ID

VAR-201202-0147


CVE

CVE-2011-3446


TITLE

Apple Mac OS X CoreText embedded font vulnerability

Trust: 0.8

sources: CERT/CC: VU#410281

DESCRIPTION

Apple Type Services (ATS) in Apple Mac OS X before 10.7.3 does not properly manage memory for data-font files, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted font that is accessed by Font Book. Attackers can exploit this issue by enticing an unsuspecting user to open a malicious font file in the Font Book application. An attacker could exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. This issue affects Mac OS X 10.6.8, Mac OS X Server 10.6.8, Mac OS X Lion 10.7 to 10.7.2 and Mac OS X Lion Server 10.7 to 10.7.2. ---------------------------------------------------------------------- SC Magazine awards the Secunia CSI a 5-Star rating Top-level rating for ease of use, performance, documentation, support, and value for money. Read more and get a free trial here: http://secunia.com/blog/296 ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA47843 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47843/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47843 RELEASE DATE: 2012-02-03 DISCUSS ADVISORY: http://secunia.com/advisories/47843/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47843/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47843 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) The Address Book component downgrades to an unencrypted connection when an encrypted connection fails. This can be exploited to intercept CardDAV data. 2) An error in the bundled version of Apache can be exploited to cause a temporary DoS (Denial of Service). For more information: SA46013 3) A design error in Apache within the Secure Sockets Layer 3.0 (SSL) and Transport Layer Security 1.0 (TLS) protocols when using a block cipher in CBC mode can be exploited to decrypt data protected by SSL. 5) An error in CFNetwork when handling URLs can be exploited to disclose sensitive information via a specially crafted web page as a request could be sent to an incorrect origin server. 6) An error in CFNetwork when handling URLs can be exploited to disclose sensitive information via a specially crafted web page as unexpected request headers could be sent. 7) An integer overflow error in ColorSync when handling images with embedded ColorSync profiles can be exploited to cause a heap-based buffer overflow via a specially crafted image. 8) An error in CoreAudio when handling AAC encoded audio streams can be exploited to cause a buffer overflow when playing specially crafted audio content. 9) An error in CoreMedia when handling H.264 encoded movies can be exploited to cause a heap-based buffer overflow. 10) A use-after-free error in CoreText when handling documents containing fonts can be exploited to dereference already freed memory via a specially crafted font. 11) An error exists in CoreUI when handling long URLs and can be exploited via a specially crafted website. 12) An error in curl can be exploited by remote servers to impersonate clients via GSSAPI requests. For more information: SA45067 13) Two of the certificate authorities in the list of trusted root certificates have issued intermediate certificates to DigiCert Malaysia, who has issued certificates with weak keys that cannot be revoked. 14) A design error in dovecot within the Secure Sockets Layer 3.0 (SSL) and Transport Layer Security 1.0 (TLS) protocols when using a block cipher in CBC mode can be exploited to decrypt data protected by SSL. 15) An error in the uncompress command line tool when decompressing compressed files can be exploited to cause a buffer overflow. For more information: SA45544 16) An error in ImageIO when parsing TIFF images can be exploited to cause a buffer overflow. For more information see vulnerability #9: SA45325 17) An error in ImageIO when handling ThunderScan encoded TIFF images can be exploited to cause a buffer overflow. For more information see vulnerability #2: SA43593: 18) An error exists in the bundled version of libpng. For more information: SA46148 19) An error in Internet Sharing may cause the used Wi-Fi configuration to revert to factory defaults (e.g. disabling the WEP password) after a system update. 20) An error in Libinfo can be exploited to disclose sensitive information via a specially crafted website. For more information see vulnerability #4: SA46747 21) An integer overflow error in libresolv when parsing DNS resource records can be exploited to cause a heap-based buffer overflow. 22) An error in libsecurity may cause some EV certificates to be trusted even when the corresponding root is marked untrusted. 23) Multiple errors in OpenGL when handling GLSL compilation can be exploited to corrupt memory. 24) Multiple errors exist in the bundled version of PHP. For more information: SA44874 SA45678 25) Various errors in FreeType when handling Type 1 fonts can be exploited to corrupt memory. For more information: SA46575 26) An error in QuickTime when parsing MP4 encoded files can be exploited to access uninitialised memory. 27) A signedness error in QuickTime when handling font tables embedded in movie files can be exploited to corrupt memory. 28) An off-by-one error in QuickTime when handling rdrf atoms in movie files can be exploited to cause a single byte buffer overflow. 29) An error in QuickTime when parsing JPEG2000 images can be exploited to cause a buffer overflow. 30) An error in QuickTime when parsing PNG images can be exploited to cause a buffer overflow. 31) An error in QuickTime when handling FLC encoded movie files can be exploited to cause a buffer overflow. 32) Multiple errors exists in the bundled version of SquirrelMail. For more information: SA40307 SA45197 33) Various errors exist in the bundled version of Subversion. For more information: SA44681 34) Time Machine does not verify that a designated remote AFP volume or Time Capsule is used for subsequent backups. This can be exploited to access backups by spoofing the remote volume. 35) Errors exist in the bundled version of Tomcat. For more information: SA44981 36) An error in WebDAV Sharing when handling user authentication can be exploited by local users to gain escalated privileges. 37) An error exists in the bundled version of Webmail. For more information: SA45605 SOLUTION: Update to OS X Lion version 10.7.3 or apply Security Update 2012-001. PROVIDED AND/OR DISCOVERED BY: 4, 10) Will Dormann, CERT/CC The vendor also credits: 1) Bernard Desruisseaux, Oracle Corporation 5, 6) Erling Ellingsen, Facebook 7) binaryproof via ZDI 8, 27, 28, 29, 30) Luigi Auriemma via ZDI 9) Scott Stender, iSEC Partners 11) Ben Syverson 19) An anonymous person 21) Ilja van Sprundel, IOActive 22) Alastair Houghton 23) Chris Evans, Google Chrome Security Team and Marc Schoenefeld, Red Hat Security Response Team 26) Luigi Auriemma via ZDI and pa_kt via ZDI 31) Matt "j00ru" Jurczyk via ZDI 34) Michael Roitzsch, Technische Universit\xe4t Dresden 36) Gordon Davisson, Crywolf ORIGINAL ADVISORY: Apple Security Update 2012-001: http://support.apple.com/kb/HT5130 US-CERT: http://www.kb.cert.org/vuls/id/403593 http://www.kb.cert.org/vuls/id/410281 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 3.51

sources: NVD: CVE-2011-3446 // CERT/CC: VU#410281 // CERT/CC: VU#403593 // JVNDB: JVNDB-2012-001281 // BID: 51832 // VULHUB: VHN-51391 // PACKETSTORM: 109442

AFFECTED PRODUCTS

vendor:applemodel: - scope: - version: -

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.7.0

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.7.1

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.7.1

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.7.0

Trust: 1.6

vendor:applemodel:mac os x serverscope:lteversion:10.7.2

Trust: 1.0

vendor:applemodel:mac os xscope:lteversion:10.7.2

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:v10.6.8

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:v10.7 to v10.7.2

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:v10.6.8

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:v10.7 to v10.7.2

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.7.2

Trust: 0.6

vendor:applemodel:mac os x serverscope:eqversion:10.7.2

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.7.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.7.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.6.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.7.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.7.1

Trust: 0.3

vendor:applemodel:mac os serverscope:neversion:x10.7.3

Trust: 0.3

vendor:applemodel:mac osscope:neversion:x10.7.3

Trust: 0.3

sources: CERT/CC: VU#410281 // CERT/CC: VU#403593 // BID: 51832 // JVNDB: JVNDB-2012-001281 // CNNVD: CNNVD-201202-050 // NVD: CVE-2011-3446

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-3446
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#410281
value: HIGH

Trust: 0.8

CARNEGIE MELLON: VU#403593
value: HIGH

Trust: 0.8

NVD: CVE-2011-3446
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201202-050
value: HIGH

Trust: 0.6

VULHUB: VHN-51391
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2011-3446
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CARNEGIE MELLON: VU#410281
severity: HIGH
baseScore: 9.0
vectorString: NONE
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 9.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CARNEGIE MELLON: VU#403593
severity: HIGH
baseScore: 9.0
vectorString: NONE
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 9.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-51391
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#410281 // CERT/CC: VU#403593 // VULHUB: VHN-51391 // JVNDB: JVNDB-2012-001281 // CNNVD: CNNVD-201202-050 // NVD: CVE-2011-3446

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2011-3446

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201202-050

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201202-050

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-001281

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#410281 // CERT/CC: VU#403593

PATCH

title:HT5130url:http://support.apple.com/kb/HT5130

Trust: 0.8

sources: JVNDB: JVNDB-2012-001281

EXTERNAL IDS

db:NVDid:CVE-2011-3446

Trust: 2.8

db:CERT/CCid:VU#403593

Trust: 2.0

db:CERT/CCid:VU#410281

Trust: 0.9

db:BIDid:51832

Trust: 0.9

db:JVNDBid:JVNDB-2012-001281

Trust: 0.8

db:CNNVDid:CNNVD-201202-050

Trust: 0.7

db:NSFOCUSid:18634

Trust: 0.6

db:SECUNIAid:47843

Trust: 0.2

db:VULHUBid:VHN-51391

Trust: 0.1

db:PACKETSTORMid:109442

Trust: 0.1

sources: CERT/CC: VU#410281 // CERT/CC: VU#403593 // VULHUB: VHN-51391 // BID: 51832 // JVNDB: JVNDB-2012-001281 // PACKETSTORM: 109442 // CNNVD: CNNVD-201202-050 // NVD: CVE-2011-3446

REFERENCES

url:http://support.apple.com/kb/ht5130

Trust: 4.5

url:http://www.kb.cert.org/vuls/id/403593

Trust: 1.2

url:http://developer.apple.com/library/mac/documentation/stringstextfonts/conceptual/coretext_programming/introduction/introduction.html

Trust: 0.8

url:about vulnerability notes

Trust: 0.8

url:contact us about this vulnerability

Trust: 0.8

url:provide a vendor statement

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-3446

Trust: 0.8

url:http://jvn.jp/cert/jvnvu382755

Trust: 0.8

url:http://jvn.jp/cert/jvnvu403593

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-3446

Trust: 0.8

url:http://www.securityfocus.com/bid/51832

Trust: 0.6

url:http://www.nsfocus.net/vulndb/18634

Trust: 0.6

url:http://www.apple.com/macosx/

Trust: 0.3

url:http://secunia.com/vulnerability_intelligence/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=47843

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.1

url:http://www.kb.cert.org/vuls/id/410281

Trust: 0.1

url:http://secunia.com/advisories/47843/

Trust: 0.1

url:http://secunia.com/advisories/47843/#comments

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/blog/296

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: CERT/CC: VU#410281 // CERT/CC: VU#403593 // VULHUB: VHN-51391 // BID: 51832 // JVNDB: JVNDB-2012-001281 // PACKETSTORM: 109442 // CNNVD: CNNVD-201202-050 // NVD: CVE-2011-3446

CREDITS

Will Dormann of CERT.

Trust: 0.9

sources: BID: 51832 // CNNVD: CNNVD-201202-050

SOURCES

db:CERT/CCid:VU#410281
db:CERT/CCid:VU#403593
db:VULHUBid:VHN-51391
db:BIDid:51832
db:JVNDBid:JVNDB-2012-001281
db:PACKETSTORMid:109442
db:CNNVDid:CNNVD-201202-050
db:NVDid:CVE-2011-3446

LAST UPDATE DATE

2024-09-09T21:01:56.196000+00:00


SOURCES UPDATE DATE

db:CERT/CCid:VU#410281date:2012-03-28T00:00:00
db:CERT/CCid:VU#403593date:2012-03-28T00:00:00
db:VULHUBid:VHN-51391date:2012-02-03T00:00:00
db:BIDid:51832date:2015-03-19T07:35:00
db:JVNDBid:JVNDB-2012-001281date:2012-02-06T00:00:00
db:CNNVDid:CNNVD-201202-050date:2012-02-07T00:00:00
db:NVDid:CVE-2011-3446date:2012-02-03T05:00:00

SOURCES RELEASE DATE

db:CERT/CCid:VU#410281date:2012-02-02T00:00:00
db:CERT/CCid:VU#403593date:2012-02-02T00:00:00
db:VULHUBid:VHN-51391date:2012-02-02T00:00:00
db:BIDid:51832date:2012-02-02T00:00:00
db:JVNDBid:JVNDB-2012-001281date:2012-02-06T00:00:00
db:PACKETSTORMid:109442date:2012-02-04T04:42:13
db:CNNVDid:CNNVD-201202-050date:1900-01-01T00:00:00
db:NVDid:CVE-2011-3446date:2012-02-02T18:55:01.067