. This issue was addressed through improved bounds checking. CVE-ID CVE-2012-3756 : Kevin Szkudlapski of QuarksLab Ruby Available for: Mac OS X Server 10.6.8 Impact: A remote attacker may be able to cause arbitrary code execution if a Rails application is running Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling YAML and symbols in XML parameters in Rails. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue was addressed by not allowing the incorrect SSL certificates. Software Update Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5 Impact: An attacker with a privileged network position may be able to cause arbitrary code execution Description: Software Update allowed a man in the middle attacker to insert plugin content into the marketing text displayed for updates. This may allow the exploitation of a vulnerable plugin, or facilitate social engineering attacks involving plugins. This issue was addressed by preventing plugins from being loaded in Software Update's marketing text WebView. CVE-ID CVE-2013-0973 : Emilio Escobar Wiki Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Wiki Server. CVE-ID CVE-2013-0156 Wiki Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of JSON data. This issue was addressed by switching to using the JSONGem backend for JSON parsing in the Rails implementation used by Wiki Server. If malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found. Note: OS X Mountain Lion v10.8.3 includes the content of Safari 6.0.3. For further details see "About the security content of Safari 6.0.3" at http://http//support.apple.com/kb/HT5671 OS X Mountain Lion v10.8.3 and Security Update 2013-001 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either OS X Mountain Lion v10.8.3, or Security Update 2013-001. For OS X Mountain Lion v10.8.2 The download file is named: OSXUpd10.8.3.dmg Its SHA-1 digest is: e6165572e9145ea05aac23fa30372a9b0a0bbf3c For OS X Mountain Lion v10.8 and v10.8.1 The download file is named: OSXUpdCombo10.8.3.dmg Its SHA-1 digest is: 1bc49fde5ff6e252aa7908b4cb1f9cb9c8a5fa29 For OS X Lion v10.7.5 The download file is named: SecUpd2013-001.dmg Its SHA-1 digest is: 5bc540a208c720fce3448f853d852336781e1a17 For OS X Lion Server v10.7.5 The download file is named: SecUpdSrvr2013-001.dmg Its SHA-1 digest is: e88ff36fc8e88c4c995422d3f2364c56ebe51b07 For Mac OS X v10.6.8 The download file is named: SecUpd2013-001.dmg Its SHA-1 digest is: dc52d0f7d2db6080c57c7b9252a4d85c5e178450 For Mac OS X Server v10.6.8 The download file is named: SecUpdSrvr2013-001.dmg Its SHA-1 digest is: fd7946f8d1f1bce0394b6e56c8d7387812e14694 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRQiuBAAoJEPefwLHPlZEwGfgP/0UDCn2KBop3IJ4Ad31yiG3N gH+yQl4GDONhm/HgrPWGQgcuVI69FmAqk+7arwOL7+7hlsSDQ5uSWDraRdd0EPmO aq2DxPxt6bYi4fHSrfkvRblVr/PcPxswEEshM82JU60Oy88EDA87bI8yy4qi8KJ4 E8+6O31vLuUeAaHf0SNE8y1p2iKpdmHH/Afo0iAVx3ddm8e8wMVPZ9XbR02pe8MV qmMWj8icBLNyHGoSl48zm5t4Ah4MS9qgXNjsYY+Mq2AcrqQI5EFTbdWpKFM7SQ1G UcM6zmeHtKNz8H21MDYKg1UHjo49MZnFb6ahRXN0E3jsPrfO4Co/2t6ogOLRZ90X 2Sd1RfwqYnRZRfwyOAe3htBYDpVEfvU1eaNMoTTHLRKWgarxUoXvww2cjnomAg5y tg+btVeQfzdHu+yClvioCbYqblKKxJf8lmhiLEgoH2bRaz2L+fluWW9yGQarxmrb vQ+cMKuy7heyLpNhwRHZioo4/b2K/IZBnkKwH76Ey3yAXnSSAD9xwbFZZAU5J8YQ liULOm9tv1sUlNHMyTsjplIsFkAIrkl+H43hn3/A+q4TIsDkmtPvOOl4Rc9/5w8H ZibyLnmr1XgXvd6CgFzIvl7Ink+d/xGHTnlybHszCMzR5o6Rg7sTeQsD34aNymcc Lz1nnBtRAbfDgARdRX4e =WUBR -----END PGP SIGNATURE-----

WebKit in Apple Safari before 6.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2013-0960. This vulnerability CVE-2013-0960 Is a different vulnerability. WebKit is prone to an unspecified memory-corruption vulnerability. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-03-14-2 Safari 6.0.3 Safari 6.0.3 is now available and addresses the following: WebKit Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.2 Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling. CVE-ID CVE-2012-2824 : miaubiz CVE-2012-2857 : Arthur Gerkis CVE-2013-0948 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0949 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0950 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0951 : Apple CVE-2013-0952 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0953 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0954 : Dominic Cooney of Google and Martin Barbella of the Google Chrome Security Team CVE-2013-0955 : Apple CVE-2013-0956 : Apple Product Security CVE-2013-0958 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0959 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0960 : Apple CVE-2013-0961 : wushi of team509 working with iDefense VCP WebKit Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.2 Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-site scripting issue existed in the handling of frame elements. This issue was addressed through improved origin tracking. CVE-ID CVE-2012-2889 : Sergey Glazunov WebKit Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.2 Impact: Copying and pasting content on a malicious website may lead to a cross-site scripting attack Description: A cross-site scripting issue existed in the handling of content pasted from a different origin. This issue was addressed through additional validation of pasted content. CVE-ID CVE-2013-0962 : Mario Heiderich of Cure53 For OS X Lion systems Safari 6.0.3 is available via the Apple Software Update application. For OS X Mountain Lion systems Safari 6.0.3 is included with OS X v10.8.3. Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRQBJQAAoJEPefwLHPlZEwj8MP/0dgfaWcn1PZL/BJWaCiBHFn /FLQX83+8v+KexkQY4j1DxvlnrIT6ufAuAZV1VHOzWHhDngwt7EWzPUhT8o8FygE 7qWzamv47n/u2PfMmjNqTivBkEx6PchF1Hlny9cu6xY41NzKsYeQKiIwMJWGAojj huYz31K/YKG/mx1AaS0eVSn7Ypevpq9j7QmnvS6ojQm+b7jKCmpHRlnTSDLRshST QzWo/Do5fcavT9gPqVVm1qag+QzvKTMa6ZK7IDEsnHil1aA3T94taR0AJLVtYzrv zeB8ZJyKNC2ols5QnNknJeqwpTkijaUoRkoZkG/HLGA4OT9PKXRWUoBxpvxGjj6W bixIKYGItWEm5DndatgdDdpKXIlAIf1nMKNmjdDq3C0TYi4bTR6jkcRC8LL+2MrZ ZZdjXdzjmm4PTJpXaIxL7IiaMy1j4Hy+EpciUVZ0sDHGQ+pBgv7QBPKym+g56VNB o48bFGYbyGyDX2Jiag17rLxlh25qZ6YU2ZDsdFs+dXOgg+VX+sU31O94cOa07whH 6k3916hAGRaE4E+sQZYyHdWzgosk1J5Fj2aN6OGzrjYOxNH4ZiNvzmloruGFQKBx fhDw8HUijO6eFfhqBEkGm/9rp99SobXBo4A13S6lAbu9x/hQ7WyzC86T03JcoQlu f08mcBxZvJYFFXVgWg6x =SOkH -----END PGP SIGNATURE----- . In certain contexts, an active network attacker could present untrusted certificates to iTunes and they would be accepted without warning

WebKit in Apple Safari before 6.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2013-0961. This vulnerability CVE-2013-0961 Is a different vulnerability. WebKit is prone to an unspecified memory-corruption vulnerability. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-03-14-2 Safari 6.0.3 Safari 6.0.3 is now available and addresses the following: WebKit Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.2 Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling. CVE-ID CVE-2012-2824 : miaubiz CVE-2012-2857 : Arthur Gerkis CVE-2013-0948 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0949 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0950 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0951 : Apple CVE-2013-0952 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0953 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0954 : Dominic Cooney of Google and Martin Barbella of the Google Chrome Security Team CVE-2013-0955 : Apple CVE-2013-0956 : Apple Product Security CVE-2013-0958 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0959 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0960 : Apple CVE-2013-0961 : wushi of team509 working with iDefense VCP WebKit Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.2 Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-site scripting issue existed in the handling of frame elements. This issue was addressed through improved origin tracking. CVE-ID CVE-2012-2889 : Sergey Glazunov WebKit Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.2 Impact: Copying and pasting content on a malicious website may lead to a cross-site scripting attack Description: A cross-site scripting issue existed in the handling of content pasted from a different origin. This issue was addressed through additional validation of pasted content. CVE-ID CVE-2013-0962 : Mario Heiderich of Cure53 For OS X Lion systems Safari 6.0.3 is available via the Apple Software Update application. For OS X Mountain Lion systems Safari 6.0.3 is included with OS X v10.8.3. Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRQBJQAAoJEPefwLHPlZEwj8MP/0dgfaWcn1PZL/BJWaCiBHFn /FLQX83+8v+KexkQY4j1DxvlnrIT6ufAuAZV1VHOzWHhDngwt7EWzPUhT8o8FygE 7qWzamv47n/u2PfMmjNqTivBkEx6PchF1Hlny9cu6xY41NzKsYeQKiIwMJWGAojj huYz31K/YKG/mx1AaS0eVSn7Ypevpq9j7QmnvS6ojQm+b7jKCmpHRlnTSDLRshST QzWo/Do5fcavT9gPqVVm1qag+QzvKTMa6ZK7IDEsnHil1aA3T94taR0AJLVtYzrv zeB8ZJyKNC2ols5QnNknJeqwpTkijaUoRkoZkG/HLGA4OT9PKXRWUoBxpvxGjj6W bixIKYGItWEm5DndatgdDdpKXIlAIf1nMKNmjdDq3C0TYi4bTR6jkcRC8LL+2MrZ ZZdjXdzjmm4PTJpXaIxL7IiaMy1j4Hy+EpciUVZ0sDHGQ+pBgv7QBPKym+g56VNB o48bFGYbyGyDX2Jiag17rLxlh25qZ6YU2ZDsdFs+dXOgg+VX+sU31O94cOa07whH 6k3916hAGRaE4E+sQZYyHdWzgosk1J5Fj2aN6OGzrjYOxNH4ZiNvzmloruGFQKBx fhDw8HUijO6eFfhqBEkGm/9rp99SobXBo4A13S6lAbu9x/hQ7WyzC86T03JcoQlu f08mcBxZvJYFFXVgWg6x =SOkH -----END PGP SIGNATURE----- . In certain contexts, an active network attacker could present untrusted certificates to iTunes and they would be accepted without warning

The Apple mod_hfs_apple module for the Apache HTTP Server in Apple Mac OS X before 10.8.3 does not properly handle ignorable Unicode characters, which allows remote attackers to bypass intended directory authentication requirements via a crafted pathname in a URI. Apple Mac OS X is prone to multiple vulnerabilities. The update addresses new vulnerabilities that affect Apache, CoreTypes, IOAcceleratorFamily, Login Window, Messages, PDFKit, and Software Update. Attackers can exploit these issues to execute arbitrary code, cause denial-of-service conditions, gain unauthorized access, obtain sensitive information, bypass security restrictions, and perform other attacks. These issues affect OS X prior to 10.8.3. Note: This issue was previously discussed in BID 58494 (Apple Mac OS X Security Update 2013-001 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-03-14-1 OS X Mountain Lion v10.8.3 and Security Update 2013-001 OS X Mountain Lion v10.8.3 and Security Update 2013-001 is now available and addresses the following: Apache Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: An attacker may be able to access directories that are protected with HTTP authentication without knowing the correct credentials Description: A canonicalization issue existed in the handling of URIs with ignorable Unicode character sequences. This issue was addressed by updating mod_hfs_apple to forbid access to URIs with ignorable Unicode character sequences. CVE-ID CVE-2013-0966 : Clint Ruoho of Laconic Security CoreTypes Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled Description: Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory. CVE-ID CVE-2013-0967 International Components for Unicode Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A canonicalization issue existed in the handling of the EUC-JP encoding, which could lead to a cross-site scripting attack on EUC-JP encoded websites. This issue was addressed by updating the EUC-JP mapping table. CVE-ID CVE-2011-3058 : Masato Kinugawa Identity Services Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Authentication relying on certificate-based Apple ID authentication may be bypassed Description: An error handling issue existed in Identity Services. If the user's AppleID certificate failed to validate, the user's AppleID was assumed to be the empty string. If multiple systems belonging to different users enter this state, applications relying on this identity determination may erroneously extend trust. This issue was addressed by ensuring that NULL is returned instead of an empty string. CVE-ID CVE-2013-0963 ImageIO Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libtiff's handling of TIFF images. This issue was addressed through additional validation of TIFF images. CVE-ID CVE-2012-2088 IOAcceleratorFamily Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted image may lead to an unexpected system termination or arbitrary code execution Description: A memory corruption issue existed in the handling of graphics data. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0976 : an anonymous researcher Kernel Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Maliciously crafted or compromised applications may be able to determine addresses in the kernel Description: An information disclosure issue existed in the handling of APIs related to kernel extensions. Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection. This issue was addressed by unsliding the addresses before returning them. CVE-ID CVE-2012-3749 : Mark Dowd of Azimuth Security, Eric Monti of Square, and additional anonymous researchers Login Window Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: An attacker with keyboard access may modify the system configuration Description: A logic error existed in VoiceOver's handling of the Login Window, whereby an attacker with access to the keyboard could launch System Preferences and modify the system configuration. This issue was addressed by preventing VoiceOver from launching applications at the Login Window. CVE-ID CVE-2013-0969 : Eric A. Schulman of Purpletree Labs Messages Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Clicking a link from Messages may initiate a FaceTime call without prompting Description: Clicking on a specifically-formatted FaceTime:// URL in Messages could bypass the standard confirmation prompt. This issue was addressed by additional validation of FaceTime:// URLs. CVE-ID CVE-2013-0970 : Aaron Sigel of vtty.com Messages Server Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may reroute federated Jabber messages Description: An issue existed in the Jabber server's handling of dialback result messages. An attacker may cause the Jabber server to disclose information intended for users of federated servers. This issue was addressed through improved handling of dialback result messages. CVE-ID CVE-2012-3525 PDFKit Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A use after free issue existed in the handling of ink annotations in PDF files. This issue was addressed through improved memory management. CVE-ID CVE-2013-0971 : Tobias Klein working with HP TippingPoint's Zero Day Initiative Podcast Producer Server Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Podcast Producer Server. CVE-ID CVE-2013-0156 Podcast Producer Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of JSON data. This issue was addressed by switching to using the JSONGem backend for JSON parsing in the Rails implementation used by Podcast Producer Server. CVE-ID CVE-2013-0333 PostgreSQL Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: Multiple vulnerabilities in PostgreSQL Description: PostgreSQL was updated to version 9.1.5 to address multiple vulnerabilities, the most serious of which may allow database users to read files from the file system with the privileges of the database server role account. Further information is available via the PostgreSQL web site at http://www.postgresql.org/docs/9.1/static/release-9-1-5.html CVE-ID CVE-2012-3488 CVE-2012-3489 Profile Manager Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Profile Manager. CVE-ID CVE-2013-0156 QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of 'rnet' boxes in MP4 files. This issue was addressed through improved bounds checking. CVE-ID CVE-2012-3756 : Kevin Szkudlapski of QuarksLab Ruby Available for: Mac OS X Server 10.6.8 Impact: A remote attacker may be able to cause arbitrary code execution if a Rails application is running Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling YAML and symbols in XML parameters in Rails. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue was addressed by not allowing the incorrect SSL certificates. Software Update Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5 Impact: An attacker with a privileged network position may be able to cause arbitrary code execution Description: Software Update allowed a man in the middle attacker to insert plugin content into the marketing text displayed for updates. This may allow the exploitation of a vulnerable plugin, or facilitate social engineering attacks involving plugins. This issue was addressed by preventing plugins from being loaded in Software Update's marketing text WebView. CVE-ID CVE-2013-0973 : Emilio Escobar Wiki Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Wiki Server. CVE-ID CVE-2013-0156 Wiki Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of JSON data. This issue was addressed by switching to using the JSONGem backend for JSON parsing in the Rails implementation used by Wiki Server. If malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found. Note: OS X Mountain Lion v10.8.3 includes the content of Safari 6.0.3. For further details see "About the security content of Safari 6.0.3" at http://http//support.apple.com/kb/HT5671 OS X Mountain Lion v10.8.3 and Security Update 2013-001 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either OS X Mountain Lion v10.8.3, or Security Update 2013-001. For OS X Mountain Lion v10.8.2 The download file is named: OSXUpd10.8.3.dmg Its SHA-1 digest is: e6165572e9145ea05aac23fa30372a9b0a0bbf3c For OS X Mountain Lion v10.8 and v10.8.1 The download file is named: OSXUpdCombo10.8.3.dmg Its SHA-1 digest is: 1bc49fde5ff6e252aa7908b4cb1f9cb9c8a5fa29 For OS X Lion v10.7.5 The download file is named: SecUpd2013-001.dmg Its SHA-1 digest is: 5bc540a208c720fce3448f853d852336781e1a17 For OS X Lion Server v10.7.5 The download file is named: SecUpdSrvr2013-001.dmg Its SHA-1 digest is: e88ff36fc8e88c4c995422d3f2364c56ebe51b07 For Mac OS X v10.6.8 The download file is named: SecUpd2013-001.dmg Its SHA-1 digest is: dc52d0f7d2db6080c57c7b9252a4d85c5e178450 For Mac OS X Server v10.6.8 The download file is named: SecUpdSrvr2013-001.dmg Its SHA-1 digest is: fd7946f8d1f1bce0394b6e56c8d7387812e14694 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRQiuBAAoJEPefwLHPlZEwGfgP/0UDCn2KBop3IJ4Ad31yiG3N gH+yQl4GDONhm/HgrPWGQgcuVI69FmAqk+7arwOL7+7hlsSDQ5uSWDraRdd0EPmO aq2DxPxt6bYi4fHSrfkvRblVr/PcPxswEEshM82JU60Oy88EDA87bI8yy4qi8KJ4 E8+6O31vLuUeAaHf0SNE8y1p2iKpdmHH/Afo0iAVx3ddm8e8wMVPZ9XbR02pe8MV qmMWj8icBLNyHGoSl48zm5t4Ah4MS9qgXNjsYY+Mq2AcrqQI5EFTbdWpKFM7SQ1G UcM6zmeHtKNz8H21MDYKg1UHjo49MZnFb6ahRXN0E3jsPrfO4Co/2t6ogOLRZ90X 2Sd1RfwqYnRZRfwyOAe3htBYDpVEfvU1eaNMoTTHLRKWgarxUoXvww2cjnomAg5y tg+btVeQfzdHu+yClvioCbYqblKKxJf8lmhiLEgoH2bRaz2L+fluWW9yGQarxmrb vQ+cMKuy7heyLpNhwRHZioo4/b2K/IZBnkKwH76Ey3yAXnSSAD9xwbFZZAU5J8YQ liULOm9tv1sUlNHMyTsjplIsFkAIrkl+H43hn3/A+q4TIsDkmtPvOOl4Rc9/5w8H ZibyLnmr1XgXvd6CgFzIvl7Ink+d/xGHTnlybHszCMzR5o6Rg7sTeQsD34aNymcc Lz1nnBtRAbfDgARdRX4e =WUBR -----END PGP SIGNATURE-----