SecurityTracker.com

Category:   Application (E-mail Client)  >   Apple Mail
Vendors:   Apple Computer
Apple Mail MobileMe May Disclose Email Alias to Remote Users Monitoring the Network
SecurityTracker Alert ID:  1025704
SecurityTracker URL:  http://securitytracker.com/id/1025704
CVE Reference:   CVE-2011-0207
Date:  Jun 24 2011
Impact:   Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 10.6.8
Description:   A vulnerability was reported in Apple Mail MobileMe. A remote user with the ability to monitor the network can obtain a user's email alias.

A remote user in a privileged network position can obtain a user's email aliases when Apple Mail makes a request via HTTP to the MobileMe servers.

Aaron Sigel of vtty.com reported this vulnerability.

Impact:   A remote user can obtain a target user's email aliases.
Solution:   The vendor has issued a fix as part of Mac OS X v10.6.8 and Security Update 2011-004, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Security Update 2011-004 or Mac OS X v10.6.8.

For Mac OS X v10.6.7
The download file is named: MacOSXUpd10.6.8.dmg
Its SHA-1 digest is: fee3d708be1cef09185eb9f6bfad1884efb3f0fc

For Mac OS X v10.6 - v10.6.6
The download file is named: MacOSXUpdCombo10.6.8.dmg
Its SHA-1 digest is: 7e22a53b62bf16f44fbba4042606af91888335cf

For Mac OS X Server v10.6.7
The download file is named: MacOSXServerUpd10.6.8.dmg
Its SHA-1 digest is: 34e8d742635d11fe483b2ca63cbd2df4fe6bd42a

For Mac OS X Server v10.6 - v10.6.6
The download file is named: MacOSXServerUpdCombo10.6.8.dmg
Its SHA-1 digest is: 123bebedc91e9483c7e44e671bf27fda34821b1f

For Mac OS X v10.5.8
The download file is named: SecUpd2011-004.dmg
Its SHA-1 digest is: 2d8967d783c08c4d7904c0138f5ea6fb0056a2f0

For Mac OS X Server v10.5.8
The download file is named: SecUpdSrvr2011-004.dmg
Its SHA-1 digest is: 9fe192900feb5808307aa0329f1d0df430f536f6

The vendor's advisory is available at:

http://support.apple.com/kb/HT4723

Vendor URL:  support.apple.com/kb/HT4723
Cause:   Access control error
Underlying OS:   UNIX (OS X)

Message History:   None.


 Source Message Contents

Date:  Fri, 24 Jun 2011 00:49:59 +0000
Subject:  Apple Mail


MobileMe
Available for:  Mac OS X v10.6 through v10.6.7,
Mac OS X Server v10.6 through v10.6.7
Impact:  An attacker with a privileged network position may read a
user's MobileMe email aliases
Description:  When communicating with MobileMe to determine a user's
email aliases, Mail will make requests over HTTP. As a result, an
attacker with a privileged network position may read a user's
MobileMe email aliases. This issue is addressed by using SSL to
access the user's email aliases.
CVE-ID
CVE-2011-0207 : Aaron Sigel of vtty.com


 
 



Copyright 2013, SecurityGlobal.net LLC