Sign-up

VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-201107-0256 CVE-2011-2956 AzeoTech DAQFactory Denial of service vulnerability

Related entries in the VARIoT exploits database: VAR-E-201106-0001		 CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
AzeoTech DAQFactory before 5.85 (Build 1842) does not perform authentication for certain signals, which allows remote attackers to cause a denial of service (system reboot or shutdown) via a signal. ( System restart or shutdown ) There is a vulnerability that becomes a condition.Service disruption via a signal by a third party ( System restart or shutdown ) There is a possibility of being put into a state. AzeoTech DAQFactory is a complete system solution that embraces data acquisition, process control and data analysis. AzeoTech DAQFactory has a denial of service vulnerability that a malicious attacker can use to cause a denial of service. AzeoTech DAQFactory is prone to a denial-of-service vulnerability. Versions prior to DAQFactory 5.85 are vulnerable. ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: AzeoTech DAQFactory Unspecified Denial of Service Vulnerability SECUNIA ADVISORY ID: SA45633 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45633/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45633 RELEASE DATE: 2011-08-23 DISCUSS ADVISORY: http://secunia.com/advisories/45633/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45633/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45633 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in AzeoTech DAQFactory, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an unspecified error related to certain network features and can be exploited to cause a crash. SOLUTION: Update to version 5.85 build 1842. PROVIDED AND/OR DISCOVERED BY: nSense via ICS-CERT. ORIGINAL ADVISORY: AzeoTech: http://www.azeotech.com/revisionhistory.php ISC-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-11-122-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201107-0125 CVE-2011-2192 Haxx libcurl Trust Management Issue Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests. cURL/libcURL is prone to a vulnerability that may allow attackers to spoof clients' security credentials. Remote attackers can exploit this issue to impersonate a client on any server that uses the same GSSAPI mechanism. This issue affects cURL/libcURL versions 7.10.6 through 7.21.6. This is obviously a very sensitive operation, which should only be done when the user explicitly so directs. For the oldstable distribution (lenny), this problem has been fixed in version 7.18.2-8lenny5. For the stable distribution (squeeze), this problem has been fixed in version 7.21.0-2. For the testing distribution (wheezy), this problem has been fixed in version 7.21.6-2. For the unstable distribution (sid), this problem has been fixed in version 7.21.6-2. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . Summary: Updated curl packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: cURL provides the libcurl library and a command line tool for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. (CVE-2011-2192) Users of curl should upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using libcurl must be restarted for the update to take effect. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 711454 - CVE-2011-2192 curl: Improper delegation of client credentials during GSS negotiation 6. Package List: Red Hat Enterprise Linux AS version 4: Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/curl-7.12.1-17.el4.src.rpm i386: curl-7.12.1-17.el4.i386.rpm curl-debuginfo-7.12.1-17.el4.i386.rpm curl-devel-7.12.1-17.el4.i386.rpm ia64: curl-7.12.1-17.el4.i386.rpm curl-7.12.1-17.el4.ia64.rpm curl-debuginfo-7.12.1-17.el4.i386.rpm curl-debuginfo-7.12.1-17.el4.ia64.rpm curl-devel-7.12.1-17.el4.ia64.rpm ppc: curl-7.12.1-17.el4.ppc.rpm curl-7.12.1-17.el4.ppc64.rpm curl-debuginfo-7.12.1-17.el4.ppc.rpm curl-debuginfo-7.12.1-17.el4.ppc64.rpm curl-devel-7.12.1-17.el4.ppc.rpm s390: curl-7.12.1-17.el4.s390.rpm curl-debuginfo-7.12.1-17.el4.s390.rpm curl-devel-7.12.1-17.el4.s390.rpm s390x: curl-7.12.1-17.el4.s390.rpm curl-7.12.1-17.el4.s390x.rpm curl-debuginfo-7.12.1-17.el4.s390.rpm curl-debuginfo-7.12.1-17.el4.s390x.rpm curl-devel-7.12.1-17.el4.s390x.rpm x86_64: curl-7.12.1-17.el4.i386.rpm curl-7.12.1-17.el4.x86_64.rpm curl-debuginfo-7.12.1-17.el4.i386.rpm curl-debuginfo-7.12.1-17.el4.x86_64.rpm curl-devel-7.12.1-17.el4.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/curl-7.12.1-17.el4.src.rpm i386: curl-7.12.1-17.el4.i386.rpm curl-debuginfo-7.12.1-17.el4.i386.rpm curl-devel-7.12.1-17.el4.i386.rpm x86_64: curl-7.12.1-17.el4.i386.rpm curl-7.12.1-17.el4.x86_64.rpm curl-debuginfo-7.12.1-17.el4.i386.rpm curl-debuginfo-7.12.1-17.el4.x86_64.rpm curl-devel-7.12.1-17.el4.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/curl-7.12.1-17.el4.src.rpm i386: curl-7.12.1-17.el4.i386.rpm curl-debuginfo-7.12.1-17.el4.i386.rpm curl-devel-7.12.1-17.el4.i386.rpm ia64: curl-7.12.1-17.el4.i386.rpm curl-7.12.1-17.el4.ia64.rpm curl-debuginfo-7.12.1-17.el4.i386.rpm curl-debuginfo-7.12.1-17.el4.ia64.rpm curl-devel-7.12.1-17.el4.ia64.rpm x86_64: curl-7.12.1-17.el4.i386.rpm curl-7.12.1-17.el4.x86_64.rpm curl-debuginfo-7.12.1-17.el4.i386.rpm curl-debuginfo-7.12.1-17.el4.x86_64.rpm curl-devel-7.12.1-17.el4.x86_64.rpm Red Hat Enterprise Linux WS version 4: Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/curl-7.12.1-17.el4.src.rpm i386: curl-7.12.1-17.el4.i386.rpm curl-debuginfo-7.12.1-17.el4.i386.rpm curl-devel-7.12.1-17.el4.i386.rpm ia64: curl-7.12.1-17.el4.i386.rpm curl-7.12.1-17.el4.ia64.rpm curl-debuginfo-7.12.1-17.el4.i386.rpm curl-debuginfo-7.12.1-17.el4.ia64.rpm curl-devel-7.12.1-17.el4.ia64.rpm x86_64: curl-7.12.1-17.el4.i386.rpm curl-7.12.1-17.el4.x86_64.rpm curl-debuginfo-7.12.1-17.el4.i386.rpm curl-debuginfo-7.12.1-17.el4.x86_64.rpm curl-devel-7.12.1-17.el4.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/curl-7.15.5-9.el5_6.3.src.rpm i386: curl-7.15.5-9.el5_6.3.i386.rpm curl-debuginfo-7.15.5-9.el5_6.3.i386.rpm x86_64: curl-7.15.5-9.el5_6.3.i386.rpm curl-7.15.5-9.el5_6.3.x86_64.rpm curl-debuginfo-7.15.5-9.el5_6.3.i386.rpm curl-debuginfo-7.15.5-9.el5_6.3.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/curl-7.15.5-9.el5_6.3.src.rpm i386: curl-debuginfo-7.15.5-9.el5_6.3.i386.rpm curl-devel-7.15.5-9.el5_6.3.i386.rpm x86_64: curl-debuginfo-7.15.5-9.el5_6.3.i386.rpm curl-debuginfo-7.15.5-9.el5_6.3.x86_64.rpm curl-devel-7.15.5-9.el5_6.3.i386.rpm curl-devel-7.15.5-9.el5_6.3.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/curl-7.15.5-9.el5_6.3.src.rpm i386: curl-7.15.5-9.el5_6.3.i386.rpm curl-debuginfo-7.15.5-9.el5_6.3.i386.rpm curl-devel-7.15.5-9.el5_6.3.i386.rpm ia64: curl-7.15.5-9.el5_6.3.ia64.rpm curl-debuginfo-7.15.5-9.el5_6.3.ia64.rpm curl-devel-7.15.5-9.el5_6.3.ia64.rpm ppc: curl-7.15.5-9.el5_6.3.ppc.rpm curl-7.15.5-9.el5_6.3.ppc64.rpm curl-debuginfo-7.15.5-9.el5_6.3.ppc.rpm curl-debuginfo-7.15.5-9.el5_6.3.ppc64.rpm curl-devel-7.15.5-9.el5_6.3.ppc.rpm curl-devel-7.15.5-9.el5_6.3.ppc64.rpm s390x: curl-7.15.5-9.el5_6.3.s390.rpm curl-7.15.5-9.el5_6.3.s390x.rpm curl-debuginfo-7.15.5-9.el5_6.3.s390.rpm curl-debuginfo-7.15.5-9.el5_6.3.s390x.rpm curl-devel-7.15.5-9.el5_6.3.s390.rpm curl-devel-7.15.5-9.el5_6.3.s390x.rpm x86_64: curl-7.15.5-9.el5_6.3.i386.rpm curl-7.15.5-9.el5_6.3.x86_64.rpm curl-debuginfo-7.15.5-9.el5_6.3.i386.rpm curl-debuginfo-7.15.5-9.el5_6.3.x86_64.rpm curl-devel-7.15.5-9.el5_6.3.i386.rpm curl-devel-7.15.5-9.el5_6.3.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/curl-7.19.7-26.el6_1.1.src.rpm i386: curl-7.19.7-26.el6_1.1.i686.rpm curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm libcurl-7.19.7-26.el6_1.1.i686.rpm x86_64: curl-7.19.7-26.el6_1.1.x86_64.rpm curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm curl-debuginfo-7.19.7-26.el6_1.1.x86_64.rpm libcurl-7.19.7-26.el6_1.1.i686.rpm libcurl-7.19.7-26.el6_1.1.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/curl-7.19.7-26.el6_1.1.src.rpm i386: curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm libcurl-devel-7.19.7-26.el6_1.1.i686.rpm x86_64: curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm curl-debuginfo-7.19.7-26.el6_1.1.x86_64.rpm libcurl-devel-7.19.7-26.el6_1.1.i686.rpm libcurl-devel-7.19.7-26.el6_1.1.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/curl-7.19.7-26.el6_1.1.src.rpm x86_64: curl-7.19.7-26.el6_1.1.x86_64.rpm curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm curl-debuginfo-7.19.7-26.el6_1.1.x86_64.rpm libcurl-7.19.7-26.el6_1.1.i686.rpm libcurl-7.19.7-26.el6_1.1.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/curl-7.19.7-26.el6_1.1.src.rpm x86_64: curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm curl-debuginfo-7.19.7-26.el6_1.1.x86_64.rpm libcurl-devel-7.19.7-26.el6_1.1.i686.rpm libcurl-devel-7.19.7-26.el6_1.1.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/curl-7.19.7-26.el6_1.1.src.rpm i386: curl-7.19.7-26.el6_1.1.i686.rpm curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm libcurl-7.19.7-26.el6_1.1.i686.rpm libcurl-devel-7.19.7-26.el6_1.1.i686.rpm ppc64: curl-7.19.7-26.el6_1.1.ppc64.rpm curl-debuginfo-7.19.7-26.el6_1.1.ppc.rpm curl-debuginfo-7.19.7-26.el6_1.1.ppc64.rpm libcurl-7.19.7-26.el6_1.1.ppc.rpm libcurl-7.19.7-26.el6_1.1.ppc64.rpm libcurl-devel-7.19.7-26.el6_1.1.ppc.rpm libcurl-devel-7.19.7-26.el6_1.1.ppc64.rpm s390x: curl-7.19.7-26.el6_1.1.s390x.rpm curl-debuginfo-7.19.7-26.el6_1.1.s390.rpm curl-debuginfo-7.19.7-26.el6_1.1.s390x.rpm libcurl-7.19.7-26.el6_1.1.s390.rpm libcurl-7.19.7-26.el6_1.1.s390x.rpm libcurl-devel-7.19.7-26.el6_1.1.s390.rpm libcurl-devel-7.19.7-26.el6_1.1.s390x.rpm x86_64: curl-7.19.7-26.el6_1.1.x86_64.rpm curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm curl-debuginfo-7.19.7-26.el6_1.1.x86_64.rpm libcurl-7.19.7-26.el6_1.1.i686.rpm libcurl-7.19.7-26.el6_1.1.x86_64.rpm libcurl-devel-7.19.7-26.el6_1.1.i686.rpm libcurl-devel-7.19.7-26.el6_1.1.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/curl-7.19.7-26.el6_1.1.src.rpm i386: curl-7.19.7-26.el6_1.1.i686.rpm curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm libcurl-7.19.7-26.el6_1.1.i686.rpm libcurl-devel-7.19.7-26.el6_1.1.i686.rpm x86_64: curl-7.19.7-26.el6_1.1.x86_64.rpm curl-debuginfo-7.19.7-26.el6_1.1.i686.rpm curl-debuginfo-7.19.7-26.el6_1.1.x86_64.rpm libcurl-7.19.7-26.el6_1.1.i686.rpm libcurl-7.19.7-26.el6_1.1.x86_64.rpm libcurl-devel-7.19.7-26.el6_1.1.i686.rpm libcurl-devel-7.19.7-26.el6_1.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2011-2192.html https://access.redhat.com/security/updates/classification/#moderate http://curl.haxx.se/docs/adv_20110623.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2011 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2012-02-01-1 OS X Lion v10.7.3 and Security Update 2012-001 OS X Lion v10.7.3 and Security Update 2012-001 is now available and addresses the following: Address Book Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: An attacker in a privileged network position may intercept CardDAV data Description: Address Book supports Secure Sockets Layer (SSL) for accessing CardDAV. A downgrade issue caused Address Book to attempt an unencrypted connection if an encrypted connection failed. An attacker in a privileged network position could abuse this behavior to intercept CardDAV data. This issue is addressed by not downgrading to an unencrypted connection without user approval. CVE-ID CVE-2011-3444 : Bernard Desruisseaux of Oracle Corporation Apache Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Multiple vulnerabilities in Apache Description: Apache is updated to version 2.2.21 to address several vulnerabilities, the most serious of which may lead to a denial of service. Further information is available via the Apache web site at http://httpd.apache.org/ CVE-ID CVE-2011-3348 Apache Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: An attacker may be able to decrypt data protected by SSL Description: There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. Apache disabled the 'empty fragment' countermeasure which prevented these attacks. This issue is addressed by providing a configuration parameter to control the countermeasure and enabling it by default. CVE-ID CVE-2011-3389 CFNetwork Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information Description: An issue existed in CFNetwork's handling of malformed URLs. When accessing a maliciously crafted URL, CFNetwork could send the request to an incorrect origin server. This issue does not affect systems prior to OS X Lion. CVE-ID CVE-2011-3246 : Erling Ellingsen of Facebook CFNetwork Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information Description: An issue existed in CFNetwork's handling of malformed URLs. When accessing a maliciously crafted URL, CFNetwork could send unexpected request headers. This issue does not affect systems prior to OS X Lion. CVE-ID CVE-2011-3447 : Erling Ellingsen of Facebook ColorSync Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8 Impact: Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of images with an embedded ColorSync profile, which may lead to a heap buffer overflow. This issue does not affect OS X Lion systems. CVE-ID CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day Initiative CoreAudio Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8 Impact: Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of AAC encoded audio streams. This issue does not affect OS X Lion systems. CVE-ID CVE-2011-3252 : Luigi Auriemma working with TippingPoint's Zero Day Initiative CoreMedia Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in CoreMedia's handling of H.264 encoded movie files. CVE-ID CVE-2011-3448 : Scott Stender of iSEC Partners CoreText Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to an unexpected application termination or arbitrary code execution Description: A use after free issue existed in the handling of font files. CVE-ID CVE-2011-3449 : Will Dormann of the CERT/CC CoreUI Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Visiting a malicious website may lead to an unexpected application termination or arbitrary code execution Description: An unbounded stack allocation issue existed in the handling of long URLs. This issue does not affect systems prior to OS X Lion. CVE-ID CVE-2011-3450 : Ben Syverson curl Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: A remote server may be able to impersonate clients via GSSAPI requests Description: When doing GSSAPI authentication, libcurl unconditionally performs credential delegation. This issue is addressed by disabling GSSAPI credential delegation. CVE-ID CVE-2011-2192 Data Security Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information Description: Two certificate authorities in the list of trusted root certificates have independently issued intermediate certificates to DigiCert Malaysia. DigiCert Malaysia has issued certificates with weak keys that it is unable to revoke. An attacker with a privileged network position could intercept user credentials or other sensitive information intended for a site with a certificate issued by DigiCert Malaysia. This issue is addressed by configuring default system trust settings so that DigiCert Malaysia's certificates are not trusted. We would like to acknowledge Bruce Morton of Entrust, Inc. dovecot Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: An attacker may be able to decrypt data protected by SSL Description: There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. Dovecot disabled the 'empty fragment' countermeasure which prevented these attacks. This issue is addressed by enabling the countermeasure. CVE-ID CVE-2011-3389 : Apple filecmds Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Decompressing a maliciously crafted compressed file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the 'uncompress' command line tool. CVE-ID CVE-2011-2895 ImageIO Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8 Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in ImageIO's handling of CCITT Group 4 encoded TIFF files. This issue does not affect OS X Lion systems. CVE-ID CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies ImageIO Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libtiff's handling of ThunderScan encoded TIFF images. This issue is address by updating libtiff to version 3.9.5. CVE-ID CVE-2011-1167 ImageIO Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Multiple vulnerabilities in libpng 1.5.4 Description: libpng is updated to version 1.5.5 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html CVE-ID CVE-2011-3328 Internet Sharing Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: A Wi-Fi network created by Internet Sharing may lose security settings after a system update Description: After updating to a version of OS X Lion prior to 10.7.3, the Wi-Fi configuration used by Internet Sharing may revert to factory defaults, which disables the WEP password. This issue only affects systems with Internet Sharing enabled and sharing the connection to Wi-Fi. This issue is addressed by preserving the Wi-Fi configuration during a system update. CVE-ID CVE-2011-3452 : an anonymous researcher Libinfo Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information Description: An issue existed in Libinfo's handling of hostname lookup requests. Libinfo could return incorrect results for a maliciously crafted hostname. This issue does not affect systems prior to OS X Lion. CVE-ID CVE-2011-3441 : Erling Ellingsen of Facebook libresolv Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Applications that use OS X's libresolv library may be vulnerable to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the parsing of DNS resource records, which may lead to heap memory corruption. CVE-ID CVE-2011-3453 : Ilja van Sprundel of IOActive libsecurity Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Some EV certificates may be trusted even if the corresponding root has been marked as untrusted Description: The certificate code trusted a root certificate to sign EV certificates if it was on the list of known EV issuers, even if the user had marked it as 'Never Trust' in Keychain. The root would not be trusted to sign non-EV certificates. CVE-ID CVE-2011-3422 : Alastair Houghton OpenGL Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Applications that use OS X's OpenGL implementation may be vulnerable to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in the handling of GLSL compilation. CVE-ID CVE-2011-3457 : Chris Evans of the Google Chrome Security Team, and Marc Schoenefeld of the Red Hat Security Response Team PHP Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Multiple vulnerabilities in PHP 5.3.6 Description: PHP is updated to version 5.3.8 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP web site at http://www.php.net CVE-ID CVE-2011-1148 CVE-2011-1657 CVE-2011-1938 CVE-2011-2202 CVE-2011-2483 CVE-2011-3182 CVE-2011-3189 CVE-2011-3267 CVE-2011-3268 PHP Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in FreeType's handling of Type 1 fonts. Further information is available via the FreeType site at http://www.freetype.org/ CVE-ID CVE-2011-3256 : Apple PHP Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Multiple vulnerabilities in libpng 1.5.4 Description: libpng is updated to version 1.5.5 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html CVE-ID CVE-2011-3328 QuickTime Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Opening a maliciously crafted MP4 encoded file may lead to an unexpected application termination or arbitrary code execution Description: An uninitialized memory access issue existed in the handling of MP4 encoded files. CVE-ID CVE-2011-3458 : Luigi Auriemma and pa_kt both working with TippingPoint's Zero Day Initiative QuickTime Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A signedness issue existed in the handling of font tables embedded in QuickTime movie files. CVE-ID CVE-2011-3248 : Luigi Auriemma working with TippingPoint's Zero Day Initiative QuickTime Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: An off by one buffer overflow existed in the handling of rdrf atoms in QuickTime movie files. CVE-ID CVE-2011-3459 : Luigi Auriemma working with TippingPoint's Zero Day Initiative QuickTime Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Viewing a maliciously crafted JPEG2000 image file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of JPEG2000 files. CVE-ID CVE-2011-3250 : Luigi Auriemma working with TippingPoint's Zero Day Initiative QuickTime Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of PNG files. CVE-ID CVE-2011-3460 : Luigi Auriemma working with TippingPoint's Zero Day Initiative QuickTime Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of FLC encoded movie files CVE-ID CVE-2011-3249 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative SquirrelMail Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8 Impact: Multiple vulnerabilities in SquirrelMail Description: SquirrelMail is updated to version 1.4.22 to address several vulnerabilities, the most serious of which is a cross-site scripting issue. This issue does not affect OS X Lion systems. Further information is available via the SquirrelMail web site at http://www.SquirrelMail.org/ CVE-ID CVE-2010-1637 CVE-2010-2813 CVE-2010-4554 CVE-2010-4555 CVE-2011-2023 Subversion Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Accessing a Subversion repository may lead to the disclosure of sensitive information Description: Subversion is updated to version 1.6.17 to address multiple vulnerabilities, the most serious of which may lead to the disclosure of sensitive information. Further information is available via the Subversion web site at http://subversion.tigris.org/ CVE-ID CVE-2011-1752 CVE-2011-1783 CVE-2011-1921 Time Machine Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: A remote attacker may access new backups created by the user's system Description: The user may designate a remote AFP volume or Time Capsule to be used for Time Machine backups. Time Machine did not verify that the same device was being used for subsequent backup operations. An attacker who is able to spoof the remote volume could gain access to new backups created by the user's system. This issue is addressed by verifying the unique identifier associated with a disk for backup operations. CVE-ID CVE-2011-3462 : Michael Roitzsch of the Technische Universitat Dresden Tomcat Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8 Impact: Multiple vulnerabilities in Tomcat 6.0.32 Description: Tomcat is updated to version 6.0.33 to address multiple vulnerabilities, the most serious of which may lead to the disclosure of sensitive information. Tomcat is only provided on Mac OS X Server systems. This issue does not affect OS X Lion systems. Further information is available via the Tomcat site at http://tomcat.apache.org/ CVE-ID CVE-2011-2204 WebDAV Sharing Available for: OS X Lion Server v10.7 to v10.7.2 Impact: Local users may obtain system privileges Description: An issue existed in WebDAV Sharing's handling of user authentication. A user with a valid account on the server or one of its bound directories could cause the execution of arbitrary code with system privileges. This issue does not affect systems prior to OS X Lion. CVE-ID CVE-2011-3463 : Gordon Davisson of Crywolf Webmail Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Viewing a maliciously crafted e-mail message may lead to the disclosure of message content Description: A cross-site scripting vulnerability existed in the handling of mail messages. This issue is addressed by updating Roundcube Webmail to version 0.6. This issue does not affect systems prior to OS X Lion. Further information is available via the Roundcube site at http://trac.roundcube.net/ CVE-ID CVE-2011-2937 X11 Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in FreeType's handling of Type 1 fonts. Further information is available via the FreeType site at http://www.freetype.org/ CVE-ID CVE-2011-3256 : Apple OS X Lion v10.7.3 and Security Update 2012-001 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Security Update 2021-001 or OS X v10.7.3. For OS X Lion v10.7.2 The download file is named: MacOSXUpd10.7.3.dmg Its SHA-1 digest is: 7102fe8f9f47286c45dfa35f6e84e7f730493a7c For OS X Lion v10.7 and v10.7.1 The download file is named: MacOSXUpdCombo10.7.3.dmg Its SHA-1 digest is: 07dfce300f6801eb63d9ac13e0bec84e1862a16c For OS X Lion Server v10.7.2 The download file is named: MacOSXServerUpd10.7.3.dmg Its SHA-1 digest is: 55a9571635d4ec088c142d68132d0d69fcb8867d For OS X Lion Server v10.7 and v10.7.1 The download file is named: MacOSXServerUpdCombo10.7.3.dmg Its SHA-1 digest is: 2c87824f09734499ea166ea0617a3ac21ecf832b For Mac OS X v10.6.8 The download file is named: SecUpd2012-001Snow.dmg Its SHA-1 digest is: 40875ee8cb609bbaefc8f421a9c34cc353db42b8 For Mac OS X Server v10.6.8 The download file is named: SecUpdSrvr2012-001.dmg Its SHA-1 digest is: 53b3ca5548001a9920aeabed4a034c6e4657fe20 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) iQEcBAEBAgAGBQJPKYxNAAoJEGnF2JsdZQeeLiIIAMLhH2ipDFrhCsw/n4VDeF1V P6jSkGXC9tBBVMvw1Xq4c2ok4SI34bDfMlURAVR+dde/h6nIZR24aLQVoDLjJuIp RrO2dm1nQeozLJSx2NbxhVh54BucJdKp4xS1GkDNxkqcdh04RE9hRURXdKagnfGy 9P8QQPOQmKAiWos/LYhCPDInMfrpVNvEVwP8MCDP15g6hylN4De/Oyt7ZshPshSf MnAFObfBTGX5KioVqTyfdlBkKUfdXHJux61QEFHn8eadX6+/6IuKbUvK9B0icc8E pvbjOxQatFRps0KNWeIsKQc5i6iQoJhocAiIy6Y6LCuZQuSXCImY2RWXkVYzbWo= =c1eU -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c03280632 Version: 1 HPSBMU02764 SSRT100827 rev.1 - HP System Management Homepage (SMH) Running on Linux and Windows, Remote Cross Site Request Forgery (CSRF), Denial of Service (DoS), Execution of Arbitrary Code, Other Vulnerabilities NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2012-04-16 Last Updated: 2012-04-16 Potential Security Impact: Remote cross site request forgery (CSRF), Denial of Service (DoS), execution of arbitrary code, other vulnerabilities Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP System Management Homepage (SMH) running on Linux and Windows. The vulnerabilities could be exploited remotely and locally resulting in cross site request forgery (CSRF), Denial of Service (DoS), execution of arbitrary code, and other vulnerabilities. HP System Management Homepage (SMH) before v7.0 running on Linux and Windows. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2009-0037 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2010-0734 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2010-1452 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2010-1623 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2010-2068 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2010-2791 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2010-3436 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0 CVE-2010-4409 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2010-4645 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2011-0014 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2011-0195 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2011-0419 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2011-1148 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2011-1153 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2011-1464 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2011-1467 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2011-1468 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2011-1470 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2011-1471 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2011-1928 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2011-1938 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2011-1945 (AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6 CVE-2011-2192 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2011-2202 (AV:N/AC:L/Au:N/C:N/I:P/A:P) 6.4 CVE-2011-2483 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2011-3182 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2011-3189 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2011-3192 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8 CVE-2011-3267 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2011-3268 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2011-3207 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0 CVE-2011-3210 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2011-3348 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2011-3368 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2011-3639 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2011-3846 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2011-4317 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2012-0135 (AV:N/AC:M/Au:S/C:N/I:N/A:P) 3.5 CVE-2012-1993 (AV:L/AC:L/Au:S/C:P/I:P/A:N) 3.2 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 The Hewlett-Packard Company thanks Sow Ching Shiong coordinating with Secunia for reporting CVE-2011-3846 to security-alert@hp.com. RESOLUTION HP has provided HP System Management Homepage v7.0 or subsequent to resolve the vulnerabilities. SMH v7.0 is available here: http://h18000.www1.hp.com/products/servers/management/agents/index.html HISTORY Version:1 (rev.1) 16 April 2012 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430 Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2012 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. Packages for 2009.0 are provided as of the Extended Maintenance Program. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ---------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2012-0001 Synopsis: VMware ESXi and ESX updates to third party library and ESX Service Console Issue date: 2012-01-30 Updated on: 2012-01-30 (initial advisory) CVE numbers: --- COS Kernel --- CVE-2011-0726, CVE-2011-1078, CVE-2011-1079, CVE-2011-1080, CVE-2011-1093, CVE-2011-1163, CVE-2011-1166, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1494, CVE-2011-1495, CVE-2011-1577, CVE-2011-1763, CVE-2010-4649, CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182, CVE-2011-1573, CVE-2011-1576, CVE-2011-1593, CVE-2011-1745, CVE-2011-1746, CVE-2011-1776, CVE-2011-1936, CVE-2011-2022, CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525, CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495, CVE-2011-2517, CVE-2011-2519, CVE-2011-2901 --- COS cURL --- CVE-2011-2192 --- COS rpm --- CVE-2010-2059, CVE-2011-3378 --- COS samba --- CVE-2010-0547, CVE-2010-0787, CVE-2011-1678, CVE-2011-2522, CVE-2011-2694 --- COS python --- CVE-2009-3720, CVE-2010-3493, CVE-2011-1015, CVE-2011-1521 --- python library --- CVE-2009-3560, CVE-2009-3720, CVE-2010-1634, CVE-2010-2089, CVE-2011-1521 ---------------------------------------------------------------------- 1. Summary VMware ESXi and ESX updates to third party library and ESX Service Console address several security issues. 2. Relevant releases ESXi 4.1 without patch ESXi410-201201401-SG ESX 4.1 without patches ESX410-201201401-SG, ESX410-201201402-SG, ESX410-201201404-SG, ESX410-201201405-SG, ESX410-201201406-SG, ESX410-201201407-SG 3. Problem Description a. ESX third party update for Service Console kernel The ESX Service Console Operating System (COS) kernel is updated to kernel-2.6.18-274.3.1.el5 to fix multiple security issues in the COS kernel. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-0726, CVE-2011-1078, CVE-2011-1079, CVE-2011-1080, CVE-2011-1093, CVE-2011-1163, CVE-2011-1166, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1494, CVE-2011-1495, CVE-2011-1577, CVE-2011-1763, CVE-2010-4649, CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182, CVE-2011-1573, CVE-2011-1576, CVE-2011-1593, CVE-2011-1745, CVE-2011-1746, CVE-2011-1776, CVE-2011-1936, CVE-2011-2022, CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525, CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495, CVE-2011-2517, CVE-2011-2519, CVE-2011-2901 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 4.1 ESX ESX410-201201401-SG ESX 4.0 ESX patch pending ESX 3.5 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. b. ESX third party update for Service Console cURL RPM The ESX Service Console (COS) curl RPM is updated to cURL-7.15.5.9 resolving a security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2192 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 4.1 ESX ESX410-201201402-SG ESX 4.0 ESX patch pending ESX 3.5 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. c. ESX third party update for Service Console nspr and nss RPMs The ESX Service Console (COS) nspr and nss RPMs are updated to nspr-4.8.8-1.el5_7 and nss-3.12.10-4.el5_7 respectively resolving a security issues. A Certificate Authority (CA) issued fraudulent SSL certificates and Netscape Portable Runtime (NSPR) and Network Security Services (NSS) contain the built-in tokens of this fraudulent Certificate Authority. This update renders all SSL certificates signed by the fraudulent CA as untrusted for all uses. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 4.1 ESX ESX410-201201404-SG ESX 4.0 ESX patch pending ESX 3.5 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. d. ESX third party update for Service Console rpm RPMs The ESX Service Console Operating System (COS) rpm packages are updated to popt-1.10.2.3-22.el5_7.2, rpm-4.4.2.3-22.el5_7.2, rpm-libs-4.4.2.3-22.el5_7.2 and rpm-python-4.4.2.3-22.el5_7.2 which fixes multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-2059 and CVE-2011-3378 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 4.1 ESX ESX410-201201406-SG ESX 4.0 ESX patch pending ESX 3.5 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. e. ESX third party update for Service Console samba RPMs The ESX Service Console Operating System (COS) samba packages are updated to samba-client-3.0.33-3.29.el5_7.4, samba-common-3.0.33-3.29.el5_7.4 and libsmbclient-3.0.33-3.29.el5_7.4 which fixes multiple security issues in the Samba client. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0547, CVE-2010-0787, CVE-2011-1678, CVE-2011-2522 and CVE-2011-2694 to these issues. Note that ESX does not include the Samba Web Administration Tool (SWAT) and therefore ESX COS is not affected by CVE-2011-2522 and CVE-2011-2694. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 4.1 ESX ESX410-201201407-SG ESX 4.0 ESX patch pending ESX 3.5 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. f. ESX third party update for Service Console python package The ESX Service Console (COS) python package is updated to 2.4.3-44 which fixes multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-3720, CVE-2010-3493, CVE-2011-1015 and CVE-2011-1521 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 4.1 ESX ESX410-201201405-SG ESX 4.0 ESX patch pending ESX 3.5 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. g. ESXi update to third party component python The python third party library is updated to python 2.5.6 which fixes multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-3560, CVE-2009-3720, CVE-2010-1634, CVE-2010-2089, and CVE-2011-1521 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi 5.0 ESXi patch pending ESXi 4.1 ESXi ESXi410-201201401-SG ESXi 4.0 ESXi patch pending ESXi 3.5 ESXi patch pending ESX 4.1 ESX not affected ESX 4.0 ESX not affected ESX 3.5 ESX not affected * hosted products are VMware Workstation, Player, ACE, Fusion. 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. VMware ESXi 4.1 --------------- ESXi410-201201401 http://downloads.vmware.com/go/selfsupport-download md5sum: BDF86F10A973346E26C9C2CD4C424E88 sha1sum: CC0B92869A9AAE4F5E0E5B81BEE109BCD7DA780F http://kb.vmware.com/kb/2009143 ESXi410-201201401 contains ESXi410-201201401-SG VMware ESX 4.1 -------------- ESX410-201201001 http://downloads.vmware.com/go/selfsupport-download md5sum: 16DF9ACD3E74BCABC2494BC23AD0927F sha1sum: 1066AE1436E1A75BA3D541AB65296CFB9AB7A5CC http://kb.vmware.com/kb/2009142 ESX410-201201001 contains ESX410-201201401-SG, ESX410-201201402-SG, ESX410-201201404-SG, ESX410-201201405-SG, ESX410-201201406-SG and ESX410-201201407-SG 5. References CVE numbers --- COS Kernel --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0726 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1078 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1079 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1080 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1093 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1163 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1166 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1170 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1171 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1172 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1494 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1495 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1577 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1763 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4649 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0695 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0711 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1044 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1182 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1573 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1576 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1593 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1745 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1746 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1776 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1936 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2022 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2213 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2492 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1780 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2525 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2689 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2482 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2491 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2495 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2517 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2519 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2901 --- COS cURL --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2192 --- COS rpm --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3378 --- COS samba --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0547 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0787 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1678 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2522 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2694 --- COS python --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3493 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1015 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521 --- python library --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1634 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2089 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521 ---------------------------------------------------------------------- 6. Change log 2012-01-30 VMSA-2012-0001 Initial security advisory in conjunction with the release of patches for ESX 4.1 and ESXi 4.1 on 2012-01-30. ---------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2012 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFPJ5DIDEcm8Vbi9kMRAnzCAKCmaAoDp49d61Mr1emzh/U0N8vbgACdFZk8 f2pLxi537s+ew4dvnYNWlJ8= =OAh4 -----END PGP SIGNATURE----- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201203-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: cURL: Multiple vulnerabilities Date: March 06, 2012 Bugs: #308645, #373235, #400799 ID: 201203-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in cURL, the worst of which might allow remote execution of arbitrary code. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/curl < 7.24.0 >= 7.24.0 Description =========== Multiple vulnerabilities have been found in cURL: * When zlib is enabled, the amount of data sent to an application for automatic decompression is not restricted (CVE-2010-0734). * When SSL is enabled, cURL improperly disables the OpenSSL workaround to mitigate an information disclosure vulnerability in the SSL and TLS protocols (CVE-2011-3389). * libcurl does not properly verify file paths for escape control characters in IMAP, POP3 or SMTP URLs (CVE-2012-0036). Impact ====== A remote attacker could entice a user or automated process to open a specially crafted file or URL using cURL, possibly resulting in the remote execution of arbitrary code, a Denial of Service condition, disclosure of sensitive information, or unwanted actions performed via the IMAP, POP3 or SMTP protocols. Workaround ========== There is no known workaround at this time. Resolution ========== All cURL users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/curl-7.24.0" References ========== [ 1 ] CVE-2010-0734 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0734 [ 2 ] CVE-2011-2192 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2192 [ 3 ] CVE-2011-3389 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389 [ 4 ] CVE-2012-0036 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0036 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201203-02.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
VAR-201106-0163 CVE-2011-0212 Apple Mac OS X of servermgrd Vulnerable to reading arbitrary files CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
servermgrd in Apple Mac OS X before 10.6.8 allows remote attackers to read arbitrary files, and possibly send HTTP requests to intranet servers or cause a denial of service (CPU and memory consumption), via an XML-RPC request containing an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue. Apple Mac OS X is prone to an information-disclosure vulnerability in 'servermgrd'. A remote attacker can exploit this issue to retrieve arbitrary files from the vulnerable computer. Information obtained may aid in further attacks. NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45054 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45054/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 RELEASE DATE: 2011-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/45054/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45054/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset. 2) An error within App Store may lead to a user's AppleID password being logged to a local file. 3) An unspecified error in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks. 5) An integer overflow error when processing ColorSync profiles embedded in images can be exploited to cause a heap-based buffer overflow and potentially execute arbitrary code via a specially crafted image. 6) An off-by-one error within the CoreFoundation framework when handling CFStrings can be exploited to execute arbitrary code. 7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file. 8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files. 9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow. 10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow. 11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow. 12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset. 13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption. 14) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks. 16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL. For more information: SA41048 SA41716 17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL. For more information: SA37291 SA38807 SA42243 SA42473 SA43227 18) A vulnerability is caused due to a vulnerable bundled version of GNU patch. For more information: SA43677 19) An unspecified error in QuickLook within the processing of Microsoft Office files can be exploited to corrupt memory, which may allow execution of arbitrary code. 20) An integer overflow error in QuickTime when handling RIFF WAV files can be exploited to execute arbitrary code. 21) An error within QuickTime when processing sample tables in QuickTime movie files can be exploited to corrupt memory, which may allow execution of arbitrary code. 22) An integer overflow error in QuickTime when handling certain movie files can be exploited to execute arbitrary code. 23) An error in QuickTime when handling PICT image files can be exploited to cause a buffer overflow and execute arbitrary code. 24) An error in QuickTime when handling JPEG image files can be exploited to cause a buffer overflow and execute arbitrary code. 25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba. For more information: SA41354 SA43512 26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources. 27) A vulnerability is caused due to a vulnerable bundled version of subversion. For more information: SA43603 SOLUTION: Update to version 10.6.8 or apply Security Update 2011-004. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 2) Paul Nelson 3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen 4) Chris Hawk and Wan-Teh Chang, Google 5) binaryproof via ZDI 6) Harry Sintonen 7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 8) team karlkani 9) Dominic Chell, NGS Secure 10) Harry Sintonen 11) David Bienvenu, Mozilla 12) Thomas Clement, Intego 13) Maksymilian Arciemowicz 14) Chris Evans, Google Chrome Security Team 15) Aaron Sigel, vtty.com 19)Tobias Klein via iDefense 20, 22) Luigi Auriemma via ZDI 21) Honggang Ren, Fortinet's FortiGuard Labs 23) Subreption LLC via ZDI 24) Luigi Auriemma via iDefense 1, 26) Reported by the vendor ORIGINAL ADVISORY: Apple Security Update 2011-004: http://support.apple.com/kb/HT4723 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201106-0164 CVE-2011-0213 Apple Mac OS X of QuickTime Vulnerable to buffer overflow CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Buffer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG file. Apple Mac OS X is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. This issue affects Mac OS X 10.6 through 10.6.7 and Mac OS X Server 10.6 through 10.6.7. NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. Viewing a maliciously crafted pict file may lead to an unexpected application termination or arbitrary code execution. Viewing a maliciously crafted JPEG2000 image with QuickTime may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0186 : Will Dormann of the CERT/CC QuickTime Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to the disclosure of video data from another site Description: A cross-origin issue existed in QuickTime plug-in's handling of cross-site redirects. Visiting a maliciously crafted website may lead to the disclosure of video data from another site. This issue is addressed by preventing QuickTime from following cross- site redirects. Playing a maliciously crafted WAV file may lead to an unexpected application termination or arbitrary code execution. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Viewing a maliciously crafted JPEG file may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0213 : Luigi Auriemma working with iDefense VCP QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted GIF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in QuickTime's handling of GIF images. Viewing a maliciously crafted GIF image may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0246 : an anonymous contributor working with Beyond Security's SecuriTeam Secure Disclosure program QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution Description: Multiple stack buffer overflows existed in the handling of H.264 encoded movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0247 : Roi Mallo and Sherab Giovannini working with TippingPoint's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website using Internet Explorer may lead to an unexpected application termination or arbitrary code execution Description: A stack buffer overflow existed in the QuickTime ActiveX control's handling of QTL files. Visiting a maliciously crafted website using Internet Explorer may lead to an unexpected application termination or arbitrary code execution. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative QuickTime 7.7 may be obtained from the Software Update application, or from the QuickTime Downloads site: http://www.apple.com/quicktime/download/ For Mac OS X v10.5.8 The download file is named: "QuickTime77Leopard.dmg" Its SHA-1 digest is: 0deb99cc44015af7c396750d2c9dd4cbd59fb355 For Windows 7 / Vista / XP SP3 The download file is named: "QuickTimeInstaller.exe" Its SHA-1 digest is: a99f61d67be6a6b42e11d17b0b4f25cd88b74dc9 QuickTime is incorporated into Mac OS X v10.6 and later. QuickTime 7.7 is not presented to systems running Mac OS X v10.6 or later. Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (Darwin) iQEcBAEBAgAGBQJOOZuHAAoJEGnF2JsdZQeeNWIH/A+KRxzYTBC5nCZQ6m/sRdU0 OrauYjVbXIj1LUgMS9+I0wW4Zg7xtGBEjYBnqiuNuajP5W2+Ts8mNe75ZlEFlNto KFQI7NS/OsTrjCTR1m1sF2zvsyMKDOjviIy90+PDGKejC8c3Zu/Y8GSdZ++I4aEf J2g7BqhBDW/RFOemPGrcvr/iwu3twdkiAHeLXFCcecNCKjSUfoxXDuPd/Ege/kS7 95wsNkLjypSEuLpcmjATSXp5X58nzbUCsrQ2doPzLy1/8oWiG9XsiZznmcYlLhHg trYm+KIMdqBOQWI3uhG+3dG6l2xkJxdYNxHRHXFh78QH0NblHg9u3PmhELUBeXU= =H+iO -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45054 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45054/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 RELEASE DATE: 2011-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/45054/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45054/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset. 2) An error within App Store may lead to a user's AppleID password being logged to a local file. 3) An unspecified error in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks. 7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file. 8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files. 9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow. 10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow. 11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow. 12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset. 13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption. 14) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks. 16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL. For more information: SA41048 SA41716 17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL. For more information: SA37291 SA38807 SA42243 SA42473 SA43227 18) A vulnerability is caused due to a vulnerable bundled version of GNU patch. For more information: SA43677 19) An unspecified error in QuickLook within the processing of Microsoft Office files can be exploited to corrupt memory, which may allow execution of arbitrary code. 25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba. For more information: SA41354 SA43512 26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources. 27) A vulnerability is caused due to a vulnerable bundled version of subversion. For more information: SA43603 SOLUTION: Update to version 10.6.8 or apply Security Update 2011-004. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 2) Paul Nelson 3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen 4) Chris Hawk and Wan-Teh Chang, Google 5) binaryproof via ZDI 6) Harry Sintonen 7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 8) team karlkani 9) Dominic Chell, NGS Secure 10) Harry Sintonen 11) David Bienvenu, Mozilla 12) Thomas Clement, Intego 13) Maksymilian Arciemowicz 14) Chris Evans, Google Chrome Security Team 15) Aaron Sigel, vtty.com 19)Tobias Klein via iDefense 20, 22) Luigi Auriemma via ZDI 21) Honggang Ren, Fortinet's FortiGuard Labs 23) Subreption LLC via ZDI 24) Luigi Auriemma via iDefense 1, 26) Reported by the vendor ORIGINAL ADVISORY: Apple Security Update 2011-004: http://support.apple.com/kb/HT4723 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201106-0158 CVE-2011-0207 Apple Mac OS X of MobileMe Vulnerable to obtaining important alias information CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The MobileMe component in Apple Mac OS X before 10.6.8 uses a cleartext HTTP session for the Mail application to read e-mail aliases, which allows remote attackers to obtain potentially sensitive alias information by sniffing the network. Apple Mac OS X is prone to an information-disclosure vulnerability in MobileMe. A man-in-the-middle attacker may be able to exploit this issue to retrieve MobileMe email aliases. Information obtained may aid in further attacks. NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. A remote attacker could sniff this network for potentially sensitive alias information. ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45054 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45054/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 RELEASE DATE: 2011-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/45054/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45054/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset. 2) An error within App Store may lead to a user's AppleID password being logged to a local file. 3) An unspecified error in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks. 5) An integer overflow error when processing ColorSync profiles embedded in images can be exploited to cause a heap-based buffer overflow and potentially execute arbitrary code via a specially crafted image. 6) An off-by-one error within the CoreFoundation framework when handling CFStrings can be exploited to execute arbitrary code. 7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file. 8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files. 9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow. 10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow. 11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow. 12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset. 13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption. 14) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 15) An error exists within MobileMe when determining a user's email aliases. 16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL. For more information: SA41048 SA41716 17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL. For more information: SA37291 SA38807 SA42243 SA42473 SA43227 18) A vulnerability is caused due to a vulnerable bundled version of GNU patch. For more information: SA43677 19) An unspecified error in QuickLook within the processing of Microsoft Office files can be exploited to corrupt memory, which may allow execution of arbitrary code. 20) An integer overflow error in QuickTime when handling RIFF WAV files can be exploited to execute arbitrary code. 21) An error within QuickTime when processing sample tables in QuickTime movie files can be exploited to corrupt memory, which may allow execution of arbitrary code. 22) An integer overflow error in QuickTime when handling certain movie files can be exploited to execute arbitrary code. 23) An error in QuickTime when handling PICT image files can be exploited to cause a buffer overflow and execute arbitrary code. 24) An error in QuickTime when handling JPEG image files can be exploited to cause a buffer overflow and execute arbitrary code. 25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba. For more information: SA41354 SA43512 26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources. 27) A vulnerability is caused due to a vulnerable bundled version of subversion. For more information: SA43603 SOLUTION: Update to version 10.6.8 or apply Security Update 2011-004. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 2) Paul Nelson 3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen 4) Chris Hawk and Wan-Teh Chang, Google 5) binaryproof via ZDI 6) Harry Sintonen 7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 8) team karlkani 9) Dominic Chell, NGS Secure 10) Harry Sintonen 11) David Bienvenu, Mozilla 12) Thomas Clement, Intego 13) Maksymilian Arciemowicz 14) Chris Evans, Google Chrome Security Team 15) Aaron Sigel, vtty.com 19)Tobias Klein via iDefense 20, 22) Luigi Auriemma via ZDI 21) Honggang Ren, Fortinet's FortiGuard Labs 23) Subreption LLC via ZDI 24) Luigi Auriemma via iDefense 1, 26) Reported by the vendor ORIGINAL ADVISORY: Apple Security Update 2011-004: http://support.apple.com/kb/HT4723 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201106-0162 CVE-2011-0211 Apple Mac OS X of QuickTime Vulnerable to arbitrary code execution CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Integer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the way Quicktime handles Apple Lossless Audio Codec streams. While parsing the sample description for the 'alac' codec an integer wrap can occur that results in the allocation of a memory buffer that is smaller than intended. When Quicktime writes to this buffer it causes a memory corruption that can lead to remote code execution under the context of the current user. Apple Mac OS X is prone to an integer-overflow vulnerability that occurs in QuickTime. Failed exploit attempts will likely result in denial-of-service conditions. The following versions are affected: Mac OS X 10.6 through v10.6.7 Mac OS X Server 10.6 through v10.6.7 NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. Viewing a maliciously crafted pict file may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0186 : Will Dormann of the CERT/CC QuickTime Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to the disclosure of video data from another site Description: A cross-origin issue existed in QuickTime plug-in's handling of cross-site redirects. Visiting a maliciously crafted website may lead to the disclosure of video data from another site. This issue is addressed by preventing QuickTime from following cross- site redirects. Playing a maliciously crafted WAV file may lead to an unexpected application termination or arbitrary code execution. Viewing a maliciously crafted JPEG file may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0213 : Luigi Auriemma working with iDefense VCP QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted GIF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in QuickTime's handling of GIF images. Viewing a maliciously crafted GIF image may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0246 : an anonymous contributor working with Beyond Security's SecuriTeam Secure Disclosure program QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution Description: Multiple stack buffer overflows existed in the handling of H.264 encoded movie files. CVE-ID CVE-2011-0247 : Roi Mallo and Sherab Giovannini working with TippingPoint's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website using Internet Explorer may lead to an unexpected application termination or arbitrary code execution Description: A stack buffer overflow existed in the QuickTime ActiveX control's handling of QTL files. Visiting a maliciously crafted website using Internet Explorer may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative QuickTime 7.7 may be obtained from the Software Update application, or from the QuickTime Downloads site: http://www.apple.com/quicktime/download/ For Mac OS X v10.5.8 The download file is named: "QuickTime77Leopard.dmg" Its SHA-1 digest is: 0deb99cc44015af7c396750d2c9dd4cbd59fb355 For Windows 7 / Vista / XP SP3 The download file is named: "QuickTimeInstaller.exe" Its SHA-1 digest is: a99f61d67be6a6b42e11d17b0b4f25cd88b74dc9 QuickTime is incorporated into Mac OS X v10.6 and later. Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (Darwin) iQEcBAEBAgAGBQJOOZuHAAoJEGnF2JsdZQeeNWIH/A+KRxzYTBC5nCZQ6m/sRdU0 OrauYjVbXIj1LUgMS9+I0wW4Zg7xtGBEjYBnqiuNuajP5W2+Ts8mNe75ZlEFlNto KFQI7NS/OsTrjCTR1m1sF2zvsyMKDOjviIy90+PDGKejC8c3Zu/Y8GSdZ++I4aEf J2g7BqhBDW/RFOemPGrcvr/iwu3twdkiAHeLXFCcecNCKjSUfoxXDuPd/Ege/kS7 95wsNkLjypSEuLpcmjATSXp5X58nzbUCsrQ2doPzLy1/8oWiG9XsiZznmcYlLhHg trYm+KIMdqBOQWI3uhG+3dG6l2xkJxdYNxHRHXFh78QH0NblHg9u3PmhELUBeXU= =H+iO -----END PGP SIGNATURE----- . ZDI-11-230: Apple Quicktime Apple Lossless Audio Codec Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-230 June 29, 2011 -- CVE ID: CVE-2011-0211 -- CVSS: 7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P) -- Affected Vendors: Apple -- Affected Products: Apple Quicktime -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11428. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4723 -- Disclosure Timeline: 2011-04-11 - Vulnerability reported to vendor 2011-06-29 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Luigi Auriemma * Damian Put -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45054 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45054/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 RELEASE DATE: 2011-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/45054/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45054/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset. 2) An error within App Store may lead to a user's AppleID password being logged to a local file. 3) An unspecified error in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks. 7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file. 8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files. 9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow. 10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow. 11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow. 12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset. 13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption. 14) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks. 16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL. For more information: SA41048 SA41716 17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL. For more information: SA37291 SA38807 SA42243 SA42473 SA43227 18) A vulnerability is caused due to a vulnerable bundled version of GNU patch. For more information: SA43677 19) An unspecified error in QuickLook within the processing of Microsoft Office files can be exploited to corrupt memory, which may allow execution of arbitrary code. 25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba. For more information: SA41354 SA43512 26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources. 27) A vulnerability is caused due to a vulnerable bundled version of subversion. For more information: SA43603 SOLUTION: Update to version 10.6.8 or apply Security Update 2011-004. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 2) Paul Nelson 3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen 4) Chris Hawk and Wan-Teh Chang, Google 5) binaryproof via ZDI 6) Harry Sintonen 7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 8) team karlkani 9) Dominic Chell, NGS Secure 10) Harry Sintonen 11) David Bienvenu, Mozilla 12) Thomas Clement, Intego 13) Maksymilian Arciemowicz 14) Chris Evans, Google Chrome Security Team 15) Aaron Sigel, vtty.com 19)Tobias Klein via iDefense 20, 22) Luigi Auriemma via ZDI 21) Honggang Ren, Fortinet's FortiGuard Labs 23) Subreption LLC via ZDI 24) Luigi Auriemma via iDefense 1, 26) Reported by the vendor ORIGINAL ADVISORY: Apple Security Update 2011-004: http://support.apple.com/kb/HT4723 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201106-0156 CVE-2011-0205 Apple Mac OS X of ImageIO Heap-based buffer overflow vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Heap-based buffer overflow in ImageIO in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG2000 image. Apple Mac OS X is prone to a heap buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45054 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45054/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 RELEASE DATE: 2011-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/45054/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45054/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset. NOTE: This vulnerability does not affect Mac OS X 10.6. 2) An error within App Store may lead to a user's AppleID password being logged to a local file. 4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks. 7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file. 8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files. 9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow. 10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow. 11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow. 12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset. 13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption. 14) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks. 16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL. For more information: SA41048 SA41716 17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL. For more information: SA37291 SA38807 SA42243 SA42473 SA43227 18) A vulnerability is caused due to a vulnerable bundled version of GNU patch. For more information: SA43677 19) An unspecified error in QuickLook within the processing of Microsoft Office files can be exploited to corrupt memory, which may allow execution of arbitrary code. NOTE: This vulnerability only affects Mac OS X 10.6. 20) An integer overflow error in QuickTime when handling RIFF WAV files can be exploited to execute arbitrary code. 21) An error within QuickTime when processing sample tables in QuickTime movie files can be exploited to corrupt memory, which may allow execution of arbitrary code. 22) An integer overflow error in QuickTime when handling certain movie files can be exploited to execute arbitrary code. 25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba. For more information: SA41354 SA43512 26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources. 27) A vulnerability is caused due to a vulnerable bundled version of subversion. For more information: SA43603 SOLUTION: Update to version 10.6.8 or apply Security Update 2011-004. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 2) Paul Nelson 3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen 4) Chris Hawk and Wan-Teh Chang, Google 5) binaryproof via ZDI 6) Harry Sintonen 7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 8) team karlkani 9) Dominic Chell, NGS Secure 10) Harry Sintonen 11) David Bienvenu, Mozilla 12) Thomas Clement, Intego 13) Maksymilian Arciemowicz 14) Chris Evans, Google Chrome Security Team 15) Aaron Sigel, vtty.com 19)Tobias Klein via iDefense 20, 22) Luigi Auriemma via ZDI 21) Honggang Ren, Fortinet's FortiGuard Labs 23) Subreption LLC via ZDI 24) Luigi Auriemma via iDefense 1, 26) Reported by the vendor ORIGINAL ADVISORY: Apple Security Update 2011-004: http://support.apple.com/kb/HT4723 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201106-0161 CVE-2011-0210 Apple Mac OS X of QuickTime Vulnerable to arbitrary code execution CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted sample tables in a movie file. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. Viewing a maliciously crafted pict file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect Mac OS X v10.7 systems. Viewing a maliciously crafted JPEG2000 image with QuickTime may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.7. This issue does not affect Mac OS X v10.7 systems. Visiting a maliciously crafted website may lead to the disclosure of video data from another site. This issue is addressed by preventing QuickTime from following cross- site redirects. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.7. This issue does not affect Mac OS X v10.7 systems. Playing a maliciously crafted WAV file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect Mac OS X v10.7 systems. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect Mac OS X v10.7 systems. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect Mac OS X v10.7 systems. CVE-ID CVE-2011-0211 : Luigi Auriemma working with TippingPoint's Zero Day Initiative QuickTime Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted JPEG file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in QuickTime's handling of JPEG files. Viewing a maliciously crafted JPEG file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. This issue does not affect Mac OS X v10.7 systems. CVE-ID CVE-2011-0213 : Luigi Auriemma working with iDefense VCP QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted GIF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in QuickTime's handling of GIF images. Viewing a maliciously crafted GIF image may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X systems. CVE-ID CVE-2011-0246 : an anonymous contributor working with Beyond Security's SecuriTeam Secure Disclosure program QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution Description: Multiple stack buffer overflows existed in the handling of H.264 encoded movie files. Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution. These issues do not affect Mac OS X systems. CVE-ID CVE-2011-0247 : Roi Mallo and Sherab Giovannini working with TippingPoint's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website using Internet Explorer may lead to an unexpected application termination or arbitrary code execution Description: A stack buffer overflow existed in the QuickTime ActiveX control's handling of QTL files. Visiting a maliciously crafted website using Internet Explorer may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X systems. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X v10.7 systems. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X v10.7 systems. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X v10.7 systems. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X v10.7 systems. CVE-ID CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative QuickTime 7.7 may be obtained from the Software Update application, or from the QuickTime Downloads site: http://www.apple.com/quicktime/download/ For Mac OS X v10.5.8 The download file is named: "QuickTime77Leopard.dmg" Its SHA-1 digest is: 0deb99cc44015af7c396750d2c9dd4cbd59fb355 For Windows 7 / Vista / XP SP3 The download file is named: "QuickTimeInstaller.exe" Its SHA-1 digest is: a99f61d67be6a6b42e11d17b0b4f25cd88b74dc9 QuickTime is incorporated into Mac OS X v10.6 and later. Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (Darwin) iQEcBAEBAgAGBQJOOZuHAAoJEGnF2JsdZQeeNWIH/A+KRxzYTBC5nCZQ6m/sRdU0 OrauYjVbXIj1LUgMS9+I0wW4Zg7xtGBEjYBnqiuNuajP5W2+Ts8mNe75ZlEFlNto KFQI7NS/OsTrjCTR1m1sF2zvsyMKDOjviIy90+PDGKejC8c3Zu/Y8GSdZ++I4aEf J2g7BqhBDW/RFOemPGrcvr/iwu3twdkiAHeLXFCcecNCKjSUfoxXDuPd/Ege/kS7 95wsNkLjypSEuLpcmjATSXp5X58nzbUCsrQ2doPzLy1/8oWiG9XsiZznmcYlLhHg trYm+KIMdqBOQWI3uhG+3dG6l2xkJxdYNxHRHXFh78QH0NblHg9u3PmhELUBeXU= =H+iO -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45054 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45054/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 RELEASE DATE: 2011-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/45054/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45054/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset. 2) An error within App Store may lead to a user's AppleID password being logged to a local file. 3) An unspecified error in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks. 5) An integer overflow error when processing ColorSync profiles embedded in images can be exploited to cause a heap-based buffer overflow and potentially execute arbitrary code via a specially crafted image. 7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file. 8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files. 9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow. 10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow. 11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow. 12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset. 13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption. 14) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks. 16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL. For more information: SA41048 SA41716 17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL. For more information: SA37291 SA38807 SA42243 SA42473 SA43227 18) A vulnerability is caused due to a vulnerable bundled version of GNU patch. For more information: SA43677 19) An unspecified error in QuickLook within the processing of Microsoft Office files can be exploited to corrupt memory, which may allow execution of arbitrary code. 25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba. For more information: SA41354 SA43512 26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources. 27) A vulnerability is caused due to a vulnerable bundled version of subversion. For more information: SA43603 SOLUTION: Update to version 10.6.8 or apply Security Update 2011-004. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 2) Paul Nelson 3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen 4) Chris Hawk and Wan-Teh Chang, Google 5) binaryproof via ZDI 6) Harry Sintonen 7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 8) team karlkani 9) Dominic Chell, NGS Secure 10) Harry Sintonen 11) David Bienvenu, Mozilla 12) Thomas Clement, Intego 13) Maksymilian Arciemowicz 14) Chris Evans, Google Chrome Security Team 15) Aaron Sigel, vtty.com 19)Tobias Klein via iDefense 20, 22) Luigi Auriemma via ZDI 21) Honggang Ren, Fortinet's FortiGuard Labs 23) Subreption LLC via ZDI 24) Luigi Auriemma via iDefense 1, 26) Reported by the vendor ORIGINAL ADVISORY: Apple Security Update 2011-004: http://support.apple.com/kb/HT4723 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201106-0154 CVE-2011-0203 Apple Mac OS X of FTP Server Absolute path traversal vulnerability in components CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Absolute path traversal vulnerability in xftpd in the FTP Server component in Apple Mac OS X before 10.6.8 allows remote attackers to list arbitrary directories by using the root directory as the starting point of a recursive listing. An attacker can exploit this issue to list files from directories outside of the FTP root directory. Successful exploits may lead to other attacks. This issue affects Apple Mac OS X server 10.6 through 10.6.7. NOTE: This issue was previously covered in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities ) but has been assigned its own record to better document it. ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45054 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45054/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 RELEASE DATE: 2011-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/45054/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45054/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset. 2) An error within App Store may lead to a user's AppleID password being logged to a local file. 3) An unspecified error in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks. 5) An integer overflow error when processing ColorSync profiles embedded in images can be exploited to cause a heap-based buffer overflow and potentially execute arbitrary code via a specially crafted image. 6) An off-by-one error within the CoreFoundation framework when handling CFStrings can be exploited to execute arbitrary code. 7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file. 8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files. 9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow. 10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow. 11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow. 12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset. 13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption. 14) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks. 16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL. For more information: SA41048 SA41716 17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL. For more information: SA37291 SA38807 SA42243 SA42473 SA43227 18) A vulnerability is caused due to a vulnerable bundled version of GNU patch. For more information: SA43677 19) An unspecified error in QuickLook within the processing of Microsoft Office files can be exploited to corrupt memory, which may allow execution of arbitrary code. 20) An integer overflow error in QuickTime when handling RIFF WAV files can be exploited to execute arbitrary code. 21) An error within QuickTime when processing sample tables in QuickTime movie files can be exploited to corrupt memory, which may allow execution of arbitrary code. 22) An integer overflow error in QuickTime when handling certain movie files can be exploited to execute arbitrary code. 23) An error in QuickTime when handling PICT image files can be exploited to cause a buffer overflow and execute arbitrary code. 24) An error in QuickTime when handling JPEG image files can be exploited to cause a buffer overflow and execute arbitrary code. 25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba. For more information: SA41354 SA43512 26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources. 27) A vulnerability is caused due to a vulnerable bundled version of subversion. For more information: SA43603 SOLUTION: Update to version 10.6.8 or apply Security Update 2011-004. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 2) Paul Nelson 3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen 4) Chris Hawk and Wan-Teh Chang, Google 5) binaryproof via ZDI 6) Harry Sintonen 7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 8) team karlkani 9) Dominic Chell, NGS Secure 10) Harry Sintonen 11) David Bienvenu, Mozilla 12) Thomas Clement, Intego 13) Maksymilian Arciemowicz 14) Chris Evans, Google Chrome Security Team 15) Aaron Sigel, vtty.com 19)Tobias Klein via iDefense 20, 22) Luigi Auriemma via ZDI 21) Honggang Ren, Fortinet's FortiGuard Labs 23) Subreption LLC via ZDI 24) Luigi Auriemma via iDefense 1, 26) Reported by the vendor ORIGINAL ADVISORY: Apple Security Update 2011-004: http://support.apple.com/kb/HT4723 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201106-0150 CVE-2011-0199 Apple Mac OS X  of  Certificate Trust Policy  in the component  SSL  Vulnerability to forge servers CVSS V2: 5.8
CVSS V3: 5.9
Severity: MEDIUM
The Certificate Trust Policy component in Apple Mac OS X before 10.6.8 does not perform CRL checking for Extended Validation (EV) certificates that lack OCSP URLs, which might allow man-in-the-middle attackers to spoof an SSL server via a revoked certificate. An attacker can exploit this issue to bypass security restrictions and use a revoked certificate. This may allow attackers to gain access to sensitive information or perform other attacks. NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45054 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45054/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 RELEASE DATE: 2011-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/45054/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45054/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset. 2) An error within App Store may lead to a user's AppleID password being logged to a local file. 3) An unspecified error in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 5) An integer overflow error when processing ColorSync profiles embedded in images can be exploited to cause a heap-based buffer overflow and potentially execute arbitrary code via a specially crafted image. 6) An off-by-one error within the CoreFoundation framework when handling CFStrings can be exploited to execute arbitrary code. 7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file. 8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files. 9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow. 10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow. 11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow. 12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset. 13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption. 14) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks. 16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL. For more information: SA41048 SA41716 17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL. For more information: SA37291 SA38807 SA42243 SA42473 SA43227 18) A vulnerability is caused due to a vulnerable bundled version of GNU patch. For more information: SA43677 19) An unspecified error in QuickLook within the processing of Microsoft Office files can be exploited to corrupt memory, which may allow execution of arbitrary code. 20) An integer overflow error in QuickTime when handling RIFF WAV files can be exploited to execute arbitrary code. 21) An error within QuickTime when processing sample tables in QuickTime movie files can be exploited to corrupt memory, which may allow execution of arbitrary code. 22) An integer overflow error in QuickTime when handling certain movie files can be exploited to execute arbitrary code. 23) An error in QuickTime when handling PICT image files can be exploited to cause a buffer overflow and execute arbitrary code. 24) An error in QuickTime when handling JPEG image files can be exploited to cause a buffer overflow and execute arbitrary code. 25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba. For more information: SA41354 SA43512 26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources. 27) A vulnerability is caused due to a vulnerable bundled version of subversion. For more information: SA43603 SOLUTION: Update to version 10.6.8 or apply Security Update 2011-004. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 2) Paul Nelson 3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen 4) Chris Hawk and Wan-Teh Chang, Google 5) binaryproof via ZDI 6) Harry Sintonen 7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 8) team karlkani 9) Dominic Chell, NGS Secure 10) Harry Sintonen 11) David Bienvenu, Mozilla 12) Thomas Clement, Intego 13) Maksymilian Arciemowicz 14) Chris Evans, Google Chrome Security Team 15) Aaron Sigel, vtty.com 19)Tobias Klein via iDefense 20, 22) Luigi Auriemma via ZDI 21) Honggang Ren, Fortinet's FortiGuard Labs 23) Subreption LLC via ZDI 24) Luigi Auriemma via iDefense 1, 26) Reported by the vendor ORIGINAL ADVISORY: Apple Security Update 2011-004: http://support.apple.com/kb/HT4723 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201106-0149 CVE-2011-0198 Apple Mac OS X of Apple Type Services Heap-based buffer overflow vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code via a crafted embedded TrueType font. Apple Mac OS X is prone to a heap buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. This issue affects Mac OS X 10.6 through 10.6.7 and Mac OS X Server 10.6 through 10.6.7. NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45054 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45054/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 RELEASE DATE: 2011-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/45054/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45054/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset. 2) An error within App Store may lead to a user's AppleID password being logged to a local file. 4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks. 7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file. 8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files. 9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow. 10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow. 11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow. 12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset. 13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption. 14) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks. 16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL. For more information: SA41048 SA41716 17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL. For more information: SA37291 SA38807 SA42243 SA42473 SA43227 18) A vulnerability is caused due to a vulnerable bundled version of GNU patch. For more information: SA43677 19) An unspecified error in QuickLook within the processing of Microsoft Office files can be exploited to corrupt memory, which may allow execution of arbitrary code. 20) An integer overflow error in QuickTime when handling RIFF WAV files can be exploited to execute arbitrary code. 21) An error within QuickTime when processing sample tables in QuickTime movie files can be exploited to corrupt memory, which may allow execution of arbitrary code. 22) An integer overflow error in QuickTime when handling certain movie files can be exploited to execute arbitrary code. 23) An error in QuickTime when handling PICT image files can be exploited to cause a buffer overflow and execute arbitrary code. 24) An error in QuickTime when handling JPEG image files can be exploited to cause a buffer overflow and execute arbitrary code. 25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba. For more information: SA41354 SA43512 26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources. 27) A vulnerability is caused due to a vulnerable bundled version of subversion. For more information: SA43603 SOLUTION: Update to version 10.6.8 or apply Security Update 2011-004. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 2) Paul Nelson 3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen 4) Chris Hawk and Wan-Teh Chang, Google 5) binaryproof via ZDI 6) Harry Sintonen 7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 8) team karlkani 9) Dominic Chell, NGS Secure 10) Harry Sintonen 11) David Bienvenu, Mozilla 12) Thomas Clement, Intego 13) Maksymilian Arciemowicz 14) Chris Evans, Google Chrome Security Team 15) Aaron Sigel, vtty.com 19)Tobias Klein via iDefense 20, 22) Luigi Auriemma via ZDI 21) Honggang Ren, Fortinet's FortiGuard Labs 23) Subreption LLC via ZDI 24) Luigi Auriemma via iDefense 1, 26) Reported by the vendor ORIGINAL ADVISORY: Apple Security Update 2011-004: http://support.apple.com/kb/HT4723 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201106-0148 CVE-2011-0197 Apple Mac OS X of App Store Vulnerability in which important information is obtained CVSS V2: 2.1
CVSS V3: -
Severity: LOW
App Store in Apple Mac OS X before 10.6.8 creates a log entry containing a user's AppleID password, which might allow local users to obtain sensitive information by reading a log file, as demonstrated by a log file that has non-default permissions. Apple Mac OS X is prone to an information-disclosure vulnerability. A local attacker may be able to exploit this issue to retrieve potentially sensitive information. Information obtained may aid in further attacks. NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45054 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45054/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 RELEASE DATE: 2011-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/45054/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45054/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset. 2) An error within App Store may lead to a user's AppleID password being logged to a local file. 3) An unspecified error in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks. 5) An integer overflow error when processing ColorSync profiles embedded in images can be exploited to cause a heap-based buffer overflow and potentially execute arbitrary code via a specially crafted image. 6) An off-by-one error within the CoreFoundation framework when handling CFStrings can be exploited to execute arbitrary code. 7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file. 8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files. 9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow. 10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow. 11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow. 12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset. 13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption. 14) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks. 16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL. For more information: SA41048 SA41716 17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL. For more information: SA37291 SA38807 SA42243 SA42473 SA43227 18) A vulnerability is caused due to a vulnerable bundled version of GNU patch. For more information: SA43677 19) An unspecified error in QuickLook within the processing of Microsoft Office files can be exploited to corrupt memory, which may allow execution of arbitrary code. 20) An integer overflow error in QuickTime when handling RIFF WAV files can be exploited to execute arbitrary code. 21) An error within QuickTime when processing sample tables in QuickTime movie files can be exploited to corrupt memory, which may allow execution of arbitrary code. 22) An integer overflow error in QuickTime when handling certain movie files can be exploited to execute arbitrary code. 23) An error in QuickTime when handling PICT image files can be exploited to cause a buffer overflow and execute arbitrary code. 24) An error in QuickTime when handling JPEG image files can be exploited to cause a buffer overflow and execute arbitrary code. 25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba. For more information: SA41354 SA43512 26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources. 27) A vulnerability is caused due to a vulnerable bundled version of subversion. For more information: SA43603 SOLUTION: Update to version 10.6.8 or apply Security Update 2011-004. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 2) Paul Nelson 3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen 4) Chris Hawk and Wan-Teh Chang, Google 5) binaryproof via ZDI 6) Harry Sintonen 7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 8) team karlkani 9) Dominic Chell, NGS Secure 10) Harry Sintonen 11) David Bienvenu, Mozilla 12) Thomas Clement, Intego 13) Maksymilian Arciemowicz 14) Chris Evans, Google Chrome Security Team 15) Aaron Sigel, vtty.com 19)Tobias Klein via iDefense 20, 22) Luigi Auriemma via ZDI 21) Honggang Ren, Fortinet's FortiGuard Labs 23) Subreption LLC via ZDI 24) Luigi Auriemma via iDefense 1, 26) Reported by the vendor ORIGINAL ADVISORY: Apple Security Update 2011-004: http://support.apple.com/kb/HT4723 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201106-0147 CVE-2011-0196 Apple Mac OS X of AirPort Service disruption in (out-of-bounds read And reboot ) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
AirPort in Apple Mac OS X 10.5.8 allows remote attackers to cause a denial of service (out-of-bounds read and reboot) via Wi-Fi frames on the local wireless network. Apple Mac OS X is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause the system to reset, denying service to legitimate users. The following versions are affected: Mac OS X 10.5.8 Mac OS X Server 10.5.8 NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45054 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45054/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 RELEASE DATE: 2011-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/45054/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45054/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset. 2) An error within App Store may lead to a user's AppleID password being logged to a local file. 3) An unspecified error in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks. 5) An integer overflow error when processing ColorSync profiles embedded in images can be exploited to cause a heap-based buffer overflow and potentially execute arbitrary code via a specially crafted image. 6) An off-by-one error within the CoreFoundation framework when handling CFStrings can be exploited to execute arbitrary code. 7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file. 8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files. 9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow. 10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow. 11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow. 12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset. 13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption. 14) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks. 16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL. For more information: SA41048 SA41716 17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL. For more information: SA37291 SA38807 SA42243 SA42473 SA43227 18) A vulnerability is caused due to a vulnerable bundled version of GNU patch. For more information: SA43677 19) An unspecified error in QuickLook within the processing of Microsoft Office files can be exploited to corrupt memory, which may allow execution of arbitrary code. 20) An integer overflow error in QuickTime when handling RIFF WAV files can be exploited to execute arbitrary code. 21) An error within QuickTime when processing sample tables in QuickTime movie files can be exploited to corrupt memory, which may allow execution of arbitrary code. 22) An integer overflow error in QuickTime when handling certain movie files can be exploited to execute arbitrary code. 23) An error in QuickTime when handling PICT image files can be exploited to cause a buffer overflow and execute arbitrary code. 24) An error in QuickTime when handling JPEG image files can be exploited to cause a buffer overflow and execute arbitrary code. 25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba. For more information: SA41354 SA43512 26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources. 27) A vulnerability is caused due to a vulnerable bundled version of subversion. For more information: SA43603 SOLUTION: Update to version 10.6.8 or apply Security Update 2011-004. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 2) Paul Nelson 3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen 4) Chris Hawk and Wan-Teh Chang, Google 5) binaryproof via ZDI 6) Harry Sintonen 7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 8) team karlkani 9) Dominic Chell, NGS Secure 10) Harry Sintonen 11) David Bienvenu, Mozilla 12) Thomas Clement, Intego 13) Maksymilian Arciemowicz 14) Chris Evans, Google Chrome Security Team 15) Aaron Sigel, vtty.com 19)Tobias Klein via iDefense 20, 22) Luigi Auriemma via ZDI 21) Honggang Ren, Fortinet's FortiGuard Labs 23) Subreption LLC via ZDI 24) Luigi Auriemma via iDefense 1, 26) Reported by the vendor ORIGINAL ADVISORY: Apple Security Update 2011-004: http://support.apple.com/kb/HT4723 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201106-0159 CVE-2011-0208 Apple Mac OS X of QuickLook Vulnerable to arbitrary code execution CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
QuickLook in Apple Mac OS X 10.6 before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Microsoft Office document. Apple Mac OS X is prone to a memory-corruption vulnerability when handling Microsoft Office files. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45054 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45054/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 RELEASE DATE: 2011-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/45054/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45054/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset. 2) An error within App Store may lead to a user's AppleID password being logged to a local file. 3) An unspecified error in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks. 5) An integer overflow error when processing ColorSync profiles embedded in images can be exploited to cause a heap-based buffer overflow and potentially execute arbitrary code via a specially crafted image. 7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file. 8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files. 9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow. 10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow. 11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow. 12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset. 13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption. 14) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks. 16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL. For more information: SA41048 SA41716 17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL. For more information: SA37291 SA38807 SA42243 SA42473 SA43227 18) A vulnerability is caused due to a vulnerable bundled version of GNU patch. 20) An integer overflow error in QuickTime when handling RIFF WAV files can be exploited to execute arbitrary code. 21) An error within QuickTime when processing sample tables in QuickTime movie files can be exploited to corrupt memory, which may allow execution of arbitrary code. 22) An integer overflow error in QuickTime when handling certain movie files can be exploited to execute arbitrary code. 23) An error in QuickTime when handling PICT image files can be exploited to cause a buffer overflow and execute arbitrary code. 24) An error in QuickTime when handling JPEG image files can be exploited to cause a buffer overflow and execute arbitrary code. 25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba. For more information: SA41354 SA43512 26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources. 27) A vulnerability is caused due to a vulnerable bundled version of subversion. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 2) Paul Nelson 3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen 4) Chris Hawk and Wan-Teh Chang, Google 5) binaryproof via ZDI 6) Harry Sintonen 7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 8) team karlkani 9) Dominic Chell, NGS Secure 10) Harry Sintonen 11) David Bienvenu, Mozilla 12) Thomas Clement, Intego 13) Maksymilian Arciemowicz 14) Chris Evans, Google Chrome Security Team 15) Aaron Sigel, vtty.com 19)Tobias Klein via iDefense 20, 22) Luigi Auriemma via ZDI 21) Honggang Ren, Fortinet's FortiGuard Labs 23) Subreption LLC via ZDI 24) Luigi Auriemma via iDefense 1, 26) Reported by the vendor ORIGINAL ADVISORY: Apple Security Update 2011-004: http://support.apple.com/kb/HT4723 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2011-10-12-1 iOS 5 Software Update iOS 5 Software Update is now available and addresses the following: CalDAV Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information from a CalDAV calendar server Description: CalDAV did not check that the SSL certificate presented by the server was trusted. CVE-ID CVE-2011-3253 : Leszek Tasiemski of nSense Calendar Available for: iOS 4.2.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 4.2.0 through 4.3.5 for iPod touch (3rd generation) and later, iOS 4.2.0 through 4.3.5 for iPad Impact: Viewing a maliciously crafted calendar invitation may inject script in the local domain Description: A script injection issue existed in Calendar's handling of invitation notes. This issue is addressed through improved escaping of special characters in invitation notes. This issues does not affect devices prior to iOS 4.2.0. CVE-ID CVE-2011-3254 : Rick Deacon CFNetwork Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: User's AppleID password may be logged to a local file Description: A user's AppleID password and username were logged to a file that was readable by applications on the system. This is resolved by no longer logging these credentials. CVE-ID CVE-2011-3255 : Peter Quade of qdevelop CFNetwork Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information Description: An issue existed in CFNetwork's handling of HTTP cookies. When accessing a maliciously crafted HTTP or HTTPS URL, CFNetwork could incorrectly send the cookies for a domain to a server outside that domain. CVE-ID CVE-2011-3246 : Erling Ellingsen of Facebook CoreFoundation Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in CoreFoundation's handling of string tokenization. CVE-ID CVE-2011-0259 : Apple CoreGraphics Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Viewing a document containing a maliciously crafted font may lead to arbitrary code execution Description: Multiple memory corruption existed in freetype, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font. CVE-ID CVE-2011-3256 : Apple CoreMedia Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to the disclosure of video data from another site Description: A cross-origin issue existed in CoreMedia's handling of cross-site redirects. This issue is addressed through improved origin tracking. CVE-ID CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR) Data Access Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: An exchange mail cookie management issue could incorrectly cause data synchronization across different accounts Description: When multiple mail exchange accounts are configured which connect to the same server, a session could potentially receive a valid cookie corresponding to a different account. This issue is addressed by ensuring that cookies are separated across different accounts. CVE-ID CVE-2011-3257 : Bob Sielken of IBM Data Security Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted. Data Security Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Support for X.509 certificates with MD5 hashes may expose users to spoofing and information disclosure as attacks improve Description: Certificates signed using the MD5 hash algorithm were accepted by iOS. This algorithm has known cryptographic weaknesses. Further research or a misconfigured certificate authority could have allowed the creation of X.509 certificates with attacker controlled values that would have been trusted by the system. This would have exposed X.509 based protocols to spoofing, man in the middle attacks, and information disclosure. This update disables support for an X.509 certificate with an MD5 hash for any use other than as a trusted root certificate. CVE-ID CVE-2011-3427 Data Security Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: An attacker could decrypt part of a SSL connection Description: Only the SSLv3 and TLS 1.0 versions of SSL were supported. These versions are subject to a protocol weakness when using block ciphers. A man-in-the-middle attacker could have injected invalid data, causing the connection to close but revealing some information about the previous data. If the same connection was attempted repeatedly the attacker may eventually have been able to decrypt the data being sent, such as a password. This issue is addressed by adding support for TLS 1.2. CVE-ID CVE-2011-3389 Home screen Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Switching between applications may lead to the disclosure of sensitive application information Description: When switching between applications with the four- finger app switching gesture, the display could have revealed the previous application state. This issue is addressed by ensuring that the system properly calls the applicationWillResignActive: method when transitioning between applications. CVE-ID CVE-2011-3431 : Abe White of Hedonic Software Inc. ImageIO Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libTIFF's handling of CCITT Group 4 encoded TIFF images. CVE-ID CVE-2011-0192 : Apple ImageIO Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in ImageIO's handling of CCITT Group 4 encoded TIFF images. CVE-ID CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies International Components for Unicode Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Applications that use ICU may be vulnerable to an unexpected application termination or arbitrary code execution Description: A buffer overflow issue existed in ICU's generation of collation keys for long strings of mostly uppercase letters. CVE-ID CVE-2011-0206 : David Bienvenu of Mozilla Kernel Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: A remote attacker may cause a device reset Description: The kernel failed to promptly reclaim memory from incomplete TCP connections. An attacker with the ability to connect to a listening service on an iOS device could exhaust system resources. CVE-ID CVE-2011-3259 : Wouter van der Veer of Topicus I&I, and Josh Enders Kernel Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: A local user may be able to cause a system reset Description: A null dereference issue existed in the handling of IPV6 socket options. CVE-ID CVE-2011-1132 : Thomas Clement of Intego Keyboards Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: A user may be able to determine information about the last character of a password Description: The keyboard used to type the last character of a password was briefly displayed the next time the keyboard was used. CVE-ID CVE-2011-3245 : Paul Mousdicas libxml Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A one-byte heap buffer overflow existed in libxml's handling of XML data. CVE-ID CVE-2011-0216 : Billy Rios of the Google Security Team OfficeImport Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Viewing a maliciously crafted Word file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in OfficeImport's handling of Microsoft Word documents. CVE-ID CVE-2011-3260 : Tobias Klein working with Verisign iDefense Labs OfficeImport Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Viewing a maliciously crafted Excel file may lead to an unexpected application termination or arbitrary code execution Description: A double free issue existed in OfficeImport's handling of Excel files. CVE-ID CVE-2011-3261 : Tobias Klein of www.trapkit.de OfficeImport Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in OfficeImport's handling of Microsoft Office files. CVE-ID CVE-2011-0208 : Tobias Klein working with iDefense VCP OfficeImport Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Downloading a maliciously crafted Excel file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in OfficeImport's handling of Excel files. CVE-ID CVE-2011-0184 : Tobias Klein working with iDefense VCP Safari Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Opening maliciously crafted files on certain websites may lead to a cross-site scripting attack Description: iOS did not support the 'attachment' value for the HTTP Content-Disposition header. This header is used by many websites to serve files that were uploaded to the site by a third-party, such as attachments in web-based e-mail applications. Any script in files served with this header value would run as if the file had been served inline, with full access to other resources on the origin server. This issue is addressed by loading attachments in an isolated security origin with no access to resources on other sites. CVE-ID CVE-2011-3426 : Christian Matthies working with iDefense VCP, Yoshinori Oota from Business Architects Inc working with JP/CERT Settings Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: An attacker with physical access to a device may be able to recover the restrictions passcode Description: The parental restrictions functionality enforces UI restrictions. Configuring parental restrictions is protected by a passcode, which was previously stored in plaintext on disk. This issue is addressed by securely storing the parental restrictions passcode in the system keychain. CVE-ID CVE-2011-3429 : an anonymous reporter Settings Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Misleading UI Description: Configurations and settings applied via configuration profiles did not appear to function properly under any non-English language. Settings could be improperly displayed as a result. This issue is addressed by fixing a localization error. CVE-ID CVE-2011-3430 : Florian Kreitmaier of Siemens CERT UIKit Alerts Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a malicious website may cause an unexpected device hang Description: An excessive maximum text layout length permitted malicious websites to cause iOS to hang when drawing acceptance dialogs for very long tel: URIs. This issue is addressed by using a more reasonable maximum URI size. CVE-ID CVE-2011-3432 : Simon Young of Anglia Ruskin University WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. CVE-ID CVE-2011-0218 : SkyLined of Google Chrome Security Team CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS Research Team, and Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day Initiative CVE-2011-0234 : Rob King working with TippingPoint's Zero Day Initiative, wushi of team509 working with TippingPoint's Zero Day Initiative CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0238 : Adam Barth of Google Chrome Security Team CVE-2011-0254 : An anonymous researcher working with TippingPoint's Zero Day Initiative CVE-2011-0255 : An anonymous reporter working with TippingPoint's Zero Day Initiative CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc CVE-2011-0983 : Martin Barbella CVE-2011-1109 : Sergey Glazunov CVE-2011-1114 : Martin Barbella CVE-2011-1115 : Martin Barbella CVE-2011-1117 : wushi of team509 CVE-2011-1121 : miaubiz CVE-2011-1188 : Martin Barbella CVE-2011-1203 : Sergey Glazunov CVE-2011-1204 : Sergey Glazunov CVE-2011-1288 : Andreas Kling of Nokia CVE-2011-1293 : Sergey Glazunov CVE-2011-1296 : Sergey Glazunov CVE-2011-1449 : Marek Majkowski CVE-2011-1451 : Sergey Glazunov CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day Initiative CVE-2011-1457 : John Knottenbelt of Google CVE-2011-1462 : wushi of team509 CVE-2011-1797 : wushi of team509 CVE-2011-2338 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2339 : Cris Neckar of the Google Chrome Security Team CVE-2011-2341 : Apple CVE-2011-2351 : miaubiz CVE-2011-2352 : Apple CVE-2011-2354 : Apple CVE-2011-2356 : Adam Barth and Abhishek Arya of Google Chrome Security Team using AddressSanitizer CVE-2011-2359 : miaubiz CVE-2011-2788 : Mikolaj Malecki of Samsung CVE-2011-2790 : miaubiz CVE-2011-2792 : miaubiz CVE-2011-2797 : miaubiz CVE-2011-2799 : miaubiz CVE-2011-2809 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-2813 : Cris Neckar of Google Chrome Security Team using AddressSanitizer CVE-2011-2814 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2816 : Apple CVE-2011-2817 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2818 : Martin Barbella CVE-2011-2820 : Raman Tenneti and Philip Rogers of Google CVE-2011-2823 : SkyLined of Google Chrome Security Team CVE-2011-2827 : miaubiz CVE-2011-2831 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-3232 : Aki Helin of OUSPG CVE-2011-3234 : miaubiz CVE-2011-3235 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the Chromium development community, and Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-3236 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-3237 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the Chromium development community, and Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-3244 : vkouchna WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of URLs with an embedded username. This issue is addressed through improved handling of URLs with an embedded username. CVE-ID CVE-2011-0242 : Jobert Abma of Online24 WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of DOM nodes. CVE-ID CVE-2011-1295 : Sergey Glazunov WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: A maliciously crafted website may be able to cause a different URL to be shown in the address bar Description: A URL spoofing issue existed in the handling of the DOM history object. CVE-ID CVE-2011-1107 : Jordi Chancel WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: A configuration issue existed in WebKit's use of libxslt. Visiting a maliciously crafted website may lead to arbitrary files being created with the privileges of the user, which may lead to arbitrary code execution. This issue is addressed through improved libxslt security settings. CVE-ID CVE-2011-1774 : Nicolas Gregoire of Agarri WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a malicious website and dragging content in the page may lead to an information disclosure Description: A cross-origin issue existed in WebKit's handling of HTML5 drag and drop. This issue is addressed by disallowing drag and drop across different origins. CVE-ID CVE-2011-0166 : Michal Zalewski of Google Inc. WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to an information disclosure Description: A cross-origin issue existed in the handling of Web Workers. CVE-ID CVE-2011-1190 : Daniel Divricean of divricean.ro WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of the window.open method. CVE-ID CVE-2011-2805 : Sergey Glazunov WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of inactive DOM windows. CVE-ID CVE-2011-3243 : Sergey Glazunov WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of the document.documentURI property. CVE-ID CVE-2011-2819 : Sergey Glazunov WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: A maliciously crafted website may be able to track the URLs that a user visits within a frame Description: A cross-origin issue existed in the handling of the beforeload event. CVE-ID CVE-2011-2800 : Juho Nurminen WiFi Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: WiFi credentials may be logged to a local file Description: WiFi credentials including the passphrase and encryption keys were logged to a file that was readable by applications on the system. This is resolved by no longer logging these credentials. CVE-ID CVE-2011-3434 : Laurent OUDOT of TEHTRI Security Installation note: This update is only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone, iPod touch or iPad is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iPhone, iPod touch, or iPad. The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the Check for Updates button within iTunes. After doing this, the update can be applied when your iPhone, iPod touch, or iPad is docked to your computer. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "5 (9A334)". Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) iQEcBAEBAgAGBQJOldmtAAoJEGnF2JsdZQee/qMIAIPxmIiOqj+FMLFHZtPeC/Dp 3s4JliKOOgNnjXkxErfaNvYGmeVbDaUER5jdVrWccTauzlYmy8G4uK0An2GD2YiP gB5AiCQXpONdBCi38QNdRqrYoYjc8Sa0nUp4r5uWPoiHoj5KfxvBpgygEL+zjHXS fmnrONOCWhOYp0w4q6mdTg5BH2uJCbXscD/JjbmgHQI0Vs/iUZKSRyqFo2b0Mvze NiSyzcj/4l62Cxx7xM9VbdrYL7Al2yyHfNYJQsZmoeDUlJQcdgEgEMXvOuhY3sFK maxYr2oCp6Mtf53fplAeJIV4ijLynEWAKxTuTznAyW1k7oiGrDTfORSFKPEB9MQ= =LCQZ -----END PGP SIGNATURE-----
VAR-201106-0160 CVE-2011-0209 Apple Mac OS X of QuickTime Integer overflow vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Integer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted RIFF WAV file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within how the application parses a specially formatted RIFF WAV file. When parsing a fmt chunk within the file, the application will use a 32-bit field to calculate the size of a buffer to allocate. Before the allocation, the application will add 0x14 bytes to the result. Due to restrictions imposed on the implementation of this component by the language and it's platform, an integer overflow can be made to occur. This can lead to code execution under the context of the application. Apple Mac OS X is prone to an integer-overflow vulnerability that occurs in QuickTime. Failed exploit attempts will likely result in denial-of-service conditions. The following versions are affected: Mac OS X 10.6 through v10.6.7 Mac OS X Server 10.6 through v10.6.7 NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. ZDI-11-229: Apple QuickTime RIFF fmt Chunk Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-229 June 29, 2011 -- CVE ID: CVE-2011-0209 -- CVSS: 7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P) -- Affected Vendors: Apple -- Affected Products: Apple Quicktime -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11430. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4723 -- Disclosure Timeline: 2011-04-11 - Vulnerability reported to vendor 2011-06-29 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Luigi Auriemma -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . CVE-ID CVE-2011-0245 : Subreption LLC working with TippingPoint's Zero Day Initiative QuickTime Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted JPEG2000 image with QuickTime may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in QuickTime's handling of JPEG2000 images. CVE-ID CVE-2011-0186 : Will Dormann of the CERT/CC QuickTime Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to the disclosure of video data from another site Description: A cross-origin issue existed in QuickTime plug-in's handling of cross-site redirects. Visiting a maliciously crafted website may lead to the disclosure of video data from another site. This issue is addressed by preventing QuickTime from following cross- site redirects. CVE-ID CVE-2011-0213 : Luigi Auriemma working with iDefense VCP QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted GIF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in QuickTime's handling of GIF images. CVE-ID CVE-2011-0246 : an anonymous contributor working with Beyond Security's SecuriTeam Secure Disclosure program QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution Description: Multiple stack buffer overflows existed in the handling of H.264 encoded movie files. CVE-ID CVE-2011-0247 : Roi Mallo and Sherab Giovannini working with TippingPoint's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website using Internet Explorer may lead to an unexpected application termination or arbitrary code execution Description: A stack buffer overflow existed in the QuickTime ActiveX control's handling of QTL files. Visiting a maliciously crafted website using Internet Explorer may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative QuickTime 7.7 may be obtained from the Software Update application, or from the QuickTime Downloads site: http://www.apple.com/quicktime/download/ For Mac OS X v10.5.8 The download file is named: "QuickTime77Leopard.dmg" Its SHA-1 digest is: 0deb99cc44015af7c396750d2c9dd4cbd59fb355 For Windows 7 / Vista / XP SP3 The download file is named: "QuickTimeInstaller.exe" Its SHA-1 digest is: a99f61d67be6a6b42e11d17b0b4f25cd88b74dc9 QuickTime is incorporated into Mac OS X v10.6 and later. Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (Darwin) iQEcBAEBAgAGBQJOOZuHAAoJEGnF2JsdZQeeNWIH/A+KRxzYTBC5nCZQ6m/sRdU0 OrauYjVbXIj1LUgMS9+I0wW4Zg7xtGBEjYBnqiuNuajP5W2+Ts8mNe75ZlEFlNto KFQI7NS/OsTrjCTR1m1sF2zvsyMKDOjviIy90+PDGKejC8c3Zu/Y8GSdZ++I4aEf J2g7BqhBDW/RFOemPGrcvr/iwu3twdkiAHeLXFCcecNCKjSUfoxXDuPd/Ege/kS7 95wsNkLjypSEuLpcmjATSXp5X58nzbUCsrQ2doPzLy1/8oWiG9XsiZznmcYlLhHg trYm+KIMdqBOQWI3uhG+3dG6l2xkJxdYNxHRHXFh78QH0NblHg9u3PmhELUBeXU= =H+iO -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45054 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45054/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 RELEASE DATE: 2011-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/45054/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45054/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset. 2) An error within App Store may lead to a user's AppleID password being logged to a local file. 3) An unspecified error in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks. 5) An integer overflow error when processing ColorSync profiles embedded in images can be exploited to cause a heap-based buffer overflow and potentially execute arbitrary code via a specially crafted image. 7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file. 8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files. 9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow. 10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow. 11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow. 12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset. 13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption. 14) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks. 16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL. For more information: SA41048 SA41716 17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL. For more information: SA37291 SA38807 SA42243 SA42473 SA43227 18) A vulnerability is caused due to a vulnerable bundled version of GNU patch. For more information: SA43677 19) An unspecified error in QuickLook within the processing of Microsoft Office files can be exploited to corrupt memory, which may allow execution of arbitrary code. 25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba. For more information: SA41354 SA43512 26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources. 27) A vulnerability is caused due to a vulnerable bundled version of subversion. For more information: SA43603 SOLUTION: Update to version 10.6.8 or apply Security Update 2011-004. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 2) Paul Nelson 3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen 4) Chris Hawk and Wan-Teh Chang, Google 5) binaryproof via ZDI 6) Harry Sintonen 7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 8) team karlkani 9) Dominic Chell, NGS Secure 10) Harry Sintonen 11) David Bienvenu, Mozilla 12) Thomas Clement, Intego 13) Maksymilian Arciemowicz 14) Chris Evans, Google Chrome Security Team 15) Aaron Sigel, vtty.com 19)Tobias Klein via iDefense 20, 22) Luigi Auriemma via ZDI 21) Honggang Ren, Fortinet's FortiGuard Labs 23) Subreption LLC via ZDI 24) Luigi Auriemma via iDefense 1, 26) Reported by the vendor ORIGINAL ADVISORY: Apple Security Update 2011-004: http://support.apple.com/kb/HT4723 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201106-0153 CVE-2011-0202 Apple Mac OS X of CoreGraphics Integer overflow vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Integer overflow in CoreGraphics in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted embedded Type 1 font in a PDF document. Apple Mac OS X is prone to an integer-overflow vulnerability that occurs in the CoreGraphics component. Successful exploits may allow attackers to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The following versions are affected: Mac OS X 10.5.8 Mac OS X Server 10.5.8 Mac OS X 10.6 through v10.6.7 Mac OS X Server 10.6 through v10.6.7 NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2011-07-20-1 Safari 5.1 and Safari 5.0.6 Safari 5.1 and Safari 5.0.6 are now available and address the following: CFNetwork Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: In certain situations, Safari may treat a file as HTML, even if it is served with the 'text/plain' content type. This may lead to a cross-site scripting attack on sites that allow untrusted users to post text files. This issue is addressed through improved handling of 'text/plain' content. CVE-ID CVE-2010-1420 : Hidetake Jo working with Microsoft Vulnerability Research (MSVR), Neal Poole of Matasano Security CFNetwork Available for: Windows 7, Vista, XP SP2 or later Impact: Authenticating to a maliciously crafted website may lead to arbitrary code execution Description: The NTLM authentication protocol is susceptible to a replay attack referred to as credential reflection. Authenticating to a maliciously crafted website may lead to arbitrary code execution. To mitigate this issue, Safari has been updated to utilize protection mechanisms recently added to Windows. CVE-ID CVE-2010-1383 : Takehiro Takahashi of IBM X-Force Research CFNetwork Available for: Windows 7, Vista, XP SP2 or later Impact: A root certificate that is disabled may still be trusted Description: CFNetwork did not properly validate that a certificate was trusted for use by a SSL server. As a result, if the user had marked a system root certificate as not trusted, Safari would still accept certificates signed by that root. This issue is addressed through improved certificate validation. CVE-ID CVE-2011-0214 : An anonymous reporter ColorSync Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of images with an embedded ColorSync profile, which may lead to a heap buffer overflow. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day Initiative CoreFoundation Available for: Windows 7, Vista, XP SP2 or later Impact: Applications that use the CoreFoundation framework may be vulnerable to an unexpected application termination or arbitrary code execution Description: An off-by-one buffer overflow issue existed in the handling of CFStrings. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. CVE-ID CVE-2011-0202 : Cristian Draghici of Modulo Consulting, Felix Grobert of the Google Security Team International Components for Unicode Available for: Windows 7, Vista, XP SP2 or later Impact: Applications that use ICU may be vulnerable to an unexpected application termination or arbitrary code execution Description: A buffer overflow issue existed in ICU's handling of uppercase strings. CVE-ID CVE-2011-0206 : David Bienvenu of Mozilla ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0204 : Dominic Chell of NGS Secure ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in ImageIO's handling of CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A reentrancy issue existed in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0215 : Juan Pablo Lopez Yacubian working with iDefense VCP ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0204 : Dominic Chell of NGS Secure libxslt Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to the disclosure of addresses on the heap Description: libxslt's implementation of the generate-id() XPath function disclosed the address of a heap buffer. Visiting a maliciously crafted website may lead to the disclosure of addresses on the heap. This issue is addressed by generating an ID based on the difference between the addresses of two heap buffers. CVE-ID CVE-2011-0195 : Chris Evans of the Google Chrome Security Team libxml Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A one-byte heap buffer overflow existed in libxml's handling of XML data. CVE-ID CVE-2011-0216 : Billy Rios of the Google Security Team Safari Available for: Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: If the "AutoFill web forms" feature is enabled, visiting a maliciously crafted website and typing may lead to the disclosure of information from the user's Address Book Description: Safari's "AutoFill web forms" feature filled in non- visible form fields, and the information was accessible by scripts on the site before the user submitted the form. This issue is addressed by displaying all fields that will be filled, and requiring the user's consent before AutoFill information is available to the form. This applies when Java is enabled in Safari, and Java is configured to run within the browser process. Fonts loaded by a Java applet could affect the display of text content from other sites. This issue is addressed by running Java applets in a separate process. CVE-ID CVE-2010-1823 : David Weston of Microsoft and Microsoft Vulnerability Research (MSVR), wushi of team509, and Yong Li of Research In Motion Ltd CVE-2011-0164 : Apple CVE-2011-0218 : SkyLined of Google Chrome Security Team CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS Research Team, and Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0223 : Jose A. Vazquez of spa-s3c.blogspot.com working with iDefense VCP CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day Initiative CVE-2011-0234 : Rob King working with TippingPoint's Zero Day Initiative, wushi of team509 working with TippingPoint's Zero Day Initiative, wushi of team509 working with iDefense VCP CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0237 : wushi of team509 working with iDefense VCP CVE-2011-0238 : Adam Barth of Google Chrome Security Team CVE-2011-0240 : wushi of team509 working with iDefense VCP CVE-2011-0253 : Richard Keen CVE-2011-0254 : An anonymous researcher working with TippingPoint's Zero Day Initiative CVE-2011-0255 : An anonymous researcher working with TippingPoint's Zero Day Initiative CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc CVE-2011-0983 : Martin Barbella CVE-2011-1109 : Sergey Glazunov CVE-2011-1114 : Martin Barbella CVE-2011-1115 : Martin Barbella CVE-2011-1117 : wushi of team509 CVE-2011-1121 : miaubiz CVE-2011-1188 : Martin Barbella CVE-2011-1203 : Sergey Glazunov CVE-2011-1204 : Sergey Glazunov CVE-2011-1288 : Andreas Kling of Nokia CVE-2011-1293 : Sergey Glazunov CVE-2011-1296 : Sergey Glazunov CVE-2011-1449 : Marek Majkowski, wushi of team 509 working with iDefense VCP CVE-2011-1451 : Sergey Glazunov CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day Initiative CVE-2011-1457 : John Knottenbelt of Google CVE-2011-1462 : wushi of team509 CVE-2011-1797 : wushi of team509 WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: A configuration issue existed in WebKit's use of libxslt. Visiting a maliciously crafted website may lead to arbitrary files being created with the privileges of the user, which may lead to arbitrary code execution. This issue is addressed through improved libxslt security settings. Visiting a maliciously crafted website may lead to an information disclosure. Visiting a maliciously crafted website may lead to a cross-site scripting attack. This issue is addressed through improved handling of URLs with an embedded username. Visiting a maliciously crafted website may lead to a cross- site scripting attack. A maliciously crafted website may have been able to cause a different URL to be shown in the address bar. Subscribing to a maliciously crafted RSS feed and clicking on a link within it may lead to arbitrary files being sent from the user's system to a remote server. This update addresses the issue through improved handling of URLs. Applications that use WebKit, such a s mail clients, may connect to an arbitrary DNS server upon processing HTML content. This update addresses the issue by requiring applications to opt in to DNS prefetching. CVE-ID CVE-2010-3829 : Mike Cardwell of Cardwell IT Ltd. Safari 5.1 and Safari 5.0.6 address the same set of security issues. Safari 5.1 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/ Safari 5.0.6 is available via the Apple Software Update application, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ Safari for Mac OS X v10.6.8 and later The download file is named: Safari5.1SnowLeopard.dmg Its SHA-1 digest is: 2c3cef8e06c5aa586379b1a5fd5cf7b54e8acc24 Safari for Mac OS X v10.5.8 The download file is named: Safari5.0.6Leopard.dmg Its SHA-1 digest is: ea970375d2116a7b74094a2a7669bebc306b6e6f Safari for Windows 7, Vista or XP The download file is named: SafariSetup.exe Its SHA-1 digest is: d00b791c694b1ecfc22d6a1ec9aa21cc14fd8e36 Safari for Windows 7, Vista or XP from the Microsoft Choice Screen The download file is named: Safari_Setup.exe Its SHA-1 digest is: ccb3bb6b06468a430171d9f62708a1a6d917f45b Safari+QuickTime for Windows 7, Vista or XP The file is named: SafariQuickTimeSetup.exe Its SHA-1 digest is: 1273e0ee742a294d65e4f25a9b3e36f79fb517c9 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) iQEcBAEBAgAGBQJOJI45AAoJEGnF2JsdZQeezHQIALKZms5tzYgYxUSdxmo+DmYw up9gAmEVcltZvCeVS1lUxfjqnRiGRSWyuou8Ynt9PfGQCz9GfLvzlrCHc5rsnKaD MeYY1IH7lQc6aqmV0hwb4nUL5qJntP6G5Ai0E/0UiRQNC/ummS+qnmdsiFo78ODY nKaB5cAWhqGHgOAPnUG0JwmxpYgR2HEtGYJSqlYykMwt1vnlAr5hHVNaUJcJ3Hlb vesN6fB7zQMiJVo8+iJBixCvIYlbII5HnVAmD1ToyKgENg4Iguo46YBMVr8DPgF/ KD2s0+VF/O4utYVX0GiRGReVyq1PMvz/HI23ym8U3LjbezXD/AALQET0Q2hUEYQ= =fOfF -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45054 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45054/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 RELEASE DATE: 2011-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/45054/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45054/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset. 2) An error within App Store may lead to a user's AppleID password being logged to a local file. 4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks. 7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file. 8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files. 9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow. 10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow. 11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow. 12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset. 13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption. 14) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks. 16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL. For more information: SA41048 SA41716 17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL. For more information: SA37291 SA38807 SA42243 SA42473 SA43227 18) A vulnerability is caused due to a vulnerable bundled version of GNU patch. For more information: SA43677 19) An unspecified error in QuickLook within the processing of Microsoft Office files can be exploited to corrupt memory, which may allow execution of arbitrary code. 20) An integer overflow error in QuickTime when handling RIFF WAV files can be exploited to execute arbitrary code. 21) An error within QuickTime when processing sample tables in QuickTime movie files can be exploited to corrupt memory, which may allow execution of arbitrary code. 22) An integer overflow error in QuickTime when handling certain movie files can be exploited to execute arbitrary code. 23) An error in QuickTime when handling PICT image files can be exploited to cause a buffer overflow and execute arbitrary code. 24) An error in QuickTime when handling JPEG image files can be exploited to cause a buffer overflow and execute arbitrary code. 25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba. For more information: SA41354 SA43512 26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources. 27) A vulnerability is caused due to a vulnerable bundled version of subversion. For more information: SA43603 SOLUTION: Update to version 10.6.8 or apply Security Update 2011-004. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 2) Paul Nelson 3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen 4) Chris Hawk and Wan-Teh Chang, Google 5) binaryproof via ZDI 6) Harry Sintonen 7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 8) team karlkani 9) Dominic Chell, NGS Secure 10) Harry Sintonen 11) David Bienvenu, Mozilla 12) Thomas Clement, Intego 13) Maksymilian Arciemowicz 14) Chris Evans, Google Chrome Security Team 15) Aaron Sigel, vtty.com 19)Tobias Klein via iDefense 20, 22) Luigi Auriemma via ZDI 21) Honggang Ren, Fortinet's FortiGuard Labs 23) Subreption LLC via ZDI 24) Luigi Auriemma via iDefense 1, 26) Reported by the vendor ORIGINAL ADVISORY: Apple Security Update 2011-004: http://support.apple.com/kb/HT4723 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201106-0152 CVE-2011-0201 Apple Mac OS X of CoreFoundation One gap in the framework (off-by-one) Error vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Off-by-one error in the CoreFoundation framework in Apple Mac OS X before 10.6.8 allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a CFString object that triggers a buffer overflow. Apple Mac OS X is prone to an off-by-one buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. This issue affects Mac OS X 10.6 through 10.6.7 and Mac OS X Server 10.6 through 10.6.7. NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2011-07-20-1 Safari 5.1 and Safari 5.0.6 Safari 5.1 and Safari 5.0.6 are now available and address the following: CFNetwork Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: In certain situations, Safari may treat a file as HTML, even if it is served with the 'text/plain' content type. This may lead to a cross-site scripting attack on sites that allow untrusted users to post text files. This issue is addressed through improved handling of 'text/plain' content. CVE-ID CVE-2010-1420 : Hidetake Jo working with Microsoft Vulnerability Research (MSVR), Neal Poole of Matasano Security CFNetwork Available for: Windows 7, Vista, XP SP2 or later Impact: Authenticating to a maliciously crafted website may lead to arbitrary code execution Description: The NTLM authentication protocol is susceptible to a replay attack referred to as credential reflection. Authenticating to a maliciously crafted website may lead to arbitrary code execution. To mitigate this issue, Safari has been updated to utilize protection mechanisms recently added to Windows. CVE-ID CVE-2010-1383 : Takehiro Takahashi of IBM X-Force Research CFNetwork Available for: Windows 7, Vista, XP SP2 or later Impact: A root certificate that is disabled may still be trusted Description: CFNetwork did not properly validate that a certificate was trusted for use by a SSL server. As a result, if the user had marked a system root certificate as not trusted, Safari would still accept certificates signed by that root. This issue is addressed through improved certificate validation. CVE-ID CVE-2011-0214 : An anonymous reporter ColorSync Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of images with an embedded ColorSync profile, which may lead to a heap buffer overflow. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day Initiative CoreFoundation Available for: Windows 7, Vista, XP SP2 or later Impact: Applications that use the CoreFoundation framework may be vulnerable to an unexpected application termination or arbitrary code execution Description: An off-by-one buffer overflow issue existed in the handling of CFStrings. CVE-ID CVE-2011-0201 : Harry Sintonen CoreGraphics Available for: Windows 7, Vista, XP SP2 or later Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow issue existed in the handling of Type 1 fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. CVE-ID CVE-2011-0202 : Cristian Draghici of Modulo Consulting, Felix Grobert of the Google Security Team International Components for Unicode Available for: Windows 7, Vista, XP SP2 or later Impact: Applications that use ICU may be vulnerable to an unexpected application termination or arbitrary code execution Description: A buffer overflow issue existed in ICU's handling of uppercase strings. CVE-ID CVE-2011-0206 : David Bienvenu of Mozilla ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0204 : Dominic Chell of NGS Secure ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in ImageIO's handling of CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A reentrancy issue existed in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0215 : Juan Pablo Lopez Yacubian working with iDefense VCP ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0204 : Dominic Chell of NGS Secure libxslt Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to the disclosure of addresses on the heap Description: libxslt's implementation of the generate-id() XPath function disclosed the address of a heap buffer. Visiting a maliciously crafted website may lead to the disclosure of addresses on the heap. This issue is addressed by generating an ID based on the difference between the addresses of two heap buffers. CVE-ID CVE-2011-0195 : Chris Evans of the Google Chrome Security Team libxml Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A one-byte heap buffer overflow existed in libxml's handling of XML data. CVE-ID CVE-2011-0216 : Billy Rios of the Google Security Team Safari Available for: Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: If the "AutoFill web forms" feature is enabled, visiting a maliciously crafted website and typing may lead to the disclosure of information from the user's Address Book Description: Safari's "AutoFill web forms" feature filled in non- visible form fields, and the information was accessible by scripts on the site before the user submitted the form. This issue is addressed by displaying all fields that will be filled, and requiring the user's consent before AutoFill information is available to the form. CVE-ID CVE-2011-0217 : Florian Rienhardt of BSI, Alex Lambert, [Jeremiah Grossman] Safari Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: With a certain Java configuration, visiting a malicious website may lead to unexpected text being displayed on other sites Description: A cross origin issue existed in the handling of Java Applets. This applies when Java is enabled in Safari, and Java is configured to run within the browser process. Fonts loaded by a Java applet could affect the display of text content from other sites. This issue is addressed by running Java applets in a separate process. CVE-ID CVE-2011-0219 : Joshua Smith of Kaon Interactive WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. CVE-ID CVE-2010-1823 : David Weston of Microsoft and Microsoft Vulnerability Research (MSVR), wushi of team509, and Yong Li of Research In Motion Ltd CVE-2011-0164 : Apple CVE-2011-0218 : SkyLined of Google Chrome Security Team CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS Research Team, and Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0223 : Jose A. Vazquez of spa-s3c.blogspot.com working with iDefense VCP CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day Initiative CVE-2011-0234 : Rob King working with TippingPoint's Zero Day Initiative, wushi of team509 working with TippingPoint's Zero Day Initiative, wushi of team509 working with iDefense VCP CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0237 : wushi of team509 working with iDefense VCP CVE-2011-0238 : Adam Barth of Google Chrome Security Team CVE-2011-0240 : wushi of team509 working with iDefense VCP CVE-2011-0253 : Richard Keen CVE-2011-0254 : An anonymous researcher working with TippingPoint's Zero Day Initiative CVE-2011-0255 : An anonymous researcher working with TippingPoint's Zero Day Initiative CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc CVE-2011-0983 : Martin Barbella CVE-2011-1109 : Sergey Glazunov CVE-2011-1114 : Martin Barbella CVE-2011-1115 : Martin Barbella CVE-2011-1117 : wushi of team509 CVE-2011-1121 : miaubiz CVE-2011-1188 : Martin Barbella CVE-2011-1203 : Sergey Glazunov CVE-2011-1204 : Sergey Glazunov CVE-2011-1288 : Andreas Kling of Nokia CVE-2011-1293 : Sergey Glazunov CVE-2011-1296 : Sergey Glazunov CVE-2011-1449 : Marek Majkowski, wushi of team 509 working with iDefense VCP CVE-2011-1451 : Sergey Glazunov CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day Initiative CVE-2011-1457 : John Knottenbelt of Google CVE-2011-1462 : wushi of team509 CVE-2011-1797 : wushi of team509 WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: A configuration issue existed in WebKit's use of libxslt. Visiting a maliciously crafted website may lead to arbitrary files being created with the privileges of the user, which may lead to arbitrary code execution. This issue is addressed through improved libxslt security settings. Visiting a maliciously crafted website may lead to an information disclosure. Visiting a maliciously crafted website may lead to a cross-site scripting attack. This issue is addressed through improved handling of URLs with an embedded username. Visiting a maliciously crafted website may lead to a cross- site scripting attack. CVE-ID CVE-2011-1295 : Sergey Glazunov WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: A maliciously crafted website may be able to cause a different URL to be shown in the address bar Description: A URL spoofing issue existed in the handling of the DOM history object. A maliciously crafted website may have been able to cause a different URL to be shown in the address bar. Subscribing to a maliciously crafted RSS feed and clicking on a link within it may lead to arbitrary files being sent from the user's system to a remote server. This update addresses the issue through improved handling of URLs. Applications that use WebKit, such a s mail clients, may connect to an arbitrary DNS server upon processing HTML content. This update addresses the issue by requiring applications to opt in to DNS prefetching. CVE-ID CVE-2010-3829 : Mike Cardwell of Cardwell IT Ltd. Note: Safari 5.1 is included with OS X Lion. Safari 5.1 and Safari 5.0.6 address the same set of security issues. Safari 5.1 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/ Safari 5.0.6 is available via the Apple Software Update application, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ Safari for Mac OS X v10.6.8 and later The download file is named: Safari5.1SnowLeopard.dmg Its SHA-1 digest is: 2c3cef8e06c5aa586379b1a5fd5cf7b54e8acc24 Safari for Mac OS X v10.5.8 The download file is named: Safari5.0.6Leopard.dmg Its SHA-1 digest is: ea970375d2116a7b74094a2a7669bebc306b6e6f Safari for Windows 7, Vista or XP The download file is named: SafariSetup.exe Its SHA-1 digest is: d00b791c694b1ecfc22d6a1ec9aa21cc14fd8e36 Safari for Windows 7, Vista or XP from the Microsoft Choice Screen The download file is named: Safari_Setup.exe Its SHA-1 digest is: ccb3bb6b06468a430171d9f62708a1a6d917f45b Safari+QuickTime for Windows 7, Vista or XP The file is named: SafariQuickTimeSetup.exe Its SHA-1 digest is: 1273e0ee742a294d65e4f25a9b3e36f79fb517c9 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) iQEcBAEBAgAGBQJOJI45AAoJEGnF2JsdZQeezHQIALKZms5tzYgYxUSdxmo+DmYw up9gAmEVcltZvCeVS1lUxfjqnRiGRSWyuou8Ynt9PfGQCz9GfLvzlrCHc5rsnKaD MeYY1IH7lQc6aqmV0hwb4nUL5qJntP6G5Ai0E/0UiRQNC/ummS+qnmdsiFo78ODY nKaB5cAWhqGHgOAPnUG0JwmxpYgR2HEtGYJSqlYykMwt1vnlAr5hHVNaUJcJ3Hlb vesN6fB7zQMiJVo8+iJBixCvIYlbII5HnVAmD1ToyKgENg4Iguo46YBMVr8DPgF/ KD2s0+VF/O4utYVX0GiRGReVyq1PMvz/HI23ym8U3LjbezXD/AALQET0Q2hUEYQ= =fOfF -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45054 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45054/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 RELEASE DATE: 2011-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/45054/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45054/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset. 2) An error within App Store may lead to a user's AppleID password being logged to a local file. 3) An unspecified error in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks. 7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file. 8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files. 9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow. 10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow. 11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow. 12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset. 13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption. 14) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks. 16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL. For more information: SA41048 SA41716 17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL. For more information: SA37291 SA38807 SA42243 SA42473 SA43227 18) A vulnerability is caused due to a vulnerable bundled version of GNU patch. For more information: SA43677 19) An unspecified error in QuickLook within the processing of Microsoft Office files can be exploited to corrupt memory, which may allow execution of arbitrary code. 20) An integer overflow error in QuickTime when handling RIFF WAV files can be exploited to execute arbitrary code. 21) An error within QuickTime when processing sample tables in QuickTime movie files can be exploited to corrupt memory, which may allow execution of arbitrary code. 22) An integer overflow error in QuickTime when handling certain movie files can be exploited to execute arbitrary code. 25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba. For more information: SA41354 SA43512 26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources. 27) A vulnerability is caused due to a vulnerable bundled version of subversion. For more information: SA43603 SOLUTION: Update to version 10.6.8 or apply Security Update 2011-004. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 2) Paul Nelson 3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen 4) Chris Hawk and Wan-Teh Chang, Google 5) binaryproof via ZDI 6) Harry Sintonen 7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 8) team karlkani 9) Dominic Chell, NGS Secure 10) Harry Sintonen 11) David Bienvenu, Mozilla 12) Thomas Clement, Intego 13) Maksymilian Arciemowicz 14) Chris Evans, Google Chrome Security Team 15) Aaron Sigel, vtty.com 19)Tobias Klein via iDefense 20, 22) Luigi Auriemma via ZDI 21) Honggang Ren, Fortinet's FortiGuard Labs 23) Subreption LLC via ZDI 24) Luigi Auriemma via iDefense 1, 26) Reported by the vendor ORIGINAL ADVISORY: Apple Security Update 2011-004: http://support.apple.com/kb/HT4723 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201106-0155 CVE-2011-0204 Apple Mac OS X of ImageIO Heap-based buffer overflow vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Heap-based buffer overflow in ImageIO in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF image. Apple Mac OS X is prone to a heap buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2011-07-20-1 Safari 5.1 and Safari 5.0.6 Safari 5.1 and Safari 5.0.6 are now available and address the following: CFNetwork Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: In certain situations, Safari may treat a file as HTML, even if it is served with the 'text/plain' content type. This may lead to a cross-site scripting attack on sites that allow untrusted users to post text files. This issue is addressed through improved handling of 'text/plain' content. CVE-ID CVE-2010-1420 : Hidetake Jo working with Microsoft Vulnerability Research (MSVR), Neal Poole of Matasano Security CFNetwork Available for: Windows 7, Vista, XP SP2 or later Impact: Authenticating to a maliciously crafted website may lead to arbitrary code execution Description: The NTLM authentication protocol is susceptible to a replay attack referred to as credential reflection. Authenticating to a maliciously crafted website may lead to arbitrary code execution. To mitigate this issue, Safari has been updated to utilize protection mechanisms recently added to Windows. This issue does not affect Mac OS X systems. CVE-ID CVE-2010-1383 : Takehiro Takahashi of IBM X-Force Research CFNetwork Available for: Windows 7, Vista, XP SP2 or later Impact: A root certificate that is disabled may still be trusted Description: CFNetwork did not properly validate that a certificate was trusted for use by a SSL server. As a result, if the user had marked a system root certificate as not trusted, Safari would still accept certificates signed by that root. This issue is addressed through improved certificate validation. This issue does not affect Mac OS X systems. CVE-ID CVE-2011-0214 : An anonymous reporter ColorSync Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of images with an embedded ColorSync profile, which may lead to a heap buffer overflow. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004. CVE-ID CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day Initiative CoreFoundation Available for: Windows 7, Vista, XP SP2 or later Impact: Applications that use the CoreFoundation framework may be vulnerable to an unexpected application termination or arbitrary code execution Description: An off-by-one buffer overflow issue existed in the handling of CFStrings. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. CVE-ID CVE-2011-0201 : Harry Sintonen CoreGraphics Available for: Windows 7, Vista, XP SP2 or later Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow issue existed in the handling of Type 1 fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004. CVE-ID CVE-2011-0202 : Cristian Draghici of Modulo Consulting, Felix Grobert of the Google Security Team International Components for Unicode Available for: Windows 7, Vista, XP SP2 or later Impact: Applications that use ICU may be vulnerable to an unexpected application termination or arbitrary code execution Description: A buffer overflow issue existed in ICU's handling of uppercase strings. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004. CVE-ID CVE-2011-0204 : Dominic Chell of NGS Secure ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in ImageIO's handling of CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A reentrancy issue existed in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X systems. CVE-ID CVE-2011-0215 : Juan Pablo Lopez Yacubian working with iDefense VCP ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004. CVE-ID CVE-2011-0204 : Dominic Chell of NGS Secure libxslt Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to the disclosure of addresses on the heap Description: libxslt's implementation of the generate-id() XPath function disclosed the address of a heap buffer. Visiting a maliciously crafted website may lead to the disclosure of addresses on the heap. This issue is addressed by generating an ID based on the difference between the addresses of two heap buffers. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004. CVE-ID CVE-2011-0195 : Chris Evans of the Google Chrome Security Team libxml Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A one-byte heap buffer overflow existed in libxml's handling of XML data. CVE-ID CVE-2011-0216 : Billy Rios of the Google Security Team Safari Available for: Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: If the "AutoFill web forms" feature is enabled, visiting a maliciously crafted website and typing may lead to the disclosure of information from the user's Address Book Description: Safari's "AutoFill web forms" feature filled in non- visible form fields, and the information was accessible by scripts on the site before the user submitted the form. This issue is addressed by displaying all fields that will be filled, and requiring the user's consent before AutoFill information is available to the form. CVE-ID CVE-2011-0217 : Florian Rienhardt of BSI, Alex Lambert, [Jeremiah Grossman] Safari Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: With a certain Java configuration, visiting a malicious website may lead to unexpected text being displayed on other sites Description: A cross origin issue existed in the handling of Java Applets. This applies when Java is enabled in Safari, and Java is configured to run within the browser process. Fonts loaded by a Java applet could affect the display of text content from other sites. This issue is addressed by running Java applets in a separate process. CVE-ID CVE-2011-0219 : Joshua Smith of Kaon Interactive WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. CVE-ID CVE-2010-1823 : David Weston of Microsoft and Microsoft Vulnerability Research (MSVR), wushi of team509, and Yong Li of Research In Motion Ltd CVE-2011-0164 : Apple CVE-2011-0218 : SkyLined of Google Chrome Security Team CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS Research Team, and Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0223 : Jose A. Vazquez of spa-s3c.blogspot.com working with iDefense VCP CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day Initiative CVE-2011-0234 : Rob King working with TippingPoint's Zero Day Initiative, wushi of team509 working with TippingPoint's Zero Day Initiative, wushi of team509 working with iDefense VCP CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0237 : wushi of team509 working with iDefense VCP CVE-2011-0238 : Adam Barth of Google Chrome Security Team CVE-2011-0240 : wushi of team509 working with iDefense VCP CVE-2011-0253 : Richard Keen CVE-2011-0254 : An anonymous researcher working with TippingPoint's Zero Day Initiative CVE-2011-0255 : An anonymous researcher working with TippingPoint's Zero Day Initiative CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc CVE-2011-0983 : Martin Barbella CVE-2011-1109 : Sergey Glazunov CVE-2011-1114 : Martin Barbella CVE-2011-1115 : Martin Barbella CVE-2011-1117 : wushi of team509 CVE-2011-1121 : miaubiz CVE-2011-1188 : Martin Barbella CVE-2011-1203 : Sergey Glazunov CVE-2011-1204 : Sergey Glazunov CVE-2011-1288 : Andreas Kling of Nokia CVE-2011-1293 : Sergey Glazunov CVE-2011-1296 : Sergey Glazunov CVE-2011-1449 : Marek Majkowski, wushi of team 509 working with iDefense VCP CVE-2011-1451 : Sergey Glazunov CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day Initiative CVE-2011-1457 : John Knottenbelt of Google CVE-2011-1462 : wushi of team509 CVE-2011-1797 : wushi of team509 WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: A configuration issue existed in WebKit's use of libxslt. Visiting a maliciously crafted website may lead to arbitrary files being created with the privileges of the user, which may lead to arbitrary code execution. This issue is addressed through improved libxslt security settings. CVE-ID CVE-2011-1774 : Nicolas Gregoire of Agarri WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to an information disclosure Description: A cross-origin issue existed in the handling of Web Workers. Visiting a maliciously crafted website may lead to an information disclosure. CVE-ID CVE-2011-1190 : Daniel Divricean of divricean.ro WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of URLs with an embedded username. Visiting a maliciously crafted website may lead to a cross-site scripting attack. This issue is addressed through improved handling of URLs with an embedded username. CVE-ID CVE-2011-0242 : Jobert Abma of Online24 WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of DOM nodes. Visiting a maliciously crafted website may lead to a cross- site scripting attack. CVE-ID CVE-2011-1295 : Sergey Glazunov WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: A maliciously crafted website may be able to cause a different URL to be shown in the address bar Description: A URL spoofing issue existed in the handling of the DOM history object. A maliciously crafted website may have been able to cause a different URL to be shown in the address bar. CVE-ID CVE-2011-1107 : Jordi Chancel WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Subscribing to a maliciously crafted RSS feed and clicking on a link within it may lead to an information disclosure Description: A canonicalization issue existed in the handling of URLs. Subscribing to a maliciously crafted RSS feed and clicking on a link within it may lead to arbitrary files being sent from the user's system to a remote server. This update addresses the issue through improved handling of URLs. CVE-ID CVE-2011-0244 : Jason Hullinger WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Applications that use WebKit, such as mail clients, may connect to an arbitrary DNS server upon processing HTML content Description: DNS prefetching was enabled by default in WebKit. Applications that use WebKit, such a s mail clients, may connect to an arbitrary DNS server upon processing HTML content. This update addresses the issue by requiring applications to opt in to DNS prefetching. CVE-ID CVE-2010-3829 : Mike Cardwell of Cardwell IT Ltd. Note: Safari 5.1 is included with OS X Lion. Safari 5.1 and Safari 5.0.6 address the same set of security issues. Safari 5.1 is provided for Mac OS X v10.6, and Windows systems. Safari 5.0.6 is provided for Mac OS X v10.5 systems. Safari 5.1 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/ Safari 5.0.6 is available via the Apple Software Update application, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ Safari for Mac OS X v10.6.8 and later The download file is named: Safari5.1SnowLeopard.dmg Its SHA-1 digest is: 2c3cef8e06c5aa586379b1a5fd5cf7b54e8acc24 Safari for Mac OS X v10.5.8 The download file is named: Safari5.0.6Leopard.dmg Its SHA-1 digest is: ea970375d2116a7b74094a2a7669bebc306b6e6f Safari for Windows 7, Vista or XP The download file is named: SafariSetup.exe Its SHA-1 digest is: d00b791c694b1ecfc22d6a1ec9aa21cc14fd8e36 Safari for Windows 7, Vista or XP from the Microsoft Choice Screen The download file is named: Safari_Setup.exe Its SHA-1 digest is: ccb3bb6b06468a430171d9f62708a1a6d917f45b Safari+QuickTime for Windows 7, Vista or XP The file is named: SafariQuickTimeSetup.exe Its SHA-1 digest is: 1273e0ee742a294d65e4f25a9b3e36f79fb517c9 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) iQEcBAEBAgAGBQJOJI45AAoJEGnF2JsdZQeezHQIALKZms5tzYgYxUSdxmo+DmYw up9gAmEVcltZvCeVS1lUxfjqnRiGRSWyuou8Ynt9PfGQCz9GfLvzlrCHc5rsnKaD MeYY1IH7lQc6aqmV0hwb4nUL5qJntP6G5Ai0E/0UiRQNC/ummS+qnmdsiFo78ODY nKaB5cAWhqGHgOAPnUG0JwmxpYgR2HEtGYJSqlYykMwt1vnlAr5hHVNaUJcJ3Hlb vesN6fB7zQMiJVo8+iJBixCvIYlbII5HnVAmD1ToyKgENg4Iguo46YBMVr8DPgF/ KD2s0+VF/O4utYVX0GiRGReVyq1PMvz/HI23ym8U3LjbezXD/AALQET0Q2hUEYQ= =fOfF -----END PGP SIGNATURE----- . The announcement of the patch can be found here: http://support.apple.com/kb/HT4723 NGS Secure is going to withhold details of this flaw for three months. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NGS Secure approach to responsible disclosure. NGS Secure Research http://www.ngssecure.com . Description: Multiple memory corruption issues existed in WebKit. ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45054 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45054/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 RELEASE DATE: 2011-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/45054/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45054/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset. 2) An error within App Store may lead to a user's AppleID password being logged to a local file. 3) An unspecified error in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks. 7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file. 8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files. 9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow. 10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow. 11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow. 12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset. 13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption. 14) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks. 16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL. For more information: SA41048 SA41716 17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL. For more information: SA37291 SA38807 SA42243 SA42473 SA43227 18) A vulnerability is caused due to a vulnerable bundled version of GNU patch. For more information: SA43677 19) An unspecified error in QuickLook within the processing of Microsoft Office files can be exploited to corrupt memory, which may allow execution of arbitrary code. 20) An integer overflow error in QuickTime when handling RIFF WAV files can be exploited to execute arbitrary code. 21) An error within QuickTime when processing sample tables in QuickTime movie files can be exploited to corrupt memory, which may allow execution of arbitrary code. 22) An integer overflow error in QuickTime when handling certain movie files can be exploited to execute arbitrary code. 25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba. For more information: SA41354 SA43512 26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources. 27) A vulnerability is caused due to a vulnerable bundled version of subversion. For more information: SA43603 SOLUTION: Update to version 10.6.8 or apply Security Update 2011-004. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 2) Paul Nelson 3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen 4) Chris Hawk and Wan-Teh Chang, Google 5) binaryproof via ZDI 6) Harry Sintonen 7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 8) team karlkani 9) Dominic Chell, NGS Secure 10) Harry Sintonen 11) David Bienvenu, Mozilla 12) Thomas Clement, Intego 13) Maksymilian Arciemowicz 14) Chris Evans, Google Chrome Security Team 15) Aaron Sigel, vtty.com 19)Tobias Klein via iDefense 20, 22) Luigi Auriemma via ZDI 21) Honggang Ren, Fortinet's FortiGuard Labs 23) Subreption LLC via ZDI 24) Luigi Auriemma via iDefense 1, 26) Reported by the vendor ORIGINAL ADVISORY: Apple Security Update 2011-004: http://support.apple.com/kb/HT4723 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201106-0157 CVE-2011-0206 Apple Mac OS X of ICU Vulnerable to buffer overflow CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in International Components for Unicode (ICU) in Apple Mac OS X before 10.6.8 allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving uppercase strings. Apple Mac OS X is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. This issue affects Mac OS X 10.6 through 10.6.7 and Mac OS X Server 10.6 through 10.6.7. NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. This may lead to a cross-site scripting attack on sites that allow untrusted users to post text files. To mitigate this issue, Safari has been updated to utilize protection mechanisms recently added to Windows. This issue is addressed by generating an ID based on the difference between the addresses of two heap buffers. This issue is addressed by displaying all fields that will be filled, and requiring the user's consent before AutoFill information is available to the form. CVE-ID CVE-2011-0217 : Florian Rienhardt of BSI, Alex Lambert, [Jeremiah Grossman] Safari Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: With a certain Java configuration, visiting a malicious website may lead to unexpected text being displayed on other sites Description: A cross origin issue existed in the handling of Java Applets. This applies when Java is enabled in Safari, and Java is configured to run within the browser process. Fonts loaded by a Java applet could affect the display of text content from other sites. A maliciously crafted website may have been able to cause a different URL to be shown in the address bar. Applications that use WebKit, such a s mail clients, may connect to an arbitrary DNS server upon processing HTML content. This update addresses the issue by requiring applications to opt in to DNS prefetching. CVE-ID CVE-2010-3829 : Mike Cardwell of Cardwell IT Ltd. Note: Safari 5.1 is included with OS X Lion. Safari 5.1 and Safari 5.0.6 address the same set of security issues. ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45054 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45054/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 RELEASE DATE: 2011-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/45054/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45054/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset. 2) An error within App Store may lead to a user's AppleID password being logged to a local file. 3) An unspecified error in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks. 7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file. 8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files. 9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow. 10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow. 12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset. 13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption. 14) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks. 16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL. For more information: SA41048 SA41716 17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL. For more information: SA37291 SA38807 SA42243 SA42473 SA43227 18) A vulnerability is caused due to a vulnerable bundled version of GNU patch. For more information: SA43677 19) An unspecified error in QuickLook within the processing of Microsoft Office files can be exploited to corrupt memory, which may allow execution of arbitrary code. 20) An integer overflow error in QuickTime when handling RIFF WAV files can be exploited to execute arbitrary code. 21) An error within QuickTime when processing sample tables in QuickTime movie files can be exploited to corrupt memory, which may allow execution of arbitrary code. 22) An integer overflow error in QuickTime when handling certain movie files can be exploited to execute arbitrary code. 23) An error in QuickTime when handling PICT image files can be exploited to cause a buffer overflow and execute arbitrary code. 24) An error in QuickTime when handling JPEG image files can be exploited to cause a buffer overflow and execute arbitrary code. 25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba. For more information: SA41354 SA43512 26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources. 27) A vulnerability is caused due to a vulnerable bundled version of subversion. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 2) Paul Nelson 3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen 4) Chris Hawk and Wan-Teh Chang, Google 5) binaryproof via ZDI 6) Harry Sintonen 7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 8) team karlkani 9) Dominic Chell, NGS Secure 10) Harry Sintonen 11) David Bienvenu, Mozilla 12) Thomas Clement, Intego 13) Maksymilian Arciemowicz 14) Chris Evans, Google Chrome Security Team 15) Aaron Sigel, vtty.com 19)Tobias Klein via iDefense 20, 22) Luigi Auriemma via ZDI 21) Honggang Ren, Fortinet's FortiGuard Labs 23) Subreption LLC via ZDI 24) Luigi Auriemma via iDefense 1, 26) Reported by the vendor ORIGINAL ADVISORY: Apple Security Update 2011-004: http://support.apple.com/kb/HT4723 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2011-10-12-1 iOS 5 Software Update iOS 5 Software Update is now available and addresses the following: CalDAV Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information from a CalDAV calendar server Description: CalDAV did not check that the SSL certificate presented by the server was trusted. CVE-ID CVE-2011-3253 : Leszek Tasiemski of nSense Calendar Available for: iOS 4.2.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 4.2.0 through 4.3.5 for iPod touch (3rd generation) and later, iOS 4.2.0 through 4.3.5 for iPad Impact: Viewing a maliciously crafted calendar invitation may inject script in the local domain Description: A script injection issue existed in Calendar's handling of invitation notes. This issue is addressed through improved escaping of special characters in invitation notes. This issues does not affect devices prior to iOS 4.2.0. CVE-ID CVE-2011-3254 : Rick Deacon CFNetwork Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: User's AppleID password may be logged to a local file Description: A user's AppleID password and username were logged to a file that was readable by applications on the system. This is resolved by no longer logging these credentials. CVE-ID CVE-2011-3255 : Peter Quade of qdevelop CFNetwork Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information Description: An issue existed in CFNetwork's handling of HTTP cookies. When accessing a maliciously crafted HTTP or HTTPS URL, CFNetwork could incorrectly send the cookies for a domain to a server outside that domain. CVE-ID CVE-2011-3246 : Erling Ellingsen of Facebook CoreFoundation Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in CoreFoundation's handling of string tokenization. CVE-ID CVE-2011-0259 : Apple CoreGraphics Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Viewing a document containing a maliciously crafted font may lead to arbitrary code execution Description: Multiple memory corruption existed in freetype, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font. CVE-ID CVE-2011-3256 : Apple CoreMedia Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to the disclosure of video data from another site Description: A cross-origin issue existed in CoreMedia's handling of cross-site redirects. This issue is addressed through improved origin tracking. CVE-ID CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR) Data Access Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: An exchange mail cookie management issue could incorrectly cause data synchronization across different accounts Description: When multiple mail exchange accounts are configured which connect to the same server, a session could potentially receive a valid cookie corresponding to a different account. This issue is addressed by ensuring that cookies are separated across different accounts. CVE-ID CVE-2011-3257 : Bob Sielken of IBM Data Security Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted. Data Security Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Support for X.509 certificates with MD5 hashes may expose users to spoofing and information disclosure as attacks improve Description: Certificates signed using the MD5 hash algorithm were accepted by iOS. This algorithm has known cryptographic weaknesses. Further research or a misconfigured certificate authority could have allowed the creation of X.509 certificates with attacker controlled values that would have been trusted by the system. This would have exposed X.509 based protocols to spoofing, man in the middle attacks, and information disclosure. This update disables support for an X.509 certificate with an MD5 hash for any use other than as a trusted root certificate. CVE-ID CVE-2011-3427 Data Security Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: An attacker could decrypt part of a SSL connection Description: Only the SSLv3 and TLS 1.0 versions of SSL were supported. These versions are subject to a protocol weakness when using block ciphers. A man-in-the-middle attacker could have injected invalid data, causing the connection to close but revealing some information about the previous data. If the same connection was attempted repeatedly the attacker may eventually have been able to decrypt the data being sent, such as a password. This issue is addressed by adding support for TLS 1.2. CVE-ID CVE-2011-3389 Home screen Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Switching between applications may lead to the disclosure of sensitive application information Description: When switching between applications with the four- finger app switching gesture, the display could have revealed the previous application state. This issue is addressed by ensuring that the system properly calls the applicationWillResignActive: method when transitioning between applications. CVE-ID CVE-2011-3431 : Abe White of Hedonic Software Inc. ImageIO Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libTIFF's handling of CCITT Group 4 encoded TIFF images. CVE-ID CVE-2011-0192 : Apple ImageIO Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in ImageIO's handling of CCITT Group 4 encoded TIFF images. CVE-ID CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies International Components for Unicode Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Applications that use ICU may be vulnerable to an unexpected application termination or arbitrary code execution Description: A buffer overflow issue existed in ICU's generation of collation keys for long strings of mostly uppercase letters. CVE-ID CVE-2011-0206 : David Bienvenu of Mozilla Kernel Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: A remote attacker may cause a device reset Description: The kernel failed to promptly reclaim memory from incomplete TCP connections. An attacker with the ability to connect to a listening service on an iOS device could exhaust system resources. CVE-ID CVE-2011-3259 : Wouter van der Veer of Topicus I&I, and Josh Enders Kernel Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: A local user may be able to cause a system reset Description: A null dereference issue existed in the handling of IPV6 socket options. CVE-ID CVE-2011-1132 : Thomas Clement of Intego Keyboards Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: A user may be able to determine information about the last character of a password Description: The keyboard used to type the last character of a password was briefly displayed the next time the keyboard was used. CVE-ID CVE-2011-3245 : Paul Mousdicas libxml Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A one-byte heap buffer overflow existed in libxml's handling of XML data. CVE-ID CVE-2011-0216 : Billy Rios of the Google Security Team OfficeImport Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Viewing a maliciously crafted Word file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in OfficeImport's handling of Microsoft Word documents. CVE-ID CVE-2011-3260 : Tobias Klein working with Verisign iDefense Labs OfficeImport Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Viewing a maliciously crafted Excel file may lead to an unexpected application termination or arbitrary code execution Description: A double free issue existed in OfficeImport's handling of Excel files. CVE-ID CVE-2011-3261 : Tobias Klein of www.trapkit.de OfficeImport Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in OfficeImport's handling of Microsoft Office files. CVE-ID CVE-2011-0208 : Tobias Klein working with iDefense VCP OfficeImport Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Downloading a maliciously crafted Excel file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in OfficeImport's handling of Excel files. CVE-ID CVE-2011-0184 : Tobias Klein working with iDefense VCP Safari Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Opening maliciously crafted files on certain websites may lead to a cross-site scripting attack Description: iOS did not support the 'attachment' value for the HTTP Content-Disposition header. This header is used by many websites to serve files that were uploaded to the site by a third-party, such as attachments in web-based e-mail applications. Any script in files served with this header value would run as if the file had been served inline, with full access to other resources on the origin server. This issue is addressed by loading attachments in an isolated security origin with no access to resources on other sites. CVE-ID CVE-2011-3426 : Christian Matthies working with iDefense VCP, Yoshinori Oota from Business Architects Inc working with JP/CERT Settings Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: An attacker with physical access to a device may be able to recover the restrictions passcode Description: The parental restrictions functionality enforces UI restrictions. Configuring parental restrictions is protected by a passcode, which was previously stored in plaintext on disk. This issue is addressed by securely storing the parental restrictions passcode in the system keychain. CVE-ID CVE-2011-3429 : an anonymous reporter Settings Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Misleading UI Description: Configurations and settings applied via configuration profiles did not appear to function properly under any non-English language. Settings could be improperly displayed as a result. This issue is addressed by fixing a localization error. CVE-ID CVE-2011-3430 : Florian Kreitmaier of Siemens CERT UIKit Alerts Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a malicious website may cause an unexpected device hang Description: An excessive maximum text layout length permitted malicious websites to cause iOS to hang when drawing acceptance dialogs for very long tel: URIs. This issue is addressed by using a more reasonable maximum URI size. CVE-ID CVE-2011-3432 : Simon Young of Anglia Ruskin University WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. CVE-ID CVE-2011-0218 : SkyLined of Google Chrome Security Team CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS Research Team, and Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day Initiative CVE-2011-0234 : Rob King working with TippingPoint's Zero Day Initiative, wushi of team509 working with TippingPoint's Zero Day Initiative CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0238 : Adam Barth of Google Chrome Security Team CVE-2011-0254 : An anonymous researcher working with TippingPoint's Zero Day Initiative CVE-2011-0255 : An anonymous reporter working with TippingPoint's Zero Day Initiative CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc CVE-2011-0983 : Martin Barbella CVE-2011-1109 : Sergey Glazunov CVE-2011-1114 : Martin Barbella CVE-2011-1115 : Martin Barbella CVE-2011-1117 : wushi of team509 CVE-2011-1121 : miaubiz CVE-2011-1188 : Martin Barbella CVE-2011-1203 : Sergey Glazunov CVE-2011-1204 : Sergey Glazunov CVE-2011-1288 : Andreas Kling of Nokia CVE-2011-1293 : Sergey Glazunov CVE-2011-1296 : Sergey Glazunov CVE-2011-1449 : Marek Majkowski CVE-2011-1451 : Sergey Glazunov CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day Initiative CVE-2011-1457 : John Knottenbelt of Google CVE-2011-1462 : wushi of team509 CVE-2011-1797 : wushi of team509 CVE-2011-2338 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2339 : Cris Neckar of the Google Chrome Security Team CVE-2011-2341 : Apple CVE-2011-2351 : miaubiz CVE-2011-2352 : Apple CVE-2011-2354 : Apple CVE-2011-2356 : Adam Barth and Abhishek Arya of Google Chrome Security Team using AddressSanitizer CVE-2011-2359 : miaubiz CVE-2011-2788 : Mikolaj Malecki of Samsung CVE-2011-2790 : miaubiz CVE-2011-2792 : miaubiz CVE-2011-2797 : miaubiz CVE-2011-2799 : miaubiz CVE-2011-2809 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-2813 : Cris Neckar of Google Chrome Security Team using AddressSanitizer CVE-2011-2814 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2816 : Apple CVE-2011-2817 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2818 : Martin Barbella CVE-2011-2820 : Raman Tenneti and Philip Rogers of Google CVE-2011-2823 : SkyLined of Google Chrome Security Team CVE-2011-2827 : miaubiz CVE-2011-2831 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-3232 : Aki Helin of OUSPG CVE-2011-3234 : miaubiz CVE-2011-3235 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the Chromium development community, and Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-3236 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-3237 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the Chromium development community, and Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-3244 : vkouchna WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of URLs with an embedded username. This issue is addressed through improved handling of URLs with an embedded username. CVE-ID CVE-2011-0242 : Jobert Abma of Online24 WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of DOM nodes. CVE-ID CVE-2011-1295 : Sergey Glazunov WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: A maliciously crafted website may be able to cause a different URL to be shown in the address bar Description: A URL spoofing issue existed in the handling of the DOM history object. CVE-ID CVE-2011-1107 : Jordi Chancel WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: A configuration issue existed in WebKit's use of libxslt. Visiting a maliciously crafted website may lead to arbitrary files being created with the privileges of the user, which may lead to arbitrary code execution. This issue is addressed through improved libxslt security settings. CVE-ID CVE-2011-1774 : Nicolas Gregoire of Agarri WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a malicious website and dragging content in the page may lead to an information disclosure Description: A cross-origin issue existed in WebKit's handling of HTML5 drag and drop. This issue is addressed by disallowing drag and drop across different origins. CVE-ID CVE-2011-0166 : Michal Zalewski of Google Inc. WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to an information disclosure Description: A cross-origin issue existed in the handling of Web Workers. CVE-ID CVE-2011-1190 : Daniel Divricean of divricean.ro WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of the window.open method. CVE-ID CVE-2011-2805 : Sergey Glazunov WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of inactive DOM windows. CVE-ID CVE-2011-3243 : Sergey Glazunov WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of the document.documentURI property. CVE-ID CVE-2011-2819 : Sergey Glazunov WebKit Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: A maliciously crafted website may be able to track the URLs that a user visits within a frame Description: A cross-origin issue existed in the handling of the beforeload event. CVE-ID CVE-2011-2800 : Juho Nurminen WiFi Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad Impact: WiFi credentials may be logged to a local file Description: WiFi credentials including the passphrase and encryption keys were logged to a file that was readable by applications on the system. This is resolved by no longer logging these credentials. CVE-ID CVE-2011-3434 : Laurent OUDOT of TEHTRI Security Installation note: This update is only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone, iPod touch or iPad is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iPhone, iPod touch, or iPad. The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the Check for Updates button within iTunes. After doing this, the update can be applied when your iPhone, iPod touch, or iPad is docked to your computer. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "5 (9A334)". Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) iQEcBAEBAgAGBQJOldmtAAoJEGnF2JsdZQee/qMIAIPxmIiOqj+FMLFHZtPeC/Dp 3s4JliKOOgNnjXkxErfaNvYGmeVbDaUER5jdVrWccTauzlYmy8G4uK0An2GD2YiP gB5AiCQXpONdBCi38QNdRqrYoYjc8Sa0nUp4r5uWPoiHoj5KfxvBpgygEL+zjHXS fmnrONOCWhOYp0w4q6mdTg5BH2uJCbXscD/JjbmgHQI0Vs/iUZKSRyqFo2b0Mvze NiSyzcj/4l62Cxx7xM9VbdrYL7Al2yyHfNYJQsZmoeDUlJQcdgEgEMXvOuhY3sFK maxYr2oCp6Mtf53fplAeJIV4ijLynEWAKxTuTznAyW1k7oiGrDTfORSFKPEB9MQ= =LCQZ -----END PGP SIGNATURE-----
VAR-201106-0018 CVE-2011-1132 Apple Mac OS X of kernel of IPv6 Service disruption in implementation (Null Pointer dereference and reboot ) Vulnerabilities CVSS V2: 4.9
CVSS V3: -
Severity: MEDIUM
The IPv6 implementation in the kernel in Apple Mac OS X before 10.6.8 allows local users to cause a denial of service (NULL pointer dereference and reboot) via vectors involving socket options. Apple Mac OS X is prone to a local denial-of-service vulnerability. Local attackers can exploit this issue to cause a system reset, denying service to legitimate users. This issue affects Mac OS X 10.6 to 10.6.7 and Mac OS X Server 10.6 to 10.6.7. NOTE: This issue was previously discussed in BID 48412 (Apple Mac OS X Prior to 10.6.8 Multiple Security Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45054 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45054/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 RELEASE DATE: 2011-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/45054/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45054/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45054 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset. 2) An error within App Store may lead to a user's AppleID password being logged to a local file. 3) An unspecified error in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks. 5) An integer overflow error when processing ColorSync profiles embedded in images can be exploited to cause a heap-based buffer overflow and potentially execute arbitrary code via a specially crafted image. 6) An off-by-one error within the CoreFoundation framework when handling CFStrings can be exploited to execute arbitrary code. 7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file. 8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files. 9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow. 10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow. 11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow. 13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption. 14) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks. 16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL. For more information: SA41048 SA41716 17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL. For more information: SA37291 SA38807 SA42243 SA42473 SA43227 18) A vulnerability is caused due to a vulnerable bundled version of GNU patch. For more information: SA43677 19) An unspecified error in QuickLook within the processing of Microsoft Office files can be exploited to corrupt memory, which may allow execution of arbitrary code. 20) An integer overflow error in QuickTime when handling RIFF WAV files can be exploited to execute arbitrary code. 21) An error within QuickTime when processing sample tables in QuickTime movie files can be exploited to corrupt memory, which may allow execution of arbitrary code. 22) An integer overflow error in QuickTime when handling certain movie files can be exploited to execute arbitrary code. 23) An error in QuickTime when handling PICT image files can be exploited to cause a buffer overflow and execute arbitrary code. 24) An error in QuickTime when handling JPEG image files can be exploited to cause a buffer overflow and execute arbitrary code. 25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba. For more information: SA41354 SA43512 26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources. 27) A vulnerability is caused due to a vulnerable bundled version of subversion. For more information: SA43603 SOLUTION: Update to version 10.6.8 or apply Security Update 2011-004. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 2) Paul Nelson 3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen 4) Chris Hawk and Wan-Teh Chang, Google 5) binaryproof via ZDI 6) Harry Sintonen 7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 8) team karlkani 9) Dominic Chell, NGS Secure 10) Harry Sintonen 11) David Bienvenu, Mozilla 12) Thomas Clement, Intego 13) Maksymilian Arciemowicz 14) Chris Evans, Google Chrome Security Team 15) Aaron Sigel, vtty.com 19)Tobias Klein via iDefense 20, 22) Luigi Auriemma via ZDI 21) Honggang Ren, Fortinet's FortiGuard Labs 23) Subreption LLC via ZDI 24) Luigi Auriemma via iDefense 1, 26) Reported by the vendor ORIGINAL ADVISORY: Apple Security Update 2011-004: http://support.apple.com/kb/HT4723 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------