VARIoT IoT vulnerabilities database
| VAR-201110-0325 | CVE-2011-3242 | Mac OS X Run on Apple Safari User tracking vulnerability in the private browsing feature |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Private Browsing feature in Apple Safari before 5.1.1 on Mac OS X does not properly recognize the Always value of the Block Cookies setting, which makes it easier for remote web servers to track users via a cookie. WebKit is prone to a security-bypass vulnerability. This issue occurs when private browsing mode is enabled.
Attackers can exploit this issue to bypass security restrictions.
NOTE: This issue was previously discussed in BID 50089 (Apple Safari Prior to 5.1.1 Multiple Security Vulnerabilities) but has been given its own record to better document it. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. There is a logic error in Safari's handling of cookies in Private Browsing mode, which sets cookies even if \"Block cookies\" is set to \"Always\"
| VAR-201110-0322 | CVE-2011-3257 | Apple iOS of Data Access Vulnerabilities that prevent access restrictions on components |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The Data Access component in Apple iOS before 5 does not properly handle the existence of multiple user accounts on the same mail server, which allows local users to bypass intended access restrictions in opportunistic circumstances by leveraging a different account's cookie. Apple iOS is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information due to an incorrect mail cookie synchronization. This may allow the attacker to obtain credentials or other sensitive information. Information harvested may aid in further attacks.
The following Apple systems are vulnerable:
iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later
iOS 3.2 through 4.3.5 for iPad
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201110-0324 | CVE-2011-3260 | Apple iOS of OfficeImport Vulnerable to buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Buffer overflow in OfficeImport in Apple iOS before 5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted Microsoft Word document. Apple iOS for iPhone, iPod touch, and iPad is prone to a buffer-overflow vulnerability.
Successfully exploiting this issue may allow attackers to execute arbitrary code. Failed exploit attempts may cause denial-of-service conditions.
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. The OfficeImport framework is used by several
applications, including MobileMail and MobileSafari. Both of these
applications are attack vectors for this vulnerability. For more
information, see the vendor's site found at the following link.
http://www.apple.com/iphone/softwareupdate/
II.
The vulnerability occurs when parsing a Word file with a maliciously
constructed record. Specific values within this record can trigger a
memory corruption vulnerability and result in values from the file being
used as function pointers.
III. To exploit this
vulnerability, an attacker has several attack vectors. The most
dangerous vector is through MobileSafari, which will automatically open
and parse Office files embedded in Web pages. This behavior is similar
to Microsoft Office 2000, in that it enables drive-by style attacks
without any user interaction beyond visiting a Web page (no file open
dialog is displayed, the file is simply opened). Additionally, an
attacker can e-mail a targeted user and attach a malicious file. The
user will then have to view the e-mail and attachment with MobileMail to
trigger the vulnerability.
IV. DETECTION
iOS versions prior to 5 are vulnerable.
V. WORKAROUND
iDefense is currently unaware of any workarounds for this issue.
VI. VENDOR RESPONSE
Apple has released a fix which addresses this issue. Information about
downloadable vendor updates can be found by clicking on the URLs shown.
http://lists.apple.com/archives/Security-announce/2011/Oct/msg00001.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2011-3260 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
10/27/2010 Initial Vendor Notification
10/27/2010 Vendor Reply
10/12/2011 Coordinated Public Disclosure
IX.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2011 Verisign
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information
| VAR-201110-0320 | CVE-2011-3255 | Apple iOS of CFNetwork Vulnerability in which important information is obtained |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
CFNetwork in Apple iOS before 5 stores AppleID credentials in an unspecified file, which makes it easier for remote attackers to obtain sensitive information via a crafted application. Apple iOS is prone to an information-disclosure vulnerability.
A local attacker can exploit this issue to retrieve a local user's password. Information obtained may aid in further attacks.
The following Apple systems are vulnerable:
iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201110-0319 | CVE-2011-3254 | Apple iOS Calendar cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Calendar in Apple iOS before 5 allows remote attackers to inject arbitrary web script or HTML via an invitation note.
An attacker may leverage this issue to execute arbitrary script code in the local domain. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
The following Apple systems are vulnerable:
iOS 4.2.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 4.2.0 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 4.2.0 through 4.3.5 for iPad
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201110-0301 | CVE-2011-3437 | Apple Mac OS X of Apple Type Services (ATS) Integer sign error vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Integer signedness error in Apple Type Services (ATS) in Apple Mac OS X 10.7 before 10.7.2 allows remote attackers to execute arbitrary code via a crafted embedded Type 1 font in a document.
The update addresses new vulnerabilities that affect Application Firewall, ATS, CFNetwork, CoreMedia, CoreProcesses, CoreStorage, File Systems, IOGraphics, Kernel, MediaKit, Open Directory, QuickTime, SMB File Server, User Documentation, and libsecurity.
Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed attacks will cause denial-of-service conditions.
OS X versions 10.7.x prior to 10.7.2 are affected.
NOTE: This issue was previously discussed in BID 50085 (Apple Mac OS X Prior to 10.7.2 Multiple Security Vulnerabilities) but has been given its own record to better document it. Apple has
released updates to address these vulnerabilities.
I. Apple has released updates to address these
vulnerabilities.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code,
cause a denial of service, or gain unauthorized access to your
files or system.
III. This advisory describes any known issues related to the
updates and the specific impacts for each vulnerability.
Administrators are encouraged to note these issues and impacts and
test for any potentially adverse effects before wide-scale
deployment.
IV. Please send
email to <cert@cert.org> with "TA11-286A Feedback VU#421739" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2011 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
October 13, 2011: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBTpb8zj/GkGVXE7GMAQI21Af/SHWzIangqPW9vtuG/MQWSBMy9nG4wIZS
DUEAWBEMPTKF3fLrIy6TVpRLN3q/q4dCYXzM4lec4IzKvEbV/bUyg15xEfYdxB0v
s/vARGNwf7tjSbjo+PaHLuSZ1HLn/GLO3CXaf+ut/Kb8y9Fsir5klMgrCX/N0JkY
dLoV9R6zGs1aQzmF9ULB1IQ2/lUkg6CGnyARh0prfhRFwKfu7NZXb8yz5ex68q6V
NF6j9l+XK0Cl4K7R+0ESD4e47jLCg6iN175O8VzrlxiRvBRAyTaFycdMB4uSkmii
xu8SqU2QFhsIJy8J+i1Bb6kuWkaxAnUbxO4tRrmXoqTXl9m0CtpnWA==
=3Wp2
-----END PGP SIGNATURE-----
| VAR-201110-0318 | CVE-2011-3253 | Apple iOS of CalDAV Vulnerability in which important information is obtained |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
CalDAV in Apple iOS before 5 does not validate X.509 certificates for SSL sessions, which allows man-in-the-middle attackers to spoof calendar servers and obtain sensitive information via an arbitrary certificate. Apple iOS is prone to an information-disclosure vulnerability that affects the calendar synchronization feature.
Attackers can exploit this issue to obtain sensitive information from CalDAV communications.
An attacker can exploit this issue through man-in-the-middle attacks by impersonating a trusted server. This may allow the attacker to obtain credentials or other sensitive information or give users a false sense of security. Information harvested may aid in further attacks.
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. nSense Vulnerability Research Security Advisory NSENSE-2011-006
---------------------------------------------------------------
t2'11 infosec conference special release
http://www.t2.fi
---------------------------------------------------------------
Affected Vendor: Apple Inc.
Affected Product: CalDAV (iOS 3.0 through 4.3.5 for iPhone 3GS
and iPhone 4, iOS 3.1 through 4.3.5 for iPod
touch (3rd generation) and later, iOS 3.2
through 4.3.5 for iPad)
Platform: iOS
Impact: Sensitive information interception
Vendor response: New version released
CVE: CVE-2011-3253
Credit: Leszek / nSense
Release date: 12 Oct 2011
Technical details
---------------------------------------------------------------
The calendar synchronization feature of iOS fails to validate
the SSL certificate provided by the server. Therefore, CalDAV
communication can be intercepted by a basic man in the middle
attack. As every request contains a HTTP basic authentication
header, which contains base64-encoded credentials, it is
possible to intercept email account credentials by an attacker
that is suitably positioned (e.g. the same LAN, WLAN) or is
able to tamper with DNS records pointing to the CalDAV server.
The application accepts the untrusted certificate without any
warning or prompt, so the attack will go unnoticed by the user.
Timeline:
20110407 nSense informed the vendor about the vulnerability
20110409 Vendor started to investigate the issue
20110415 nSense sent a status update request to the vendor
20110415 Vendor provided a status update
20110420 nSense asked the vendor for further information
20110502 nSense resent the previous questions
20110502 Vendor confirmed the vulnerability
20110525 nSense asked the vendor about the patch schedule
20110527 Vendor responded
20110527 nSense asked the vendor for further information
20110531 Vendor responded, unable to provide a date
20110601 nSense asked the vendor for clarification
20110603 Vendor responded
20110603 nSense resent the previous question
20110607 nSense commented the issue, asked the vendor for
clarification
20110705 nSense asked the vendor for clarification
20110726 nSense asked the vendor whether 4.3.5 fixed the
issue
20110727 Vendor responded. Issue not fixed.
20110728 nSense asked the vendor for further details
20110917 Vendor asked for credit information
20110917 nSense responded
20111002 Vendor confirmed release date
20111012 Vendor releases fixed version of the software
20111012 Vendor releases public advisory
Solution:
Apple security updates are available via the Software Update
mechanism: http://support.apple.com/kb/HT1338
Apple security updates are also available for manual download
via: http://www.apple.com/support/downloads/
More information from Apple Inc.:
http://support.apple.com/kb/HT1222
Links:
http://www.nsense.fi http://www.nsense.dk
$$s$$$$s. ,s$$$$s ,S$$$$$s. $$s$$$$s. ,s$$$$s ,S$$$$$s.
$$$ `$$$ ($$( $$$ `$$$ $$$ `$$$ ($$( $$$ `$$$
$$$ $$$ `^$$s. $$$$$$$$$ $$$ $$$ `^$$s. $$$$$$$$$
$$$ $$$ )$$) $$$ $$$ $$$ )$$) $$$
$$$ $$$ ^$$$$$$7 `7$$$$$P $$$ $$$ ^$$$$$$7 `7$$$$$P
D r i v e n b y t h e c h a l l e n g e _
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201110-0300 | CVE-2011-3436 | Apple Mac OS of Open Directory Vulnerable to bypassing password change restrictions |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
Open Directory in Apple Mac OS X 10.7 before 10.7.2 does not require a user to provide the current password before changing this password, which allows remote attackers to bypass intended password-change restrictions by leveraging an unattended workstation. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2011-006.
The update addresses new vulnerabilities that affect Application Firewall, ATS, CFNetwork, CoreMedia, CoreProcesses, CoreStorage, File Systems, IOGraphics, Kernel, MediaKit, Open Directory, QuickTime, SMB File Server, User Documentation, and libsecurity.
These issues affect OS X prior to 10.7.2.
An attacker can exploit this issue to change a user's password, aiding further attacks. Apple has
released updates to address these vulnerabilities.
I. Apple has released updates to address these
vulnerabilities.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code,
cause a denial of service, or gain unauthorized access to your
files or system.
III. This advisory describes any known issues related to the
updates and the specific impacts for each vulnerability.
Administrators are encouraged to note these issues and impacts and
test for any potentially adverse effects before wide-scale
deployment.
IV. Please send
email to <cert@cert.org> with "TA11-286A Feedback VU#421739" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2011 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
October 13, 2011: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBTpb8zj/GkGVXE7GMAQI21Af/SHWzIangqPW9vtuG/MQWSBMy9nG4wIZS
DUEAWBEMPTKF3fLrIy6TVpRLN3q/q4dCYXzM4lec4IzKvEbV/bUyg15xEfYdxB0v
s/vARGNwf7tjSbjo+PaHLuSZ1HLn/GLO3CXaf+ut/Kb8y9Fsir5klMgrCX/N0JkY
dLoV9R6zGs1aQzmF9ULB1IQ2/lUkg6CGnyARh0prfhRFwKfu7NZXb8yz5ex68q6V
NF6j9l+XK0Cl4K7R+0ESD4e47jLCg6iN175O8VzrlxiRvBRAyTaFycdMB4uSkmii
xu8SqU2QFhsIJy8J+i1Bb6kuWkaxAnUbxO4tRrmXoqTXl9m0CtpnWA==
=3Wp2
-----END PGP SIGNATURE-----
| VAR-201110-0299 | CVE-2011-3435 | Apple Mac OS X Vulnerabilities in browsing password data in Open Directory |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Open Directory in Apple Mac OS X 10.7 before 10.7.2 allows local users to read the password data of arbitrary users via unspecified vectors.
The update addresses new vulnerabilities that affect Application Firewall, ATS, CFNetwork, CoreMedia, CoreProcesses, CoreStorage, File Systems, IOGraphics, Kernel, MediaKit, Open Directory, QuickTime, SMB File Server, User Documentation, and libsecurity.
These issues affect OS X prior to 10.7.2. Apple Mac OS X is prone to an information-disclosure vulnerability.
A local attacker can exploit this issue to retrieve a local user's password from the vulnerable computer. Information obtained may aid in further attacks.
Apple Mac OS X Lion 10.7 and 10.7.1 are vulnerable.
NOTE: This issue was previously discussed in BID 50085 (Apple Mac OS X Prior to 10.7.2 Multiple Security Vulnerabilities) but has been given its own record to better document it. Apple has
released updates to address these vulnerabilities.
I. Apple has released updates to address these
vulnerabilities.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code,
cause a denial of service, or gain unauthorized access to your
files or system.
III. This advisory describes any known issues related to the
updates and the specific impacts for each vulnerability.
Administrators are encouraged to note these issues and impacts and
test for any potentially adverse effects before wide-scale
deployment.
IV. Please send
email to <cert@cert.org> with "TA11-286A Feedback VU#421739" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2011 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
October 13, 2011: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBTpb8zj/GkGVXE7GMAQI21Af/SHWzIangqPW9vtuG/MQWSBMy9nG4wIZS
DUEAWBEMPTKF3fLrIy6TVpRLN3q/q4dCYXzM4lec4IzKvEbV/bUyg15xEfYdxB0v
s/vARGNwf7tjSbjo+PaHLuSZ1HLn/GLO3CXaf+ut/Kb8y9Fsir5klMgrCX/N0JkY
dLoV9R6zGs1aQzmF9ULB1IQ2/lUkg6CGnyARh0prfhRFwKfu7NZXb8yz5ex68q6V
NF6j9l+XK0Cl4K7R+0ESD4e47jLCg6iN175O8VzrlxiRvBRAyTaFycdMB4uSkmii
xu8SqU2QFhsIJy8J+i1Bb6kuWkaxAnUbxO4tRrmXoqTXl9m0CtpnWA==
=3Wp2
-----END PGP SIGNATURE-----
| VAR-201110-0298 | CVE-2011-3434 | Apple iOS of WiFi Vulnerabilities that can capture important information in components |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The WiFi component in Apple iOS before 5 stores WiFi credentials in an unspecified file, which makes it easier for remote attackers to obtain sensitive information via a crafted application. Apple iOS is prone to an information-disclosure vulnerability.
A local attacker can exploit this issue to retrieve WiFi credentials. Information obtained may aid in further attacks.
The following Apple systems are vulnerable:
iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. A trust management vulnerability exists in the WiFi component of Apple iOS versions prior to 5. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201110-0297 | CVE-2011-3432 | Apple iOS of UIKit Service disruption in the alert component ( Device hang ) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The UIKit Alerts component in Apple iOS before 5 allows remote attackers to cause a denial of service (device hang) via a long tel: URL that triggers a large size for the acceptance dialog. Apple iOS is prone to a denial-of-service vulnerability when handling specially crafted webpages.
Attackers can exploit this issue to cause the device to hang, denying service to legitimate users.
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. A resource management error vulnerability exists in the UIKit Alerts component in versions prior to Apple iOS 5. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201110-0295 | CVE-2011-3430 | Apple iOS Vulnerabilities affected by unknown details in configuration components |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The Settings component in Apple iOS before 5, when a configuration profile is used for a locale other than English, does not properly implement localization, which makes it easier for attackers to have an unspecified impact by leveraging incorrect configuration display.
This weakness may cause unsuspecting users to set up unsafe configurations, resulting in a false sense of security. This may lead to other attacks. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. Vulnerabilities exist in the Settings component of Apple iOS versions prior to 5. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201110-0296 | CVE-2011-3431 | Apple iOS Vulnerability in obtaining critical state information in the home screen component |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The Home screen component in Apple iOS before 5 does not properly support a certain application-switching gesture, which might allow physically proximate attackers to obtain sensitive state information by watching the device's screen. Apple iOS is prone to an information-disclosure vulnerability.
A local attacker can exploit this issue to retrieve the previous application's state. Information obtained may aid in further attacks.
The following Apple systems are vulnerable:
iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201110-0294 | CVE-2011-3429 | Apple iOS Vulnerability in obtaining important information in the configuration component |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The Settings component in Apple iOS before 5 stores a cleartext parental-restrictions passcode in an unspecified file, which might allow physically proximate attackers to obtain sensitive information by reading this file. Apple iOS is prone to an information-disclosure vulnerability.
A local attacker can exploit this issue to retrieve the passcode which protects parental restrictions. Information obtained may aid in further attacks.
The following Apple systems are vulnerable:
iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. The Settings component in versions prior to Apple iOS 5 has a trust management vulnerability. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201110-0330 | CVE-2011-3246 | Apple iOS and Mac OS X of CFNetwork Vulnerability in which important information is obtained |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
CFNetwork in Apple iOS before 5.0.1 and Mac OS X 10.7 before 10.7.2 does not properly parse URLs, which allows remote attackers to trigger visits to unintended web sites, and transmission of cookies to unintended web sites, via a crafted (1) http or (2) https URL. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2011-006.
The update addresses new vulnerabilities that affect Application Firewall, ATS, CFNetwork, CoreMedia, CoreProcesses, CoreStorage, File Systems, IOGraphics, Kernel, MediaKit, Open Directory, QuickTime, SMB File Server, User Documentation, and libsecurity.
These issues affect OS X prior to 10.7.2.
An attacker can exploit this issue to obtain sensitive information related to an arbitrary domain by enticing a victim to visit a maliciously crafted website. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Kernel
Available for: iOS 3.0 through 5.0 for iPhone 3GS,
iPhone 4 and iPhone 4S,
iOS 3.1 through 5.0 for iPod touch (3rd generation) and later,
iOS 3.2 through 5.0 for iPad, iOS 4.3 through 5.0 for iPad 2
Impact: An application may execute unsigned code
Description: A logic error existed in the mmap system call's
checking of valid flag combinations. This issue may lead to a bypass
of codesigning checks.
CVE-ID
CVE-2011-3441 : Erling Ellingsen of Facebook, Per Johansson of
Blocket AB
Passcode Lock
Available for: iOS 4.3 through 5.0 for iPad 2
Impact: A person with physical access to a locked iPad 2 may be able
to access some of the user's data
Description: When a Smart Cover is opened while iPad 2 is confirming
power off in the locked state, the iPad does not request a passcode.
This allows some access to the iPad, but data protected by Data
Protection is inaccessible and apps cannot be launched. Make sure you have an Internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/
iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone, iPod touch or iPad is docked, iTunes will present the
user with the option to install the update. We recommend applying
the update immediately if possible. Selecting Don't Install will
present the option the next time you connect your iPhone, iPod touch,
or iPad.
The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the Check for Updates button within iTunes. After doing
this, the update can be applied when your iPhone, iPod touch, or iPad
is docked to your computer.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
"5.0.1 (9A405)". -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-02-01-1 OS X Lion v10.7.3 and Security Update 2012-001
OS X Lion v10.7.3 and Security Update 2012-001 is now available and
addresses the following:
Address Book
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: An attacker in a privileged network position may intercept
CardDAV data
Description: Address Book supports Secure Sockets Layer (SSL) for
accessing CardDAV. A downgrade issue caused Address Book to attempt
an unencrypted connection if an encrypted connection failed. An
attacker in a privileged network position could abuse this behavior
to intercept CardDAV data. This issue is addressed by not downgrading
to an unencrypted connection without user approval. Further information is available via the Apache web site at
http://httpd.apache.org/
CVE-ID
CVE-2011-3348
Apache
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
Apache disabled the 'empty fragment' countermeasure which prevented
these attacks. This issue is addressed by providing a configuration
parameter to control the countermeasure and enabling it by default.
CVE-ID
CVE-2011-3389
CFNetwork
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. When accessing a maliciously crafted URL, CFNetwork could send
the request to an incorrect origin server.
CVE-ID
CVE-2011-3246 : Erling Ellingsen of Facebook
CFNetwork
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. When accessing a maliciously crafted URL, CFNetwork could send
unexpected request headers.
CVE-ID
CVE-2011-3447 : Erling Ellingsen of Facebook
ColorSync
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution
Description: An integer overflow existed in the handling of images
with an embedded ColorSync profile, which may lead to a heap buffer
overflow.
CVE-ID
CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day
Initiative
CoreAudio
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Playing maliciously crafted audio content may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of AAC
encoded audio streams.
CVE-ID
CVE-2011-3252 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
CoreMedia
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in CoreMedia's handling
of H.264 encoded movie files.
CVE-ID
CVE-2011-3448 : Scott Stender of iSEC Partners
CoreText
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing or downloading a document containing a maliciously
crafted embedded font may lead to an unexpected application
termination or arbitrary code execution
Description: A use after free issue existed in the handling of font
files.
CVE-ID
CVE-2011-3449 : Will Dormann of the CERT/CC
CoreUI
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a malicious website may lead to an unexpected
application termination or arbitrary code execution
Description: An unbounded stack allocation issue existed in the
handling of long URLs.
CVE-ID
CVE-2011-3450 : Ben Syverson
curl
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: A remote server may be able to impersonate clients via
GSSAPI requests
Description: When doing GSSAPI authentication, libcurl
unconditionally performs credential delegation. This issue is
addressed by disabling GSSAPI credential delegation.
CVE-ID
CVE-2011-2192
Data Security
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: Two certificate authorities in the list of trusted root
certificates have independently issued intermediate certificates to
DigiCert Malaysia. DigiCert Malaysia has issued certificates with
weak keys that it is unable to revoke. An attacker with a privileged
network position could intercept user credentials or other sensitive
information intended for a site with a certificate issued by DigiCert
Malaysia. This issue is addressed by configuring default system trust
settings so that DigiCert Malaysia's certificates are not trusted. We
would like to acknowledge Bruce Morton of Entrust, Inc. for reporting
this issue.
dovecot
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
Dovecot disabled the 'empty fragment' countermeasure which prevented
these attacks. This issue is addressed by enabling the
countermeasure.
CVE-ID
CVE-2011-3389 : Apple
filecmds
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Decompressing a maliciously crafted compressed file may lead
to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the 'uncompress' command
line tool.
CVE-ID
CVE-2011-2895
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF files.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue is address by updating
libtiff to version 3.9.5. Further information is available via the libpng website at
http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2011-3328
Internet Sharing
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: A Wi-Fi network created by Internet Sharing may lose
security settings after a system update
Description: After updating to a version of OS X Lion prior to
10.7.3, the Wi-Fi configuration used by Internet Sharing may revert
to factory defaults, which disables the WEP password. This issue only
affects systems with Internet Sharing enabled and sharing the
connection to Wi-Fi. This issue is addressed by preserving the Wi-Fi
configuration during a system update.
CVE-ID
CVE-2011-3452 : an anonymous researcher
Libinfo
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in Libinfo's handling of hostname
lookup requests. Libinfo could return incorrect results for a
maliciously crafted hostname.
CVE-ID
CVE-2011-3441 : Erling Ellingsen of Facebook
libresolv
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Applications that use OS X's libresolv library may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: An integer overflow existed in the parsing of DNS
resource records, which may lead to heap memory corruption.
CVE-ID
CVE-2011-3453 : Ilja van Sprundel of IOActive
libsecurity
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Some EV certificates may be trusted even if the
corresponding root has been marked as untrusted
Description: The certificate code trusted a root certificate to sign
EV certificates if it was on the list of known EV issuers, even if
the user had marked it as 'Never Trust' in Keychain. The root would
not be trusted to sign non-EV certificates.
CVE-ID
CVE-2011-3422 : Alastair Houghton
OpenGL
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Applications that use OS X's OpenGL implementation may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in the
handling of GLSL compilation. Further information is available via the PHP web site at
http://www.php.net
CVE-ID
CVE-2011-1148
CVE-2011-1657
CVE-2011-1938
CVE-2011-2202
CVE-2011-2483
CVE-2011-3182
CVE-2011-3189
CVE-2011-3267
CVE-2011-3268
PHP
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in FreeType's
handling of Type 1 fonts. This issue is addressed by updating
FreeType to version 2.4.7. Further information is available via the libpng website at
http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2011-3328
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Opening a maliciously crafted MP4 encoded file may lead to
an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the
handling of MP4 encoded files.
CVE-ID
CVE-2011-3458 : Luigi Auriemma and pa_kt both working with
TippingPoint's Zero Day Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A signedness issue existed in the handling of font
tables embedded in QuickTime movie files.
CVE-ID
CVE-2011-3248 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An off by one buffer overflow existed in the handling
of rdrf atoms in QuickTime movie files.
CVE-ID
CVE-2011-3459 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted JPEG2000 image file may lead
to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JPEG2000
files.
CVE-ID
CVE-2011-3250 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Processing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of PNG files.
CVE-ID
CVE-2011-3460 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of FLC
encoded movie files
CVE-ID
CVE-2011-3249 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
SquirrelMail
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Multiple vulnerabilities in SquirrelMail
Description: SquirrelMail is updated to version 1.4.22 to address
several vulnerabilities, the most serious of which is a cross-site
scripting issue. Further information is available
via the Subversion web site at http://subversion.tigris.org/
CVE-ID
CVE-2011-1752
CVE-2011-1783
CVE-2011-1921
Time Machine
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: A remote attacker may access new backups created by the
user's system
Description: The user may designate a remote AFP volume or Time
Capsule to be used for Time Machine backups. Time Machine did not
verify that the same device was being used for subsequent backup
operations. An attacker who is able to spoof the remote volume could
gain access to new backups created by the user's system. This issue
is addressed by verifying the unique identifier associated with a
disk for backup operations. Tomcat is only provided on Mac OS X Server
systems. Further
information is available via the Tomcat site at
http://tomcat.apache.org/
CVE-ID
CVE-2011-2204
WebDAV Sharing
Available for: OS X Lion Server v10.7 to v10.7.2
Impact: Local users may obtain system privileges
Description: An issue existed in WebDAV Sharing's handling of user
authentication. A user with a valid account on the server or one of
its bound directories could cause the execution of arbitrary code
with system privileges.
CVE-ID
CVE-2011-3463 : Gordon Davisson of Crywolf
Webmail
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted e-mail message may lead to the
disclosure of message content
Description: A cross-site scripting vulnerability existed in the
handling of mail messages. This issue is addressed by updating
Roundcube Webmail to version 0.6. Further information is available via the
Roundcube site at http://trac.roundcube.net/
CVE-ID
CVE-2011-2937
X11
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in FreeType's
handling of Type 1 fonts. This issue is addressed by updating
FreeType to version 2.4.7. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2011-3256 : Apple
OS X Lion v10.7.3 and Security Update 2012-001 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration.
For OS X Lion v10.7.2
The download file is named: MacOSXUpd10.7.3.dmg
Its SHA-1 digest is: 7102fe8f9f47286c45dfa35f6e84e7f730493a7c
For OS X Lion v10.7 and v10.7.1
The download file is named: MacOSXUpdCombo10.7.3.dmg
Its SHA-1 digest is: 07dfce300f6801eb63d9ac13e0bec84e1862a16c
For OS X Lion Server v10.7.2
The download file is named: MacOSXServerUpd10.7.3.dmg
Its SHA-1 digest is: 55a9571635d4ec088c142d68132d0d69fcb8867d
For OS X Lion Server v10.7 and v10.7.1
The download file is named: MacOSXServerUpdCombo10.7.3.dmg
Its SHA-1 digest is: 2c87824f09734499ea166ea0617a3ac21ecf832b
For Mac OS X v10.6.8
The download file is named: SecUpd2012-001Snow.dmg
Its SHA-1 digest is: 40875ee8cb609bbaefc8f421a9c34cc353db42b8
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-001.dmg
Its SHA-1 digest is: 53b3ca5548001a9920aeabed4a034c6e4657fe20
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJPKYxNAAoJEGnF2JsdZQeeLiIIAMLhH2ipDFrhCsw/n4VDeF1V
P6jSkGXC9tBBVMvw1Xq4c2ok4SI34bDfMlURAVR+dde/h6nIZR24aLQVoDLjJuIp
RrO2dm1nQeozLJSx2NbxhVh54BucJdKp4xS1GkDNxkqcdh04RE9hRURXdKagnfGy
9P8QQPOQmKAiWos/LYhCPDInMfrpVNvEVwP8MCDP15g6hylN4De/Oyt7ZshPshSf
MnAFObfBTGX5KioVqTyfdlBkKUfdXHJux61QEFHn8eadX6+/6IuKbUvK9B0icc8E
pvbjOxQatFRps0KNWeIsKQc5i6iQoJhocAiIy6Y6LCuZQuSXCImY2RWXkVYzbWo=
=c1eU
-----END PGP SIGNATURE-----
| VAR-201110-0289 | CVE-2011-3427 | Apple iOS and Apple TV of Data Security Vulnerabilities that can capture important information in components |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
The Data Security component in Apple iOS before 5 and Apple TV before 4.4 does not properly restrict use of the MD5 hash algorithm within X.509 certificates, which makes it easier for man-in-the-middle attackers to spoof servers or obtain sensitive information via a crafted certificate. Apple iOS is prone to a security vulnerability that may allow attackers to conduct spoofing attacks.
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks by impersonating trusted servers or obtain sensitive information. This will aid in further attacks. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. This issue is
addressed by removing DigiNotar from the list of trusted root
certificates, from the list of Extended Validation (EV) certificate
authorities, and by configuring default system trust settings so that
DigiNotar's certificates, including those issued by other
authorities, are not trusted. This algorithm has known cryptographic weaknesses.
Further research or a misconfigured certificate authority could have
allowed the creation of X.509 certificates with attacker controlled
values that would have been trusted by the system. This would have
exposed X.509 based protocols to spoofing, man in the middle attacks,
and information disclosure. This update disables support for an X.509
certificate with an MD5 hash for any use other than as a trusted root
certificate.
CVE-ID
CVE-2011-3427
Apple TV
Available for: Apple TV 4.0 through 4.3
Impact: An attacker could decrypt part of a SSL connection
Description: Only the SSLv3 and TLS 1.0 versions of SSL were
supported. These versions are subject to a protocol weakness when
using block ciphers. A man-in-the-middle attacker could have injected
invalid data, causing the connection to close but revealing some
information about the previous data. If the same connection was
attempted repeatedly the attacker may eventually have been able to
decrypt the data being sent, such as a password. This issue is
addressed by adding support for TLS 1.2. An attacker with the ability to connect
to a listening service on an iOS device could exhaust system
resources.
CVE-ID
CVE-2011-3259 : Wouter van der Veer of Topicus I&I, and Josh Enders
Apple TV
Available for: Apple TV 4.0 through 4.3
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: A one-byte heap buffer overflow existed in libxml's
handling of XML data.
CVE-ID
CVE-2011-0216 : Billy Rios of the Google Security Team
Apple TV
Available for: Apple TV 4.0 through 4.3
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in JavaScriptCore.
CVE-ID
CVE-2011-3232 : Aki Helin of OUSPG
Installation note:
Apple TV will periodically check for software updates.
To check the current version of software, select
"Settings -> General -> About".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJOlcwaAAoJEGnF2JsdZQeegxcIAKElICLSw74Dj2vV1uDzwh8f
6cOg/AKME1KB80rFgkHymBZM4t1mrLhwYLFs5w8oFRbbL02fxAxhw/DRWYHoqWHw
mPR7A2Alg7fwX4FAyhJ/EVb8/szUvRsS9YD2AxOZeDdQdw+40mP5rYgx+dkURuag
Rx6S5M4LaQ7A0/yfnRhUCWc6Er78LIcFxkjY4XEHwRuOR0jOnZyHSI1wx1UAvkam
HeWtRLnamHSANnZhQhrp+cesGRI5HrbbFHGJgc1nBIGZz65qgk3ZOKGh9MPBMrGm
ISg0lZHs/5gVKBFmkaMj1wyMAdsaDezWov01Bqz/UrMVuqo/7sjO4Is8x99W0EE=
=AlFT
-----END PGP SIGNATURE-----
| VAR-201110-0288 | CVE-2011-3426 | Safari for iOS vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Safari in Apple iOS before 5 allows remote web servers to inject arbitrary web script or HTML via a file accompanied by a "Content-Disposition: attachment" HTTP header. Yoshinori Ohta of Business Architects Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.Opening a maliciously crafted file may lead to an arbitrary script being executed on the user's web browser.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. BACKGROUND
MobileSafari is Apple's mobile we browser for iOS devices. For more
information about MobileSafari, please the visit following website:
http://www.apple.com/iphone/built-in-apps/safari.html
II. DESCRIPTION
Remote exploitation of a cross site scripting vulnerability in Apple
Inc.'s MobileSafari could allow an attacker to view sensitive
information in the context of the targeted domain.
This vulnerability occurs in MobileSafari's handling of the
Content-Disposition header, which is typically used to inform the
browser that an attachment is contained in the current response. Typical
browser behavior is to prompt the user with an Open dialog, asking them
how they would like to handle the attachment content (such as opening an
external program). However, MobileSafari does not prompt the user, and
instead opens the attached content in the browser. If an attacker can
persuade a target to open an HTML attachment (such as by attaching an
HTML file to an email), then this file will open in the context of the
domain serving the file. This allows the HTML attachment full access to
the DOM of the targeted domain, which can allow for cross site
scripting.
III. ANALYSIS
Exploitation of this vulnerability results in the disclosure of
potentially sensitive information, such as document cookies, on the
target domain. To exploit this vulnerability, a targeted user must open
an attachment from an affected domain. An attacker typically
accomplishes this via social engineering or injecting content into
compromised, trusted sites. Note that a user has to open an attachment,
which takes at least one click; however, MobileSafari does not display
an "Open" prompt dialog, so nothing beyond the initial click is
necessary.
IV. DETECTION
iOS versions prior to 5 are vulnerable.
V. WORKAROUND
iDefense is currently unaware of any workarounds for this issue.
VI. VENDOR RESPONSE
Apple has released a fix which addresses this issue. Information about
downloadable vendor updates can be found by clicking on the URLs shown.
http://lists.apple.com/archives/Security-announce/2011/Oct/msg00001.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2011-3426 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
03/02/2011 Initial Vendor Notification
03/02/2011 Vendor Reply
10/12/2011 Coordinated Public Disclosure
IX.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2011 Verisign
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information
| VAR-201110-0208 | CVE-2011-3213 | Apple Mac OS X of File Systems In the component WebDAV Session hijacking vulnerability |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
The File Systems component in Apple Mac OS X before 10.7.2 does not properly track the specific X.509 certificate that a user manually accepted for an initial https WebDAV connection, which allows man-in-the-middle attackers to hijack WebDAV communication by presenting an arbitrary certificate for a subsequent connection.
The update addresses new vulnerabilities that affect Application Firewall, ATS, CFNetwork, CoreMedia, CoreProcesses, CoreStorage, File Systems, IOGraphics, Kernel, MediaKit, Open Directory, QuickTime, SMB File Server, User Documentation, and libsecurity.
These issues affect OS X prior to 10.7.2. Apple Mac OS X is prone to an information-disclosure vulnerability.
A remote man-in-the-middle attacker can exploit this issue to disclose potentially sensitive information. Information obtained may aid in further attacks.
NOTE: This issue was previously discussed in BID 50085 (Apple Mac OS X Prior to 10.7.2 Multiple Security Vulnerabilities) but has been given its own record to better document it. Apple has
released updates to address these vulnerabilities.
I. Apple has released updates to address these
vulnerabilities.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code,
cause a denial of service, or gain unauthorized access to your
files or system.
III. This advisory describes any known issues related to the
updates and the specific impacts for each vulnerability.
Administrators are encouraged to note these issues and impacts and
test for any potentially adverse effects before wide-scale
deployment.
IV. Please send
email to <cert@cert.org> with "TA11-286A Feedback VU#421739" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2011 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
October 13, 2011: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBTpb8zj/GkGVXE7GMAQI21Af/SHWzIangqPW9vtuG/MQWSBMy9nG4wIZS
DUEAWBEMPTKF3fLrIy6TVpRLN3q/q4dCYXzM4lec4IzKvEbV/bUyg15xEfYdxB0v
s/vARGNwf7tjSbjo+PaHLuSZ1HLn/GLO3CXaf+ut/Kb8y9Fsir5klMgrCX/N0JkY
dLoV9R6zGs1aQzmF9ULB1IQ2/lUkg6CGnyARh0prfhRFwKfu7NZXb8yz5ex68q6V
NF6j9l+XK0Cl4K7R+0ESD4e47jLCg6iN175O8VzrlxiRvBRAyTaFycdMB4uSkmii
xu8SqU2QFhsIJy8J+i1Bb6kuWkaxAnUbxO4tRrmXoqTXl9m0CtpnWA==
=3Wp2
-----END PGP SIGNATURE-----
| VAR-201110-0207 | CVE-2011-3212 | Apple Mac OS X of CoreStorage and Kernel Vulnerability in which important information is obtained |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
CoreStorage in Apple Mac OS X 10.7 before 10.7.2 does not ensure that all disk data is encrypted during the enabling of FileVault, which makes it easier for physically proximate attackers to obtain sensitive information by reading directly from the disk device.
The update addresses new vulnerabilities that affect Application Firewall, ATS, CFNetwork, CoreMedia, CoreProcesses, CoreStorage, File Systems, IOGraphics, Kernel, MediaKit, Open Directory, QuickTime, SMB File Server, User Documentation, and libsecurity. Apple Mac OS X is prone to an information-disclosure vulnerability.
A local attacker can exploit this issue to retrieve arbitrary files from the vulnerable computer. Information obtained may aid in further attacks.
Apple Mac OS X 10.7 and 10.7.1 are vulnerable.
NOTE: This issue was previously discussed in BID 50085 (Apple Mac OS X Prior to 10.7.2 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-05-09-1 OS X Lion v10.7.4 and Security Update 2012-002
OS X Lion v10.7.4 and Security Update 2012-002 is now available and
addresses the following:
Login Window
Available for: OS X Lion v10.7.3, OS X Lion Server v10.7.3
Impact: Remote admins and persons with physical access to the system
may obtain account information
Description: An issue existed in the handling of network account
logins. The login process recorded sensitive information in the
system log, where other users of the system could read it. The
sensitive information may persist in saved logs after installation of
this update. See http://support.apple.com/kb/TS4272 for more
information on how to securely remove any remaining records. This
issue only affects systems running OS X Lion v10.7.3 with users of
Legacy File Vault and/or networked home directories.
CVE-ID
CVE-2012-0652 : Terry Reeves and Tim Winningham of the Ohio State
University, Markus 'Jaroneko' Raty of the Finnish Academy of Fine
Arts, Jaakko Pero of Aalto University, Mark Cohen of Oregon State
University, Paul Nelson
Bluetooth
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A temporary file race condition issue existed in
blued's initialization routine.
CVE-ID
CVE-2012-0649 : Aaron Sigel of vtty.com
curl
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
curl disabled the 'empty fragment' countermeasure which prevented
these attacks. This issue is addressed by enabling empty fragments.
CVE-ID
CVE-2011-3389 : Apple
curl
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: Using curl or libcurl with a maliciously crafted URL may
lead to protocol-specific data injection attacks
Description: A data injection issue existed in curl's handling of
URLs. This issue is addressed through improved validation of URLs. By sending a maliciously
crafted message, a remote attacker could cause the directory server
to disclose memory from its address space, potentially revealing
account credentials or other sensitive information. The Directory Server is disabled by
default in non-server installations of OS X.
CVE-ID
CVE-2012-0651 : Agustin Azubel
HFS
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: Mounting a maliciously crafted disk image may lead to a
system shutdown or arbitrary code execution
Description: An integer underflow existed in the handling of HFS
catalog files.
CVE-ID
CVE-2012-0642 : pod2g
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF files. Further information is available via the libpng website
at http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2011-2692
CVE-2011-3328
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue is addressed by updating
libtiff to version 3.9.5. This issue is addressed through improved
handling of the sleep image, and by overwriting the existing sleep
image when updating to OS X v10.7.4.
CVE-ID
CVE-2011-3212 : Felix Groebert of Google Security Team
libarchive
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Extracting a maliciously crafted archive may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple buffer overflows existed in the handling of
tar archives and iso9660 files.
CVE-ID
CVE-2011-1777
CVE-2011-1778
libsecurity
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Verifying a maliciously crafted X.509 certificate, such as
when visiting a maliciously crafted website, may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the
handling of X.509 certificates.
CVE-ID
CVE-2012-0654 : Dirk-Willem van Gulik of WebWeaving.org, Guilherme
Prado of Conselho da Justica Federal, Ryan Sleevi of Google
libsecurity
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Support for X.509 certificates with insecure-length RSA keys
may expose users to spoofing and information disclosure
Description: Certificates signed using RSA keys with insecure key
lengths were accepted by libsecurity. This issue is addressed by
rejecting certificates containing RSA keys less than 1024 bits.
CVE-ID
CVE-2012-0655
libxml
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues are addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
LoginUIFramework
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: If the Guest user is enabled, a user with physical access to
the computer may be able to log in to a user other than the Guest
user without entering a password
Description: A race condition existed in the handling of Guest user
logins.
CVE-ID
CVE-2012-0656 : Francisco Gomez (espectalll123)
PHP
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: Multiple vulnerabilities in PHP
Description: PHP is updated to version 5.3.10 to address several
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the PHP web site at
http://www.php.net
CVE-ID
CVE-2011-4566
CVE-2011-4885
CVE-2012-0830
Quartz Composer
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: A user with physical access to the computer may be able to
cause Safari to launch if the screen is locked and the RSS Visualizer
screen saver is used
Description: An access control issue existed in Quartz Composer's
handling of screen savers. This issue is addressed through improved
checking for whether or not the screen is locked.
CVE-ID
CVE-2012-0657 : Aaron Sigel of vtty.com
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted movie file during progressive
download may lead to an unexpected application termination or
arbitrary code execution
Description: A buffer overflow existed in the handling of audio
sample tables.
CVE-ID
CVE-2012-0658 : Luigi Auriemma working with HP's Zero Day Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted MPEG file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of MPEG
files.
CVE-ID
CVE-2012-0659 : An anonymous researcher working with HP's Zero Day
Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted MPEG file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer underflow existed in the handling of MPEG
files.
CVE-ID
CVE-2012-0660 : Justin Kim at Microsoft and Microsoft Vulnerability
Research
QuickTime
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue existed in the handling of
JPEG2000 encoded movie files.
CVE-ID
CVE-2011-1004
CVE-2011-1005
CVE-2011-4815
Samba
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: If SMB file sharing is enabled, an unauthenticated remote
attacker may cause a denial of service or arbitrary code execution
with system privileges
Description: Multiple buffer overflows existed in Samba's handling
of remote procedure calls. By sending a maliciously crafted packet,
an unauthenticated remote attacker could cause a denial of service or
arbitrary code execution with system privileges.
CVE-ID
CVE-2012-0870 : Andy Davis of NGS Secure
CVE-2012-1182 : An anonymous researcher working with HP's Zero Day
Initiative
Security Framework
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: An integer overflow existed in the Security framework.
Processing untrusted input with the Security framework could result
in memory corruption. This issue does not affect 32-bit processes.
CVE-ID
CVE-2012-0662 : aazubel working with HP's Zero Day Initiative
Time Machine
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: A remote attacker may access a user's Time Machine backup
credentials
Description: The user may designate a Time Capsule or remote AFP
volume attached to an AirPort Base Station to be used for Time
Machine backups. Beginning with AirPort Base Station and Time Capsule
Firmware Update 7.6, Time Capsules and Base Stations support a secure
SRP-based authentication mechanism over AFP. However, Time Machine
did not require that the SRP-based authentication mechanism was used
for subsequent backup operations, even if Time Machine was initially
configured or had ever contacted a Time Capsule or Base Station that
supported it. An attacker who is able to spoof the remote volume
could gain access to user's Time Capsule credentials, although not
backup data, sent by the user's system. This issue is addressed by
requiring use of the SRP-based authentication mechanism if the backup
destination has ever supported it.
CVE-ID
CVE-2012-0675 : Renaud Deraison of Tenable Network Security, Inc.
X11
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: Applications that use libXfont to process LZW-compressed
data may be vulnerable to an unexpected application termination or
arbitrary code execution
Description: A buffer overflow existed in libXfont's handling of
LZW-compressed data. This issue is addressed by updating libXfont to
version 1.4.4.
CVE-ID
CVE-2011-2895 : Tomas Hoger of Red Hat
Note: Additionally, this update filters dynamic linker environment
variables from a customized environment property list in the user's
home directory, if present.
OS X Lion v10.7.4 and Security Update 2012-002 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration.
For OS X Lion v10.7.3
The download file is named: MacOSXUpd10.7.4.dmg
Its SHA-1 digest is: 04c53a6148ebd8c5733459620b7c1e2172352d36
For OS X Lion v10.7 and v10.7.2
The download file is named: MacOSXUpdCombo10.7.4.dmg
Its SHA-1 digest is: b11d511a50d9b728532688768fcdee9c1930037f
For OS X Lion Server v10.7.3
The download file is named: MacOSXServerUpd10.7.4.dmg
Its SHA-1 digest is: 3cb5699c8ecf7d70145f3692555557f7206618b2
For OS X Lion Server v10.7 and v10.7.2
The download file is named: MacOSXServerUpdCombo10.7.4.dmg
Its SHA-1 digest is: 917207e922056718b9924ef73caa5fcac06b7240
For Mac OS X v10.6.8
The download file is named: SecUpd2012-002Snow.dmg
Its SHA-1 digest is: 9669fbd9952419e70ac20109cf4db37f9932e9f8
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-002.dmg
Its SHA-1 digest is: 34da2dcbc8d45362f1d5e3b1b218112a729ae1c3
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJPqtkzAAoJEGnF2JsdZQeee2MIAKAcBIY6k0LU2fDLThFoAgKh
WkYpGmCwa7L6n02geHzWrUCK/P/0yGWzDDqLfKlKuKbXdEIRP2wZTlvrqZHLzNO/
nXgz3HN1Xbll8yVXrGMEsoTD23Q+2/ZKLGMlSDw3vgBTVi/g4Rcer4Eew5mTkaoA
j4WkrzgVUIxCMrsWMMwu1SVaizBuTYbNVzCzV3JPF1H0zVtVKgwWjhTdOJ/RDksD
sjZG1XIEqVyv1rNk5BtjxVPFaJGpf9mcHiH8XyKQ0bC6ToM2r3B++Layoc5k1K0V
OxKGSfWOEbWi/KR6vlXyVbe7JnU7a/V0C25HXhnoMEtoTCleZACEByLVtBC87LU=
=6Eiz
-----END PGP SIGNATURE-----
. Apple has
released updates to address these vulnerabilities.
I. Apple has released updates to address these
vulnerabilities.
II.
III. This advisory describes any known issues related to the
updates and the specific impacts for each vulnerability.
Administrators are encouraged to note these issues and impacts and
test for any potentially adverse effects before wide-scale
deployment.
IV. Please send
email to <cert@cert.org> with "TA11-286A Feedback VU#421739" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2011 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
October 13, 2011: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBTpb8zj/GkGVXE7GMAQI21Af/SHWzIangqPW9vtuG/MQWSBMy9nG4wIZS
DUEAWBEMPTKF3fLrIy6TVpRLN3q/q4dCYXzM4lec4IzKvEbV/bUyg15xEfYdxB0v
s/vARGNwf7tjSbjo+PaHLuSZ1HLn/GLO3CXaf+ut/Kb8y9Fsir5klMgrCX/N0JkY
dLoV9R6zGs1aQzmF9ULB1IQ2/lUkg6CGnyARh0prfhRFwKfu7NZXb8yz5ex68q6V
NF6j9l+XK0Cl4K7R+0ESD4e47jLCg6iN175O8VzrlxiRvBRAyTaFycdMB4uSkmii
xu8SqU2QFhsIJy8J+i1Bb6kuWkaxAnUbxO4tRrmXoqTXl9m0CtpnWA==
=3Wp2
-----END PGP SIGNATURE-----
| VAR-201110-0179 | CVE-2011-0224 | Apple Mac OS X of CoreMedia Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
CoreMedia in Apple Mac OS X through 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted QuickTime movie file.
The update addresses new vulnerabilities that affect Application Firewall, ATS, CFNetwork, CoreMedia, CoreProcesses, CoreStorage, File Systems, IOGraphics, Kernel, MediaKit, Open Directory, QuickTime, SMB File Server, User Documentation, and libsecurity. Apple Mac OS X is prone to multiple memory-corruption vulnerabilities that affect the CoreMedia component.
Attackers can exploit these issues to execute arbitrary code in the context of the affected application.
Mac OS X 10.6.8 and Mac OS X Server 10.6.8 are vulnerable.
NOTE: These issues were previously discussed in BID 50085 (Apple Mac OS X Prior to 10.7.2 Multiple Security Vulnerabilities) but have been given their own record to better document them. Apple has
released updates to address these vulnerabilities.
I. Apple has released updates to address these
vulnerabilities.
II.
III. This advisory describes any known issues related to the
updates and the specific impacts for each vulnerability.
Administrators are encouraged to note these issues and impacts and
test for any potentially adverse effects before wide-scale
deployment.
IV. Please send
email to <cert@cert.org> with "TA11-286A Feedback VU#421739" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2011 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
October 13, 2011: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBTpb8zj/GkGVXE7GMAQI21Af/SHWzIangqPW9vtuG/MQWSBMy9nG4wIZS
DUEAWBEMPTKF3fLrIy6TVpRLN3q/q4dCYXzM4lec4IzKvEbV/bUyg15xEfYdxB0v
s/vARGNwf7tjSbjo+PaHLuSZ1HLn/GLO3CXaf+ut/Kb8y9Fsir5klMgrCX/N0JkY
dLoV9R6zGs1aQzmF9ULB1IQ2/lUkg6CGnyARh0prfhRFwKfu7NZXb8yz5ex68q6V
NF6j9l+XK0Cl4K7R+0ESD4e47jLCg6iN175O8VzrlxiRvBRAyTaFycdMB4uSkmii
xu8SqU2QFhsIJy8J+i1Bb6kuWkaxAnUbxO4tRrmXoqTXl9m0CtpnWA==
=3Wp2
-----END PGP SIGNATURE-----
. Further
information is available via the Apache web site at
http://httpd.apache.org/
CVE-ID
CVE-2011-0419
CVE-2011-3192
Application Firewall
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Executing a binary with a maliciously crafted name may lead
to arbitrary code execution with elevated privileges
Description: A format string vulnerability existed in Application
Firewall's debug logging.
CVE-ID
CVE-2011-0185 : an anonymous reporter
ATS
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Viewing or downloading a document containing a maliciously
crafted embedded font may lead to arbitrary code execution
Description: A signedness issue existed in ATS' handling of Type 1
fonts.
CVE-ID
CVE-2011-0229 : Will Dormann of the CERT/CC
ATS
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Applications which use the ATSFontDeactivate API may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: A buffer overflow issue existed in the
ATSFontDeactivate API. These issues are addressed by updating BIND to version
9.7.3-P3.
These issues are addressed by updating BIND to version 9.6-ESV-R4-P3.
Impact: Root certificates have been updated
Description: Several trusted certificates were added to the list of
system roots. Several existing certificates were updated to their
most recent version. The complete list of recognized system roots may
be viewed via the Keychain Access application.
CFNetwork
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Safari may store cookies it is not configured to accept
Description: A synchronization issue existed in CFNetwork's handling
of cookie policies. Safari's cookie preferences may not be honored,
allowing websites to set cookies that would be blocked were the
preference enforced. This update addresses the issue through improved
handling of cookie storage.
CVE-ID
CVE-2011-0231 : Martin Tessarek, Steve Riggins of Geeks R Us, Justin
C. Walker, and Stephen Creswell
CFNetwork
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of HTTP
cookies. When accessing a maliciously crafted HTTP or HTTPS URL,
CFNetwork could incorrectly send the cookies for a domain to a server
outside that domain. This update addresses the issue through improved bounds
checking.
CVE-ID
CVE-2011-0259 : Apple
CoreMedia
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Visiting a maliciously crafted website may lead to the
disclosure of video data from another site
Description: A cross-origin issue existed in CoreMedia's handling of
cross-site redirects. This issue is addressed through improved origin
tracking.
CVE-ID
CVE-2011-0224 : Apple
CoreProcesses
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: A person with physical access to a system may partially
bypass the screen lock
Description: A system window, such as a VPN password prompt, that
appeared while the screen was locked may have accepted keystrokes
while the screen was locked. This issue is addressed by preventing
system windows from requesting keystrokes while the screen is locked.
CVE-ID
CVE-2011-0260 : Clint Tseng of the University of Washington, Michael
Kobb, and Adam Kemp
CoreStorage
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Converting to FileVault does not erase all existing data
Description: After enabling FileVault, approximately 250MB at the
start of the volume was left unencrypted on the disk in an unused
area. Only data which was present on the volume before FileVault was
enabled was left unencrypted. This issue is addressed by erasing this
area when enabling FileVault, and on the first use of an encrypted
volume affected by this issue.
CVE-ID
CVE-2011-3212 : Judson Powers of ATC-NY
File Systems
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: An attacker in a privileged network position may manipulate
HTTPS server certificates, leading to the disclosure of sensitive
information
Description: An issue existed in the handling of WebDAV volumes on
HTTPS servers. If the server presented a certificate chain that could
not be automatically verified, a warning was displayed and the
connection was closed. If the user clicked the "Continue" button in
the warning dialog, any certificate was accepted on the following
connection to that server. An attacker in a privileged network
position may have manipulated the connection to obtain sensitive
information or take action on the server on the user's behalf. This
update addresses the issue by validating that the certificate
received on the second connection is the same certificate originally
presented to the user. When a password is required to wake from
sleep, a person with physical access may be able to access the system
without entering a password if the system is in display sleep mode.
This update addresses the issue by ensuring that the lock screen is
correctly activated in display sleep mode.
CVE-ID
CVE-2011-3214 : Apple
iChat Server
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: A remote attacker may cause the Jabber server to consume
system resources disproportionately
Description: An issue existed in the handling of XML external
entities in jabberd2, a server for the Extensible Messaging and
Presence Protocol (XMPP). jabberd2 expands external entities in
incoming requests. This allows an attacker to consume system
resources very quickly, denying service to legitimate users of the
server. This update addresses the issue by disabling entity expansion
in incoming requests.
CVE-ID
CVE-2011-1755
Kernel
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: A person with physical access may be able to access the
user's password
Description: A logic error in the kernel's DMA protection permitted
firewire DMA at loginwindow, boot, and shutdown, although not at
screen lock. This update addresses the issue by preventing firewire
DMA at all states where the user is not logged in.
CVE-ID
CVE-2011-3215 : Passware, Inc.
Kernel
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: An unprivileged user may be able to delete another user's
files in a shared directory
Description: A logic error existed in the kernel's handling of file
deletions in directories with the sticky bit.
CVE-ID
CVE-2011-3216 : Gordon Davisson of Crywolf, Linc Davis, R. Dormer,
and Allan Schmid and Oliver Jeckel of brainworks Training
libsecurity
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted website or e-mail message may
lead to an unexpected application termination or arbitrary code
execution
Description: An error handling issue existed when parsing a
nonstandard certificate revocation list extension. These issues are addressed by improved encoding of characters
in HTML output. Further information is available via the Mailman site
at http://mail.python.org/pipermail/mailman-
announce/2011-February/000158.html This issue does not affect OS X
Lion systems.
CVE-ID
CVE-2011-3217 : Apple
Open Directory
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Any user may read another local user's password data
Description: An access control issue existed in Open Directory.
CVE-ID
CVE-2011-3435 : Arek Dreyer of Dreyer Network Consultants, Inc, and
Patrick Dunstan at defenseindepth.net
Open Directory
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: An authenticated user may change that account's password
without providing the current password
Description: An access control issue existed in Open Directory.
CVE-ID
CVE-2011-3436 : Patrick Dunstan at defenceindepth.net
Open Directory
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: A user may be able to log in without a password
Description: When Open Directory is bound to an LDAPv3 server using
RFC2307 or custom mappings, such that there is no
AuthenticationAuthority attribute for a user, an LDAP user may be
allowed to log in without a password.
CVE-ID
CVE-2011-3226 : Jeffry Strunk of The University of Texas at Austin,
Steven Eppler of Colorado Mesa University, Hugh Cole-Baker, and
Frederic Metoz of Institut de Biologie Structurale
PHP
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A signedness issue existed in FreeType's handling of
Type 1 fonts. This issue is addressed by updating FreeType to version
2.4.6. Further
information is available via the PHP website at http://www.php.net/
CVE-ID
CVE-2010-3436
CVE-2010-4645
CVE-2011-0420
CVE-2011-0421
CVE-2011-0708
CVE-2011-1092
CVE-2011-1153
CVE-2011-1466
CVE-2011-1467
CVE-2011-1468
CVE-2011-1469
CVE-2011-1470
CVE-2011-1471
postfix
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: An attacker in a privileged network position may manipulate
mail sessions, resulting in the disclosure of sensitive information
Description: A logic issue existed in Postfix in the handling of the
STARTTLS command. After receiving a STARTTLS command, Postfix may
process other plain-text commands. An attacker in a privileged
network position may manipulate the mail session to obtain sensitive
information from the encrypted traffic. This update addresses the
issue by clearing the command queue after processing a STARTTLS
command. This update
addresses the issues by applying patches from the python project.
CVE-ID
CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: An attacker in a privileged network position may inject
script in the local domain when viewing template HTML
Description: A cross-site scripting issue existed in QuickTime
Player's "Save for Web" export. The template HTML files generated by
this feature referenced a script file from a non-encrypted origin. An
attacker in a privileged network position may be able to inject
malicious scripts in the local domain if the user views a template
file locally. This issue is resolved by removing the reference to an
online script.
CVE-ID
CVE-2011-3221 : an anonymous researcher working with TippingPoint's
Zero Day Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted FlashPix file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in QuickTime's handling of
FlashPix files.
CVE-ID
CVE-2011-3223 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
SMB File Server
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: A guest user may browse shared folders
Description: An access control issue existed in the SMB File Server.
Disallowing guest access to the share point record for a folder
prevented the '_unknown' user from browsing the share point but not
guests (user 'nobody'). This issue is addressed by applying the
access control to the guest user. Further information is
available via the Tomcat site at http://tomcat.apache.org/
CVE-ID
CVE-2010-1157
CVE-2010-2227
CVE-2010-3718
CVE-2010-4172
CVE-2011-0013
CVE-2011-0534
User Documentation
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: An attacker in a privileged network position may manipulate
App Store help content, leading to arbitrary code execution
Description: App Store help content was updated over HTTP. This
update addresses the issue by updating App Store help content over
HTTPS.
CVE-ID
CVE-2011-3224 : Aaron Sigel of vtty.com
Web Server
Available for: Mac OS X Server v10.6.8
Impact: Clients may be unable to access web services that require
digest authentication
Description: An issue in the handling of HTTP Digest authentication
was addressed. Users may be denied access to the server's resources,
when the server configuration should have allowed the access. This
issue does not represent a security risk, and was addressed to
facilitate the use of stronger authentication mechanisms. Further information is
available via the libpng website at
http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2011-2690
CVE-2011-2691
CVE-2011-2692
OS X Lion v10.7.2 also includes Safari 5.1.1. For information on
the security content of Safari 5.1.1, please visit:
http://support.apple.com/kb/HT5000
OS X Lion v10.7.2 and Security Update 2011-006 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration.
For OS X Lion v10.7.1
The download file is named: MacOSXUpd10.7.2.dmg
Its SHA-1 digest is: 37f784e08d4461e83a891a7f8b8af24c2ceb8229
For OS X Lion v10.7
The download file is named: MacOSXUpdCombo10.7.2.dmg
Its SHA-1 digest is: accd06d610af57df24f62ce7af261395944620eb
For OS X Lion Server v10.7.1
The download file is named: MacOSXServerUpd10.7.2.dmg
Its SHA-1 digest is: e4084bf1dfa295a42f619224d149e515317955da
For OS X Lion Server v10.7
The download file is named: MacOSXServerUpdCombo10.7.2.dmg
Its SHA-1 digest is: 25e86f5cf97b6644c7a025230431b1992962ec4a
For Mac OS X v10.6.8
The download file is named: SecUpd2011-006Snow.dmg
Its SHA-1 digest is: 0f9c29610a06370d0c85a4c92dc278a48ba17a84
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2011-006.dmg
Its SHA-1 digest is: 12de3732710bb03059f93527189d221c97ef8a06
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJOlc/zAAoJEGnF2JsdZQeeWFcH/RDHS+dCP8T4a92uYRIbs9T3
TFbT7hnOoTB0H+2eN3oziLNime2N4mO921heHobiAKSXv/luU41ZPHxVd6rE77Md
/BHDqLv65RA0XFTIPmrTcfpLhI5UgXDLfOLrsmdwTm52l5zQZkoxufYFf3mB3h7U
ZJUD1s081Pjy45/Cbao097+JrDwS7ahhgkvTmpmSvJK/wWRz4JtZkvIYcQ2uQFR4
sTg4l6pmi3d8sJJ4wzrEaxDpclRjvjURI4DiBMYwGAXeCMRgYi0y03tYtkjXoaSG
69h2yD8EXQBuJkDyouak7/M/eMwUfb2S6o1HyXTldjdvFBFvvwvl+Y3xp8YmDzU=
=gsvn
-----END PGP SIGNATURE-----