Operating System:

[OSX]

Published:

20 September 2012

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0899
OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and Security Update 2012-004
                             20 September 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          OS X
Publisher:        Apple
Operating System: Mac OS X
Impact/Access:    Execute Arbitrary Code/Commands -- Remote with User Interaction
                  Access Privileged Data          -- Remote/Unauthenticated      
                  Denial of Service               -- Remote/Unauthenticated      
                  Access Confidential Data        -- Remote/Unauthenticated      
Resolution:       Patch/Upgrade
CVE Names:        CVE-2012-3723 CVE-2012-3722 CVE-2012-3721
                  CVE-2012-3720 CVE-2012-3719 CVE-2012-3718
                  CVE-2012-3716 CVE-2012-2688 CVE-2012-2386
                  CVE-2012-2311 CVE-2012-2143 CVE-2012-1823
                  CVE-2012-1667 CVE-2012-1173 CVE-2012-1172
                  CVE-2012-0831 CVE-2012-0671 CVE-2012-0670
                  CVE-2012-0668 CVE-2012-0652 CVE-2012-0650
                  CVE-2012-0643 CVE-2012-0053 CVE-2012-0031
                  CVE-2012-0021 CVE-2011-4599 CVE-2011-4317
                  CVE-2011-4313 CVE-2011-3607 CVE-2011-3389
                  CVE-2011-3368 CVE-2011-3048 CVE-2011-3026

Reference:        ASB-2012.0105
                  ASB-2012.0103
                  ASB-2012.0093
                  ASB-2012.0070
                  ASB-2012.0066
                  ASB-2012.0047
                  ASB-2012.0027
                  ASB-2012.0025
                  ESB-2012.0528
                  ESB-2012.0527
                  ESB-2012.0518
                  ESB-2012.0346
                  ESB-2012.0257
                  ESB-2012.0178
                  ESB-2012.0114
                  ESB-2012.0101
                  ASB-2011.0111
                  ASB-2011.0102
                  ASB-2011.0092
                  ESB-2011.1032
                  ESB-2011.1249.2

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2012-09-19-2 OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and
Security Update 2012-004

OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and Security Update
2012-004 are now available and address the following:

Apache
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact:  Multiple vulnerabilities in Apache
Description:  Apache is updated to version 2.2.22 to address several
vulnerabilities, the most serious of which may lead to a denial of
service. Further information is available via the Apache web site at
http://httpd.apache.org/. This issue does not affect OS X Mountain
Lion systems.
CVE-ID
CVE-2011-3368
CVE-2011-3607
CVE-2011-4317
CVE-2012-0021
CVE-2012-0031
CVE-2012-0053

BIND
Available for:  OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact:  A remote attacker may be able to cause a denial of service
in systems configured to run BIND as a DNS nameserver
Description:  A reachable assertion issue existed in the handling of
DNS records. This issue was addressed by updating to BIND 9.7.6-P1.
This issue does not affect OS X Mountain Lion systems.
CVE-ID
CVE-2011-4313

BIND
Available for:  OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4,
OS X Mountain Lion v10.8 and v10.8.1
Impact:  A remote attacker may be able to cause a denial of service,
data corruption, or obtain sensitive information from process memory
in systems configured to run BIND as a DNS nameserver
Description:  A memory management issue existed in the handling of
DNS records. This issue was addressed by updating to BIND 9.7.6-P1 on
OS X Lion systems, and BIND 9.8.3-P1 on OS X Mountain Lion systems.
CVE-ID
CVE-2012-1667

CoreText
Available for:  OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact:  Applications that use CoreText may be vulnerable to an
unexpected application termination or arbitrary code execution
Description:  A bounds checking issue existed in the handling of text
glyphs, which may lead to out of bounds memory reads or writes. This
issue was addressed through improved bounds checking. This issue does
not affect Mac OS X v10.6 or OS X Mountain Lion systems.
CVE-ID
CVE-2012-3716 : Jesse Ruderman of Mozilla Corporation

Data Security
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4,
OS X Mountain Lion v10.8 and v10.8.1
Impact:  An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description:  TrustWave, a trusted root CA, has issued, and
subsequently revoked, a sub-CA certificate from one of its trusted
anchors. This sub-CA facilitated the interception of communications
secured by Transport Layer Security (TLS). This update adds the
involved sub-CA certificate to OS X's list of untrusted certificates.

DirectoryService
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact:  If the DirectoryService Proxy is used, a remote attacker may
cause a denial of service or arbitrary code execution
Description:  A buffer overflow existed in the DirectoryService
Proxy. This issue was addressed through improved bounds checking.
This issue does not affect OS X Lion and Mountain Lion systems.
CVE-ID
CVE-2012-0650 : aazubel working with HP's Zero Day Initiative

ImageIO
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact:  Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images. These issues do not affect OS X Mountain
Lion systems.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048

ImageIO
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact:  Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2012-1173 : Alexander Gavrun working with HP's Zero Day
Initiative

Installer
Available for:  OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact:  Remote admins and persons with physical access to the system
may obtain account information
Description:  The fix for CVE-2012-0652 in OS X Lion 10.7.4 prevented
user passwords from being recorded in the system log, but did not
remove the old log entries. This issue was addressed by deleting log
files that contained passwords. This issue does not affect Mac OS X
10.6 or OS X Mountain Lion systems.
CVE-ID
CVE-2012-0652

International Components for Unicode
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact:  Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description:  A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking. This issue does not affect OS X Mountain Lion systems.
CVE-ID
CVE-2011-4599

Kernel
Available for:  OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact:  A malicious program could bypass sandbox restrictions
Description:  A logic issue existed in the handling of debug system
calls. This may allow a malicious program to gain code execution in
other programs with the same user privileges. This issue was
addressed by disabling handling of addresses in PT_STEP and
PT_CONTINUE. This issue does not affect OS X Mountain Lion systems.
CVE-ID
CVE-2012-0643 : iOS Jailbreak Dream Team

LoginWindow
Available for:  OS X Mountain Lion v10.8 and v10.8.1
Impact:  A local user may be able to obtain other user's login
passwords
Description:  A user-installed input method could intercept password
keystrokes from Login Window or Screen Saver Unlock. This issue was
addressed by preventing user-installed methods from being used when
the system is handling login information.
CVE-ID
CVE-2012-3718 : An anonymous researcher

Mail
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact:  Viewing an e-mail message may lead to execution of web
plugins
Description:  An input validation issue existed in Mail's handling of
embedded web plugins. This issue was addressed by disabling third-
party plug-ins in Mail. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2012-3719 : Will Dormann of the CERT/CC

Mobile Accounts
Available for:  OS X Mountain Lion v10.8 and v10.8.1
Impact:  A user with access to the contents of a mobile account may
obtain the account password
Description:  Creating a mobile account saved a hash of the password
in the account, which was used to login when the mobile account was
used as an external account. The password hash could be used to
determine the user's password. This issue was addressed by creating
the password hash only if external accounts are enabled on the system
where the mobile account is created.
CVE-ID
CVE-2012-3720 : Harald Wagener of Google, Inc.

PHP
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4,
OS X Mountain Lion v10.8 and v10.8.1
Impact:  Multiple vulnerabilities in PHP
Description:  >PHP is updated to version 5.3.15 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the PHP web site at
http://www.php.net
CVE-ID
CVE-2012-0831
CVE-2012-1172
CVE-2012-1823
CVE-2012-2143
CVE-2012-2311
CVE-2012-2386
CVE-2012-2688

PHP
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact:  PHP scripts which use libpng may be vulnerable to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in the handling of
PNG files. This issue was addressed by updating PHP's copy of libpng
to version 1.5.10. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2011-3048

Profile Manager
Available for:  OS X Lion Server v10.7 to v10.7.4
Impact:  An unauthenticated user could enumerate managed devices
Description:  An authentication issue existed in the Device
Management private interface. This issue was addressed by removing
the interface. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2012-3721 : Derick Cassidy of XEquals Corporation

QuickLook
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact:  Viewing a maliciously crafted .pict file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in the handling of
.pict files. This issue was addressed through improved validation of
.pict files. This issue does not affect OS X Mountain Lion systems.
CVE-ID
CVE-2012-0671 : Rodrigo Rubira Branco (twitter.com/bsdaemon) from the
Qualys Vulnerability & Malware Research Labs (VMRL)

QuickTime
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer overflow existed in QuickTime's handling of
sean atoms. This issue was addressed through improved bounds
checking. This issue does not affect OS X Mountain Lion systems.
CVE-ID
CVE-2012-0670 : Tom Gallagher (Microsoft) and Paul Bates (Microsoft)
working with HP's Zero Day Initiative

QuickTime
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization. This issue does not affect OS X
Mountain Lion systems.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC

QuickTime
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of RLE
encoded movie files. This issue was addressed through improved bounds
checking. This issue does not affect OS X Mountain Lion systems.
CVE-ID
CVE-2012-0668 : Luigi Auriemma working with HP's Zero Day Initiative

Ruby
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
Impact:  An attacker may be able to decrypt data protected by SSL
Description:  There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
The Ruby OpenSSL module disabled the 'empty fragment' countermeasure
which prevented these attacks. This issue was addressed by enabling
empty fragments. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2011-3389

USB
Available for:  OS X Lion v10.7 to v10.7.4,
OS X Lion Server v10.7 to v10.7.4
Impact:  Attaching a USB device may lead to an unexpected system
termination or arbitrary code execution
Description:  A memory corruption issue existed in the handling of
USB hub descriptors. This issue was addressed through improved
handling of the bNbrPorts descriptor field. This issue does not
affect OS X Mountain Lion systems.
CVE-ID
CVE-2012-3723 : Andy Davis of NGS Secure

Note: OS X Mountain Lion v10.8.2 includes the content of
Safari 6.0.1. For further details see "About the security content
of Safari 6.0.1" at http://http//support.apple.com/kb/HT5502


OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and Security Update
2012-004 may be obtained from the Software Update pane in System
Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 or Security Update
2012-004.

For OS X Mountain Lion v10.8.1
The download file is named: OSXUpd10.8.2.dmg
Its SHA-1 digest is: d6779e1cc748b78af0207499383b1859ffbebe33

For OS X Mountain Lion v10.8
The download file is named: OSXUpdCombo10.8.2.dmg
Its SHA-1 digest is: b08f10233d362e39f20b69f91d1d73f5e7b68a2c

For OS X Lion v10.7.4
The download file is named: MacOSXUpd10.7.5.dmg
Its SHA-1 digest is: e0a9582cce9896938a7a541bd431862d93893532

For OS X Lion v10.7 and v10.7.3
The download file is named: MacOSXUpdCombo10.7.5.dmg
Its SHA-1 digest is: f7a26b164fa10dae4fe646e57b01c34a619c8d9b

For OS X Lion Server v10.7.4
The download file is named: MacOSXServerUpd10.7.5.dmg
Its SHA-1 digest is: a891b03bfb4eecb745c0c39a32f39960fdb6796a

For OS X Lion Server v10.7 and v10.7.3
The download file is named: MacOSXServerUpdCombo10.7.5.dmg
Its SHA-1 digest is: df6e1748ab0a3c9e05c890be49d514673efd965e

For Mac OS X v10.6.8
The download file is named: SecUpd2012-004.dmg
Its SHA-1 digest is: 5b136e29a871d41012f0c6ea1362d6210c8b4fb7

For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-004.dmg
Its SHA-1 digest is: 9b24496be15078e58a88537700f2f39c112e3b28

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJQWhlbAAoJEPefwLHPlZEwwjwQAKrpQlZh1B2mkSTLxR7QZg6e
Qm7SmIZL9sjl5gQkTxoAvOGxJ8uRdYPlJ1IpyU/MbK0GqO53KmFSeKkwCnvLKMaW
pc6tiFaQ4zV4LEAwBAFEuqCsMyPEJqKDhYXl2cHQmWfAlrLCyCKfzGLy2mY2UnkE
DQC2+ys70DChFv2GzyXlibBXAGMKDygJ5dVKynsi1ceZLYWbUJoGwlUtXPylBpnO
QyGWXmEloPbhK6HJbKMNacuDdVcb26pvIeFiivkTSxPVlZ3ns2tAwEyvHrzA9O4n
7rQ6jvfDbguOZmM5sPFvVKBw2GVDBNU+G3T8ouIXhk6Pjhr4in8VFCb8MIMLb8hm
7YYn2z1TzKTNmUuYbwe6ukQvf57cPuW0bAvslbl6PgrzqorlNPU4rDoSvPrJx/RO
BOYkcxfirevHDGibfkeqXPjL3h+bVrb1USZpAv+ZOAy0M89SHFcvMtpAhxnoGiV5
w4EyKB+9Yi/CSAk2Ne3Y5kHH7/v3pWV68aJwhVirya7ex3vnJ+M+lRLKSm2BUjL3
+9fykrJBDujFDXoCmK5CN5Wx36DSVZ4VO1h635crotudtcvd+LQ2VHma/Chav5wK
q5SSllf4KEownpx6o/qTxpg5tcC4lvgTcsDHlYcNq2s8KTTjmOden8ar4h7M7QD2
xyBfrQfG/dsif6jGHaot
=8joH
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUFqCPu4yVqjM2NGpAQIarQ/9GgIe6oCa7DjqYAfk4PUHubc/Mej9Ly/3
ZVIOvN4v7pekZor6jY8I02rOihgyfVJSBK5Ds+TxdnjyVznq6iUcWDCXF8WU2KDF
BW3dAyai6PG+wm6+BC8iB7av3I5cLvFqu1iGE9KwQSVCleMhDaRO0cMJ2C4QK2po
c+Tn8p1Zo/SSJQqKdaecvqz3/ilYKEwOrfXrHl3xeVOiiYu4q9LNtAxB96SVaDq3
2CJ4eC8bZc89rSIEC3VB0TrCqhtxcMu5yVJ00N5HXRvQ+wLHuASayMpLupv/hUNr
+mkFV+Bpj8vOrzLhSDyJUQ7X7e6e6FsBDBvPIpkLhYGK+IHMra5gY8idSPRybMsL
T9FCWYjFZh5GURvlDoeMXHUURM5ATPjX0Cc9cYY3pu2moBwppS9q+Ua1KoFj8Szk
9l/G/IjV5RsetT6kdcD9XH0GREA2gpwLO9HldhO6B312fCj9oNcv08DuW2fXW9VI
Uyj8M3BBUQeBNB7XC9OMmC6R26IQzLBz2AlXkVFxTHORgxF5y0p7ydbF2ceKnXaS
ySD/zxQQPQWdTd+h4orI4pLRv3HAhcPA6z3rXE9HHgP8Z5RIctcZPFrdctRVAWy1
aJ7LljwbHbKD7a2uRdICVAAU7cfyF5QrFKDobexDazmRseQo5vpZVnSrxcDgkPgf
gkAJd8S36g4=
=zHiN
-----END PGP SIGNATURE-----