ESB-2012.0707 - [OSX] Xcode: Access privileged data - Remote/unauthenticated

Date: 26 July 2012
References: ESB-2011.0979  ESB-2011.1033  ESB-2011.1032  ASB-2011.0092  ESB-2011.1126  ESB-2012.0114  ESB-2012.0458  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0707
                      APPLE-SA-2012-07-25-2 Xcode 4.4
                               26 July 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Xcode
Publisher:        Apple
Operating System: Mac OS X
Impact/Access:    Access Privileged Data -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2012-3698 CVE-2011-3389 

Reference:        ESB-2012.0458
                  ESB-2012.0114
                  ASB-2011.0092
                  ESB-2011.1126
                  ESB-2011.1033
                  ESB-2011.1032
                  ESB-2011.0979

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2012-07-25-2 Xcode 4.4

Xcode 4.4 is now available and addresses the following:

neon
Available for:  OS X Lion v10.7.4 and later
Impact:  An attacker may be able to decrypt data protected by SSL
Description:  There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
The neon library (used by Subversion) disabled the 'empty fragment'
countermeasure which prevented these attacks. This issue is addressed
by enabling the countermeasure.
CVE-ID
CVE-2011-3389

Xcode
Available for:  OS X Lion v10.7.4 and later
Impact:  Helper tools built with Xcode allow any App Store
application to read their keychain entries
Description:  All signed programs contain a designated requirement
(DR) which states, from the perspective of the developer of the
program, what constraints a program needs to satisfy in order to be
considered an instance of this program. When a Developer ID was used
with Xcode to sign a product that did not have a bundle identifier,
such as a command-line tool or an embedded helper, the generated DR
for the product did not include the developer's ID in the part of the
DR that applies to apps signed by the App Store. As a result, any App
Store app may have accessed keychain items created by the product.
This is addressed by generating a DR with improved checks. Affected
products need to be re-signed with this version of Xcode to include
the improved DR.
CVE-ID
CVE-2012-3698

Xcode 4.4 may be obtained from the Downloads section of the
Apple Developer Connection Member site:  http://developer.apple.com/
Login is required, and membership is free.

Xcode 4.4 is also available from the App Store. It is free to anyone
with OS X 10.7.x Lion and later.

The download file is named: "xcode446938108a.dmg"
Its SHA-1 digest is: d04393543564f85c2f4d82e507d596d3070e9aba

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----