Mac OS X Bugs Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information and Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1027054
SecurityTracker URL: http://securitytracker.com/id/1027054
CVE Reference:
CVE-2012-0649, CVE-2012-0651, CVE-2012-0654, CVE-2012-0655, CVE-2012-0656, CVE-2012-0657, CVE-2012-0658, CVE-2012-0659, CVE-2012-0660, CVE-2012-0661, CVE-2012-0662, CVE-2012-0675
Date: May 10 2012
Impact:
Disclosure of system information, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 10.6.8, 10.7.3
Description:
Multiple vulnerabilities were reported in Mac OS X. A remote user can cause arbitrary code to be executed on the target user's system. A local user can obtain elevated privileges on the target system. A remote user can obtain potentially sensitive information.
A local user can exploit a temporary file race condition in Bluetooth initialization code to execute arbitrary code with system privileges [CVE-2012-0649]. Version 10.7.x is affected. Aaron Sigel of vtty.com reported this vulnerability.
A remote user can send a specially crafted message to cause the directory server to disclose memory contents [CVE-2012-0651]. Version 10.6.x is affected. Agustin Azubel reported this vulnerability.
A remote user can create a specially crafted X.509 certificate that, when verified by the target user, will trigger an uninitialized memory access error in libsecurity and execute arbitrary code on the target system [CVE-2012-0654]. Dirk-Willem van Gulik of WebWeaving.org, Guilherme Prado of Conselho da Justica Federal, and Ryan Sleevi of Google reported these vulnerabilities.
libsecurity supports X.509 certificates with insecure-length RSA keys, which may expose users to spoofing and information disclosure attacks [CVE-2012-0655].
A physically local user can exploit a flaw in LoginUIFramework to log in to a user account without providing a password [CVE-2012-0656]. Systems with the Guest user enabled are affected. Version 10.6.x is not affected. Francisco Gomez (espectalll123) reported this vulnerability.
A physically local user can exploit a flaw in Quartz Composer to cause Safari to launch when the screen is locked and the RSS Visualizer screen saver is used [CVE-2012-0657]. Aaron Sigel of vtty.com reported this vulnerability.
A remote user can create a specially crafted movie file that, when loaded by the target user, will trigger a buffer overflow in the processing of audio sample tables and execute arbitrary code on the target system [CVE-2012-0658]. Luigi Auriemma reported this vulnerability via HP's Zero Day Initiative.
A remote user can create a specially crafted MPEG file that, when loaded by the target user, will trigger an integer overflow and execute arbitrary code on the target system [CVE-2012-0659]. An anonymous researcher reported this vulnerability via HP's Zero Day Initiative.
A remote user can create a specially crafted MPEG file that, when loaded by the target user, will trigger a buffer underflow and execute arbitrary code on the target system [CVE-2012-0660]. Justin Kim at Microsoft and Microsoft Vulnerability Research reported this vulnerability.
A remote user can create a specially crafted movie file that, when loaded by the target user, will trigger a use-after-free memory error in the processing of JPEG2000 encoded movie files and execute arbitrary code on the target system [CVE-2012-0661]. Version 10.6.x is not affected. Damian Put reported this vulnerability via HP's Zero Day Initiative.
A remote user can supply specially crafted data to trigger an integer overflow in the Security Framework [CVE-2012-0662]. 32-bit processes are not affected. aazubel reported this vulnerability via HP's Zero Day Initiative.
A remote user can spoof a Time Machine backup volume to access a target user's Time Machine backup credentials [CVE-2012-0675]. Version 10.7.x is affected. Renaud Deraison of Tenable Network Security reported this vulnerability.
Impact:
A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
A local user can obtain elevated privileges on the target system.
A remote user can obtain potentially sensitive information.
Solution:
The vendor has issued a fix (OS X Lion v10.7.4 and Security Update 2012-002), available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Security Update 2012-002 or OS X v10.7.4.
For OS X Lion v10.7.3
The download file is named: MacOSXUpd10.7.4.dmg
Its SHA-1 digest is: 04c53a6148ebd8c5733459620b7c1e2172352d36
For OS X Lion v10.7 and v10.7.2
The download file is named: MacOSXUpdCombo10.7.4.dmg
Its SHA-1 digest is: b11d511a50d9b728532688768fcdee9c1930037f
For OS X Lion Server v10.7.3
The download file is named: MacOSXServerUpd10.7.4.dmg
Its SHA-1 digest is: 3cb5699c8ecf7d70145f3692555557f7206618b2
For OS X Lion Server v10.7 and v10.7.2
The download file is named: MacOSXServerUpdCombo10.7.4.dmg
Its SHA-1 digest is: 917207e922056718b9924ef73caa5fcac06b7240
For Mac OS X v10.6.8
The download file is named: SecUpd2012-002Snow.dmg
Its SHA-1 digest is: 9669fbd9952419e70ac20109cf4db37f9932e9f8
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-002.dmg
Its SHA-1 digest is: 34da2dcbc8d45362f1d5e3b1b218112a729ae1c3
The vendor's advisory will be available at:
http://support.apple.com/kb/HT1222
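One way to check a downloaded update against the digests listed above, as an added example (not SecurityTracker's or Apple's code). The function names are hypothetical; the file names and SHA-1 digests are copied from this advisory.

```python
import hashlib
import sys
from pathlib import Path

# File names and SHA-1 digests exactly as listed in the advisory above.
PUBLISHED_SHA1 = {
    "MacOSXUpd10.7.4.dmg": "04c53a6148ebd8c5733459620b7c1e2172352d36",
    "MacOSXUpdCombo10.7.4.dmg": "b11d511a50d9b728532688768fcdee9c1930037f",
    "MacOSXServerUpd10.7.4.dmg": "3cb5699c8ecf7d70145f3692555557f7206618b2",
    "MacOSXServerUpdCombo10.7.4.dmg": "917207e922056718b9924ef73caa5fcac06b7240",
    "SecUpd2012-002Snow.dmg": "9669fbd9952419e70ac20109cf4db37f9932e9f8",
    "SecUpdSrvr2012-002.dmg": "34da2dcbc8d45362f1d5e3b1b218112a729ae1c3",
}


def sha1_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large .dmg is never held in memory at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_download(path, published=PUBLISHED_SHA1):
    """Return 'ok', 'mismatch', or 'unknown' (file name not listed in the advisory)."""
    expected = published.get(Path(path).name)
    if expected is None:
        return "unknown"  # an unlisted file is never reported as verified
    return "ok" if sha1_of(path) == expected.lower() else "mismatch"


if __name__ == "__main__":
    # Usage: python check_update.py MacOSXUpd10.7.4.dmg [more files ...]
    results = {p: check_download(p) for p in sys.argv[1:]}
    for p, status in results.items():
        print(f"{status:8} {p}")
    # Exit non-zero unless every file named on the command line verified.
    sys.exit(0 if results and all(s == "ok" for s in results.values()) else 1)
```

A renamed download reports `unknown` rather than `ok`, because the lookup is keyed on the file name given in the advisory.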
Vendor URL: support.apple.com/kb/HT1222
Cause:
Access control error, Boundary error
Underlying OS:
Message History:
None.
Source Message Contents
Date: Thu, 10 May 2012 02:21:32 +0000
Subject: Apple Mac OS X
Excerpt from APPLE-SA-2012-05-09-1 OS X Lion v10.7.4 and Security Update 2012-002
Bluetooth
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A temporary file race condition issue existed in
blued's initialization routine.
CVE-ID
CVE-2012-0649 : Aaron Sigel of vtty.com
Directory Service
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: A remote attacker may obtain sensitive information
Description: Multiple issues existed in the directory server's
handling of messages from the network. By sending a maliciously
crafted message, a remote attacker could cause the directory server
to disclose memory from its address space, potentially revealing
account credentials or other sensitive information. This issue does
not affect OS X Lion systems. The Directory Server is disabled by
default in non-server installations of OS X.
CVE-ID
CVE-2012-0651 : Agustin Azubel
libsecurity
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Verifying a maliciously crafted X.509 certificate, such as
when visiting a maliciously crafted website, may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the
handling of X.509 certificates.
CVE-ID
CVE-2012-0654 : Dirk-Willem van Gulik of WebWeaving.org, Guilherme
Prado of Conselho da Justica Federal, Ryan Sleevi of Google
libsecurity
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Support for X.509 certificates with insecure-length RSA keys
may expose users to spoofing and information disclosure
Description: Certificates signed using RSA keys with insecure key
lengths were accepted by libsecurity. This issue is addressed by
rejecting certificates containing RSA keys less than 1024 bits.
CVE-ID
CVE-2012-0655
LoginUIFramework
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: If the Guest user is enabled, a user with physical access to
the computer may be able to log in to a user other than the Guest
user without entering a password
Description: A race condition existed in the handling of Guest user
logins. This issue does not affect systems prior to OS X Lion.
CVE-ID
CVE-2012-0656 : Francisco Gomez (espectalll123)
Quartz Composer
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: A user with physical access to the computer may be able to
cause Safari to launch if the screen is locked and the RSS Visualizer
screen saver is used
Description: An access control issue existed in Quartz Composer's
handling of screen savers. This issue is addressed through improved
checking for whether or not the screen is locked.
CVE-ID
CVE-2012-0657 : Aaron Sigel of vtty.com
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted movie file during progressive
download may lead to an unexpected application termination or
arbitrary code execution
Description: A buffer overflow existed in the handling of audio
sample tables.
CVE-ID
CVE-2012-0658 : Luigi Auriemma working with HP's Zero Day Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted MPEG file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of MPEG
files.
CVE-ID
CVE-2012-0659 : An anonymous researcher working with HP's Zero Day
Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted MPEG file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer underflow existed in the handling of MPEG
files.
CVE-ID
CVE-2012-0660 : Justin Kim at Microsoft and Microsoft Vulnerability
Research
QuickTime
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue existed in the handling of
JPEG2000 encoded movie files. This issue does not affect systems
prior to OS X Lion.
CVE-ID
CVE-2012-0661 : Damian Put working with HP's Zero Day Initiative
Security Framework
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: An integer overflow existed in the Security framework.
Processing untrusted input with the Security framework could result
in memory corruption. This issue does not affect 32-bit processes.
CVE-ID
CVE-2012-0662 : aazubel working with HP's Zero Day Initiative
Time Machine
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: A remote attacker may access a user's Time Machine backup
credentials
Description: The user may designate a Time Capsule or remote AFP
volume attached to an AirPort Base Station to be used for Time
Machine backups. Beginning with AirPort Base Station and Time Capsule
Firmware Update 7.6, Time Capsules and Base Stations support a secure
SRP-based authentication mechanism over AFP. However, Time Machine
did not require that the SRP-based authentication mechanism was used
for subsequent backup operations, even if Time Machine was initially
configured or had ever contacted a Time Capsule or Base Station that
supported it. An attacker who is able to spoof the remote volume
could gain access to user's Time Capsule credentials, although not
backup data, sent by the user's system. This issue is addressed by
requiring use of the SRP-based authentication mechanism if the backup
destination has ever supported it.
CVE-ID
CVE-2012-0675 : Renaud Deraison of Tenable Network Security, Inc.
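The libsecurity entry for CVE-2012-0655 above describes the fix as rejecting RSA keys of less than 1024 bits. The following added example (not Apple's code; all function names are hypothetical) applies that minimum to a DER-encoded PKCS#1 RSAPublicKey, the structure a certificate carries inside its SubjectPublicKeyInfo, rather than to a whole certificate. The sample keys are constructed inline and are not usable RSA keys.

```python
MIN_RSA_BITS = 1024  # threshold stated in the fix description above

def read_tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        count = length & 0x7F
        if not 1 <= count <= 4 or pos + count > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(key_der):
    """Modulus size of a PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e }."""
    tag, body, _ = read_tlv(key_der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_bytes, _ = read_tlv(body)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    # bit_length() skips the 0x00 sign byte DER prepends when the top bit is set,
    # so a 1024-bit modulus stored in 129 bytes is not misread as 1032 bits.
    return int.from_bytes(n_bytes, "big").bit_length()

def accept_rsa_key(key_der, min_bits=MIN_RSA_BITS):
    try:
        return rsa_modulus_bits(key_der) >= min_bits
    except ValueError:
        return False                        # fail closed on unparseable input

def der(tag, value):  # minimal DER encoder, used only to build the constructed samples
    size = len(value)
    if size < 0x80:
        return bytes([tag, size]) + value
    size_bytes = size.to_bytes((size.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size_bytes)]) + size_bytes + value

def sample_key(bits):
    """Constructed RSAPublicKey of the given modulus size (not a usable key)."""
    n = (1 << (bits - 1)) | 1
    return der(0x30, der(0x02, n.to_bytes(bits // 8 + 1, "big")) + der(0x02, b"\x01\x00\x01"))

print({b: accept_rsa_key(sample_key(b)) for b in (512, 1023, 1024, 2048)})
```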