-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0392
          OS X Mountain Lion v10.8.3 and Security Update 2013-001
                               15 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OS X Mountain Lion
Publisher:         Apple
Operating System:  OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Access Privileged Data          -- Remote/Unauthenticated      
                   Modify Arbitrary Files          -- Console/Physical            
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0976 CVE-2013-0973 CVE-2013-0971
                   CVE-2013-0970 CVE-2013-0969 CVE-2013-0967
                   CVE-2013-0966 CVE-2013-0963 CVE-2013-0333
                   CVE-2013-0156 CVE-2012-3756 CVE-2012-3749
                   CVE-2012-3525 CVE-2012-3489 CVE-2012-3488
                   CVE-2012-2088 CVE-2011-3058 

Reference:         ASB-2013.0030
                   ASB-2012.0045
                   ESB-2013.0200
                   ESB-2013.0149
                   ESB-2013.0124
                   ESB-2013.0059

Original Bulletin: 
   http://support.apple.com/kb/HT1222

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2013-03-14-1 OS X Mountain Lion v10.8.3 and Security Update
2013-001

OS X Mountain Lion v10.8.3 and Security Update 2013-001 is now
available and addresses the following:

Apache
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact:  An attacker may be able to access directories that are
protected with HTTP authentication without knowing the correct
credentials
Description:  A canonicalization issue existed in the handling of
URIs with ignorable Unicode character sequences. This issue was
addressed by updating mod_hfs_apple to forbid access to URIs with
ignorable Unicode character sequences.
CVE-ID
CVE-2013-0966 : Clint Ruoho of Laconic Security
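
As an added illustration of the check the Apache fix describes (this is not Apple's mod_hfs_apple code), the Python below refuses any request path whose percent-decoded form contains a code point that HFS+ name comparison ignores, before an HTTP-authentication prefix rule is consulted. The ignorable set is taken from Apple TN1150's HFS+ comparison rules, and the case-insensitive NFD comparison is an assumption about the default volume format.

```python
import unicodedata
from typing import Optional
from urllib.parse import unquote

# Code points the HFS+ name comparison skips (Apple TN1150's FastUnicodeCompare
# table). Assumption: these are the "ignorable Unicode character sequences"
# the advisory says mod_hfs_apple now forbids.
HFS_IGNORABLE = frozenset(
    [*range(0x200C, 0x2010), *range(0x202A, 0x202F), *range(0x206A, 0x2070), 0xFEFF]
)


def decode_path(raw: str) -> Optional[str]:
    """Percent-decode a request path; None if the bytes are not valid UTF-8."""
    try:
        return unquote(raw, errors="strict")
    except UnicodeDecodeError:
        return None


def strip_ignorable(path: str) -> str:
    """The name as HFS+ would compare it: ignorable code points dropped."""
    return "".join(ch for ch in path if ord(ch) not in HFS_IGNORABLE)


def hfs_key(path: str) -> str:
    """Comparison key for a case-insensitive HFS+ volume (NFD, case-folded)."""
    return unicodedata.normalize("NFD", path).casefold()


def authz_decision(raw_path: str, protected_prefixes) -> str:
    """Return 'forbid', 'auth-required' or 'allow' for one request path.

    Mirrors the fix the advisory describes: a path carrying any ignorable
    sequence is refused outright (fail closed, as is undecodable input), so
    the prefix check that follows can never be fooled by a name that differs
    only in characters the file system drops when it resolves the name.
    """
    decoded = decode_path(raw_path)
    if decoded is None or decoded != strip_ignorable(decoded):
        return "forbid"
    key = hfs_key(decoded)
    if any(key.startswith(hfs_key(p)) for p in protected_prefixes):
        return "auth-required"
    return "allow"
```

Refusing the request is preferable to silently stripping the characters: the web server then never has to guess exactly which sequences the underlying file system ignores.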

CoreTypes
Available for:  OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact:  Visiting a maliciously crafted website could allow a Java
Web Start application to be launched automatically even if the Java
plug-in is disabled
Description:  Java Web Start applications would run even if the Java
plug-in was disabled. This issue was addressed by removing JNLP files
from the CoreTypes safe file type list, so the Web Start application
will not be run unless the user opens it in the Downloads directory.
CVE-ID
CVE-2013-0967

International Components for Unicode
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact:  Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description:  A canonicalization issue existed in the handling of the
EUC-JP encoding, which could lead to a cross-site scripting attack on
EUC-JP encoded websites. This issue was addressed by updating the
EUC-JP mapping table.
CVE-ID
CVE-2011-3058 : Masato Kinugawa

Identity Services
Available for:  OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact:  Authentication relying on certificate-based Apple ID
authentication may be bypassed
Description:  An error handling issue existed in Identity Services.
If the user's AppleID certificate failed to validate, the user's
AppleID was assumed to be the empty string. If multiple systems
belonging to different users enter this state, applications relying
on this identity determination may erroneously extend trust. This
issue was addressed by ensuring that NULL is returned instead of an
empty string.
CVE-ID
CVE-2013-0963
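
The trust fault described above, as an added example that is not Apple's Identity Services code: the pre-fix lookup returns "" when certificate validation fails, so two unrelated systems in that state compare as the same principal, while the post-fix lookup returns None (standing in for NULL), which never matches anything. The peer names and AppleID subjects are constructed.

```python
from typing import Callable, List, Optional, Tuple

# (system name, did the AppleID certificate validate?, AppleID in the cert)
Peer = Tuple[str, bool, str]


def apple_id_pre_fix(cert_valid: bool, subject: str) -> str:
    """Pre-fix behaviour: a failed validation collapses to the empty string."""
    return subject if cert_valid else ""


def apple_id_post_fix(cert_valid: bool, subject: str) -> Optional[str]:
    """Post-fix behaviour: a failed validation yields no identity at all."""
    return subject if cert_valid else None


def same_principal(a: Optional[str], b: Optional[str]) -> bool:
    """Identity comparison as a relying application would do it.

    None never matches, but "" == "" is True: that is exactly how the
    empty-string sentinel made unrelated systems look like one user.
    """
    return a is not None and b is not None and a == b


def erroneously_trusted(
    peers: List[Peer], lookup: Callable[[bool, str], Optional[str]]
) -> List[Tuple[str, str]]:
    """Pairs of distinct systems the application would treat as the same user."""
    ids = {name: lookup(valid, subject) for name, valid, subject in peers}
    names = list(ids)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if same_principal(ids[x], ids[y])]


# Constructed sample: two different users whose AppleID certificates failed
# to validate, plus one whose certificate validated.
PEERS: List[Peer] = [
    ("alice-mac", True, "alice@example.com"),
    ("bob-mac", False, "bob@example.com"),
    ("mallory-mac", False, "mallory@example.com"),
]
```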

ImageIO
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact:  Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in libtiff's handling of TIFF
images. This issue was addressed through additional validation of
TIFF images.
CVE-ID
CVE-2012-2088

IOAcceleratorFamily
Available for:  OS X Mountain Lion v10.8 to v10.8.2
Impact:  Viewing a maliciously crafted image may lead to an
unexpected system termination or arbitrary code execution
Description:  A memory corruption issue existed in the handling of
graphics data. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-0976 : an anonymous researcher

Kernel
Available for:  OS X Mountain Lion v10.8 to v10.8.2
Impact:  Maliciously crafted or compromised applications may be able
to determine addresses in the kernel
Description:  An information disclosure issue existed in the handling
of APIs related to kernel extensions. Responses containing an
OSBundleMachOHeaders key may have included kernel addresses, which
may aid in bypassing address space layout randomization protection.
This issue was addressed by unsliding the addresses before returning
them.
CVE-ID
CVE-2012-3749 : Mark Dowd of Azimuth Security, Eric Monti of Square,
and additional anonymous researchers

Login Window
Available for:  OS X Mountain Lion v10.8 to v10.8.2
Impact:  An attacker with keyboard access may modify the system
configuration
Description:  A logic error existed in VoiceOver's handling of the
Login Window, whereby an attacker with access to the keyboard could
launch System Preferences and modify the system configuration. This
issue was addressed by preventing VoiceOver from launching
applications at the Login Window.
CVE-ID
CVE-2013-0969 : Eric A. Schulman of Purpletree Labs

Messages
Available for:  OS X Mountain Lion v10.8 to v10.8.2
Impact:  Clicking a link from Messages may initiate a FaceTime call
without prompting
Description:  Clicking on a specifically-formatted FaceTime:// URL in
Messages could bypass the standard confirmation prompt. This issue
was addressed by additional validation of FaceTime:// URLs.
CVE-ID
CVE-2013-0970 : Aaron Sigel of vtty.com

Messages Server
Available for:  Mac OS X Server 10.6.8,
OS X Lion Server v10.7 to v10.7.5
Impact:  A remote attacker may reroute federated Jabber messages
Description:  An issue existed in the Jabber server's handling of
dialback result messages. An attacker may cause the Jabber server to
disclose information intended for users of federated servers. This
issue was addressed through improved handling of dialback result
messages.
CVE-ID
CVE-2012-3525

PDFKit
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact:  Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A use after free issue existed in the handling of ink
annotations in PDF files. This issue was addressed through improved
memory management.
CVE-ID
CVE-2013-0971 : Tobias Klein working with HP TippingPoint's Zero Day
Initiative

Podcast Producer Server
Available for:  Mac OS X Server 10.6.8,
OS X Lion Server v10.7 to v10.7.5
Impact:  A remote attacker may be able to cause arbitrary code
execution
Description:  A type casting issue existed in Ruby on Rails' handling
of XML parameters. This issue was addressed by disabling XML
parameters in the Rails implementation used by Podcast Producer
Server.
CVE-ID
CVE-2013-0156

Podcast Producer Server
Available for:  OS X Lion Server v10.7 to v10.7.5
Impact:  A remote attacker may be able to cause arbitrary code
execution
Description:  A type casting issue existed in Ruby on Rails' handling
of JSON data. This issue was addressed by switching to using the
JSONGem backend for JSON parsing in the Rails implementation used by
Podcast Producer Server.
CVE-ID
CVE-2013-0333

PostgreSQL
Available for:  Mac OS X Server 10.6.8,
OS X Lion Server v10.7 to v10.7.5
Impact:  Multiple vulnerabilities in PostgreSQL
Description:  PostgreSQL was updated to version 9.1.5 to address
multiple vulnerabilities, the most serious of which may allow
database users to read files from the file system with the privileges
of the database server role account. Further information is available
via the PostgreSQL web site at
http://www.postgresql.org/docs/9.1/static/release-9-1-5.html
CVE-ID
CVE-2012-3488
CVE-2012-3489

Profile Manager
Available for:  OS X Lion Server v10.7 to v10.7.5
Impact:  A remote attacker may be able to cause arbitrary code
execution
Description:  A type casting issue existed in Ruby on Rails' handling
of XML parameters. This issue was addressed by disabling XML
parameters in the Rails implementation used by Profile Manager.
CVE-ID
CVE-2013-0156

QuickTime
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of 'rnet'
boxes in MP4 files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2012-3756 : Kevin Szkudlapski of QuarksLab

Ruby
Available for:  Mac OS X Server 10.6.8
Impact:  A remote attacker may be able to cause arbitrary code
execution if a Rails application is running
Description:  A type casting issue existed in Ruby on Rails' handling
of XML parameters. This issue was addressed by disabling YAML and
symbols in XML parameters in Rails.
CVE-ID
CVE-2013-0156

Security
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact:  An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description:  Several intermediate CA certificates were mistakenly
issued by TURKTRUST. This may allow a man-in-the-middle attacker to
redirect connections and intercept user credentials or other
sensitive information. This issue was addressed by not allowing the
incorrect SSL certificates.

Software Update
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5
Impact:  An attacker with a privileged network position may be able
to cause arbitrary code execution
Description:  Software Update allowed a man in the middle attacker to
insert plugin content into the marketing text displayed for updates.
This may allow the exploitation of a vulnerable plugin, or facilitate
social engineering attacks involving plugins. This issue does not
affect OS X Mountain Lion systems. This issue was addressed by
preventing plugins from being loaded in Software Update's marketing
text WebView.
CVE-ID
CVE-2013-0973 : Emilio Escobar

Wiki Server
Available for:  OS X Lion Server v10.7 to v10.7.5
Impact:  A remote attacker may be able to cause arbitrary code
execution
Description:  A type casting issue existed in Ruby on Rails' handling
of XML parameters. This issue was addressed by disabling XML
parameters in the Rails implementation used by Wiki Server.
CVE-ID
CVE-2013-0156

Wiki Server
Available for:  OS X Lion Server v10.7 to v10.7.5
Impact:  A remote attacker may be able to cause arbitrary code
execution
Description:  A type casting issue existed in Ruby on Rails' handling
of JSON data. This issue was addressed by switching to using the
JSONGem backend for JSON parsing in the Rails implementation used by
Wiki Server.
CVE-ID
CVE-2013-0333

Malware removal
Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Description:  This update runs a malware removal tool that will
remove the most common variants of malware. If malware is found, it
presents a dialog notifying the user that malware was removed. There
is no indication to the user if malware is not found.


Note: OS X Mountain Lion v10.8.3 includes the content of
Safari 6.0.3. For further details see "About the security content
of Safari 6.0.3" at http://support.apple.com/kb/HT5671

OS X Mountain Lion v10.8.3 and Security Update 2013-001 may be
obtained from the Software Update pane in System Preferences,
or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
OS X Mountain Lion v10.8.3, or Security Update
2013-001.

For OS X Mountain Lion v10.8.2
The download file is named: OSXUpd10.8.3.dmg
Its SHA-1 digest is: e6165572e9145ea05aac23fa30372a9b0a0bbf3c

For OS X Mountain Lion v10.8 and v10.8.1
The download file is named: OSXUpdCombo10.8.3.dmg
Its SHA-1 digest is: 1bc49fde5ff6e252aa7908b4cb1f9cb9c8a5fa29

For OS X Lion v10.7.5
The download file is named: SecUpd2013-001.dmg
Its SHA-1 digest is: 5bc540a208c720fce3448f853d852336781e1a17

For OS X Lion Server v10.7.5
The download file is named: SecUpdSrvr2013-001.dmg
Its SHA-1 digest is: e88ff36fc8e88c4c995422d3f2364c56ebe51b07

For Mac OS X v10.6.8
The download file is named: SecUpd2013-001.dmg
Its SHA-1 digest is: dc52d0f7d2db6080c57c7b9252a4d85c5e178450

For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2013-001.dmg
Its SHA-1 digest is: fd7946f8d1f1bce0394b6e56c8d7387812e14694

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----