ID

VAR-201202-0150


CVE

CVE-2011-3449


TITLE

Apple Mac OS X CoreText embedded font vulnerability

Trust: 0.8

sources: CERT/CC: VU#410281

DESCRIPTION

Use-after-free vulnerability in CoreText in Apple Mac OS X before 10.7.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted embedded font in a document. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts may cause denial-of-service conditions. The issue affects Mac OS X and Mac OS X Server versions prior to 10.7.3. NOTE: This issue was previously discussed in BID 51798 (Apple Mac OS X Prior to 10.7.3 Multiple Security Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- SC Magazine awards the Secunia CSI a 5-Star rating Top-level rating for ease of use, performance, documentation, support, and value for money. Read more and get a free trial here: http://secunia.com/blog/296 ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA47843 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47843/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47843 RELEASE DATE: 2012-02-03 DISCUSS ADVISORY: http://secunia.com/advisories/47843/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47843/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47843 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) The Address Book component downgrades to an unencrypted connection when an encrypted connection fails. This can be exploited to intercept CardDAV data. 2) An error in the bundled version of Apache can be exploited to cause a temporary DoS (Denial of Service). For more information: SA46013 3) A design error in Apache within the Secure Sockets Layer 3.0 (SSL) and Transport Layer Security 1.0 (TLS) protocols when using a block cipher in CBC mode can be exploited to decrypt data protected by SSL. 4) An error in ATS when handling data-font files can be exploited to corrupt memory via a specially crafted font opened by Font Book. 5) An error in CFNetwork when handling URLs can be exploited to disclose sensitive information via a specially crafted web page as a request could be sent to an incorrect origin server. 6) An error in CFNetwork when handling URLs can be exploited to disclose sensitive information via a specially crafted web page as unexpected request headers could be sent. 7) An integer overflow error in ColorSync when handling images with embedded ColorSync profiles can be exploited to cause a heap-based buffer overflow via a specially crafted image. 8) An error in CoreAudio when handling AAC encoded audio streams can be exploited to cause a buffer overflow when playing specially crafted audio content. 9) An error in CoreMedia when handling H.264 encoded movies can be exploited to cause a heap-based buffer overflow. 10) A use-after-free error in CoreText when handling documents containing fonts can be exploited to dereference already freed memory via a specially crafted font. 11) An error exists in CoreUI when handling long URLs and can be exploited via a specially crafted website. 12) An error in curl can be exploited by remote servers to impersonate clients via GSSAPI requests. For more information: SA45067 13) Two of the certificate authorities in the list of trusted root certificates have issued intermediate certificates to DigiCert Malaysia, who has issued certificates with weak keys that cannot be revoked. 14) A design error in dovecot within the Secure Sockets Layer 3.0 (SSL) and Transport Layer Security 1.0 (TLS) protocols when using a block cipher in CBC mode can be exploited to decrypt data protected by SSL. 15) An error in the uncompress command line tool when decompressing compressed files can be exploited to cause a buffer overflow. For more information: SA45544 16) An error in ImageIO when parsing TIFF images can be exploited to cause a buffer overflow. For more information see vulnerability #9: SA45325 17) An error in ImageIO when handling ThunderScan encoded TIFF images can be exploited to cause a buffer overflow. For more information see vulnerability #2: SA43593: 18) An error exists in the bundled version of libpng. For more information: SA46148 19) An error in Internet Sharing may cause the used Wi-Fi configuration to revert to factory defaults (e.g. disabling the WEP password) after a system update. 20) An error in Libinfo can be exploited to disclose sensitive information via a specially crafted website. For more information see vulnerability #4: SA46747 21) An integer overflow error in libresolv when parsing DNS resource records can be exploited to cause a heap-based buffer overflow. 22) An error in libsecurity may cause some EV certificates to be trusted even when the corresponding root is marked untrusted. 23) Multiple errors in OpenGL when handling GLSL compilation can be exploited to corrupt memory. 24) Multiple errors exist in the bundled version of PHP. For more information: SA44874 SA45678 25) Various errors in FreeType when handling Type 1 fonts can be exploited to corrupt memory. For more information: SA46575 26) An error in QuickTime when parsing MP4 encoded files can be exploited to access uninitialised memory. 27) A signedness error in QuickTime when handling font tables embedded in movie files can be exploited to corrupt memory. 28) An off-by-one error in QuickTime when handling rdrf atoms in movie files can be exploited to cause a single byte buffer overflow. 29) An error in QuickTime when parsing JPEG2000 images can be exploited to cause a buffer overflow. 30) An error in QuickTime when parsing PNG images can be exploited to cause a buffer overflow. 31) An error in QuickTime when handling FLC encoded movie files can be exploited to cause a buffer overflow. 32) Multiple errors exists in the bundled version of SquirrelMail. For more information: SA40307 SA45197 33) Various errors exist in the bundled version of Subversion. For more information: SA44681 34) Time Machine does not verify that a designated remote AFP volume or Time Capsule is used for subsequent backups. This can be exploited to access backups by spoofing the remote volume. 35) Errors exist in the bundled version of Tomcat. For more information: SA44981 36) An error in WebDAV Sharing when handling user authentication can be exploited by local users to gain escalated privileges. 37) An error exists in the bundled version of Webmail. For more information: SA45605 SOLUTION: Update to OS X Lion version 10.7.3 or apply Security Update 2012-001. PROVIDED AND/OR DISCOVERED BY: 4, 10) Will Dormann, CERT/CC The vendor also credits: 1) Bernard Desruisseaux, Oracle Corporation 5, 6) Erling Ellingsen, Facebook 7) binaryproof via ZDI 8, 27, 28, 29, 30) Luigi Auriemma via ZDI 9) Scott Stender, iSEC Partners 11) Ben Syverson 19) An anonymous person 21) Ilja van Sprundel, IOActive 22) Alastair Houghton 23) Chris Evans, Google Chrome Security Team and Marc Schoenefeld, Red Hat Security Response Team 26) Luigi Auriemma via ZDI and pa_kt via ZDI 31) Matt "j00ru" Jurczyk via ZDI 34) Michael Roitzsch, Technische Universit\xe4t Dresden 36) Gordon Davisson, Crywolf ORIGINAL ADVISORY: Apple Security Update 2012-001: http://support.apple.com/kb/HT5130 US-CERT: http://www.kb.cert.org/vuls/id/403593 http://www.kb.cert.org/vuls/id/410281 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 3.51

sources: NVD: CVE-2011-3449 // CERT/CC: VU#410281 // CERT/CC: VU#403593 // JVNDB: JVNDB-2012-001284 // BID: 51812 // VULHUB: VHN-51394 // PACKETSTORM: 109442

AFFECTED PRODUCTS

vendor:applemodel: - scope: - version: -

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.7.0

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.7.1

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.7.1

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.7.0

Trust: 1.6

vendor:applemodel:mac os x serverscope:lteversion:10.7.2

Trust: 1.0

vendor:applemodel:mac os xscope:lteversion:10.7.2

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:v10.6.8

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:v10.7 to v10.7.2

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:v10.6.8

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:v10.7 to v10.7.2

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.7.2

Trust: 0.6

vendor:applemodel:mac os x serverscope:eqversion:10.7.2

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.6.6

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.6.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.6.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.6.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.6.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.6.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.7.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.7.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.6.8

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.6.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.6.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.6.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.6.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.6.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.6.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.7.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.7.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.6

Trust: 0.3

vendor:applemodel:mac os serverscope:neversion:x10.7.3

Trust: 0.3

vendor:applemodel:mac osscope:neversion:x10.7.3

Trust: 0.3

sources: CERT/CC: VU#410281 // CERT/CC: VU#403593 // BID: 51812 // JVNDB: JVNDB-2012-001284 // CNNVD: CNNVD-201202-062 // NVD: CVE-2011-3449

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-3449
value: MEDIUM

Trust: 1.0

CARNEGIE MELLON: VU#410281
value: HIGH

Trust: 0.8

CARNEGIE MELLON: VU#403593
value: HIGH

Trust: 0.8

NVD: CVE-2011-3449
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201202-062
value: MEDIUM

Trust: 0.6

VULHUB: VHN-51394
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2011-3449
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CARNEGIE MELLON: VU#410281
severity: HIGH
baseScore: 9.0
vectorString: NONE
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 9.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CARNEGIE MELLON: VU#403593
severity: HIGH
baseScore: 9.0
vectorString: NONE
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 9.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-51394
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#410281 // CERT/CC: VU#403593 // VULHUB: VHN-51394 // JVNDB: JVNDB-2012-001284 // CNNVD: CNNVD-201202-062 // NVD: CVE-2011-3449

PROBLEMTYPE DATA

problemtype:CWE-399

Trust: 1.9

sources: VULHUB: VHN-51394 // JVNDB: JVNDB-2012-001284 // NVD: CVE-2011-3449

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201202-062

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201202-062

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-001284

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#410281 // CERT/CC: VU#403593

PATCH

title:HT5130url:http://support.apple.com/kb/HT5130

Trust: 0.8

sources: JVNDB: JVNDB-2012-001284

EXTERNAL IDS

db:NVDid:CVE-2011-3449

Trust: 2.8

db:CERT/CCid:VU#410281

Trust: 2.0

db:BIDid:51812

Trust: 1.0

db:CERT/CCid:VU#403593

Trust: 0.9

db:JVNDBid:JVNDB-2012-001284

Trust: 0.8

db:CNNVDid:CNNVD-201202-062

Trust: 0.7

db:NSFOCUSid:18635

Trust: 0.6

db:APPLEid:APPLE-SA-2012-02-01-1

Trust: 0.6

db:SECUNIAid:47843

Trust: 0.2

db:VULHUBid:VHN-51394

Trust: 0.1

db:PACKETSTORMid:109442

Trust: 0.1

sources: CERT/CC: VU#410281 // CERT/CC: VU#403593 // VULHUB: VHN-51394 // BID: 51812 // JVNDB: JVNDB-2012-001284 // PACKETSTORM: 109442 // CNNVD: CNNVD-201202-062 // NVD: CVE-2011-3449

REFERENCES

url:http://support.apple.com/kb/ht5130

Trust: 4.2

url:http://lists.apple.com/archives/security-announce/2012/feb/msg00000.html

Trust: 1.7

url:http://www.kb.cert.org/vuls/id/410281

Trust: 1.2

url:http://developer.apple.com/library/mac/documentation/stringstextfonts/conceptual/coretext_programming/introduction/introduction.html

Trust: 0.8

url:about vulnerability notes

Trust: 0.8

url:contact us about this vulnerability

Trust: 0.8

url:provide a vendor statement

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-3449

Trust: 0.8

url:http://jvn.jp/cert/jvnvu382755

Trust: 0.8

url:http://jvn.jp/cert/jvnvu410281

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-3449

Trust: 0.8

url:http://www.securityfocus.com/bid/51812

Trust: 0.6

url:http://www.nsfocus.net/vulndb/18635

Trust: 0.6

url:http://www.apple.com/macosx/

Trust: 0.3

url:http://www.kb.cert.org/vuls/id/403593

Trust: 0.1

url:http://secunia.com/vulnerability_intelligence/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=47843

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.1

url:http://secunia.com/advisories/47843/

Trust: 0.1

url:http://secunia.com/advisories/47843/#comments

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/blog/296

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: CERT/CC: VU#410281 // CERT/CC: VU#403593 // VULHUB: VHN-51394 // BID: 51812 // JVNDB: JVNDB-2012-001284 // PACKETSTORM: 109442 // CNNVD: CNNVD-201202-062 // NVD: CVE-2011-3449

CREDITS

Will Dormann of the CERT/CC

Trust: 0.9

sources: BID: 51812 // CNNVD: CNNVD-201202-062

SOURCES

db:CERT/CCid:VU#410281
db:CERT/CCid:VU#403593
db:VULHUBid:VHN-51394
db:BIDid:51812
db:JVNDBid:JVNDB-2012-001284
db:PACKETSTORMid:109442
db:CNNVDid:CNNVD-201202-062
db:NVDid:CVE-2011-3449

LAST UPDATE DATE

2024-09-09T22:17:40.175000+00:00


SOURCES UPDATE DATE

db:CERT/CCid:VU#410281date:2012-03-28T00:00:00
db:CERT/CCid:VU#403593date:2012-03-28T00:00:00
db:VULHUBid:VHN-51394date:2012-02-03T00:00:00
db:BIDid:51812date:2015-03-19T08:48:00
db:JVNDBid:JVNDB-2012-001284date:2012-02-06T00:00:00
db:CNNVDid:CNNVD-201202-062date:2012-02-06T00:00:00
db:NVDid:CVE-2011-3449date:2012-02-03T05:00:00

SOURCES RELEASE DATE

db:CERT/CCid:VU#410281date:2012-02-02T00:00:00
db:CERT/CCid:VU#403593date:2012-02-02T00:00:00
db:VULHUBid:VHN-51394date:2012-02-02T00:00:00
db:BIDid:51812date:2012-02-01T00:00:00
db:JVNDBid:JVNDB-2012-001284date:2012-02-06T00:00:00
db:PACKETSTORMid:109442date:2012-02-04T04:42:13
db:CNNVDid:CNNVD-201202-062date:1900-01-01T00:00:00
db:NVDid:CVE-2011-3449date:2012-02-02T18:55:01.207