
Apple Mac OS X Multiple Vulnerabilities


Secunia ID

SA49039

CVE-ID

CVE-2011-0241, CVE-2011-1004, CVE-2011-1005, CVE-2011-1167, CVE-2011-1777, CVE-2011-1778, CVE-2011-1944, CVE-2011-2692, CVE-2011-2821, CVE-2011-2834, CVE-2011-2895, CVE-2011-3212, CVE-2011-3328, CVE-2011-3389, CVE-2011-3919, CVE-2011-4566, CVE-2011-4815, CVE-2011-4885, CVE-2012-0036, CVE-2012-0642, CVE-2012-0649, CVE-2012-0651, CVE-2012-0652, CVE-2012-0654, CVE-2012-0655, CVE-2012-0656, CVE-2012-0657, CVE-2012-0658, CVE-2012-0659, CVE-2012-0660, CVE-2012-0661, CVE-2012-0662, CVE-2012-0675, CVE-2012-0830, CVE-2012-0870, CVE-2012-1182

Release Date

07 May 2012

Last Change

21 Aug 2012

Criticality

Highly Critical

Solution Status

Vendor Patch

Where

From remote

Impact

DoS (Denial of Service)

This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system.

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Exposure of sensitive information

Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.

Manipulation of data

This includes vulnerabilities where a user or a remote attacker can manipulate local data on a system, but not necessarily be able to gain escalated privileges or system access.

The most frequent type of vulnerabilities with this impact are SQL-injection vulnerabilities, where a malicious user or person can manipulate SQL queries.

Privilege escalation

This covers vulnerabilities where a user is able to conduct certain tasks with the privileges of other users or administrative users.

This typically includes cases where a local user on a client or server system can gain access to the administrator or root account thus taking full control of the system.

Security Bypass

This covers vulnerabilities or security issues where malicious users or people can bypass certain security mechanisms of the application.

The actual impact varies significantly depending on the design and purpose of the affected application.

Spoofing

This covers various vulnerabilities where it is possible for malicious users or people to impersonate other users or systems.

Description

Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) The security issue is caused by a debug switch being left enabled within FileVault when "Legacy FileVault" is in use. This may lead to users' passwords being saved in plain text in DEBUGLOG, from where they can be read, e.g. via FireWire target disk mode.

Successful exploitation requires that OS X was upgraded from an older version and that the "Legacy FileVault" feature is in use.

2) A race condition within blued's initialization routine can be exploited by a local user to gain escalated privileges.

3) Some vulnerabilities exist in ImageIO, HFS, curl, Kernel, libarchive, libxml, PHP, Ruby, Samba, and X11.

For more information:
SA43420
SA43434
SA43593
SA44711
SA45046
SA45325
SA45544
SA46107
SA46148
SA46168
SA46417
SA46632
SA47049
SA47404
SA47405
SA47690
SA47806
SA48152
SA48288
SA48742

4) Errors within the directory server when handling network messages can be exploited to disclose certain memory contents and e.g. gain access to account credentials.

NOTE: This vulnerability only affects Mac OS X 10.6.

5) An error within the libsecurity component when handling X.509 certificates can be exploited to reference uninitialized memory and execute arbitrary code.

6) A race condition when handling Guest user login can be exploited to log in to other accounts without a password.

7) An error within Quartz Composer when handling screen savers can be exploited to launch Safari.

Successful exploitation of this vulnerability requires that the RSS Visualizer screen saver is used.

8) An error within QuickTime when handling audio sample tables during progressive download can be exploited to cause a buffer overflow via a specially crafted movie file.

9) An integer underflow error within QuickTime when calculating padding for MPEG samples can be exploited to cause a heap-based buffer overflow.

10) An integer underflow error within QuickTime when handling MPEG files can be exploited to corrupt memory.

11) A use-after-free error within QuickTime when processing the stsz atom in JPEG2000 encoded movie files can be exploited to execute arbitrary code.

12) An integer truncation error within libsecurity_cdsa_plugin when allocating memory can be exploited to cause a heap-based buffer overflow.
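The integer-handling mistakes behind items 9, 10 and 12 (an underflow when computing padding, and a truncation when sizing an allocation) and the bounds checks a sample-size table such as item 11's stsz atom needs are easy to show in isolation. The following C is an added example written for this page; it is not Apple's or QuickTime's code, the padding rule is a simplified stand-in for whatever QuickTime actually computes, and the two input atoms are constructed for illustration. The stsz layout follows ISO/IEC 14496-12.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sample Size ('stsz') atom body, layout per ISO/IEC 14496-12:
 *   version(1) flags(3) sample_size(4) sample_count(4) [entry_size(4) x sample_count]
 * The entry table is only present when sample_size == 0. */
struct stsz {
    uint32_t sample_size;
    uint32_t sample_count;
    const uint8_t *sizes;   /* entry table inside the caller's buffer, or NULL */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 0 on success, -1 if the atom body is malformed. The declared
 * sample_count is checked against the bytes actually present; dividing the
 * remaining length by 4 instead of multiplying sample_count by 4 cannot
 * overflow, so a huge count is rejected rather than trusted. */
int parse_stsz(const uint8_t *body, size_t len, struct stsz *out)
{
    if (body == NULL || out == NULL || len < 12) return -1;
    if (body[0] != 0) return -1;                 /* only version 0 is defined */
    out->sample_size  = be32(body + 4);
    out->sample_count = be32(body + 8);
    out->sizes = NULL;
    if (out->sample_size == 0) {
        if (out->sample_count > (len - 12) / 4) return -1;
        out->sizes = body + 12;
    }
    return 0;
}

/* Bounds-checked table lookup: 0 and the i-th sample size, or -1 if i is
 * out of range (the table is never read past its declared end). */
int stsz_entry(const struct stsz *t, uint32_t i, uint32_t *size)
{
    if (t == NULL || i >= t->sample_count) return -1;
    *size = t->sample_size ? t->sample_size : be32(t->sizes + (size_t)i * 4);
    return 0;
}

/* Padding to bring a frame of frame_len bytes up to block_len. The naive
 * "block_len - frame_len" wraps to ~4 GiB when frame_len > block_len, and a
 * memset()/memcpy() of that many bytes overruns the heap buffer. The block
 * rule here is an assumed stand-in, not QuickTime's formula. */
int mpeg_padding(uint32_t frame_len, uint32_t block_len, uint32_t *padding)
{
    if (frame_len > block_len) return -1;        /* would underflow */
    *padding = block_len - frame_len;
    return 0;
}

/* Byte size of the entry table for a 32-bit length field. Casting the 64-bit
 * product straight to uint32_t truncates 0x40000001 * 4 to 4, so malloc()
 * gets 4 bytes while the copy loop still runs sample_count times. */
int table_bytes(uint32_t sample_count, uint32_t *bytes)
{
    uint64_t n = (uint64_t)sample_count * 4u;
    if (n > UINT32_MAX) return -1;               /* does not fit; refuse */
    *bytes = (uint32_t)n;
    return 0;
}

/* Constructed test inputs (not taken from any real file). */
const uint8_t kGoodStsz[] = {
    0x00, 0x00, 0x00, 0x00,       /* version 0, flags 0 */
    0x00, 0x00, 0x00, 0x00,       /* sample_size 0 -> table follows */
    0x00, 0x00, 0x00, 0x03,       /* sample_count 3 */
    0x00, 0x00, 0x00, 0x64,       /* 100 */
    0x00, 0x00, 0x00, 0xC8,       /* 200 */
    0x00, 0x00, 0x01, 0x2C,       /* 300 */
};
const uint8_t kBadStsz[] = {      /* claims 0xFFFFFFFF entries in a 24-byte body */
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0xFF, 0xFF, 0xFF, 0xFF,
    0x00, 0x00, 0x00, 0x64,
    0x00, 0x00, 0x00, 0xC8,
    0x00, 0x00, 0x01, 0x2C,
};

int main(void)
{
    struct stsz t;
    uint32_t v;
    printf("good atom: %s\n", parse_stsz(kGoodStsz, sizeof kGoodStsz, &t) == 0 ? "ok" : "rejected");
    printf("bad atom:  %s\n", parse_stsz(kBadStsz, sizeof kBadStsz, &t) == 0 ? "ok" : "rejected");
    printf("padding 1500->1400: %s\n", mpeg_padding(1500, 1400, &v) == 0 ? "ok" : "underflow");
    printf("table for 0x40000001 entries: %s\n", table_bytes(0x40000001u, &v) == 0 ? "ok" : "truncation");
    return 0;
}
```

Each check fails closed: a count that does not fit the bytes present, a frame larger than its block, or a table size that does not fit the length type is reported to the caller before any allocation or copy happens, which is the property the four QuickTime fixes above restore.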

13) Time Machine does not enforce SRP-based authentication for subsequent backup operations, which can be exploited to gain access to Time Capsule credentials.

Solution

Update to OS X Lion v10.7.4 or apply Security Update 2012-002.

Security Update 2012-002 Server:
http://support.apple.com/kb/DL1527

Security Update 2012-002:
http://support.apple.com/kb/DL1526

OS X Lion Server Combo:
http://support.apple.com/kb/DL1529

OS X Lion Server:
http://support.apple.com/kb/DL1530

OS X Lion Client Combo:
http://support.apple.com/kb/DL1524

OS X Lion Client:
http://support.apple.com/kb/DL1525

Reported by

1) tarwinator in a forum post.
6) Reported by the vendor
9) An anonymous person via ZDI
10) Justin Kim, Microsoft
11) Damian Put via ZDI
12) aazubel via ZDI

The vendor credits:
2, 7) Aaron Sigel, vtty.com
4) Agustin Azubel
5) Dirk-Willem van Gulik of WebWeaving.org, Guilherme Prado of Conselho da Justica Federal, and Ryan Sleevi of Google
6) Francisco Gomez (espectalll123)
8) Luigi Auriemma via ZDI
13) Renaud Deraison, Tenable Network Security

Original Advisory

Apple:
http://support.apple.com/kb/HT5281

Microsoft:
http://technet.microsoft.com/en-us/security/msvr/msvr12-007

tarwinator:
https://discussions.apple.com/thread/3715366

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-12-076/
http://www.zerodayinitiative.com/advisories/ZDI-12-135/
http://www.zerodayinitiative.com/advisories/ZDI-12-137/