VARIoT IoT vulnerabilities database

VAR-201107-0256 | CVE-2011-2956 |
AzeoTech DAQFactory Denial of service vulnerability
Related entries in the VARIoT exploits database: VAR-E-201106-0001 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
AzeoTech DAQFactory before 5.85 (Build 1842) does not perform authentication for certain signals, which allows remote attackers to cause a denial of service (system reboot or shutdown) via a signal. ( System restart or shutdown ) There is a vulnerability that becomes a condition.Service disruption via a signal by a third party ( System restart or shutdown ) There is a possibility of being put into a state. AzeoTech DAQFactory is a complete system solution that embraces data acquisition, process control and data analysis. AzeoTech DAQFactory has a denial of service vulnerability that a malicious attacker can use to cause a denial of service. AzeoTech DAQFactory is prone to a denial-of-service vulnerability.
Versions prior to DAQFactory 5.85 are vulnerable. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
AzeoTech DAQFactory Unspecified Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA45633
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45633/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45633
RELEASE DATE:
2011-08-23
DISCUSS ADVISORY:
http://secunia.com/advisories/45633/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45633/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45633
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in AzeoTech DAQFactory, which can
be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an unspecified error related to
certain network features and can be exploited to cause a crash.
SOLUTION:
Update to version 5.85 build 1842.
PROVIDED AND/OR DISCOVERED BY:
nSense via ICS-CERT.
ORIGINAL ADVISORY:
AzeoTech:
http://www.azeotech.com/revisionhistory.php
ISC-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-11-122-01.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201107-0125 | CVE-2011-2192 | Haxx libcurl Trust Management Issue Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests. cURL/libcURL is prone to a vulnerability that may allow attackers to spoof clients' security credentials.
Remote attackers can exploit this issue to impersonate a client on any server that uses the same GSSAPI mechanism.
This issue affects cURL/libcURL versions 7.10.6 through 7.21.6.
This is obviously a very sensitive operation, which should only be done when
the user explicitly so directs.
For the oldstable distribution (lenny), this problem has been fixed in
version 7.18.2-8lenny5.
For the stable distribution (squeeze), this problem has been fixed in
version 7.21.0-2.
For the testing distribution (wheezy), this problem has been fixed in
version 7.21.6-2.
For the unstable distribution (sid), this problem has been fixed in
version 7.21.6-2.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. Summary:
Updated curl packages that fix one security issue are now available for Red
Hat Enterprise Linux 4, 5, and 6.
The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section. Relevant releases/architectures:
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
3. Description:
cURL provides the libcurl library and a command line tool for downloading
files from servers using various protocols, including HTTP, FTP, and LDAP. (CVE-2011-2192)
Users of curl should upgrade to these updated packages, which contain a
backported patch to correct this issue. All running applications using
libcurl must be restarted for the update to take effect. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
711454 - CVE-2011-2192 curl: Improper delegation of client credentials during GSS negotiation
6. Package List:
Red Hat Enterprise Linux AS version 4:
Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/curl-7.12.1-17.el4.src.rpm
i386:
curl-7.12.1-17.el4.i386.rpm
curl-debuginfo-7.12.1-17.el4.i386.rpm
curl-devel-7.12.1-17.el4.i386.rpm
ia64:
curl-7.12.1-17.el4.i386.rpm
curl-7.12.1-17.el4.ia64.rpm
curl-debuginfo-7.12.1-17.el4.i386.rpm
curl-debuginfo-7.12.1-17.el4.ia64.rpm
curl-devel-7.12.1-17.el4.ia64.rpm
ppc:
curl-7.12.1-17.el4.ppc.rpm
curl-7.12.1-17.el4.ppc64.rpm
curl-debuginfo-7.12.1-17.el4.ppc.rpm
curl-debuginfo-7.12.1-17.el4.ppc64.rpm
curl-devel-7.12.1-17.el4.ppc.rpm
s390:
curl-7.12.1-17.el4.s390.rpm
curl-debuginfo-7.12.1-17.el4.s390.rpm
curl-devel-7.12.1-17.el4.s390.rpm
s390x:
curl-7.12.1-17.el4.s390.rpm
curl-7.12.1-17.el4.s390x.rpm
curl-debuginfo-7.12.1-17.el4.s390.rpm
curl-debuginfo-7.12.1-17.el4.s390x.rpm
curl-devel-7.12.1-17.el4.s390x.rpm
x86_64:
curl-7.12.1-17.el4.i386.rpm
curl-7.12.1-17.el4.x86_64.rpm
curl-debuginfo-7.12.1-17.el4.i386.rpm
curl-debuginfo-7.12.1-17.el4.x86_64.rpm
curl-devel-7.12.1-17.el4.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/curl-7.12.1-17.el4.src.rpm
i386:
curl-7.12.1-17.el4.i386.rpm
curl-debuginfo-7.12.1-17.el4.i386.rpm
curl-devel-7.12.1-17.el4.i386.rpm
x86_64:
curl-7.12.1-17.el4.i386.rpm
curl-7.12.1-17.el4.x86_64.rpm
curl-debuginfo-7.12.1-17.el4.i386.rpm
curl-debuginfo-7.12.1-17.el4.x86_64.rpm
curl-devel-7.12.1-17.el4.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/curl-7.12.1-17.el4.src.rpm
i386:
curl-7.12.1-17.el4.i386.rpm
curl-debuginfo-7.12.1-17.el4.i386.rpm
curl-devel-7.12.1-17.el4.i386.rpm
ia64:
curl-7.12.1-17.el4.i386.rpm
curl-7.12.1-17.el4.ia64.rpm
curl-debuginfo-7.12.1-17.el4.i386.rpm
curl-debuginfo-7.12.1-17.el4.ia64.rpm
curl-devel-7.12.1-17.el4.ia64.rpm
x86_64:
curl-7.12.1-17.el4.i386.rpm
curl-7.12.1-17.el4.x86_64.rpm
curl-debuginfo-7.12.1-17.el4.i386.rpm
curl-debuginfo-7.12.1-17.el4.x86_64.rpm
curl-devel-7.12.1-17.el4.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/curl-7.12.1-17.el4.src.rpm
i386:
curl-7.12.1-17.el4.i386.rpm
curl-debuginfo-7.12.1-17.el4.i386.rpm
curl-devel-7.12.1-17.el4.i386.rpm
ia64:
curl-7.12.1-17.el4.i386.rpm
curl-7.12.1-17.el4.ia64.rpm
curl-debuginfo-7.12.1-17.el4.i386.rpm
curl-debuginfo-7.12.1-17.el4.ia64.rpm
curl-devel-7.12.1-17.el4.ia64.rpm
x86_64:
curl-7.12.1-17.el4.i386.rpm
curl-7.12.1-17.el4.x86_64.rpm
curl-debuginfo-7.12.1-17.el4.i386.rpm
curl-debuginfo-7.12.1-17.el4.x86_64.rpm
curl-devel-7.12.1-17.el4.x86_64.rpm
Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/curl-7.15.5-9.el5_6.3.src.rpm
i386:
curl-7.15.5-9.el5_6.3.i386.rpm
curl-debuginfo-7.15.5-9.el5_6.3.i386.rpm
x86_64:
curl-7.15.5-9.el5_6.3.i386.rpm
curl-7.15.5-9.el5_6.3.x86_64.rpm
curl-debuginfo-7.15.5-9.el5_6.3.i386.rpm
curl-debuginfo-7.15.5-9.el5_6.3.x86_64.rpm
RHEL Desktop Workstation (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/curl-7.15.5-9.el5_6.3.src.rpm
i386:
curl-debuginfo-7.15.5-9.el5_6.3.i386.rpm
curl-devel-7.15.5-9.el5_6.3.i386.rpm
x86_64:
curl-debuginfo-7.15.5-9.el5_6.3.i386.rpm
curl-debuginfo-7.15.5-9.el5_6.3.x86_64.rpm
curl-devel-7.15.5-9.el5_6.3.i386.rpm
curl-devel-7.15.5-9.el5_6.3.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/curl-7.15.5-9.el5_6.3.src.rpm
i386:
curl-7.15.5-9.el5_6.3.i386.rpm
curl-debuginfo-7.15.5-9.el5_6.3.i386.rpm
curl-devel-7.15.5-9.el5_6.3.i386.rpm
ia64:
curl-7.15.5-9.el5_6.3.ia64.rpm
curl-debuginfo-7.15.5-9.el5_6.3.ia64.rpm
curl-devel-7.15.5-9.el5_6.3.ia64.rpm
ppc:
curl-7.15.5-9.el5_6.3.ppc.rpm
curl-7.15.5-9.el5_6.3.ppc64.rpm
curl-debuginfo-7.15.5-9.el5_6.3.ppc.rpm
curl-debuginfo-7.15.5-9.el5_6.3.ppc64.rpm
curl-devel-7.15.5-9.el5_6.3.ppc.rpm
curl-devel-7.15.5-9.el5_6.3.ppc64.rpm
s390x:
curl-7.15.5-9.el5_6.3.s390.rpm
curl-7.15.5-9.el5_6.3.s390x.rpm
curl-debuginfo-7.15.5-9.el5_6.3.s390.rpm
curl-debuginfo-7.15.5-9.el5_6.3.s390x.rpm
curl-devel-7.15.5-9.el5_6.3.s390.rpm
curl-devel-7.15.5-9.el5_6.3.s390x.rpm
x86_64:
curl-7.15.5-9.el5_6.3.i386.rpm
curl-7.15.5-9.el5_6.3.x86_64.rpm
curl-debuginfo-7.15.5-9.el5_6.3.i386.rpm
curl-debuginfo-7.15.5-9.el5_6.3.x86_64.rpm
curl-devel-7.15.5-9.el5_6.3.i386.rpm
curl-devel-7.15.5-9.el5_6.3.x86_64.rpm
Red Hat Enterprise Linux Desktop (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/curl-7.19.7-26.el6_1.1.src.rpm
i386:
curl-7.19.7-26.el6_1.1.i686.rpm
curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm
libcurl-7.19.7-26.el6_1.1.i686.rpm
x86_64:
curl-7.19.7-26.el6_1.1.x86_64.rpm
curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm
curl-debuginfo-7.19.7-26.el6_1.1.x86_64.rpm
libcurl-7.19.7-26.el6_1.1.i686.rpm
libcurl-7.19.7-26.el6_1.1.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/curl-7.19.7-26.el6_1.1.src.rpm
i386:
curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm
libcurl-devel-7.19.7-26.el6_1.1.i686.rpm
x86_64:
curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm
curl-debuginfo-7.19.7-26.el6_1.1.x86_64.rpm
libcurl-devel-7.19.7-26.el6_1.1.i686.rpm
libcurl-devel-7.19.7-26.el6_1.1.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/curl-7.19.7-26.el6_1.1.src.rpm
x86_64:
curl-7.19.7-26.el6_1.1.x86_64.rpm
curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm
curl-debuginfo-7.19.7-26.el6_1.1.x86_64.rpm
libcurl-7.19.7-26.el6_1.1.i686.rpm
libcurl-7.19.7-26.el6_1.1.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/curl-7.19.7-26.el6_1.1.src.rpm
x86_64:
curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm
curl-debuginfo-7.19.7-26.el6_1.1.x86_64.rpm
libcurl-devel-7.19.7-26.el6_1.1.i686.rpm
libcurl-devel-7.19.7-26.el6_1.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/curl-7.19.7-26.el6_1.1.src.rpm
i386:
curl-7.19.7-26.el6_1.1.i686.rpm
curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm
libcurl-7.19.7-26.el6_1.1.i686.rpm
libcurl-devel-7.19.7-26.el6_1.1.i686.rpm
ppc64:
curl-7.19.7-26.el6_1.1.ppc64.rpm
curl-debuginfo-7.19.7-26.el6_1.1.ppc.rpm
curl-debuginfo-7.19.7-26.el6_1.1.ppc64.rpm
libcurl-7.19.7-26.el6_1.1.ppc.rpm
libcurl-7.19.7-26.el6_1.1.ppc64.rpm
libcurl-devel-7.19.7-26.el6_1.1.ppc.rpm
libcurl-devel-7.19.7-26.el6_1.1.ppc64.rpm
s390x:
curl-7.19.7-26.el6_1.1.s390x.rpm
curl-debuginfo-7.19.7-26.el6_1.1.s390.rpm
curl-debuginfo-7.19.7-26.el6_1.1.s390x.rpm
libcurl-7.19.7-26.el6_1.1.s390.rpm
libcurl-7.19.7-26.el6_1.1.s390x.rpm
libcurl-devel-7.19.7-26.el6_1.1.s390.rpm
libcurl-devel-7.19.7-26.el6_1.1.s390x.rpm
x86_64:
curl-7.19.7-26.el6_1.1.x86_64.rpm
curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm
curl-debuginfo-7.19.7-26.el6_1.1.x86_64.rpm
libcurl-7.19.7-26.el6_1.1.i686.rpm
libcurl-7.19.7-26.el6_1.1.x86_64.rpm
libcurl-devel-7.19.7-26.el6_1.1.i686.rpm
libcurl-devel-7.19.7-26.el6_1.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/curl-7.19.7-26.el6_1.1.src.rpm
i386:
curl-7.19.7-26.el6_1.1.i686.rpm
curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm
libcurl-7.19.7-26.el6_1.1.i686.rpm
libcurl-devel-7.19.7-26.el6_1.1.i686.rpm
x86_64:
curl-7.19.7-26.el6_1.1.x86_64.rpm
curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm
curl-debuginfo-7.19.7-26.el6_1.1.x86_64.rpm
libcurl-7.19.7-26.el6_1.1.i686.rpm
libcurl-7.19.7-26.el6_1.1.x86_64.rpm
libcurl-devel-7.19.7-26.el6_1.1.i686.rpm
libcurl-devel-7.19.7-26.el6_1.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2192.html
https://access.redhat.com/security/updates/classification/#moderate
http://curl.haxx.se/docs/adv_20110623.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-02-01-1 OS X Lion v10.7.3 and Security Update 2012-001
OS X Lion v10.7.3 and Security Update 2012-001 is now available and
addresses the following:
Address Book
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: An attacker in a privileged network position may intercept
CardDAV data
Description: Address Book supports Secure Sockets Layer (SSL) for
accessing CardDAV. A downgrade issue caused Address Book to attempt
an unencrypted connection if an encrypted connection failed. An
attacker in a privileged network position could abuse this behavior
to intercept CardDAV data. This issue is addressed by not downgrading
to an unencrypted connection without user approval.
CVE-ID
CVE-2011-3444 : Bernard Desruisseaux of Oracle Corporation
Apache
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Multiple vulnerabilities in Apache
Description: Apache is updated to version 2.2.21 to address several
vulnerabilities, the most serious of which may lead to a denial of
service. Further information is available via the Apache web site at
http://httpd.apache.org/
CVE-ID
CVE-2011-3348
Apache
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
Apache disabled the 'empty fragment' countermeasure which prevented
these attacks. This issue is addressed by providing a configuration
parameter to control the countermeasure and enabling it by default.
CVE-ID
CVE-2011-3389
CFNetwork
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. When accessing a maliciously crafted URL, CFNetwork could send
the request to an incorrect origin server. This issue does not affect
systems prior to OS X Lion.
CVE-ID
CVE-2011-3246 : Erling Ellingsen of Facebook
CFNetwork
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. When accessing a maliciously crafted URL, CFNetwork could send
unexpected request headers. This issue does not affect systems prior
to OS X Lion.
CVE-ID
CVE-2011-3447 : Erling Ellingsen of Facebook
ColorSync
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution
Description: An integer overflow existed in the handling of images
with an embedded ColorSync profile, which may lead to a heap buffer
overflow. This issue does not affect OS X Lion systems.
CVE-ID
CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day
Initiative
CoreAudio
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Playing maliciously crafted audio content may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of AAC
encoded audio streams. This issue does not affect OS X Lion systems.
CVE-ID
CVE-2011-3252 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
CoreMedia
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in CoreMedia's handling
of H.264 encoded movie files.
CVE-ID
CVE-2011-3448 : Scott Stender of iSEC Partners
CoreText
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing or downloading a document containing a maliciously
crafted embedded font may lead to an unexpected application
termination or arbitrary code execution
Description: A use after free issue existed in the handling of font
files.
CVE-ID
CVE-2011-3449 : Will Dormann of the CERT/CC
CoreUI
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a malicious website may lead to an unexpected
application termination or arbitrary code execution
Description: An unbounded stack allocation issue existed in the
handling of long URLs. This issue does not affect systems prior to OS
X Lion.
CVE-ID
CVE-2011-3450 : Ben Syverson
curl
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: A remote server may be able to impersonate clients via
GSSAPI requests
Description: When doing GSSAPI authentication, libcurl
unconditionally performs credential delegation. This issue is
addressed by disabling GSSAPI credential delegation.
CVE-ID
CVE-2011-2192
Data Security
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: Two certificate authorities in the list of trusted root
certificates have independently issued intermediate certificates to
DigiCert Malaysia. DigiCert Malaysia has issued certificates with
weak keys that it is unable to revoke. An attacker with a privileged
network position could intercept user credentials or other sensitive
information intended for a site with a certificate issued by DigiCert
Malaysia. This issue is addressed by configuring default system trust
settings so that DigiCert Malaysia's certificates are not trusted. We
would like to acknowledge Bruce Morton of Entrust, Inc.
dovecot
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
Dovecot disabled the 'empty fragment' countermeasure which prevented
these attacks. This issue is addressed by enabling the
countermeasure.
CVE-ID
CVE-2011-3389 : Apple
filecmds
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Decompressing a maliciously crafted compressed file may lead
to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the 'uncompress' command
line tool.
CVE-ID
CVE-2011-2895
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF files. This issue does not affect OS X
Lion systems.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue is address by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Multiple vulnerabilities in libpng 1.5.4
Description: libpng is updated to version 1.5.5 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the libpng website at
http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2011-3328
Internet Sharing
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: A Wi-Fi network created by Internet Sharing may lose
security settings after a system update
Description: After updating to a version of OS X Lion prior to
10.7.3, the Wi-Fi configuration used by Internet Sharing may revert
to factory defaults, which disables the WEP password. This issue only
affects systems with Internet Sharing enabled and sharing the
connection to Wi-Fi. This issue is addressed by preserving the Wi-Fi
configuration during a system update.
CVE-ID
CVE-2011-3452 : an anonymous researcher
Libinfo
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in Libinfo's handling of hostname
lookup requests. Libinfo could return incorrect results for a
maliciously crafted hostname. This issue does not affect systems
prior to OS X Lion.
CVE-ID
CVE-2011-3441 : Erling Ellingsen of Facebook
libresolv
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Applications that use OS X's libresolv library may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: An integer overflow existed in the parsing of DNS
resource records, which may lead to heap memory corruption.
CVE-ID
CVE-2011-3453 : Ilja van Sprundel of IOActive
libsecurity
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Some EV certificates may be trusted even if the
corresponding root has been marked as untrusted
Description: The certificate code trusted a root certificate to sign
EV certificates if it was on the list of known EV issuers, even if
the user had marked it as 'Never Trust' in Keychain. The root would
not be trusted to sign non-EV certificates.
CVE-ID
CVE-2011-3422 : Alastair Houghton
OpenGL
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Applications that use OS X's OpenGL implementation may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in the
handling of GLSL compilation.
CVE-ID
CVE-2011-3457 : Chris Evans of the Google Chrome Security Team, and
Marc Schoenefeld of the Red Hat Security Response Team
PHP
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Multiple vulnerabilities in PHP 5.3.6
Description: PHP is updated to version 5.3.8 to address several
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the PHP web site at
http://www.php.net
CVE-ID
CVE-2011-1148
CVE-2011-1657
CVE-2011-1938
CVE-2011-2202
CVE-2011-2483
CVE-2011-3182
CVE-2011-3189
CVE-2011-3267
CVE-2011-3268
PHP
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in FreeType's
handling of Type 1 fonts. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2011-3256 : Apple
PHP
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Multiple vulnerabilities in libpng 1.5.4
Description: libpng is updated to version 1.5.5 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the libpng website at
http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2011-3328
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Opening a maliciously crafted MP4 encoded file may lead to
an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the
handling of MP4 encoded files.
CVE-ID
CVE-2011-3458 : Luigi Auriemma and pa_kt both working with
TippingPoint's Zero Day Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A signedness issue existed in the handling of font
tables embedded in QuickTime movie files.
CVE-ID
CVE-2011-3248 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An off by one buffer overflow existed in the handling
of rdrf atoms in QuickTime movie files.
CVE-ID
CVE-2011-3459 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted JPEG2000 image file may lead
to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JPEG2000
files.
CVE-ID
CVE-2011-3250 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Processing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of PNG files.
CVE-ID
CVE-2011-3460 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of FLC
encoded movie files
CVE-ID
CVE-2011-3249 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
SquirrelMail
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Multiple vulnerabilities in SquirrelMail
Description: SquirrelMail is updated to version 1.4.22 to address
several vulnerabilities, the most serious of which is a cross-site
scripting issue. This issue does not affect OS X Lion systems.
Further information is available via the SquirrelMail web site at
http://www.SquirrelMail.org/
CVE-ID
CVE-2010-1637
CVE-2010-2813
CVE-2010-4554
CVE-2010-4555
CVE-2011-2023
Subversion
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Accessing a Subversion repository may lead to the disclosure
of sensitive information
Description: Subversion is updated to version 1.6.17 to address
multiple vulnerabilities, the most serious of which may lead to the
disclosure of sensitive information. Further information is available
via the Subversion web site at http://subversion.tigris.org/
CVE-ID
CVE-2011-1752
CVE-2011-1783
CVE-2011-1921
Time Machine
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: A remote attacker may access new backups created by the
user's system
Description: The user may designate a remote AFP volume or Time
Capsule to be used for Time Machine backups. Time Machine did not
verify that the same device was being used for subsequent backup
operations. An attacker who is able to spoof the remote volume could
gain access to new backups created by the user's system. This issue
is addressed by verifying the unique identifier associated with a
disk for backup operations.
CVE-ID
CVE-2011-3462 : Michael Roitzsch of the Technische Universitat
Dresden
Tomcat
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Multiple vulnerabilities in Tomcat 6.0.32
Description: Tomcat is updated to version 6.0.33 to address multiple
vulnerabilities, the most serious of which may lead to the disclosure
of sensitive information. Tomcat is only provided on Mac OS X Server
systems. This issue does not affect OS X Lion systems. Further
information is available via the Tomcat site at
http://tomcat.apache.org/
CVE-ID
CVE-2011-2204
WebDAV Sharing
Available for: OS X Lion Server v10.7 to v10.7.2
Impact: Local users may obtain system privileges
Description: An issue existed in WebDAV Sharing's handling of user
authentication. A user with a valid account on the server or one of
its bound directories could cause the execution of arbitrary code
with system privileges. This issue does not affect systems prior to
OS X Lion.
CVE-ID
CVE-2011-3463 : Gordon Davisson of Crywolf
Webmail
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted e-mail message may lead to the
disclosure of message content
Description: A cross-site scripting vulnerability existed in the
handling of mail messages. This issue is addressed by updating
Roundcube Webmail to version 0.6. This issue does not affect systems
prior to OS X Lion. Further information is available via the
Roundcube site at http://trac.roundcube.net/
CVE-ID
CVE-2011-2937
X11
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in FreeType's
handling of Type 1 fonts. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2011-3256 : Apple
OS X Lion v10.7.3 and Security Update 2012-001 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Security Update 2021-001 or OS X v10.7.3.
For OS X Lion v10.7.2
The download file is named: MacOSXUpd10.7.3.dmg
Its SHA-1 digest is: 7102fe8f9f47286c45dfa35f6e84e7f730493a7c
For OS X Lion v10.7 and v10.7.1
The download file is named: MacOSXUpdCombo10.7.3.dmg
Its SHA-1 digest is: 07dfce300f6801eb63d9ac13e0bec84e1862a16c
For OS X Lion Server v10.7.2
The download file is named: MacOSXServerUpd10.7.3.dmg
Its SHA-1 digest is: 55a9571635d4ec088c142d68132d0d69fcb8867d
For OS X Lion Server v10.7 and v10.7.1
The download file is named: MacOSXServerUpdCombo10.7.3.dmg
Its SHA-1 digest is: 2c87824f09734499ea166ea0617a3ac21ecf832b
For Mac OS X v10.6.8
The download file is named: SecUpd2012-001Snow.dmg
Its SHA-1 digest is: 40875ee8cb609bbaefc8f421a9c34cc353db42b8
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-001.dmg
Its SHA-1 digest is: 53b3ca5548001a9920aeabed4a034c6e4657fe20
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJPKYxNAAoJEGnF2JsdZQeeLiIIAMLhH2ipDFrhCsw/n4VDeF1V
P6jSkGXC9tBBVMvw1Xq4c2ok4SI34bDfMlURAVR+dde/h6nIZR24aLQVoDLjJuIp
RrO2dm1nQeozLJSx2NbxhVh54BucJdKp4xS1GkDNxkqcdh04RE9hRURXdKagnfGy
9P8QQPOQmKAiWos/LYhCPDInMfrpVNvEVwP8MCDP15g6hylN4De/Oyt7ZshPshSf
MnAFObfBTGX5KioVqTyfdlBkKUfdXHJux61QEFHn8eadX6+/6IuKbUvK9B0icc8E
pvbjOxQatFRps0KNWeIsKQc5i6iQoJhocAiIy6Y6LCuZQuSXCImY2RWXkVYzbWo=
=c1eU
-----END PGP SIGNATURE-----
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03280632
Version: 1
HPSBMU02764 SSRT100827 rev.1 - HP System Management Homepage (SMH) Running on Linux and Windows, Remote Cross Site Request Forgery (CSRF), Denial of Service (DoS), Execution of Arbitrary Code, Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-04-16
Last Updated: 2012-04-16
Potential Security Impact: Remote cross site request forgery (CSRF), Denial of Service (DoS), execution of arbitrary code, other vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP System Management Homepage (SMH) running on Linux and Windows. The vulnerabilities could be exploited remotely and locally resulting in cross site request forgery (CSRF), Denial of Service (DoS), execution of arbitrary code, and other vulnerabilities.
HP System Management Homepage (SMH) before v7.0 running on Linux and Windows.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2009-0037 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2010-0734 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2010-1452 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2010-1623 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2010-2068 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2010-2791 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2010-3436 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2010-4409 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2010-4645 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2011-0014 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2011-0195 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2011-0419 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2011-1148 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2011-1153 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2011-1464 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2011-1467 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2011-1468 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2011-1470 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2011-1471 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2011-1928 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2011-1938 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2011-1945 (AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6
CVE-2011-2192 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2011-2202 (AV:N/AC:L/Au:N/C:N/I:P/A:P) 6.4
CVE-2011-2483 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2011-3182 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2011-3189 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2011-3192 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8
CVE-2011-3267 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2011-3268 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2011-3207 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2011-3210 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2011-3348 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2011-3368 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2011-3639 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2011-3846 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2011-4317 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2012-0135 (AV:N/AC:M/Au:S/C:N/I:N/A:P) 3.5
CVE-2012-1993 (AV:L/AC:L/Au:S/C:P/I:P/A:N) 3.2
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
The Hewlett-Packard Company thanks Sow Ching Shiong coordinating with Secunia for reporting CVE-2011-3846 to security-alert@hp.com.
RESOLUTION
HP has provided HP System Management Homepage v7.0 or subsequent to resolve the vulnerabilities.
SMH v7.0 is available here: http://h18000.www1.hp.com/products/servers/management/agents/index.html
HISTORY
Version:1 (rev.1) 16 April 2012 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
Packages for 2009.0 are provided as of the Extended Maintenance
Program. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2012-0001
Synopsis: VMware ESXi and ESX updates to third party library
and ESX Service Console
Issue date: 2012-01-30
Updated on: 2012-01-30 (initial advisory)
CVE numbers: --- COS Kernel ---
CVE-2011-0726, CVE-2011-1078, CVE-2011-1079,
CVE-2011-1080, CVE-2011-1093, CVE-2011-1163,
CVE-2011-1166, CVE-2011-1170, CVE-2011-1171,
CVE-2011-1172, CVE-2011-1494, CVE-2011-1495,
CVE-2011-1577, CVE-2011-1763, CVE-2010-4649,
CVE-2011-0695, CVE-2011-0711, CVE-2011-1044,
CVE-2011-1182, CVE-2011-1573, CVE-2011-1576,
CVE-2011-1593, CVE-2011-1745, CVE-2011-1746,
CVE-2011-1776, CVE-2011-1936, CVE-2011-2022,
CVE-2011-2213, CVE-2011-2492, CVE-2011-1780,
CVE-2011-2525, CVE-2011-2689, CVE-2011-2482,
CVE-2011-2491, CVE-2011-2495, CVE-2011-2517,
CVE-2011-2519, CVE-2011-2901
--- COS cURL ---
CVE-2011-2192
--- COS rpm ---
CVE-2010-2059, CVE-2011-3378
--- COS samba ---
CVE-2010-0547, CVE-2010-0787, CVE-2011-1678,
CVE-2011-2522, CVE-2011-2694
--- COS python ---
CVE-2009-3720, CVE-2010-3493, CVE-2011-1015,
CVE-2011-1521
--- python library ---
CVE-2009-3560, CVE-2009-3720, CVE-2010-1634,
CVE-2010-2089, CVE-2011-1521
----------------------------------------------------------------------
1. Summary
VMware ESXi and ESX updates to third party library and ESX Service
Console address several security issues.
2. Relevant releases
ESXi 4.1 without patch ESXi410-201201401-SG
ESX 4.1 without patches ESX410-201201401-SG, ESX410-201201402-SG,
ESX410-201201404-SG, ESX410-201201405-SG,
ESX410-201201406-SG, ESX410-201201407-SG
3. Problem Description
a. ESX third party update for Service Console kernel
The ESX Service Console Operating System (COS) kernel is updated to
kernel-2.6.18-274.3.1.el5 to fix multiple security issues in the
COS kernel.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2011-0726, CVE-2011-1078, CVE-2011-1079,
CVE-2011-1080, CVE-2011-1093, CVE-2011-1163, CVE-2011-1166,
CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1494,
CVE-2011-1495, CVE-2011-1577, CVE-2011-1763, CVE-2010-4649,
CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182,
CVE-2011-1573, CVE-2011-1576, CVE-2011-1593, CVE-2011-1745,
CVE-2011-1746, CVE-2011-1776, CVE-2011-1936, CVE-2011-2022,
CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525,
CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495,
CVE-2011-2517, CVE-2011-2519, CVE-2011-2901 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201401-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
b. ESX third party update for Service Console cURL RPM
The ESX Service Console (COS) curl RPM is updated to cURL-7.15.5.9
resolving a security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2011-2192 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201402-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
c. ESX third party update for Service Console nspr and nss RPMs
The ESX Service Console (COS) nspr and nss RPMs are updated to
nspr-4.8.8-1.el5_7 and nss-3.12.10-4.el5_7 respectively resolving
a security issues.
A Certificate Authority (CA) issued fraudulent SSL certificates and
Netscape Portable Runtime (NSPR) and Network Security Services (NSS)
contain the built-in tokens of this fraudulent Certificate
Authority. This update renders all SSL certificates signed by the
fraudulent CA as untrusted for all uses.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201404-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
d. ESX third party update for Service Console rpm RPMs
The ESX Service Console Operating System (COS) rpm packages are
updated to popt-1.10.2.3-22.el5_7.2, rpm-4.4.2.3-22.el5_7.2,
rpm-libs-4.4.2.3-22.el5_7.2 and rpm-python-4.4.2.3-22.el5_7.2
which fixes multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2010-2059 and CVE-2011-3378 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201406-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
e. ESX third party update for Service Console samba RPMs
The ESX Service Console Operating System (COS) samba packages are
updated to samba-client-3.0.33-3.29.el5_7.4,
samba-common-3.0.33-3.29.el5_7.4 and
libsmbclient-3.0.33-3.29.el5_7.4 which fixes multiple security
issues in the Samba client.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2010-0547, CVE-2010-0787, CVE-2011-1678,
CVE-2011-2522 and CVE-2011-2694 to these issues.
Note that ESX does not include the Samba Web Administration Tool
(SWAT) and therefore ESX COS is not affected by CVE-2011-2522 and
CVE-2011-2694.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201407-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
f. ESX third party update for Service Console python package
The ESX Service Console (COS) python package is updated to
2.4.3-44 which fixes multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2009-3720, CVE-2010-3493, CVE-2011-1015 and
CVE-2011-1521 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201405-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
g. ESXi update to third party component python
The python third party library is updated to python 2.5.6 which
fixes multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2009-3560, CVE-2009-3720, CVE-2010-1634,
CVE-2010-2089, and CVE-2011-1521 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi 5.0 ESXi patch pending
ESXi 4.1 ESXi ESXi410-201201401-SG
ESXi 4.0 ESXi patch pending
ESXi 3.5 ESXi patch pending
ESX 4.1 ESX not affected
ESX 4.0 ESX not affected
ESX 3.5 ESX not affected
* hosted products are VMware Workstation, Player, ACE, Fusion.
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
VMware ESXi 4.1
---------------
ESXi410-201201401
http://downloads.vmware.com/go/selfsupport-download
md5sum: BDF86F10A973346E26C9C2CD4C424E88
sha1sum: CC0B92869A9AAE4F5E0E5B81BEE109BCD7DA780F
http://kb.vmware.com/kb/2009143
ESXi410-201201401 contains ESXi410-201201401-SG
VMware ESX 4.1
--------------
ESX410-201201001
http://downloads.vmware.com/go/selfsupport-download
md5sum: 16DF9ACD3E74BCABC2494BC23AD0927F
sha1sum: 1066AE1436E1A75BA3D541AB65296CFB9AB7A5CC
http://kb.vmware.com/kb/2009142
ESX410-201201001 contains ESX410-201201401-SG, ESX410-201201402-SG,
ESX410-201201404-SG, ESX410-201201405-SG, ESX410-201201406-SG and
ESX410-201201407-SG
5. References
CVE numbers
--- COS Kernel ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0726
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1078
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1171
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4649
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0711
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1745
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2022
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2901
--- COS cURL ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2192
--- COS rpm ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3378
--- COS samba ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2694
--- COS python ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521
--- python library ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521
----------------------------------------------------------------------
6. Change log
2012-01-30 VMSA-2012-0001
Initial security advisory in conjunction with the release of patches
for ESX 4.1 and ESXi 4.1 on 2012-01-30.
----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2012 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFPJ5DIDEcm8Vbi9kMRAnzCAKCmaAoDp49d61Mr1emzh/U0N8vbgACdFZk8
f2pLxi537s+ew4dvnYNWlJ8=
=OAh4
-----END PGP SIGNATURE-----
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201203-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: cURL: Multiple vulnerabilities
Date: March 06, 2012
Bugs: #308645, #373235, #400799
ID: 201203-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in cURL, the worst of which
might allow remote execution of arbitrary code.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/curl < 7.24.0 >= 7.24.0
Description
===========
Multiple vulnerabilities have been found in cURL:
* When zlib is enabled, the amount of data sent to an application for
automatic decompression is not restricted (CVE-2010-0734).
* When SSL is enabled, cURL improperly disables the OpenSSL workaround
to mitigate an information disclosure vulnerability in the SSL and
TLS protocols (CVE-2011-3389).
* libcurl does not properly verify file paths for escape control
characters in IMAP, POP3 or SMTP URLs (CVE-2012-0036).
Impact
======
A remote attacker could entice a user or automated process to open a
specially crafted file or URL using cURL, possibly resulting in the
remote execution of arbitrary code, a Denial of Service condition,
disclosure of sensitive information, or unwanted actions performed via
the IMAP, POP3 or SMTP protocols.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All cURL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/curl-7.24.0"
References
==========
[ 1 ] CVE-2010-0734
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0734
[ 2 ] CVE-2011-2192
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2192
[ 3 ] CVE-2011-3389
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389
[ 4 ] CVE-2012-0036
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0036
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201203-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-201106-0163 | CVE-2011-0212 | Apple Mac OS X of servermgrd Vulnerable to reading arbitrary files |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
servermgrd in Apple Mac OS X before 10.6.8 allows remote attackers to read arbitrary files, and possibly send HTTP requests to intranet servers or cause a denial of service (CPU and memory consumption), via an XML-RPC request containing an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue. Apple Mac OS X is prone to an information-disclosure vulnerability in 'servermgrd'.
A remote attacker can exploit this issue to retrieve arbitrary files from the vulnerable computer. Information obtained may aid in further attacks.
NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45054/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
3) An unspecified error in the handling of embedded TrueType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
4) An error within Certificate Trust Policy when handling an Extended
Validation (EV) certificate with no OCSP URL can be exploited to
disclose certain sensitive information via Man-in-the-Middle (MitM)
attacks.
5) An integer overflow error when processing ColorSync profiles
embedded in images can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code via a specially
crafted image.
6) An off-by-one error within the CoreFoundation framework when
handling CFStrings can be exploited to execute arbitrary code.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO within the handling of TIFF files can be
exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be
exploited to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when
handling certain uppercase strings can be exploited to cause a buffer
overflow.
12) A NULL pointer dereference error within the kernel when handling
IPV6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases. This can be exploited to disclose a user's MobileMe email
aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused due to a vulnerable bundled
version of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused due to a vulnerable bundled
version of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused due to a vulnerable bundled version of
GNU patch.
For more information:
SA43677
19) An unspecified error in QuickLook within the processing of
Microsoft Office files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
20) An integer overflow error in QuickTime when handling RIFF WAV
files can be exploited to execute arbitrary code.
21) An error within QuickTime when processing sample tables in
QuickTime movie files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
22) An integer overflow error in QuickTime when handling certain
movie files can be exploited to execute arbitrary code.
23) An error in QuickTime when handling PICT image files can be
exploited to cause a buffer overflow and execute arbitrary code.
24) An error in QuickTime when handling JPEG image files can be
exploited to cause a buffer overflow and execute arbitrary code.
25) Some vulnerabilities are caused due to a vulnerable bundled
version of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused due to a vulnerable bundled version of
subversion.
For more information:
SA43603
SOLUTION:
Update to version 10.6.8 or apply Security Update 2011-004.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19)Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201106-0164 | CVE-2011-0213 | Apple Mac OS X of QuickTime Vulnerable to buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Buffer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG file. Apple Mac OS X is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
This issue affects Mac OS X 10.6 through 10.6.7 and Mac OS X Server 10.6 through 10.6.7.
NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. Viewing a maliciously crafted pict file may lead to an
unexpected application termination or arbitrary code execution. Viewing a maliciously
crafted JPEG2000 image with QuickTime may lead to an unexpected
application termination or arbitrary code execution.
CVE-ID
CVE-2011-0186 : Will Dormann of the CERT/CC
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of video data from another site
Description: A cross-origin issue existed in QuickTime plug-in's
handling of cross-site redirects. Visiting a maliciously crafted
website may lead to the disclosure of video data from another site.
This issue is addressed by preventing QuickTime from following cross-
site redirects. Playing a maliciously crafted WAV file may lead to an
unexpected application termination or arbitrary code execution. Viewing a
maliciously crafted movie file may lead to an unexpected application
termination or arbitrary code execution. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. Viewing a maliciously crafted JPEG file may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0213 : Luigi Auriemma working with iDefense VCP
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted GIF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in QuickTime's handling
of GIF images. Viewing a maliciously crafted GIF image may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0246 : an anonymous contributor working with Beyond
Security's SecuriTeam Secure Disclosure program
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted H.264 movie file may lead to
an unexpected application termination or arbitrary code execution
Description: Multiple stack buffer overflows existed in the handling
of H.264 encoded movie files. Viewing a maliciously crafted H.264
movie file may lead to an unexpected application termination or
arbitrary code execution.
CVE-ID
CVE-2011-0247 : Roi Mallo and Sherab Giovannini working with
TippingPoint's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website using Internet
Explorer may lead to an unexpected application termination or
arbitrary code execution
Description: A stack buffer overflow existed in the QuickTime
ActiveX control's handling of QTL files. Visiting a maliciously
crafted website using Internet Explorer may lead to an unexpected
application termination or arbitrary code execution. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution.
CVE-ID
CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime 7.7 may be obtained from the Software Update
application, or from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/
For Mac OS X v10.5.8
The download file is named: "QuickTime77Leopard.dmg"
Its SHA-1 digest is: 0deb99cc44015af7c396750d2c9dd4cbd59fb355
For Windows 7 / Vista / XP SP3
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: a99f61d67be6a6b42e11d17b0b4f25cd88b74dc9
QuickTime is incorporated into Mac OS X v10.6 and later.
QuickTime 7.7 is not presented to systems running
Mac OS X v10.6 or later.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
iQEcBAEBAgAGBQJOOZuHAAoJEGnF2JsdZQeeNWIH/A+KRxzYTBC5nCZQ6m/sRdU0
OrauYjVbXIj1LUgMS9+I0wW4Zg7xtGBEjYBnqiuNuajP5W2+Ts8mNe75ZlEFlNto
KFQI7NS/OsTrjCTR1m1sF2zvsyMKDOjviIy90+PDGKejC8c3Zu/Y8GSdZ++I4aEf
J2g7BqhBDW/RFOemPGrcvr/iwu3twdkiAHeLXFCcecNCKjSUfoxXDuPd/Ege/kS7
95wsNkLjypSEuLpcmjATSXp5X58nzbUCsrQ2doPzLy1/8oWiG9XsiZznmcYlLhHg
trYm+KIMdqBOQWI3uhG+3dG6l2xkJxdYNxHRHXFh78QH0NblHg9u3PmhELUBeXU=
=H+iO
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45054/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
3) An unspecified error in the handling of embedded TrueType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
4) An error within Certificate Trust Policy when handling an Extended
Validation (EV) certificate with no OCSP URL can be exploited to
disclose certain sensitive information via Man-in-the-Middle (MitM)
attacks.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO within the handling of TIFF files can be
exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be
exploited to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when
handling certain uppercase strings can be exploited to cause a buffer
overflow.
12) A NULL pointer dereference error within the kernel when handling
IPV6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases. This can be exploited to disclose a user's MobileMe email
aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused due to a vulnerable bundled
version of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused due to a vulnerable bundled
version of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused due to a vulnerable bundled version of
GNU patch.
For more information:
SA43677
19) An unspecified error in QuickLook within the processing of
Microsoft Office files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
25) Some vulnerabilities are caused due to a vulnerable bundled
version of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused due to a vulnerable bundled version of
subversion.
For more information:
SA43603
SOLUTION:
Update to version 10.6.8 or apply Security Update 2011-004.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19)Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201106-0158 | CVE-2011-0207 | Apple Mac OS X of MobileMe Vulnerable to obtaining important alias information |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The MobileMe component in Apple Mac OS X before 10.6.8 uses a cleartext HTTP session for the Mail application to read e-mail aliases, which allows remote attackers to obtain potentially sensitive alias information by sniffing the network. Apple Mac OS X is prone to an information-disclosure vulnerability in MobileMe.
A man-in-the-middle attacker may be able to exploit this issue to retrieve MobileMe email aliases. Information obtained may aid in further attacks.
NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. A remote attacker could sniff this network for potentially sensitive alias information. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45054/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
3) An unspecified error in the handling of embedded TrueType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
4) An error within Certificate Trust Policy when handling an Extended
Validation (EV) certificate with no OCSP URL can be exploited to
disclose certain sensitive information via Man-in-the-Middle (MitM)
attacks.
5) An integer overflow error when processing ColorSync profiles
embedded in images can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code via a specially
crafted image.
6) An off-by-one error within the CoreFoundation framework when
handling CFStrings can be exploited to execute arbitrary code.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO within the handling of TIFF files can be
exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be
exploited to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when
handling certain uppercase strings can be exploited to cause a buffer
overflow.
12) A NULL pointer dereference error within the kernel when handling
IPV6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases.
16) Some vulnerabilities are caused due to a vulnerable bundled
version of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused due to a vulnerable bundled
version of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused due to a vulnerable bundled version of
GNU patch.
For more information:
SA43677
19) An unspecified error in QuickLook within the processing of
Microsoft Office files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
20) An integer overflow error in QuickTime when handling RIFF WAV
files can be exploited to execute arbitrary code.
21) An error within QuickTime when processing sample tables in
QuickTime movie files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
22) An integer overflow error in QuickTime when handling certain
movie files can be exploited to execute arbitrary code.
23) An error in QuickTime when handling PICT image files can be
exploited to cause a buffer overflow and execute arbitrary code.
24) An error in QuickTime when handling JPEG image files can be
exploited to cause a buffer overflow and execute arbitrary code.
25) Some vulnerabilities are caused due to a vulnerable bundled
version of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused due to a vulnerable bundled version of
subversion.
For more information:
SA43603
SOLUTION:
Update to version 10.6.8 or apply Security Update 2011-004.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19)Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201106-0162 | CVE-2011-0211 | Apple Mac OS X of QuickTime Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Integer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the way Quicktime handles Apple Lossless Audio Codec streams. While parsing the sample description for the 'alac' codec an integer wrap can occur that results in the allocation of a memory buffer that is smaller than intended. When Quicktime writes to this buffer it causes a memory corruption that can lead to remote code execution under the context of the current user. Apple Mac OS X is prone to an integer-overflow vulnerability that occurs in QuickTime. Failed exploit attempts will likely result in denial-of-service conditions.
The following versions are affected:
Mac OS X 10.6 through v10.6.7
Mac OS X Server 10.6 through v10.6.7
NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. Viewing a maliciously crafted pict file may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0186 : Will Dormann of the CERT/CC
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of video data from another site
Description: A cross-origin issue existed in QuickTime plug-in's
handling of cross-site redirects. Visiting a maliciously crafted
website may lead to the disclosure of video data from another site.
This issue is addressed by preventing QuickTime from following cross-
site redirects. Playing a maliciously crafted WAV file may lead to an
unexpected application termination or arbitrary code execution. Viewing a maliciously crafted JPEG file may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0213 : Luigi Auriemma working with iDefense VCP
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted GIF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in QuickTime's handling
of GIF images. Viewing a maliciously crafted GIF image may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0246 : an anonymous contributor working with Beyond
Security's SecuriTeam Secure Disclosure program
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted H.264 movie file may lead to
an unexpected application termination or arbitrary code execution
Description: Multiple stack buffer overflows existed in the handling
of H.264 encoded movie files.
CVE-ID
CVE-2011-0247 : Roi Mallo and Sherab Giovannini working with
TippingPoint's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website using Internet
Explorer may lead to an unexpected application termination or
arbitrary code execution
Description: A stack buffer overflow existed in the QuickTime
ActiveX control's handling of QTL files. Visiting a maliciously
crafted website using Internet Explorer may lead to an unexpected
application termination or arbitrary code execution.
CVE-ID
CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime 7.7 may be obtained from the Software Update
application, or from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/
For Mac OS X v10.5.8
The download file is named: "QuickTime77Leopard.dmg"
Its SHA-1 digest is: 0deb99cc44015af7c396750d2c9dd4cbd59fb355
For Windows 7 / Vista / XP SP3
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: a99f61d67be6a6b42e11d17b0b4f25cd88b74dc9
QuickTime is incorporated into Mac OS X v10.6 and later.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
iQEcBAEBAgAGBQJOOZuHAAoJEGnF2JsdZQeeNWIH/A+KRxzYTBC5nCZQ6m/sRdU0
OrauYjVbXIj1LUgMS9+I0wW4Zg7xtGBEjYBnqiuNuajP5W2+Ts8mNe75ZlEFlNto
KFQI7NS/OsTrjCTR1m1sF2zvsyMKDOjviIy90+PDGKejC8c3Zu/Y8GSdZ++I4aEf
J2g7BqhBDW/RFOemPGrcvr/iwu3twdkiAHeLXFCcecNCKjSUfoxXDuPd/Ege/kS7
95wsNkLjypSEuLpcmjATSXp5X58nzbUCsrQ2doPzLy1/8oWiG9XsiZznmcYlLhHg
trYm+KIMdqBOQWI3uhG+3dG6l2xkJxdYNxHRHXFh78QH0NblHg9u3PmhELUBeXU=
=H+iO
-----END PGP SIGNATURE-----
. ZDI-11-230: Apple Quicktime Apple Lossless Audio Codec Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-230
June 29, 2011
-- CVE ID:
CVE-2011-0211
-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11428.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT4723
-- Disclosure Timeline:
2011-04-11 - Vulnerability reported to vendor
2011-06-29 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Luigi Auriemma
* Damian Put
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45054/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
3) An unspecified error in the handling of embedded TrueType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
4) An error within Certificate Trust Policy when handling an Extended
Validation (EV) certificate with no OCSP URL can be exploited to
disclose certain sensitive information via Man-in-the-Middle (MitM)
attacks.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO within the handling of TIFF files can be
exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be
exploited to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when
handling certain uppercase strings can be exploited to cause a buffer
overflow.
12) A NULL pointer dereference error within the kernel when handling
IPV6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases. This can be exploited to disclose a user's MobileMe email
aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused due to a vulnerable bundled
version of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused due to a vulnerable bundled
version of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused due to a vulnerable bundled version of
GNU patch.
For more information:
SA43677
19) An unspecified error in QuickLook within the processing of
Microsoft Office files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
25) Some vulnerabilities are caused due to a vulnerable bundled
version of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused due to a vulnerable bundled version of
subversion.
For more information:
SA43603
SOLUTION:
Update to version 10.6.8 or apply Security Update 2011-004.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19)Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201106-0156 | CVE-2011-0205 | Apple Mac OS X of ImageIO Heap-based buffer overflow vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Heap-based buffer overflow in ImageIO in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG2000 image. Apple Mac OS X is prone to a heap buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45054/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
NOTE: This vulnerability does not affect Mac OS X 10.6.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
4) An error within Certificate Trust Policy when handling an Extended
Validation (EV) certificate with no OCSP URL can be exploited to
disclose certain sensitive information via Man-in-the-Middle (MitM)
attacks.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO within the handling of TIFF files can be
exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be
exploited to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when
handling certain uppercase strings can be exploited to cause a buffer
overflow.
12) A NULL pointer dereference error within the kernel when handling
IPV6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases. This can be exploited to disclose a user's MobileMe email
aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused due to a vulnerable bundled
version of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused due to a vulnerable bundled
version of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused due to a vulnerable bundled version of
GNU patch.
For more information:
SA43677
19) An unspecified error in QuickLook within the processing of
Microsoft Office files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
NOTE: This vulnerability only affects Mac OS X 10.6.
20) An integer overflow error in QuickTime when handling RIFF WAV
files can be exploited to execute arbitrary code.
21) An error within QuickTime when processing sample tables in
QuickTime movie files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
22) An integer overflow error in QuickTime when handling certain
movie files can be exploited to execute arbitrary code.
25) Some vulnerabilities are caused due to a vulnerable bundled
version of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused due to a vulnerable bundled version of
subversion.
For more information:
SA43603
SOLUTION:
Update to version 10.6.8 or apply Security Update 2011-004.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19)Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201106-0161 | CVE-2011-0210 | Apple Mac OS X of QuickTime Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted sample tables in a movie file.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. Viewing a maliciously crafted pict file may lead to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
This issue does not affect Mac OS X v10.7 systems. Viewing a maliciously
crafted JPEG2000 image with QuickTime may lead to an unexpected
application termination or arbitrary code execution. For Mac OS X
v10.6 systems, this issue is addressed in Mac OS X v10.6.7. This
issue does not affect Mac OS X v10.7 systems. Visiting a maliciously crafted
website may lead to the disclosure of video data from another site.
This issue is addressed by preventing QuickTime from following cross-
site redirects. For Mac OS X v10.6 systems, this issue is addressed
in Mac OS X v10.6.7. This issue does not affect Mac OS X v10.7
systems. Playing a maliciously crafted WAV file may lead to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
This issue does not affect Mac OS X v10.7 systems. Viewing a
maliciously crafted movie file may lead to an unexpected application
termination or arbitrary code execution. For Mac OS X v10.6 systems,
this issue is addressed in Mac OS X v10.6.8. This issue does not
affect Mac OS X v10.7 systems. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. For Mac OS X v10.6 systems, this issue is addressed
in Mac OS X v10.6.8. This issue does not affect Mac OS X v10.7
systems.
CVE-ID
CVE-2011-0211 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted JPEG file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in QuickTime's handling of
JPEG files. Viewing a maliciously crafted JPEG file may lead to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0213 : Luigi Auriemma working with iDefense VCP
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted GIF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in QuickTime's handling
of GIF images. Viewing a maliciously crafted GIF image may lead to an
unexpected application termination or arbitrary code execution. This
issue does not affect Mac OS X systems.
CVE-ID
CVE-2011-0246 : an anonymous contributor working with Beyond
Security's SecuriTeam Secure Disclosure program
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted H.264 movie file may lead to
an unexpected application termination or arbitrary code execution
Description: Multiple stack buffer overflows existed in the handling
of H.264 encoded movie files. Viewing a maliciously crafted H.264
movie file may lead to an unexpected application termination or
arbitrary code execution. These issues do not affect Mac OS X
systems.
CVE-ID
CVE-2011-0247 : Roi Mallo and Sherab Giovannini working with
TippingPoint's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website using Internet
Explorer may lead to an unexpected application termination or
arbitrary code execution
Description: A stack buffer overflow existed in the QuickTime
ActiveX control's handling of QTL files. Visiting a maliciously
crafted website using Internet Explorer may lead to an unexpected
application termination or arbitrary code execution. This issue does
not affect Mac OS X systems. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue does not affect Mac OS X v10.7 systems. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue does not affect Mac OS X v10.7 systems. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue does not affect Mac OS X v10.7 systems. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue does not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime 7.7 may be obtained from the Software Update
application, or from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/
For Mac OS X v10.5.8
The download file is named: "QuickTime77Leopard.dmg"
Its SHA-1 digest is: 0deb99cc44015af7c396750d2c9dd4cbd59fb355
For Windows 7 / Vista / XP SP3
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: a99f61d67be6a6b42e11d17b0b4f25cd88b74dc9
QuickTime is incorporated into Mac OS X v10.6 and later.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
iQEcBAEBAgAGBQJOOZuHAAoJEGnF2JsdZQeeNWIH/A+KRxzYTBC5nCZQ6m/sRdU0
OrauYjVbXIj1LUgMS9+I0wW4Zg7xtGBEjYBnqiuNuajP5W2+Ts8mNe75ZlEFlNto
KFQI7NS/OsTrjCTR1m1sF2zvsyMKDOjviIy90+PDGKejC8c3Zu/Y8GSdZ++I4aEf
J2g7BqhBDW/RFOemPGrcvr/iwu3twdkiAHeLXFCcecNCKjSUfoxXDuPd/Ege/kS7
95wsNkLjypSEuLpcmjATSXp5X58nzbUCsrQ2doPzLy1/8oWiG9XsiZznmcYlLhHg
trYm+KIMdqBOQWI3uhG+3dG6l2xkJxdYNxHRHXFh78QH0NblHg9u3PmhELUBeXU=
=H+iO
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45054/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
3) An unspecified error in the handling of embedded TrueType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
4) An error within Certificate Trust Policy when handling an Extended
Validation (EV) certificate with no OCSP URL can be exploited to
disclose certain sensitive information via Man-in-the-Middle (MitM)
attacks.
5) An integer overflow error when processing ColorSync profiles
embedded in images can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code via a specially
crafted image.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO within the handling of TIFF files can be
exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be
exploited to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when
handling certain uppercase strings can be exploited to cause a buffer
overflow.
12) A NULL pointer dereference error within the kernel when handling
IPV6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases. This can be exploited to disclose a user's MobileMe email
aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused due to a vulnerable bundled
version of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused due to a vulnerable bundled
version of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused due to a vulnerable bundled version of
GNU patch.
For more information:
SA43677
19) An unspecified error in QuickLook within the processing of
Microsoft Office files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
25) Some vulnerabilities are caused due to a vulnerable bundled
version of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused due to a vulnerable bundled version of
subversion.
For more information:
SA43603
SOLUTION:
Update to version 10.6.8 or apply Security Update 2011-004.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19)Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201106-0154 | CVE-2011-0203 | Apple Mac OS X of FTP Server Absolute path traversal vulnerability in components |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Absolute path traversal vulnerability in xftpd in the FTP Server component in Apple Mac OS X before 10.6.8 allows remote attackers to list arbitrary directories by using the root directory as the starting point of a recursive listing.
An attacker can exploit this issue to list files from directories outside of the FTP root directory. Successful exploits may lead to other attacks.
This issue affects Apple Mac OS X server 10.6 through 10.6.7.
NOTE: This issue was previously covered in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities ) but has been assigned its own record to better document it. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45054/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
3) An unspecified error in the handling of embedded TrueType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
4) An error within Certificate Trust Policy when handling an Extended
Validation (EV) certificate with no OCSP URL can be exploited to
disclose certain sensitive information via Man-in-the-Middle (MitM)
attacks.
5) An integer overflow error when processing ColorSync profiles
embedded in images can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code via a specially
crafted image.
6) An off-by-one error within the CoreFoundation framework when
handling CFStrings can be exploited to execute arbitrary code.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO within the handling of TIFF files can be
exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be
exploited to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when
handling certain uppercase strings can be exploited to cause a buffer
overflow.
12) A NULL pointer dereference error within the kernel when handling
IPV6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases. This can be exploited to disclose a user's MobileMe email
aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused due to a vulnerable bundled
version of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused due to a vulnerable bundled
version of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused due to a vulnerable bundled version of
GNU patch.
For more information:
SA43677
19) An unspecified error in QuickLook within the processing of
Microsoft Office files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
20) An integer overflow error in QuickTime when handling RIFF WAV
files can be exploited to execute arbitrary code.
21) An error within QuickTime when processing sample tables in
QuickTime movie files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
22) An integer overflow error in QuickTime when handling certain
movie files can be exploited to execute arbitrary code.
23) An error in QuickTime when handling PICT image files can be
exploited to cause a buffer overflow and execute arbitrary code.
24) An error in QuickTime when handling JPEG image files can be
exploited to cause a buffer overflow and execute arbitrary code.
25) Some vulnerabilities are caused due to a vulnerable bundled
version of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused due to a vulnerable bundled version of
subversion.
For more information:
SA43603
SOLUTION:
Update to version 10.6.8 or apply Security Update 2011-004.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19)Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201106-0150 | CVE-2011-0199 | Apple Mac OS X of  Certificate Trust Policy in the component  SSL Vulnerability to forge servers |
CVSS V2: 5.8 CVSS V3: 5.9 Severity: MEDIUM |
The Certificate Trust Policy component in Apple Mac OS X before 10.6.8 does not perform CRL checking for Extended Validation (EV) certificates that lack OCSP URLs, which might allow man-in-the-middle attackers to spoof an SSL server via a revoked certificate.
An attacker can exploit this issue to bypass security restrictions and use a revoked certificate. This may allow attackers to gain access to sensitive information or perform other attacks.
NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45054/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
3) An unspecified error in the handling of embedded TrueType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
5) An integer overflow error when processing ColorSync profiles
embedded in images can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code via a specially
crafted image.
6) An off-by-one error within the CoreFoundation framework when
handling CFStrings can be exploited to execute arbitrary code.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO within the handling of TIFF files can be
exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be
exploited to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when
handling certain uppercase strings can be exploited to cause a buffer
overflow.
12) A NULL pointer dereference error within the kernel when handling
IPV6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases. This can be exploited to disclose a user's MobileMe email
aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused due to a vulnerable bundled
version of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused due to a vulnerable bundled
version of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused due to a vulnerable bundled version of
GNU patch.
For more information:
SA43677
19) An unspecified error in QuickLook within the processing of
Microsoft Office files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
20) An integer overflow error in QuickTime when handling RIFF WAV
files can be exploited to execute arbitrary code.
21) An error within QuickTime when processing sample tables in
QuickTime movie files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
22) An integer overflow error in QuickTime when handling certain
movie files can be exploited to execute arbitrary code.
23) An error in QuickTime when handling PICT image files can be
exploited to cause a buffer overflow and execute arbitrary code.
24) An error in QuickTime when handling JPEG image files can be
exploited to cause a buffer overflow and execute arbitrary code.
25) Some vulnerabilities are caused due to a vulnerable bundled
version of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused due to a vulnerable bundled version of
subversion.
For more information:
SA43603
SOLUTION:
Update to version 10.6.8 or apply Security Update 2011-004.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19)Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201106-0149 | CVE-2011-0198 | Apple Mac OS X of Apple Type Services Heap-based buffer overflow vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code via a crafted embedded TrueType font. Apple Mac OS X is prone to a heap buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
This issue affects Mac OS X 10.6 through 10.6.7 and Mac OS X Server 10.6 through 10.6.7.
NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45054/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
4) An error within Certificate Trust Policy when handling an Extended
Validation (EV) certificate with no OCSP URL can be exploited to
disclose certain sensitive information via Man-in-the-Middle (MitM)
attacks.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO within the handling of TIFF files can be
exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be
exploited to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when
handling certain uppercase strings can be exploited to cause a buffer
overflow.
12) A NULL pointer dereference error within the kernel when handling
IPV6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases. This can be exploited to disclose a user's MobileMe email
aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused due to a vulnerable bundled
version of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused due to a vulnerable bundled
version of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused due to a vulnerable bundled version of
GNU patch.
For more information:
SA43677
19) An unspecified error in QuickLook within the processing of
Microsoft Office files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
20) An integer overflow error in QuickTime when handling RIFF WAV
files can be exploited to execute arbitrary code.
21) An error within QuickTime when processing sample tables in
QuickTime movie files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
22) An integer overflow error in QuickTime when handling certain
movie files can be exploited to execute arbitrary code.
23) An error in QuickTime when handling PICT image files can be
exploited to cause a buffer overflow and execute arbitrary code.
24) An error in QuickTime when handling JPEG image files can be
exploited to cause a buffer overflow and execute arbitrary code.
25) Some vulnerabilities are caused due to a vulnerable bundled
version of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused due to a vulnerable bundled version of
subversion.
For more information:
SA43603
SOLUTION:
Update to version 10.6.8 or apply Security Update 2011-004.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19)Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201106-0148 | CVE-2011-0197 | Apple Mac OS X of App Store Vulnerability in which important information is obtained |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
App Store in Apple Mac OS X before 10.6.8 creates a log entry containing a user's AppleID password, which might allow local users to obtain sensitive information by reading a log file, as demonstrated by a log file that has non-default permissions. Apple Mac OS X is prone to an information-disclosure vulnerability.
A local attacker may be able to exploit this issue to retrieve potentially sensitive information. Information obtained may aid in further attacks.
NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45054/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
3) An unspecified error in the handling of embedded TrueType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
4) An error within Certificate Trust Policy when handling an Extended
Validation (EV) certificate with no OCSP URL can be exploited to
disclose certain sensitive information via Man-in-the-Middle (MitM)
attacks.
5) An integer overflow error when processing ColorSync profiles
embedded in images can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code via a specially
crafted image.
6) An off-by-one error within the CoreFoundation framework when
handling CFStrings can be exploited to execute arbitrary code.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO within the handling of TIFF files can be
exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be
exploited to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when
handling certain uppercase strings can be exploited to cause a buffer
overflow.
12) A NULL pointer dereference error within the kernel when handling
IPV6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases. This can be exploited to disclose a user's MobileMe email
aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused due to a vulnerable bundled
version of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused due to a vulnerable bundled
version of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused due to a vulnerable bundled version of
GNU patch.
For more information:
SA43677
19) An unspecified error in QuickLook within the processing of
Microsoft Office files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
20) An integer overflow error in QuickTime when handling RIFF WAV
files can be exploited to execute arbitrary code.
21) An error within QuickTime when processing sample tables in
QuickTime movie files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
22) An integer overflow error in QuickTime when handling certain
movie files can be exploited to execute arbitrary code.
23) An error in QuickTime when handling PICT image files can be
exploited to cause a buffer overflow and execute arbitrary code.
24) An error in QuickTime when handling JPEG image files can be
exploited to cause a buffer overflow and execute arbitrary code.
25) Some vulnerabilities are caused due to a vulnerable bundled
version of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused due to a vulnerable bundled version of
subversion.
For more information:
SA43603
SOLUTION:
Update to version 10.6.8 or apply Security Update 2011-004.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19)Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201106-0147 | CVE-2011-0196 | Apple Mac OS X of AirPort Service disruption in (out-of-bounds read And reboot ) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
AirPort in Apple Mac OS X 10.5.8 allows remote attackers to cause a denial of service (out-of-bounds read and reboot) via Wi-Fi frames on the local wireless network. Apple Mac OS X is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to cause the system to reset, denying service to legitimate users.
The following versions are affected:
Mac OS X 10.5.8
Mac OS X Server 10.5.8
NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45054/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
3) An unspecified error in the handling of embedded TrueType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
4) An error within Certificate Trust Policy when handling an Extended
Validation (EV) certificate with no OCSP URL can be exploited to
disclose certain sensitive information via Man-in-the-Middle (MitM)
attacks.
5) An integer overflow error when processing ColorSync profiles
embedded in images can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code via a specially
crafted image.
6) An off-by-one error within the CoreFoundation framework when
handling CFStrings can be exploited to execute arbitrary code.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO within the handling of TIFF files can be
exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be
exploited to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when
handling certain uppercase strings can be exploited to cause a buffer
overflow.
12) A NULL pointer dereference error within the kernel when handling
IPV6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases. This can be exploited to disclose a user's MobileMe email
aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused due to a vulnerable bundled
version of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused due to a vulnerable bundled
version of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused due to a vulnerable bundled version of
GNU patch.
For more information:
SA43677
19) An unspecified error in QuickLook within the processing of
Microsoft Office files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
20) An integer overflow error in QuickTime when handling RIFF WAV
files can be exploited to execute arbitrary code.
21) An error within QuickTime when processing sample tables in
QuickTime movie files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
22) An integer overflow error in QuickTime when handling certain
movie files can be exploited to execute arbitrary code.
23) An error in QuickTime when handling PICT image files can be
exploited to cause a buffer overflow and execute arbitrary code.
24) An error in QuickTime when handling JPEG image files can be
exploited to cause a buffer overflow and execute arbitrary code.
25) Some vulnerabilities are caused due to a vulnerable bundled
version of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused due to a vulnerable bundled version of
subversion.
For more information:
SA43603
SOLUTION:
Update to version 10.6.8 or apply Security Update 2011-004.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19)Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201106-0159 | CVE-2011-0208 | Apple Mac OS X of QuickLook Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
QuickLook in Apple Mac OS X 10.6 before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Microsoft Office document. Apple Mac OS X is prone to a memory-corruption vulnerability when handling Microsoft Office files.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45054/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
3) An unspecified error in the handling of embedded TrueType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
4) An error within Certificate Trust Policy when handling an Extended
Validation (EV) certificate with no OCSP URL can be exploited to
disclose certain sensitive information via Man-in-the-Middle (MitM)
attacks.
5) An integer overflow error when processing ColorSync profiles
embedded in images can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code via a specially
crafted image.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO within the handling of TIFF files can be
exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be
exploited to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when
handling certain uppercase strings can be exploited to cause a buffer
overflow.
12) A NULL pointer dereference error within the kernel when handling
IPV6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases. This can be exploited to disclose a user's MobileMe email
aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused due to a vulnerable bundled
version of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused due to a vulnerable bundled
version of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused due to a vulnerable bundled version of
GNU patch.
20) An integer overflow error in QuickTime when handling RIFF WAV
files can be exploited to execute arbitrary code.
21) An error within QuickTime when processing sample tables in
QuickTime movie files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
22) An integer overflow error in QuickTime when handling certain
movie files can be exploited to execute arbitrary code.
23) An error in QuickTime when handling PICT image files can be
exploited to cause a buffer overflow and execute arbitrary code.
24) An error in QuickTime when handling JPEG image files can be
exploited to cause a buffer overflow and execute arbitrary code.
25) Some vulnerabilities are caused due to a vulnerable bundled
version of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused due to a vulnerable bundled version of
subversion.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19)Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-10-12-1 iOS 5 Software Update
iOS 5 Software Update is now available and addresses the following:
CalDAV
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information from a CalDAV
calendar server
Description: CalDAV did not check that the SSL certificate presented
by the server was trusted.
CVE-ID
CVE-2011-3253 : Leszek Tasiemski of nSense
Calendar
Available for: iOS 4.2.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 4.2.0 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 4.2.0 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted calendar invitation may inject
script in the local domain
Description: A script injection issue existed in Calendar's handling
of invitation notes. This issue is addressed through improved
escaping of special characters in invitation notes. This issues does
not affect devices prior to iOS 4.2.0.
CVE-ID
CVE-2011-3254 : Rick Deacon
CFNetwork
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: User's AppleID password may be logged to a local file
Description: A user's AppleID password and username were logged to a
file that was readable by applications on the system. This is
resolved by no longer logging these credentials.
CVE-ID
CVE-2011-3255 : Peter Quade of qdevelop
CFNetwork
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of HTTP
cookies. When accessing a maliciously crafted HTTP or HTTPS URL,
CFNetwork could incorrectly send the cookies for a domain to a server
outside that domain.
CVE-ID
CVE-2011-3246 : Erling Ellingsen of Facebook
CoreFoundation
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted website or e-mail message may
lead to an unexpected application termination or arbitrary code
execution
Description: A memory corruption issue existed in CoreFoundation's
handling of string tokenization.
CVE-ID
CVE-2011-0259 : Apple
CoreGraphics
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a document containing a maliciously crafted font may
lead to arbitrary code execution
Description: Multiple memory corruption existed in freetype, the
most serious of which may lead to arbitrary code execution when
processing a maliciously crafted font.
CVE-ID
CVE-2011-3256 : Apple
CoreMedia
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to the
disclosure of video data from another site
Description: A cross-origin issue existed in CoreMedia's handling of
cross-site redirects. This issue is addressed through improved origin
tracking.
CVE-ID
CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability
Research (MSVR)
Data Access
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An exchange mail cookie management issue could incorrectly
cause data synchronization across different accounts
Description: When multiple mail exchange accounts are configured
which connect to the same server, a session could potentially receive
a valid cookie corresponding to a different account. This issue is
addressed by ensuring that cookies are separated across different
accounts.
CVE-ID
CVE-2011-3257 : Bob Sielken of IBM
Data Security
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: Fraudulent certificates were issued by multiple
certificate authorities operated by DigiNotar. This issue is
addressed by removing DigiNotar from the list of trusted root
certificates, from the list of Extended Validation (EV) certificate
authorities, and by configuring default system trust settings so that
DigiNotar's certificates, including those issued by other
authorities, are not trusted.
Data Security
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Support for X.509 certificates with MD5 hashes may expose
users to spoofing and information disclosure as attacks improve
Description: Certificates signed using the MD5 hash algorithm were
accepted by iOS. This algorithm has known cryptographic weaknesses.
Further research or a misconfigured certificate authority could have
allowed the creation of X.509 certificates with attacker controlled
values that would have been trusted by the system. This would have
exposed X.509 based protocols to spoofing, man in the middle attacks,
and information disclosure. This update disables support for an X.509
certificate with an MD5 hash for any use other than as a trusted root
certificate.
CVE-ID
CVE-2011-3427
Data Security
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker could decrypt part of a SSL connection
Description: Only the SSLv3 and TLS 1.0 versions of SSL were
supported. These versions are subject to a protocol weakness when
using block ciphers. A man-in-the-middle attacker could have injected
invalid data, causing the connection to close but revealing some
information about the previous data. If the same connection was
attempted repeatedly the attacker may eventually have been able to
decrypt the data being sent, such as a password. This issue is
addressed by adding support for TLS 1.2.
CVE-ID
CVE-2011-3389
Home screen
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Switching between applications may lead to the disclosure of
sensitive application information
Description: When switching between applications with the four-
finger app switching gesture, the display could have revealed the
previous application state. This issue is addressed by ensuring that
the system properly calls the applicationWillResignActive: method
when transitioning between applications.
CVE-ID
CVE-2011-3431 : Abe White of Hedonic Software Inc.
ImageIO
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted TIFF image may result in an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libTIFF's handling of
CCITT Group 4 encoded TIFF images.
CVE-ID
CVE-2011-0192 : Apple
ImageIO
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF images.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies
International Components for Unicode
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A buffer overflow issue existed in ICU's generation of
collation keys for long strings of mostly uppercase letters.
CVE-ID
CVE-2011-0206 : David Bienvenu of Mozilla
Kernel
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A remote attacker may cause a device reset
Description: The kernel failed to promptly reclaim memory from
incomplete TCP connections. An attacker with the ability to connect
to a listening service on an iOS device could exhaust system
resources.
CVE-ID
CVE-2011-3259 : Wouter van der Veer of Topicus I&I, and Josh Enders
Kernel
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A local user may be able to cause a system reset
Description: A null dereference issue existed in the handling of
IPV6 socket options.
CVE-ID
CVE-2011-1132 : Thomas Clement of Intego
Keyboards
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A user may be able to determine information about the last
character of a password
Description: The keyboard used to type the last character of a
password was briefly displayed the next time the keyboard was used.
CVE-ID
CVE-2011-3245 : Paul Mousdicas
libxml
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A one-byte heap buffer overflow existed in libxml's
handling of XML data.
CVE-ID
CVE-2011-0216 : Billy Rios of the Google Security Team
OfficeImport
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted Word file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in OfficeImport's handling of
Microsoft Word documents.
CVE-ID
CVE-2011-3260 : Tobias Klein working with Verisign iDefense Labs
OfficeImport
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted Excel file may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in OfficeImport's handling
of Excel files.
CVE-ID
CVE-2011-3261 : Tobias Klein of www.trapkit.de
OfficeImport
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Downloading a maliciously crafted Microsoft Office file may
lead to an unexpected application termination or arbitrary code
execution
Description: A memory corruption issue existed in OfficeImport's
handling of Microsoft Office files.
CVE-ID
CVE-2011-0208 : Tobias Klein working with iDefense VCP
OfficeImport
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Downloading a maliciously crafted Excel file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in OfficeImport's
handling of Excel files.
CVE-ID
CVE-2011-0184 : Tobias Klein working with iDefense VCP
Safari
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Opening maliciously crafted files on certain websites may
lead to a cross-site scripting attack
Description: iOS did not support the 'attachment' value for the HTTP
Content-Disposition header. This header is used by many websites to
serve files that were uploaded to the site by a third-party, such as
attachments in web-based e-mail applications. Any script in files
served with this header value would run as if the file had been
served inline, with full access to other resources on the origin
server. This issue is addressed by loading attachments in an isolated
security origin with no access to resources on other sites.
CVE-ID
CVE-2011-3426 : Christian Matthies working with iDefense VCP,
Yoshinori Oota from Business Architects Inc working with JP/CERT
Settings
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker with physical access to a device may be able to
recover the restrictions passcode
Description: The parental restrictions functionality enforces UI
restrictions. Configuring parental restrictions is protected by a
passcode, which was previously stored in plaintext on disk. This
issue is addressed by securely storing the parental restrictions
passcode in the system keychain.
CVE-ID
CVE-2011-3429 : an anonymous reporter
Settings
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Misleading UI
Description: Configurations and settings applied via configuration
profiles did not appear to function properly under any non-English
language. Settings could be improperly displayed as a result. This
issue is addressed by fixing a localization error.
CVE-ID
CVE-2011-3430 : Florian Kreitmaier of Siemens CERT
UIKit Alerts
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a malicious website may cause an unexpected device
hang
Description: An excessive maximum text layout length permitted
malicious websites to cause iOS to hang when drawing acceptance
dialogs for very long tel: URIs. This issue is addressed by using a
more reasonable maximum URI size.
CVE-ID
CVE-2011-3432 : Simon Young of Anglia Ruskin University
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
CVE-ID
CVE-2011-0218 : SkyLined of Google Chrome Security Team
CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS
Research Team, and Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative
CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0234 : Rob King working with TippingPoint's Zero Day
Initiative, wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0238 : Adam Barth of Google Chrome Security Team
CVE-2011-0254 : An anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0255 : An anonymous reporter working with TippingPoint's
Zero Day Initiative
CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc
CVE-2011-0983 : Martin Barbella
CVE-2011-1109 : Sergey Glazunov
CVE-2011-1114 : Martin Barbella
CVE-2011-1115 : Martin Barbella
CVE-2011-1117 : wushi of team509
CVE-2011-1121 : miaubiz
CVE-2011-1188 : Martin Barbella
CVE-2011-1203 : Sergey Glazunov
CVE-2011-1204 : Sergey Glazunov
CVE-2011-1288 : Andreas Kling of Nokia
CVE-2011-1293 : Sergey Glazunov
CVE-2011-1296 : Sergey Glazunov
CVE-2011-1449 : Marek Majkowski
CVE-2011-1451 : Sergey Glazunov
CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-1457 : John Knottenbelt of Google
CVE-2011-1462 : wushi of team509
CVE-2011-1797 : wushi of team509
CVE-2011-2338 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2339 : Cris Neckar of the Google Chrome Security Team
CVE-2011-2341 : Apple
CVE-2011-2351 : miaubiz
CVE-2011-2352 : Apple
CVE-2011-2354 : Apple
CVE-2011-2356 : Adam Barth and Abhishek Arya of Google Chrome
Security Team using AddressSanitizer
CVE-2011-2359 : miaubiz
CVE-2011-2788 : Mikolaj Malecki of Samsung
CVE-2011-2790 : miaubiz
CVE-2011-2792 : miaubiz
CVE-2011-2797 : miaubiz
CVE-2011-2799 : miaubiz
CVE-2011-2809 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-2813 : Cris Neckar of Google Chrome Security Team using
AddressSanitizer
CVE-2011-2814 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2816 : Apple
CVE-2011-2817 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2818 : Martin Barbella
CVE-2011-2820 : Raman Tenneti and Philip Rogers of Google
CVE-2011-2823 : SkyLined of Google Chrome Security Team
CVE-2011-2827 : miaubiz
CVE-2011-2831 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3232 : Aki Helin of OUSPG
CVE-2011-3234 : miaubiz
CVE-2011-3235 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3236 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3237 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3244 : vkouchna
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of URLs
with an embedded username. This issue is addressed through improved
handling of URLs with an embedded username.
CVE-ID
CVE-2011-0242 : Jobert Abma of Online24
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of DOM
nodes.
CVE-ID
CVE-2011-1295 : Sergey Glazunov
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A maliciously crafted website may be able to cause a
different URL to be shown in the address bar
Description: A URL spoofing issue existed in the handling of the DOM
history object.
CVE-ID
CVE-2011-1107 : Jordi Chancel
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A configuration issue existed in WebKit's use of
libxslt. Visiting a maliciously crafted website may lead to arbitrary
files being created with the privileges of the user, which may lead
to arbitrary code execution. This issue is addressed through improved
libxslt security settings.
CVE-ID
CVE-2011-1774 : Nicolas Gregoire of Agarri
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a malicious website and dragging content in the
page may lead to an information disclosure
Description: A cross-origin issue existed in WebKit's handling of
HTML5 drag and drop. This issue is addressed by disallowing drag and
drop across different origins.
CVE-ID
CVE-2011-0166 : Michal Zalewski of Google Inc.
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to an
information disclosure
Description: A cross-origin issue existed in the handling of Web
Workers.
CVE-ID
CVE-2011-1190 : Daniel Divricean of divricean.ro
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of the
window.open method.
CVE-ID
CVE-2011-2805 : Sergey Glazunov
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of
inactive DOM windows.
CVE-ID
CVE-2011-3243 : Sergey Glazunov
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of the
document.documentURI property.
CVE-ID
CVE-2011-2819 : Sergey Glazunov
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A maliciously crafted website may be able to track the URLs
that a user visits within a frame
Description: A cross-origin issue existed in the handling of the
beforeload event.
CVE-ID
CVE-2011-2800 : Juho Nurminen
WiFi
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: WiFi credentials may be logged to a local file
Description: WiFi credentials including the passphrase and
encryption keys were logged to a file that was readable by
applications on the system. This is resolved by no longer logging
these credentials.
CVE-ID
CVE-2011-3434 : Laurent OUDOT of TEHTRI Security
Installation note:
This update is only available through iTunes, and will not appear
in your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an Internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/
iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone, iPod touch or iPad is docked, iTunes will present the
user with the option to install the update. We recommend applying
the update immediately if possible. Selecting Don't Install will
present the option the next time you connect your iPhone, iPod touch,
or iPad.
The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the Check for Updates button within iTunes. After doing
this, the update can be applied when your iPhone, iPod touch, or iPad
is docked to your computer.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
"5 (9A334)".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJOldmtAAoJEGnF2JsdZQee/qMIAIPxmIiOqj+FMLFHZtPeC/Dp
3s4JliKOOgNnjXkxErfaNvYGmeVbDaUER5jdVrWccTauzlYmy8G4uK0An2GD2YiP
gB5AiCQXpONdBCi38QNdRqrYoYjc8Sa0nUp4r5uWPoiHoj5KfxvBpgygEL+zjHXS
fmnrONOCWhOYp0w4q6mdTg5BH2uJCbXscD/JjbmgHQI0Vs/iUZKSRyqFo2b0Mvze
NiSyzcj/4l62Cxx7xM9VbdrYL7Al2yyHfNYJQsZmoeDUlJQcdgEgEMXvOuhY3sFK
maxYr2oCp6Mtf53fplAeJIV4ijLynEWAKxTuTznAyW1k7oiGrDTfORSFKPEB9MQ=
=LCQZ
-----END PGP SIGNATURE-----
VAR-201106-0160 | CVE-2011-0209 | Apple Mac OS X of QuickTime Integer overflow vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Integer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted RIFF WAV file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within how the application parses a specially formatted RIFF WAV file. When parsing a fmt chunk within the file, the application will use a 32-bit field to calculate the size of a buffer to allocate. Before the allocation, the application will add 0x14 bytes to the result. Due to restrictions imposed on the implementation of this component by the language and it's platform, an integer overflow can be made to occur. This can lead to code execution under the context of the application. Apple Mac OS X is prone to an integer-overflow vulnerability that occurs in QuickTime. Failed exploit attempts will likely result in denial-of-service conditions.
The following versions are affected:
Mac OS X 10.6 through v10.6.7
Mac OS X Server 10.6 through v10.6.7
NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. ZDI-11-229: Apple QuickTime RIFF fmt Chunk Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-229
June 29, 2011
-- CVE ID:
CVE-2011-0209
-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11430.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT4723
-- Disclosure Timeline:
2011-04-11 - Vulnerability reported to vendor
2011-06-29 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Luigi Auriemma
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
CVE-ID
CVE-2011-0245 : Subreption LLC working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted JPEG2000 image with QuickTime
may lead to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in
QuickTime's handling of JPEG2000 images.
CVE-ID
CVE-2011-0186 : Will Dormann of the CERT/CC
QuickTime
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of video data from another site
Description: A cross-origin issue existed in QuickTime plug-in's
handling of cross-site redirects. Visiting a maliciously crafted
website may lead to the disclosure of video data from another site.
This issue is addressed by preventing QuickTime from following cross-
site redirects.
CVE-ID
CVE-2011-0213 : Luigi Auriemma working with iDefense VCP
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted GIF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in QuickTime's handling
of GIF images.
CVE-ID
CVE-2011-0246 : an anonymous contributor working with Beyond
Security's SecuriTeam Secure Disclosure program
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted H.264 movie file may lead to
an unexpected application termination or arbitrary code execution
Description: Multiple stack buffer overflows existed in the handling
of H.264 encoded movie files.
CVE-ID
CVE-2011-0247 : Roi Mallo and Sherab Giovannini working with
TippingPoint's Zero Day Initiative
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website using Internet
Explorer may lead to an unexpected application termination or
arbitrary code execution
Description: A stack buffer overflow existed in the QuickTime
ActiveX control's handling of QTL files. Visiting a maliciously
crafted website using Internet Explorer may lead to an unexpected
application termination or arbitrary code execution.
CVE-ID
CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime 7.7 may be obtained from the Software Update
application, or from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/
For Mac OS X v10.5.8
The download file is named: "QuickTime77Leopard.dmg"
Its SHA-1 digest is: 0deb99cc44015af7c396750d2c9dd4cbd59fb355
For Windows 7 / Vista / XP SP3
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: a99f61d67be6a6b42e11d17b0b4f25cd88b74dc9
QuickTime is incorporated into Mac OS X v10.6 and later.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
iQEcBAEBAgAGBQJOOZuHAAoJEGnF2JsdZQeeNWIH/A+KRxzYTBC5nCZQ6m/sRdU0
OrauYjVbXIj1LUgMS9+I0wW4Zg7xtGBEjYBnqiuNuajP5W2+Ts8mNe75ZlEFlNto
KFQI7NS/OsTrjCTR1m1sF2zvsyMKDOjviIy90+PDGKejC8c3Zu/Y8GSdZ++I4aEf
J2g7BqhBDW/RFOemPGrcvr/iwu3twdkiAHeLXFCcecNCKjSUfoxXDuPd/Ege/kS7
95wsNkLjypSEuLpcmjATSXp5X58nzbUCsrQ2doPzLy1/8oWiG9XsiZznmcYlLhHg
trYm+KIMdqBOQWI3uhG+3dG6l2xkJxdYNxHRHXFh78QH0NblHg9u3PmhELUBeXU=
=H+iO
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45054/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
3) An unspecified error in the handling of embedded TrueType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
4) An error within Certificate Trust Policy when handling an Extended
Validation (EV) certificate with no OCSP URL can be exploited to
disclose certain sensitive information via Man-in-the-Middle (MitM)
attacks.
5) An integer overflow error when processing ColorSync profiles
embedded in images can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code via a specially
crafted image.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO within the handling of TIFF files can be
exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be
exploited to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when
handling certain uppercase strings can be exploited to cause a buffer
overflow.
12) A NULL pointer dereference error within the kernel when handling
IPV6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases. This can be exploited to disclose a user's MobileMe email
aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused due to a vulnerable bundled
version of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused due to a vulnerable bundled
version of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused due to a vulnerable bundled version of
GNU patch.
For more information:
SA43677
19) An unspecified error in QuickLook within the processing of
Microsoft Office files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
25) Some vulnerabilities are caused due to a vulnerable bundled
version of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused due to a vulnerable bundled version of
subversion.
For more information:
SA43603
SOLUTION:
Update to version 10.6.8 or apply Security Update 2011-004.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19)Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201106-0153 | CVE-2011-0202 | Apple Mac OS X of CoreGraphics Integer overflow vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Integer overflow in CoreGraphics in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted embedded Type 1 font in a PDF document. Apple Mac OS X is prone to an integer-overflow vulnerability that occurs in the CoreGraphics component.
Successful exploits may allow attackers to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
The following versions are affected:
Mac OS X 10.5.8
Mac OS X Server 10.5.8
Mac OS X 10.6 through v10.6.7
Mac OS X Server 10.6 through v10.6.7
NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-07-20-1 Safari 5.1 and Safari 5.0.6
Safari 5.1 and Safari 5.0.6 are now available and address the
following:
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: In certain situations, Safari may treat a file as HTML,
even if it is served with the 'text/plain' content type. This may
lead to a cross-site scripting attack on sites that allow untrusted
users to post text files. This issue is addressed through improved
handling of 'text/plain' content.
CVE-ID
CVE-2010-1420 : Hidetake Jo working with Microsoft Vulnerability
Research (MSVR), Neal Poole of Matasano Security
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: Authenticating to a maliciously crafted website may lead to
arbitrary code execution
Description: The NTLM authentication protocol is susceptible to a
replay attack referred to as credential reflection. Authenticating to
a maliciously crafted website may lead to arbitrary code execution.
To mitigate this issue, Safari has been updated to utilize protection
mechanisms recently added to Windows.
CVE-ID
CVE-2010-1383 : Takehiro Takahashi of IBM X-Force Research
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: A root certificate that is disabled may still be trusted
Description: CFNetwork did not properly validate that a certificate
was trusted for use by a SSL server. As a result, if the user had
marked a system root certificate as not trusted, Safari would still
accept certificates signed by that root. This issue is addressed
through improved certificate validation.
CVE-ID
CVE-2011-0214 : An anonymous reporter
ColorSync
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution
Description: An integer overflow existed in the handling of images
with an embedded ColorSync profile, which may lead to a heap buffer
overflow. Opening a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution.
CVE-ID
CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day
Initiative
CoreFoundation
Available for: Windows 7, Vista, XP SP2 or later
Impact: Applications that use the CoreFoundation framework may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: An off-by-one buffer overflow issue existed in the
handling of CFStrings. Viewing or downloading a document containing a
maliciously crafted embedded font may lead to arbitrary code
execution.
CVE-ID
CVE-2011-0202 : Cristian Draghici of Modulo Consulting, Felix Grobert
of the Google Security Team
International Components for Unicode
Available for: Windows 7, Vista, XP SP2 or later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A buffer overflow issue existed in ICU's handling of
uppercase strings.
CVE-ID
CVE-2011-0206 : David Bienvenu of Mozilla
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0204 : Dominic Chell of NGS Secure
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF
image may lead to an unexpected application termination or arbitrary
code execution.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A reentrancy issue existed in ImageIO's handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0215 : Juan Pablo Lopez Yacubian working with iDefense VCP
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0204 : Dominic Chell of NGS Secure
libxslt
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of addresses on the heap
Description: libxslt's implementation of the generate-id() XPath
function disclosed the address of a heap buffer. Visiting a
maliciously crafted website may lead to the disclosure of addresses
on the heap. This issue is addressed by generating an ID based on the
difference between the addresses of two heap buffers.
CVE-ID
CVE-2011-0195 : Chris Evans of the Google Chrome Security Team
libxml
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A one-byte heap buffer overflow existed in libxml's
handling of XML data.
CVE-ID
CVE-2011-0216 : Billy Rios of the Google Security Team
Safari
Available for: Mac OS X v10.6.8 or later,
Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later
Impact: If the "AutoFill web forms" feature is enabled, visiting a
maliciously crafted website and typing may lead to the disclosure of
information from the user's Address Book
Description: Safari's "AutoFill web forms" feature filled in non-
visible form fields, and the information was accessible by scripts on
the site before the user submitted the form. This issue is addressed
by displaying all fields that will be filled, and requiring the
user's consent before AutoFill information is available to the form. This applies when Java is enabled in Safari, and Java is
configured to run within the browser process. Fonts loaded by a Java
applet could affect the display of text content from other sites.
This issue is addressed by running Java applets in a separate
process.
CVE-ID
CVE-2010-1823 : David Weston of Microsoft and Microsoft Vulnerability
Research (MSVR), wushi of team509, and Yong Li of Research In Motion
Ltd
CVE-2011-0164 : Apple
CVE-2011-0218 : SkyLined of Google Chrome Security Team
CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS
Research Team, and Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0223 : Jose A. Vazquez of spa-s3c.blogspot.com working with
iDefense VCP
CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative
CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0234 : Rob King working with TippingPoint's Zero Day
Initiative, wushi of team509 working with TippingPoint's Zero Day
Initiative, wushi of team509 working with iDefense VCP
CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0237 : wushi of team509 working with iDefense VCP
CVE-2011-0238 : Adam Barth of Google Chrome Security Team
CVE-2011-0240 : wushi of team509 working with iDefense VCP
CVE-2011-0253 : Richard Keen
CVE-2011-0254 : An anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0255 : An anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc
CVE-2011-0983 : Martin Barbella
CVE-2011-1109 : Sergey Glazunov
CVE-2011-1114 : Martin Barbella
CVE-2011-1115 : Martin Barbella
CVE-2011-1117 : wushi of team509
CVE-2011-1121 : miaubiz
CVE-2011-1188 : Martin Barbella
CVE-2011-1203 : Sergey Glazunov
CVE-2011-1204 : Sergey Glazunov
CVE-2011-1288 : Andreas Kling of Nokia
CVE-2011-1293 : Sergey Glazunov
CVE-2011-1296 : Sergey Glazunov
CVE-2011-1449 : Marek Majkowski, wushi of team 509 working with
iDefense VCP
CVE-2011-1451 : Sergey Glazunov
CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-1457 : John Knottenbelt of Google
CVE-2011-1462 : wushi of team509
CVE-2011-1797 : wushi of team509
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A configuration issue existed in WebKit's use of
libxslt. Visiting a maliciously crafted website may lead to arbitrary
files being created with the privileges of the user, which may lead
to arbitrary code execution. This issue is addressed through improved
libxslt security settings. Visiting a maliciously crafted website may lead to an
information disclosure. Visiting a maliciously crafted website may
lead to a cross-site scripting attack. This issue is addressed
through improved handling of URLs with an embedded username. Visiting a maliciously crafted website may lead to a cross-
site scripting attack. A maliciously crafted website may have been able to
cause a different URL to be shown in the address bar. Subscribing to a maliciously crafted RSS feed and clicking on a
link within it may lead to arbitrary files being sent from the user's
system to a remote server. This update addresses the issue through
improved handling of URLs.
Applications that use WebKit, such a s mail clients, may connect to
an arbitrary DNS server upon processing HTML content. This update
addresses the issue by requiring applications to opt in to DNS
prefetching.
CVE-ID
CVE-2010-3829 : Mike Cardwell of Cardwell IT Ltd.
Safari 5.1 and Safari 5.0.6 address the same set of security
issues.
Safari 5.1 is available via the Apple Software Update
application, or Apple's Safari download site at:
http://www.apple.com/safari/download/
Safari 5.0.6 is available via the Apple Software Update
application, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Safari for Mac OS X v10.6.8 and later
The download file is named: Safari5.1SnowLeopard.dmg
Its SHA-1 digest is: 2c3cef8e06c5aa586379b1a5fd5cf7b54e8acc24
Safari for Mac OS X v10.5.8
The download file is named: Safari5.0.6Leopard.dmg
Its SHA-1 digest is: ea970375d2116a7b74094a2a7669bebc306b6e6f
Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: d00b791c694b1ecfc22d6a1ec9aa21cc14fd8e36
Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: ccb3bb6b06468a430171d9f62708a1a6d917f45b
Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 1273e0ee742a294d65e4f25a9b3e36f79fb517c9
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
iQEcBAEBAgAGBQJOJI45AAoJEGnF2JsdZQeezHQIALKZms5tzYgYxUSdxmo+DmYw
up9gAmEVcltZvCeVS1lUxfjqnRiGRSWyuou8Ynt9PfGQCz9GfLvzlrCHc5rsnKaD
MeYY1IH7lQc6aqmV0hwb4nUL5qJntP6G5Ai0E/0UiRQNC/ummS+qnmdsiFo78ODY
nKaB5cAWhqGHgOAPnUG0JwmxpYgR2HEtGYJSqlYykMwt1vnlAr5hHVNaUJcJ3Hlb
vesN6fB7zQMiJVo8+iJBixCvIYlbII5HnVAmD1ToyKgENg4Iguo46YBMVr8DPgF/
KD2s0+VF/O4utYVX0GiRGReVyq1PMvz/HI23ym8U3LjbezXD/AALQET0Q2hUEYQ=
=fOfF
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45054/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
4) An error within Certificate Trust Policy when handling an Extended
Validation (EV) certificate with no OCSP URL can be exploited to
disclose certain sensitive information via Man-in-the-Middle (MitM)
attacks.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO within the handling of TIFF files can be
exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be
exploited to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when
handling certain uppercase strings can be exploited to cause a buffer
overflow.
12) A NULL pointer dereference error within the kernel when handling
IPV6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases. This can be exploited to disclose a user's MobileMe email
aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused due to a vulnerable bundled
version of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused due to a vulnerable bundled
version of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused due to a vulnerable bundled version of
GNU patch.
For more information:
SA43677
19) An unspecified error in QuickLook within the processing of
Microsoft Office files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
20) An integer overflow error in QuickTime when handling RIFF WAV
files can be exploited to execute arbitrary code.
21) An error within QuickTime when processing sample tables in
QuickTime movie files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
22) An integer overflow error in QuickTime when handling certain
movie files can be exploited to execute arbitrary code.
23) An error in QuickTime when handling PICT image files can be
exploited to cause a buffer overflow and execute arbitrary code.
24) An error in QuickTime when handling JPEG image files can be
exploited to cause a buffer overflow and execute arbitrary code.
25) Some vulnerabilities are caused due to a vulnerable bundled
version of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused due to a vulnerable bundled version of
subversion.
For more information:
SA43603
SOLUTION:
Update to version 10.6.8 or apply Security Update 2011-004.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19)Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201106-0152 | CVE-2011-0201 | Apple Mac OS X of CoreFoundation One gap in the framework (off-by-one) Error vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Off-by-one error in the CoreFoundation framework in Apple Mac OS X before 10.6.8 allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a CFString object that triggers a buffer overflow. Apple Mac OS X is prone to an off-by-one buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
This issue affects Mac OS X 10.6 through 10.6.7 and Mac OS X Server 10.6 through 10.6.7.
NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-07-20-1 Safari 5.1 and Safari 5.0.6
Safari 5.1 and Safari 5.0.6 are now available and address the
following:
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: In certain situations, Safari may treat a file as HTML,
even if it is served with the 'text/plain' content type. This may
lead to a cross-site scripting attack on sites that allow untrusted
users to post text files. This issue is addressed through improved
handling of 'text/plain' content.
CVE-ID
CVE-2010-1420 : Hidetake Jo working with Microsoft Vulnerability
Research (MSVR), Neal Poole of Matasano Security
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: Authenticating to a maliciously crafted website may lead to
arbitrary code execution
Description: The NTLM authentication protocol is susceptible to a
replay attack referred to as credential reflection. Authenticating to
a maliciously crafted website may lead to arbitrary code execution.
To mitigate this issue, Safari has been updated to utilize protection
mechanisms recently added to Windows.
CVE-ID
CVE-2010-1383 : Takehiro Takahashi of IBM X-Force Research
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: A root certificate that is disabled may still be trusted
Description: CFNetwork did not properly validate that a certificate
was trusted for use by a SSL server. As a result, if the user had
marked a system root certificate as not trusted, Safari would still
accept certificates signed by that root. This issue is addressed
through improved certificate validation.
CVE-ID
CVE-2011-0214 : An anonymous reporter
ColorSync
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution
Description: An integer overflow existed in the handling of images
with an embedded ColorSync profile, which may lead to a heap buffer
overflow. Opening a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution.
CVE-ID
CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day
Initiative
CoreFoundation
Available for: Windows 7, Vista, XP SP2 or later
Impact: Applications that use the CoreFoundation framework may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: An off-by-one buffer overflow issue existed in the
handling of CFStrings.
CVE-ID
CVE-2011-0201 : Harry Sintonen
CoreGraphics
Available for: Windows 7, Vista, XP SP2 or later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in the handling of
Type 1 fonts. Viewing or downloading a document containing a
maliciously crafted embedded font may lead to arbitrary code
execution.
CVE-ID
CVE-2011-0202 : Cristian Draghici of Modulo Consulting, Felix Grobert
of the Google Security Team
International Components for Unicode
Available for: Windows 7, Vista, XP SP2 or later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A buffer overflow issue existed in ICU's handling of
uppercase strings.
CVE-ID
CVE-2011-0206 : David Bienvenu of Mozilla
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0204 : Dominic Chell of NGS Secure
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF
image may lead to an unexpected application termination or arbitrary
code execution.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A reentrancy issue existed in ImageIO's handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0215 : Juan Pablo Lopez Yacubian working with iDefense VCP
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0204 : Dominic Chell of NGS Secure
libxslt
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of addresses on the heap
Description: libxslt's implementation of the generate-id() XPath
function disclosed the address of a heap buffer. Visiting a
maliciously crafted website may lead to the disclosure of addresses
on the heap. This issue is addressed by generating an ID based on the
difference between the addresses of two heap buffers.
CVE-ID
CVE-2011-0195 : Chris Evans of the Google Chrome Security Team
libxml
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A one-byte heap buffer overflow existed in libxml's
handling of XML data.
CVE-ID
CVE-2011-0216 : Billy Rios of the Google Security Team
Safari
Available for: Mac OS X v10.6.8 or later,
Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later
Impact: If the "AutoFill web forms" feature is enabled, visiting a
maliciously crafted website and typing may lead to the disclosure of
information from the user's Address Book
Description: Safari's "AutoFill web forms" feature filled in non-
visible form fields, and the information was accessible by scripts on
the site before the user submitted the form. This issue is addressed
by displaying all fields that will be filled, and requiring the
user's consent before AutoFill information is available to the form.
CVE-ID
CVE-2011-0217 : Florian Rienhardt of BSI, Alex Lambert, [Jeremiah
Grossman]
Safari
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: With a certain Java configuration, visiting a malicious
website may lead to unexpected text being displayed on other sites
Description: A cross origin issue existed in the handling of Java
Applets. This applies when Java is enabled in Safari, and Java is
configured to run within the browser process. Fonts loaded by a Java
applet could affect the display of text content from other sites.
This issue is addressed by running Java applets in a separate
process.
CVE-ID
CVE-2011-0219 : Joshua Smith of Kaon Interactive
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
CVE-ID
CVE-2010-1823 : David Weston of Microsoft and Microsoft Vulnerability
Research (MSVR), wushi of team509, and Yong Li of Research In Motion
Ltd
CVE-2011-0164 : Apple
CVE-2011-0218 : SkyLined of Google Chrome Security Team
CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS
Research Team, and Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0223 : Jose A. Vazquez of spa-s3c.blogspot.com working with
iDefense VCP
CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative
CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0234 : Rob King working with TippingPoint's Zero Day
Initiative, wushi of team509 working with TippingPoint's Zero Day
Initiative, wushi of team509 working with iDefense VCP
CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0237 : wushi of team509 working with iDefense VCP
CVE-2011-0238 : Adam Barth of Google Chrome Security Team
CVE-2011-0240 : wushi of team509 working with iDefense VCP
CVE-2011-0253 : Richard Keen
CVE-2011-0254 : An anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0255 : An anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc
CVE-2011-0983 : Martin Barbella
CVE-2011-1109 : Sergey Glazunov
CVE-2011-1114 : Martin Barbella
CVE-2011-1115 : Martin Barbella
CVE-2011-1117 : wushi of team509
CVE-2011-1121 : miaubiz
CVE-2011-1188 : Martin Barbella
CVE-2011-1203 : Sergey Glazunov
CVE-2011-1204 : Sergey Glazunov
CVE-2011-1288 : Andreas Kling of Nokia
CVE-2011-1293 : Sergey Glazunov
CVE-2011-1296 : Sergey Glazunov
CVE-2011-1449 : Marek Majkowski, wushi of team 509 working with
iDefense VCP
CVE-2011-1451 : Sergey Glazunov
CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-1457 : John Knottenbelt of Google
CVE-2011-1462 : wushi of team509
CVE-2011-1797 : wushi of team509
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A configuration issue existed in WebKit's use of
libxslt. Visiting a maliciously crafted website may lead to arbitrary
files being created with the privileges of the user, which may lead
to arbitrary code execution. This issue is addressed through improved
libxslt security settings. Visiting a maliciously crafted website may lead to an
information disclosure. Visiting a maliciously crafted website may
lead to a cross-site scripting attack. This issue is addressed
through improved handling of URLs with an embedded username. Visiting a maliciously crafted website may lead to a cross-
site scripting attack.
CVE-ID
CVE-2011-1295 : Sergey Glazunov
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: A maliciously crafted website may be able to cause a
different URL to be shown in the address bar
Description: A URL spoofing issue existed in the handling of the DOM
history object. A maliciously crafted website may have been able to
cause a different URL to be shown in the address bar. Subscribing to a maliciously crafted RSS feed and clicking on a
link within it may lead to arbitrary files being sent from the user's
system to a remote server. This update addresses the issue through
improved handling of URLs.
Applications that use WebKit, such a s mail clients, may connect to
an arbitrary DNS server upon processing HTML content. This update
addresses the issue by requiring applications to opt in to DNS
prefetching.
CVE-ID
CVE-2010-3829 : Mike Cardwell of Cardwell IT Ltd.
Note: Safari 5.1 is included with OS X Lion.
Safari 5.1 and Safari 5.0.6 address the same set of security
issues.
Safari 5.1 is available via the Apple Software Update
application, or Apple's Safari download site at:
http://www.apple.com/safari/download/
Safari 5.0.6 is available via the Apple Software Update
application, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Safari for Mac OS X v10.6.8 and later
The download file is named: Safari5.1SnowLeopard.dmg
Its SHA-1 digest is: 2c3cef8e06c5aa586379b1a5fd5cf7b54e8acc24
Safari for Mac OS X v10.5.8
The download file is named: Safari5.0.6Leopard.dmg
Its SHA-1 digest is: ea970375d2116a7b74094a2a7669bebc306b6e6f
Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: d00b791c694b1ecfc22d6a1ec9aa21cc14fd8e36
Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: ccb3bb6b06468a430171d9f62708a1a6d917f45b
Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 1273e0ee742a294d65e4f25a9b3e36f79fb517c9
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
iQEcBAEBAgAGBQJOJI45AAoJEGnF2JsdZQeezHQIALKZms5tzYgYxUSdxmo+DmYw
up9gAmEVcltZvCeVS1lUxfjqnRiGRSWyuou8Ynt9PfGQCz9GfLvzlrCHc5rsnKaD
MeYY1IH7lQc6aqmV0hwb4nUL5qJntP6G5Ai0E/0UiRQNC/ummS+qnmdsiFo78ODY
nKaB5cAWhqGHgOAPnUG0JwmxpYgR2HEtGYJSqlYykMwt1vnlAr5hHVNaUJcJ3Hlb
vesN6fB7zQMiJVo8+iJBixCvIYlbII5HnVAmD1ToyKgENg4Iguo46YBMVr8DPgF/
KD2s0+VF/O4utYVX0GiRGReVyq1PMvz/HI23ym8U3LjbezXD/AALQET0Q2hUEYQ=
=fOfF
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45054/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
3) An unspecified error in the handling of embedded TrueType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
4) An error within Certificate Trust Policy when handling an Extended
Validation (EV) certificate with no OCSP URL can be exploited to
disclose certain sensitive information via Man-in-the-Middle (MitM)
attacks.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO within the handling of TIFF files can be
exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be
exploited to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when
handling certain uppercase strings can be exploited to cause a buffer
overflow.
12) A NULL pointer dereference error within the kernel when handling
IPV6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases. This can be exploited to disclose a user's MobileMe email
aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused due to a vulnerable bundled
version of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused due to a vulnerable bundled
version of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused due to a vulnerable bundled version of
GNU patch.
For more information:
SA43677
19) An unspecified error in QuickLook within the processing of
Microsoft Office files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
20) An integer overflow error in QuickTime when handling RIFF WAV
files can be exploited to execute arbitrary code.
21) An error within QuickTime when processing sample tables in
QuickTime movie files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
22) An integer overflow error in QuickTime when handling certain
movie files can be exploited to execute arbitrary code.
25) Some vulnerabilities are caused due to a vulnerable bundled
version of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused due to a vulnerable bundled version of
subversion.
For more information:
SA43603
SOLUTION:
Update to version 10.6.8 or apply Security Update 2011-004.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19)Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201106-0155 | CVE-2011-0204 | Apple Mac OS X of ImageIO Heap-based buffer overflow vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Heap-based buffer overflow in ImageIO in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF image. Apple Mac OS X is prone to a heap buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-07-20-1 Safari 5.1 and Safari 5.0.6
Safari 5.1 and Safari 5.0.6 are now available and address the
following:
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: In certain situations, Safari may treat a file as HTML,
even if it is served with the 'text/plain' content type. This may
lead to a cross-site scripting attack on sites that allow untrusted
users to post text files. This issue is addressed through improved
handling of 'text/plain' content.
CVE-ID
CVE-2010-1420 : Hidetake Jo working with Microsoft Vulnerability
Research (MSVR), Neal Poole of Matasano Security
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: Authenticating to a maliciously crafted website may lead to
arbitrary code execution
Description: The NTLM authentication protocol is susceptible to a
replay attack referred to as credential reflection. Authenticating to
a maliciously crafted website may lead to arbitrary code execution.
To mitigate this issue, Safari has been updated to utilize protection
mechanisms recently added to Windows. This issue does not affect Mac
OS X systems.
CVE-ID
CVE-2010-1383 : Takehiro Takahashi of IBM X-Force Research
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: A root certificate that is disabled may still be trusted
Description: CFNetwork did not properly validate that a certificate
was trusted for use by a SSL server. As a result, if the user had
marked a system root certificate as not trusted, Safari would still
accept certificates signed by that root. This issue is addressed
through improved certificate validation. This issue does not affect
Mac OS X systems.
CVE-ID
CVE-2011-0214 : An anonymous reporter
ColorSync
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution
Description: An integer overflow existed in the handling of images
with an embedded ColorSync profile, which may lead to a heap buffer
overflow. Opening a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution. For Mac OS X v10.5 systems, this issue
is addressed in Security Update 2011-004.
CVE-ID
CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day
Initiative
CoreFoundation
Available for: Windows 7, Vista, XP SP2 or later
Impact: Applications that use the CoreFoundation framework may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: An off-by-one buffer overflow issue existed in the
handling of CFStrings. For Mac OS X v10.6 systems, this issue
is addressed in Mac OS X v10.6.8.
CVE-ID
CVE-2011-0201 : Harry Sintonen
CoreGraphics
Available for: Windows 7, Vista, XP SP2 or later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in the handling of
Type 1 fonts. Viewing or downloading a document containing a
maliciously crafted embedded font may lead to arbitrary code
execution. For Mac OS X v10.6 systems, this issue is addressed in Mac
OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in
Security Update 2011-004.
CVE-ID
CVE-2011-0202 : Cristian Draghici of Modulo Consulting, Felix Grobert
of the Google Security Team
International Components for Unicode
Available for: Windows 7, Vista, XP SP2 or later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A buffer overflow issue existed in ICU's handling of
uppercase strings. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
For Mac OS X v10.5 systems, this issue is addressed in Security
Update 2011-004.
CVE-ID
CVE-2011-0204 : Dominic Chell of NGS Secure
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF
image may lead to an unexpected application termination or arbitrary
code execution.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A reentrancy issue existed in ImageIO's handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution. This
issue does not affect Mac OS X systems.
CVE-ID
CVE-2011-0215 : Juan Pablo Lopez Yacubian working with iDefense VCP
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
For Mac OS X v10.5 systems, this issue is addressed in Security
Update 2011-004.
CVE-ID
CVE-2011-0204 : Dominic Chell of NGS Secure
libxslt
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of addresses on the heap
Description: libxslt's implementation of the generate-id() XPath
function disclosed the address of a heap buffer. Visiting a
maliciously crafted website may lead to the disclosure of addresses
on the heap. This issue is addressed by generating an ID based on the
difference between the addresses of two heap buffers. For Mac OS X
v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac
OS X v10.5 systems, this issue is addressed in Security Update
2011-004.
CVE-ID
CVE-2011-0195 : Chris Evans of the Google Chrome Security Team
libxml
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A one-byte heap buffer overflow existed in libxml's
handling of XML data.
CVE-ID
CVE-2011-0216 : Billy Rios of the Google Security Team
Safari
Available for: Mac OS X v10.6.8 or later,
Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later
Impact: If the "AutoFill web forms" feature is enabled, visiting a
maliciously crafted website and typing may lead to the disclosure of
information from the user's Address Book
Description: Safari's "AutoFill web forms" feature filled in non-
visible form fields, and the information was accessible by scripts on
the site before the user submitted the form. This issue is addressed
by displaying all fields that will be filled, and requiring the
user's consent before AutoFill information is available to the form.
CVE-ID
CVE-2011-0217 : Florian Rienhardt of BSI, Alex Lambert, [Jeremiah
Grossman]
Safari
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: With a certain Java configuration, visiting a malicious
website may lead to unexpected text being displayed on other sites
Description: A cross origin issue existed in the handling of Java
Applets. This applies when Java is enabled in Safari, and Java is
configured to run within the browser process. Fonts loaded by a Java
applet could affect the display of text content from other sites.
This issue is addressed by running Java applets in a separate
process.
CVE-ID
CVE-2011-0219 : Joshua Smith of Kaon Interactive
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
CVE-ID
CVE-2010-1823 : David Weston of Microsoft and Microsoft Vulnerability
Research (MSVR), wushi of team509, and Yong Li of Research In Motion
Ltd
CVE-2011-0164 : Apple
CVE-2011-0218 : SkyLined of Google Chrome Security Team
CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS
Research Team, and Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0223 : Jose A. Vazquez of spa-s3c.blogspot.com working with
iDefense VCP
CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative
CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0234 : Rob King working with TippingPoint's Zero Day
Initiative, wushi of team509 working with TippingPoint's Zero Day
Initiative, wushi of team509 working with iDefense VCP
CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0237 : wushi of team509 working with iDefense VCP
CVE-2011-0238 : Adam Barth of Google Chrome Security Team
CVE-2011-0240 : wushi of team509 working with iDefense VCP
CVE-2011-0253 : Richard Keen
CVE-2011-0254 : An anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0255 : An anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc
CVE-2011-0983 : Martin Barbella
CVE-2011-1109 : Sergey Glazunov
CVE-2011-1114 : Martin Barbella
CVE-2011-1115 : Martin Barbella
CVE-2011-1117 : wushi of team509
CVE-2011-1121 : miaubiz
CVE-2011-1188 : Martin Barbella
CVE-2011-1203 : Sergey Glazunov
CVE-2011-1204 : Sergey Glazunov
CVE-2011-1288 : Andreas Kling of Nokia
CVE-2011-1293 : Sergey Glazunov
CVE-2011-1296 : Sergey Glazunov
CVE-2011-1449 : Marek Majkowski, wushi of team 509 working with
iDefense VCP
CVE-2011-1451 : Sergey Glazunov
CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-1457 : John Knottenbelt of Google
CVE-2011-1462 : wushi of team509
CVE-2011-1797 : wushi of team509
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A configuration issue existed in WebKit's use of
libxslt. Visiting a maliciously crafted website may lead to arbitrary
files being created with the privileges of the user, which may lead
to arbitrary code execution. This issue is addressed through improved
libxslt security settings.
CVE-ID
CVE-2011-1774 : Nicolas Gregoire of Agarri
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
information disclosure
Description: A cross-origin issue existed in the handling of Web
Workers. Visiting a maliciously crafted website may lead to an
information disclosure.
CVE-ID
CVE-2011-1190 : Daniel Divricean of divricean.ro
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of URLs
with an embedded username. Visiting a maliciously crafted website may
lead to a cross-site scripting attack. This issue is addressed
through improved handling of URLs with an embedded username.
CVE-ID
CVE-2011-0242 : Jobert Abma of Online24
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of DOM
nodes. Visiting a maliciously crafted website may lead to a cross-
site scripting attack.
CVE-ID
CVE-2011-1295 : Sergey Glazunov
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: A maliciously crafted website may be able to cause a
different URL to be shown in the address bar
Description: A URL spoofing issue existed in the handling of the DOM
history object. A maliciously crafted website may have been able to
cause a different URL to be shown in the address bar.
CVE-ID
CVE-2011-1107 : Jordi Chancel
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Subscribing to a maliciously crafted RSS feed and clicking
on a link within it may lead to an information disclosure
Description: A canonicalization issue existed in the handling of
URLs. Subscribing to a maliciously crafted RSS feed and clicking on a
link within it may lead to arbitrary files being sent from the user's
system to a remote server. This update addresses the issue through
improved handling of URLs.
CVE-ID
CVE-2011-0244 : Jason Hullinger
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Applications that use WebKit, such as mail clients, may
connect to an arbitrary DNS server upon processing HTML content
Description: DNS prefetching was enabled by default in WebKit.
Applications that use WebKit, such a s mail clients, may connect to
an arbitrary DNS server upon processing HTML content. This update
addresses the issue by requiring applications to opt in to DNS
prefetching.
CVE-ID
CVE-2010-3829 : Mike Cardwell of Cardwell IT Ltd.
Note: Safari 5.1 is included with OS X Lion.
Safari 5.1 and Safari 5.0.6 address the same set of security
issues. Safari 5.1 is provided for Mac OS X v10.6,
and Windows systems. Safari 5.0.6 is provided for
Mac OS X v10.5 systems.
Safari 5.1 is available via the Apple Software Update
application, or Apple's Safari download site at:
http://www.apple.com/safari/download/
Safari 5.0.6 is available via the Apple Software Update
application, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Safari for Mac OS X v10.6.8 and later
The download file is named: Safari5.1SnowLeopard.dmg
Its SHA-1 digest is: 2c3cef8e06c5aa586379b1a5fd5cf7b54e8acc24
Safari for Mac OS X v10.5.8
The download file is named: Safari5.0.6Leopard.dmg
Its SHA-1 digest is: ea970375d2116a7b74094a2a7669bebc306b6e6f
Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: d00b791c694b1ecfc22d6a1ec9aa21cc14fd8e36
Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: ccb3bb6b06468a430171d9f62708a1a6d917f45b
Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 1273e0ee742a294d65e4f25a9b3e36f79fb517c9
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
iQEcBAEBAgAGBQJOJI45AAoJEGnF2JsdZQeezHQIALKZms5tzYgYxUSdxmo+DmYw
up9gAmEVcltZvCeVS1lUxfjqnRiGRSWyuou8Ynt9PfGQCz9GfLvzlrCHc5rsnKaD
MeYY1IH7lQc6aqmV0hwb4nUL5qJntP6G5Ai0E/0UiRQNC/ummS+qnmdsiFo78ODY
nKaB5cAWhqGHgOAPnUG0JwmxpYgR2HEtGYJSqlYykMwt1vnlAr5hHVNaUJcJ3Hlb
vesN6fB7zQMiJVo8+iJBixCvIYlbII5HnVAmD1ToyKgENg4Iguo46YBMVr8DPgF/
KD2s0+VF/O4utYVX0GiRGReVyq1PMvz/HI23ym8U3LjbezXD/AALQET0Q2hUEYQ=
=fOfF
-----END PGP SIGNATURE-----
. The announcement of the patch can be found here:
http://support.apple.com/kb/HT4723
NGS Secure is going to withhold details of this flaw for three months. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NGS Secure approach to responsible disclosure.
NGS Secure Research
http://www.ngssecure.com
.
Description: Multiple memory corruption issues existed in WebKit. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45054/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
3) An unspecified error in the handling of embedded TrueType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
4) An error within Certificate Trust Policy when handling an Extended
Validation (EV) certificate with no OCSP URL can be exploited to
disclose certain sensitive information via Man-in-the-Middle (MitM)
attacks.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO within the handling of TIFF files can be
exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be
exploited to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when
handling certain uppercase strings can be exploited to cause a buffer
overflow.
12) A NULL pointer dereference error within the kernel when handling
IPV6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases. This can be exploited to disclose a user's MobileMe email
aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused due to a vulnerable bundled
version of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused due to a vulnerable bundled
version of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused due to a vulnerable bundled version of
GNU patch.
For more information:
SA43677
19) An unspecified error in QuickLook within the processing of
Microsoft Office files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
20) An integer overflow error in QuickTime when handling RIFF WAV
files can be exploited to execute arbitrary code.
21) An error within QuickTime when processing sample tables in
QuickTime movie files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
22) An integer overflow error in QuickTime when handling certain
movie files can be exploited to execute arbitrary code.
25) Some vulnerabilities are caused due to a vulnerable bundled
version of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused due to a vulnerable bundled version of
subversion.
For more information:
SA43603
SOLUTION:
Update to version 10.6.8 or apply Security Update 2011-004.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19)Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201106-0157 | CVE-2011-0206 | Apple Mac OS X of ICU Vulnerable to buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in International Components for Unicode (ICU) in Apple Mac OS X before 10.6.8 allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving uppercase strings. Apple Mac OS X is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
This issue affects Mac OS X 10.6 through 10.6.7 and Mac OS X Server 10.6 through 10.6.7.
NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. This may
lead to a cross-site scripting attack on sites that allow untrusted
users to post text files.
To mitigate this issue, Safari has been updated to utilize protection
mechanisms recently added to Windows. This issue is addressed by generating an ID based on the
difference between the addresses of two heap buffers. This issue is addressed
by displaying all fields that will be filled, and requiring the
user's consent before AutoFill information is available to the form.
CVE-ID
CVE-2011-0217 : Florian Rienhardt of BSI, Alex Lambert, [Jeremiah
Grossman]
Safari
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: With a certain Java configuration, visiting a malicious
website may lead to unexpected text being displayed on other sites
Description: A cross origin issue existed in the handling of Java
Applets. This applies when Java is enabled in Safari, and Java is
configured to run within the browser process. Fonts loaded by a Java
applet could affect the display of text content from other sites. A maliciously crafted website may have been able to
cause a different URL to be shown in the address bar.
Applications that use WebKit, such a s mail clients, may connect to
an arbitrary DNS server upon processing HTML content. This update
addresses the issue by requiring applications to opt in to DNS
prefetching.
CVE-ID
CVE-2010-3829 : Mike Cardwell of Cardwell IT Ltd.
Note: Safari 5.1 is included with OS X Lion.
Safari 5.1 and Safari 5.0.6 address the same set of security
issues. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45054/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
3) An unspecified error in the handling of embedded TrueType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
4) An error within Certificate Trust Policy when handling an Extended
Validation (EV) certificate with no OCSP URL can be exploited to
disclose certain sensitive information via Man-in-the-Middle (MitM)
attacks.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO within the handling of TIFF files can be
exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be
exploited to cause a heap-based buffer overflow.
12) A NULL pointer dereference error within the kernel when handling
IPV6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases. This can be exploited to disclose a user's MobileMe email
aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused due to a vulnerable bundled
version of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused due to a vulnerable bundled
version of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused due to a vulnerable bundled version of
GNU patch.
For more information:
SA43677
19) An unspecified error in QuickLook within the processing of
Microsoft Office files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
20) An integer overflow error in QuickTime when handling RIFF WAV
files can be exploited to execute arbitrary code.
21) An error within QuickTime when processing sample tables in
QuickTime movie files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
22) An integer overflow error in QuickTime when handling certain
movie files can be exploited to execute arbitrary code.
23) An error in QuickTime when handling PICT image files can be
exploited to cause a buffer overflow and execute arbitrary code.
24) An error in QuickTime when handling JPEG image files can be
exploited to cause a buffer overflow and execute arbitrary code.
25) Some vulnerabilities are caused due to a vulnerable bundled
version of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused due to a vulnerable bundled version of
subversion.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19)Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-10-12-1 iOS 5 Software Update
iOS 5 Software Update is now available and addresses the following:
CalDAV
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information from a CalDAV
calendar server
Description: CalDAV did not check that the SSL certificate presented
by the server was trusted.
CVE-ID
CVE-2011-3253 : Leszek Tasiemski of nSense
Calendar
Available for: iOS 4.2.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 4.2.0 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 4.2.0 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted calendar invitation may inject
script in the local domain
Description: A script injection issue existed in Calendar's handling
of invitation notes. This issue is addressed through improved
escaping of special characters in invitation notes. This issues does
not affect devices prior to iOS 4.2.0.
CVE-ID
CVE-2011-3254 : Rick Deacon
CFNetwork
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: User's AppleID password may be logged to a local file
Description: A user's AppleID password and username were logged to a
file that was readable by applications on the system. This is
resolved by no longer logging these credentials.
CVE-ID
CVE-2011-3255 : Peter Quade of qdevelop
CFNetwork
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of HTTP
cookies. When accessing a maliciously crafted HTTP or HTTPS URL,
CFNetwork could incorrectly send the cookies for a domain to a server
outside that domain.
CVE-ID
CVE-2011-3246 : Erling Ellingsen of Facebook
CoreFoundation
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted website or e-mail message may
lead to an unexpected application termination or arbitrary code
execution
Description: A memory corruption issue existed in CoreFoundation's
handling of string tokenization.
CVE-ID
CVE-2011-0259 : Apple
CoreGraphics
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a document containing a maliciously crafted font may
lead to arbitrary code execution
Description: Multiple memory corruption existed in freetype, the
most serious of which may lead to arbitrary code execution when
processing a maliciously crafted font.
CVE-ID
CVE-2011-3256 : Apple
CoreMedia
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to the
disclosure of video data from another site
Description: A cross-origin issue existed in CoreMedia's handling of
cross-site redirects. This issue is addressed through improved origin
tracking.
CVE-ID
CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability
Research (MSVR)
Data Access
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An exchange mail cookie management issue could incorrectly
cause data synchronization across different accounts
Description: When multiple mail exchange accounts are configured
which connect to the same server, a session could potentially receive
a valid cookie corresponding to a different account. This issue is
addressed by ensuring that cookies are separated across different
accounts.
CVE-ID
CVE-2011-3257 : Bob Sielken of IBM
Data Security
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: Fraudulent certificates were issued by multiple
certificate authorities operated by DigiNotar. This issue is
addressed by removing DigiNotar from the list of trusted root
certificates, from the list of Extended Validation (EV) certificate
authorities, and by configuring default system trust settings so that
DigiNotar's certificates, including those issued by other
authorities, are not trusted.
Data Security
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Support for X.509 certificates with MD5 hashes may expose
users to spoofing and information disclosure as attacks improve
Description: Certificates signed using the MD5 hash algorithm were
accepted by iOS. This algorithm has known cryptographic weaknesses.
Further research or a misconfigured certificate authority could have
allowed the creation of X.509 certificates with attacker controlled
values that would have been trusted by the system. This would have
exposed X.509 based protocols to spoofing, man in the middle attacks,
and information disclosure. This update disables support for an X.509
certificate with an MD5 hash for any use other than as a trusted root
certificate.
CVE-ID
CVE-2011-3427
Data Security
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker could decrypt part of a SSL connection
Description: Only the SSLv3 and TLS 1.0 versions of SSL were
supported. These versions are subject to a protocol weakness when
using block ciphers. A man-in-the-middle attacker could have injected
invalid data, causing the connection to close but revealing some
information about the previous data. If the same connection was
attempted repeatedly the attacker may eventually have been able to
decrypt the data being sent, such as a password. This issue is
addressed by adding support for TLS 1.2.
CVE-ID
CVE-2011-3389
Home screen
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Switching between applications may lead to the disclosure of
sensitive application information
Description: When switching between applications with the four-
finger app switching gesture, the display could have revealed the
previous application state. This issue is addressed by ensuring that
the system properly calls the applicationWillResignActive: method
when transitioning between applications.
CVE-ID
CVE-2011-3431 : Abe White of Hedonic Software Inc.
ImageIO
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted TIFF image may result in an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libTIFF's handling of
CCITT Group 4 encoded TIFF images.
CVE-ID
CVE-2011-0192 : Apple
ImageIO
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF images.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies
International Components for Unicode
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A buffer overflow issue existed in ICU's generation of
collation keys for long strings of mostly uppercase letters.
CVE-ID
CVE-2011-0206 : David Bienvenu of Mozilla
Kernel
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A remote attacker may cause a device reset
Description: The kernel failed to promptly reclaim memory from
incomplete TCP connections. An attacker with the ability to connect
to a listening service on an iOS device could exhaust system
resources.
CVE-ID
CVE-2011-3259 : Wouter van der Veer of Topicus I&I, and Josh Enders
Kernel
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A local user may be able to cause a system reset
Description: A null dereference issue existed in the handling of
IPV6 socket options.
CVE-ID
CVE-2011-1132 : Thomas Clement of Intego
Keyboards
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A user may be able to determine information about the last
character of a password
Description: The keyboard used to type the last character of a
password was briefly displayed the next time the keyboard was used.
CVE-ID
CVE-2011-3245 : Paul Mousdicas
libxml
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A one-byte heap buffer overflow existed in libxml's
handling of XML data.
CVE-ID
CVE-2011-0216 : Billy Rios of the Google Security Team
OfficeImport
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted Word file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in OfficeImport's handling of
Microsoft Word documents.
CVE-ID
CVE-2011-3260 : Tobias Klein working with Verisign iDefense Labs
OfficeImport
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted Excel file may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in OfficeImport's handling
of Excel files.
CVE-ID
CVE-2011-3261 : Tobias Klein of www.trapkit.de
OfficeImport
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Downloading a maliciously crafted Microsoft Office file may
lead to an unexpected application termination or arbitrary code
execution
Description: A memory corruption issue existed in OfficeImport's
handling of Microsoft Office files.
CVE-ID
CVE-2011-0208 : Tobias Klein working with iDefense VCP
OfficeImport
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Downloading a maliciously crafted Excel file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in OfficeImport's
handling of Excel files.
CVE-ID
CVE-2011-0184 : Tobias Klein working with iDefense VCP
Safari
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Opening maliciously crafted files on certain websites may
lead to a cross-site scripting attack
Description: iOS did not support the 'attachment' value for the HTTP
Content-Disposition header. This header is used by many websites to
serve files that were uploaded to the site by a third-party, such as
attachments in web-based e-mail applications. Any script in files
served with this header value would run as if the file had been
served inline, with full access to other resources on the origin
server. This issue is addressed by loading attachments in an isolated
security origin with no access to resources on other sites.
CVE-ID
CVE-2011-3426 : Christian Matthies working with iDefense VCP,
Yoshinori Oota from Business Architects Inc working with JP/CERT
Settings
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker with physical access to a device may be able to
recover the restrictions passcode
Description: The parental restrictions functionality enforces UI
restrictions. Configuring parental restrictions is protected by a
passcode, which was previously stored in plaintext on disk. This
issue is addressed by securely storing the parental restrictions
passcode in the system keychain.
CVE-ID
CVE-2011-3429 : an anonymous reporter
Settings
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Misleading UI
Description: Configurations and settings applied via configuration
profiles did not appear to function properly under any non-English
language. Settings could be improperly displayed as a result. This
issue is addressed by fixing a localization error.
CVE-ID
CVE-2011-3430 : Florian Kreitmaier of Siemens CERT
UIKit Alerts
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a malicious website may cause an unexpected device
hang
Description: An excessive maximum text layout length permitted
malicious websites to cause iOS to hang when drawing acceptance
dialogs for very long tel: URIs. This issue is addressed by using a
more reasonable maximum URI size.
CVE-ID
CVE-2011-3432 : Simon Young of Anglia Ruskin University
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
CVE-ID
CVE-2011-0218 : SkyLined of Google Chrome Security Team
CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS
Research Team, and Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative
CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0234 : Rob King working with TippingPoint's Zero Day
Initiative, wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0238 : Adam Barth of Google Chrome Security Team
CVE-2011-0254 : An anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0255 : An anonymous reporter working with TippingPoint's
Zero Day Initiative
CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc
CVE-2011-0983 : Martin Barbella
CVE-2011-1109 : Sergey Glazunov
CVE-2011-1114 : Martin Barbella
CVE-2011-1115 : Martin Barbella
CVE-2011-1117 : wushi of team509
CVE-2011-1121 : miaubiz
CVE-2011-1188 : Martin Barbella
CVE-2011-1203 : Sergey Glazunov
CVE-2011-1204 : Sergey Glazunov
CVE-2011-1288 : Andreas Kling of Nokia
CVE-2011-1293 : Sergey Glazunov
CVE-2011-1296 : Sergey Glazunov
CVE-2011-1449 : Marek Majkowski
CVE-2011-1451 : Sergey Glazunov
CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-1457 : John Knottenbelt of Google
CVE-2011-1462 : wushi of team509
CVE-2011-1797 : wushi of team509
CVE-2011-2338 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2339 : Cris Neckar of the Google Chrome Security Team
CVE-2011-2341 : Apple
CVE-2011-2351 : miaubiz
CVE-2011-2352 : Apple
CVE-2011-2354 : Apple
CVE-2011-2356 : Adam Barth and Abhishek Arya of Google Chrome
Security Team using AddressSanitizer
CVE-2011-2359 : miaubiz
CVE-2011-2788 : Mikolaj Malecki of Samsung
CVE-2011-2790 : miaubiz
CVE-2011-2792 : miaubiz
CVE-2011-2797 : miaubiz
CVE-2011-2799 : miaubiz
CVE-2011-2809 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-2813 : Cris Neckar of Google Chrome Security Team using
AddressSanitizer
CVE-2011-2814 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2816 : Apple
CVE-2011-2817 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2818 : Martin Barbella
CVE-2011-2820 : Raman Tenneti and Philip Rogers of Google
CVE-2011-2823 : SkyLined of Google Chrome Security Team
CVE-2011-2827 : miaubiz
CVE-2011-2831 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3232 : Aki Helin of OUSPG
CVE-2011-3234 : miaubiz
CVE-2011-3235 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3236 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3237 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3244 : vkouchna
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of URLs
with an embedded username. This issue is addressed through improved
handling of URLs with an embedded username.
CVE-ID
CVE-2011-0242 : Jobert Abma of Online24
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of DOM
nodes.
CVE-ID
CVE-2011-1295 : Sergey Glazunov
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A maliciously crafted website may be able to cause a
different URL to be shown in the address bar
Description: A URL spoofing issue existed in the handling of the DOM
history object.
CVE-ID
CVE-2011-1107 : Jordi Chancel
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A configuration issue existed in WebKit's use of
libxslt. Visiting a maliciously crafted website may lead to arbitrary
files being created with the privileges of the user, which may lead
to arbitrary code execution. This issue is addressed through improved
libxslt security settings.
CVE-ID
CVE-2011-1774 : Nicolas Gregoire of Agarri
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a malicious website and dragging content in the
page may lead to an information disclosure
Description: A cross-origin issue existed in WebKit's handling of
HTML5 drag and drop. This issue is addressed by disallowing drag and
drop across different origins.
CVE-ID
CVE-2011-0166 : Michal Zalewski of Google Inc.
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to an
information disclosure
Description: A cross-origin issue existed in the handling of Web
Workers.
CVE-ID
CVE-2011-1190 : Daniel Divricean of divricean.ro
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of the
window.open method.
CVE-ID
CVE-2011-2805 : Sergey Glazunov
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of
inactive DOM windows.
CVE-ID
CVE-2011-3243 : Sergey Glazunov
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of the
document.documentURI property.
CVE-ID
CVE-2011-2819 : Sergey Glazunov
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A maliciously crafted website may be able to track the URLs
that a user visits within a frame
Description: A cross-origin issue existed in the handling of the
beforeload event.
CVE-ID
CVE-2011-2800 : Juho Nurminen
WiFi
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: WiFi credentials may be logged to a local file
Description: WiFi credentials including the passphrase and
encryption keys were logged to a file that was readable by
applications on the system. This is resolved by no longer logging
these credentials.
CVE-ID
CVE-2011-3434 : Laurent OUDOT of TEHTRI Security
Installation note:
This update is only available through iTunes, and will not appear
in your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an Internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/
iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone, iPod touch or iPad is docked, iTunes will present the
user with the option to install the update. We recommend applying
the update immediately if possible. Selecting Don't Install will
present the option the next time you connect your iPhone, iPod touch,
or iPad.
The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the Check for Updates button within iTunes. After doing
this, the update can be applied when your iPhone, iPod touch, or iPad
is docked to your computer.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
"5 (9A334)".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJOldmtAAoJEGnF2JsdZQee/qMIAIPxmIiOqj+FMLFHZtPeC/Dp
3s4JliKOOgNnjXkxErfaNvYGmeVbDaUER5jdVrWccTauzlYmy8G4uK0An2GD2YiP
gB5AiCQXpONdBCi38QNdRqrYoYjc8Sa0nUp4r5uWPoiHoj5KfxvBpgygEL+zjHXS
fmnrONOCWhOYp0w4q6mdTg5BH2uJCbXscD/JjbmgHQI0Vs/iUZKSRyqFo2b0Mvze
NiSyzcj/4l62Cxx7xM9VbdrYL7Al2yyHfNYJQsZmoeDUlJQcdgEgEMXvOuhY3sFK
maxYr2oCp6Mtf53fplAeJIV4ijLynEWAKxTuTznAyW1k7oiGrDTfORSFKPEB9MQ=
=LCQZ
-----END PGP SIGNATURE-----
VAR-201106-0018 | CVE-2011-1132 | Apple Mac OS X of kernel of IPv6 Service disruption in implementation (Null Pointer dereference and reboot ) Vulnerabilities |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
The IPv6 implementation in the kernel in Apple Mac OS X before 10.6.8 allows local users to cause a denial of service (NULL pointer dereference and reboot) via vectors involving socket options. Apple Mac OS X is prone to a local denial-of-service vulnerability.
Local attackers can exploit this issue to cause a system reset, denying service to legitimate users.
This issue affects Mac OS X 10.6 to 10.6.7 and Mac OS X Server 10.6 to 10.6.7.
NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45054/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
RELEASE DATE:
2011-06-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45054/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45054/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45054
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be
exploited to trigger an out-of-bounds memory access and cause a
system reset.
2) An error within App Store may lead to a user's AppleID password
being logged to a local file.
3) An unspecified error in the handling of embedded TrueType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
4) An error within Certificate Trust Policy when handling an Extended
Validation (EV) certificate with no OCSP URL can be exploited to
disclose certain sensitive information via Man-in-the-Middle (MitM)
attacks.
5) An integer overflow error when processing ColorSync profiles
embedded in images can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code via a specially
crafted image.
6) An off-by-one error within the CoreFoundation framework when
handling CFStrings can be exploited to execute arbitrary code.
7) An integer overflow error in CoreGraphics when handling PDF files
containing Type 1 fonts can be exploited to cause a buffer overflow
via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a
recursive directory listing and disclose the list of otherwise
restricted files.
9) An error in ImageIO within the handling of TIFF files can be
exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be
exploited to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when
handling certain uppercase strings can be exploited to cause a buffer
overflow.
13) An error within Libsystem when using the glob(3) API can be
exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
15) An error exists within MobileMe when determining a user's email
aliases. This can be exploited to disclose a user's MobileMe email
aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused due to a vulnerable bundled
version of MySQL.
For more information:
SA41048
SA41716
17) Some vulnerabilities are caused due to a vulnerable bundled
version of OpenSSL.
For more information:
SA37291
SA38807
SA42243
SA42473
SA43227
18) A vulnerability is caused due to a vulnerable bundled version of
GNU patch.
For more information:
SA43677
19) An unspecified error in QuickLook within the processing of
Microsoft Office files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
20) An integer overflow error in QuickTime when handling RIFF WAV
files can be exploited to execute arbitrary code.
21) An error within QuickTime when processing sample tables in
QuickTime movie files can be exploited to corrupt memory, which may
allow execution of arbitrary code.
22) An integer overflow error in QuickTime when handling certain
movie files can be exploited to execute arbitrary code.
23) An error in QuickTime when handling PICT image files can be
exploited to cause a buffer overflow and execute arbitrary code.
24) An error in QuickTime when handling JPEG image files can be
exploited to cause a buffer overflow and execute arbitrary code.
25) Some vulnerabilities are caused due to a vulnerable bundled
version of Samba.
For more information:
SA41354
SA43512
26) An error in servermgrd when handling XML-RPC requests can be
exploited to disclose arbitrary files from the local resources.
27) A vulnerability is caused due to a vulnerable bundled version of
subversion.
For more information:
SA43603
SOLUTION:
Update to version 10.6.8 or apply Security Update 2011-004.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry
Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
5) binaryproof via ZDI
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
8) team karlkani
9) Dominic Chell, NGS Secure
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
19)Tobias Klein via iDefense
20, 22) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
1, 26) Reported by the vendor
ORIGINAL ADVISORY:
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------