ID

VAR-201110-0428

CVE

CVE-2011-3224

TITLE

Apple Mac OS X of User Documentation Vulnerability in arbitrary code execution in components

DESCRIPTION

The User Documentation component in Apple Mac OS X through 10.6.8 uses http sessions for updates to App Store help information, which allows man-in-the-middle attackers to execute arbitrary code by spoofing the http server. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2011-006. The update addresses new vulnerabilities that affect Application Firewall, ATS, CFNetwork, CoreMedia, CoreProcesses, CoreStorage, File Systems, IOGraphics, Kernel, MediaKit, Open Directory, QuickTime, SMB File Server, User Documentation, and libsecurity. These issues affect OS X prior to 10.7.2. An attacker can exploit this issue by performing a man-in-the-middle attack. Successful exploits will allow attackers to execute arbitrary code within the context of the affected application. Apple has released updates to address these vulnerabilities. I. Apple has released updates to address these vulnerabilities. II. Impact A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system. III. This advisory describes any known issues related to the updates and the specific impacts for each vulnerability. Administrators are encouraged to note these issues and impacts and test for any potentially adverse effects before wide-scale deployment. IV. Please send email to <cert@cert.org> with "TA11-286A Feedback VU#421739" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2011 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History October 13, 2011: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBTpb8zj/GkGVXE7GMAQI21Af/SHWzIangqPW9vtuG/MQWSBMy9nG4wIZS DUEAWBEMPTKF3fLrIy6TVpRLN3q/q4dCYXzM4lec4IzKvEbV/bUyg15xEfYdxB0v s/vARGNwf7tjSbjo+PaHLuSZ1HLn/GLO3CXaf+ut/Kb8y9Fsir5klMgrCX/N0JkY dLoV9R6zGs1aQzmF9ULB1IQ2/lUkg6CGnyARh0prfhRFwKfu7NZXb8yz5ex68q6V NF6j9l+XK0Cl4K7R+0ESD4e47jLCg6iN175O8VzrlxiRvBRAyTaFycdMB4uSkmii xu8SqU2QFhsIJy8J+i1Bb6kuWkaxAnUbxO4tRrmXoqTXl9m0CtpnWA== =3Wp2 -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Ovum says ad hoc tools are out-dated. The best practice approach? Fast vulnerability intelligence, threat handling, and setup in one tool. Read the new report on the Secunia VIM: http://secunia.com/products/corporate/vim/ovum_2011_request/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA46417 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46417/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46417 RELEASE DATE: 2011-10-14 DISCUSS ADVISORY: http://secunia.com/advisories/46417/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46417/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46417 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) Some vulnerabilities exist in Apache, BIND, CoreFoundation, CoreMedia, iChat Server, Mailman, Postfix, PHP, Python, QuickTime, Tomcat, and X11: For more information: SA37426 SA38219 SA39574 SA39937 SA40148 SA41724 SA42337 SA42374 SA42435 SA43194 SA43198 SA43389 SA43646 SA43814 SA44490 SA44719 SA44787 SA45046 SA45082 SA45167 SA45516 SA45606 SA46339 2) A format string error in the Application Firewall's debug logging can be exploited via a specially crafted name. 3) A signedness error in the ATS component when handling Type 1 fonts can be exploited via a specially crafted font embedded in a document. 4) An error in the ATS component when handling Type 1 fonts can be exploited to access an out of bounds memory location via a specially crafted font embedded in a document. 5) An error in the ATSFontDeactivate API can be exploited to cause a buffer overflow. 6) A synchronization error in the CFNetwork component when handling cookie policies can be exploited to bypass Safari's cookie preferences and store a cookie that would otherwise be blocked. 7) An error in the CFNetwork component when handling HTTP cookies can be exploited to send a cookie for a domain to a server outside of that domain. 8) Some errors in the CoreMedia component when handling QuickTime movie files can be exploited to corrupt memory. 9) An error in the CoreProcesses component when handling system windows (e.g. VPN password prompt) while the screen is locked can be exploited to partially bypass the screen lock. 10) An error in the CoreStorage component when enabling FileVault did not encrypt some data at the start of a volume. 11) An error when handling HTTPS connections to WebDAV volumes did not properly verify certificate information and can be exploited via a Man-in-the-Middle (MitM) attack. 12) An error in the IOGraphics component within the screen lock functionality when used with Apple Cinema displays can be exploited to access the system without entering a password. 13) A logic error in the kernel's DMA protection can be exploited to access a user's password via firewire DMA access at loginwindow, boot, or shutdown processing. 14) A logic error in the kernel's handling of file deletions in directories when the sticky bit was set can be exploited to delete another user's files within a shared directory. 15) An error exists in the libsecurity module when handling errors during the parsing of a nonstandard certificate revocation list extension. 16) Some errors in the MediaKit component when handling disk images can be exploited to corrupt memory. 17) An error in the Open Directory component within the access control mechanism can be exploited to access another local user's password data. 18) An error in the Open Directory component within the access control mechanism can be exploited to change another user's password. 19) An error in the Open Directory component when bound to a LDAPv3 server and no AuthenticationAuthority attribute for a user exists can be exploited by an LDAP user to login without a password. 20) Some errors in QuickTime when handling movie files can be exploited to corrupt memory via a specially crafted file. 21) An error in QuickTime within the "Save for Web" export feature due to storing certain JavaScript code from the vendor's website using HTTP can be exploited to inject arbitrary code via a Man-in-the-Middle (MitM) attack, which will be executed when saved content is viewed locally. 22) An error in QuickTime when processing URL data handlers within movie files can be exploited to reference uninitialized memory via a specially crafted file. 23) An error in QuickTime when handling the atom hierarchy within movie files can be exploited via a specially crafted file. 24) An error in QuickTime when handling FlashPix files can be exploited to cause a buffer overflow via a specially crafted file. 25) An error in QuickTime when handling FLIC files can be exploited to cause a buffer overflow via a specially crafted file. 26) An error in the SMB File Server when guest access is disabled for a share point record for a folder can be exploited to access the share point using a guest user "nobody". SOLUTION: Update to version 10.7.2 or apply Security Update 2011-006. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: 3, 8, 11, 12, 16, 20, 26) Reported by the vendor. 21, 27) Aaron Sigel, vtty.com 27) Brian Mastenbrook, vtty.com The vendor also credits the following people: 2) An anonymous person 4) Will Dormann, the CERT/CC 5) Steven Michaud, Mozilla 6) Martin Tessarek, Steve Riggins, Geeks R Us, Justin C. Walker, and Stephen Creswell 7) Erling Ellingsen, Facebook 9) Clint Tseng, University, Washington, Michael Kobb, and Adam Kemp 10) Judson Powers, ATC-NY 13) Passware, Inc. 14) Gordon Davisson, Crywolf, Linc Davis, R. Dormer, and Allan Schmid and Oliver Jeckel, brainworks Training 15) Richard Godbee, Virginia Tech 17) Arek Dreyer, Dreyer Network Consultants, Inc, 17, 18) Patrick Dunstan, defenceindepth.net 19) Jeffry Strunk, The University, Texas at Austin, Steven Eppler, Colorado Mesa University, Hugh Cole-Baker, and Frederic Metoz, Institut de Biologie Structurale 22) Luigi Auriemma via ZDI 23) An anonymous person via ZDI 24) Damian Put via ZDI 25) Matt 'j00ru' Jurczyk via ZDI ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT5002 vtty.com: http://vttynotes.blogspot.com/2011/10/summary-of-vulnerability-write-ups-on.html http://vttynotes.blogspot.com/2011/10/cve-2011-3224-mitm-to-rce-with-mac-app.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

network

TYPE

other

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Anonymous, Apple, Will Dormann of the CERT/CC, Steven Michaud of Mozilla, Martin Tessarek, Steve Riggins of Geeks R Us, Justin C. Walker, Stephen Creswell, Erling Ellingsen of Facebook, Clint Tseng of the University of Washington, Michael Kobb, Adam Kemp,

SOURCES

LAST UPDATE DATE

2024-11-23T19:57:29.864000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE