
Secunia Advisory SA43814

Apple Mac OS X Multiple Vulnerabilities
Release Date 2011-03-22
Last Update 2011-07-05
   

Criticality level Highly critical
Impact Security Bypass
Cross Site Scripting
Spoofing
Exposure of system information
Exposure of sensitive information
Privilege escalation
DoS
System access
Where From remote
Solution Status Vendor Patch
   
   
   
Operating System
Apple Macintosh OS X

CVE Reference(s)
CVE-2006-7243
CVE-2010-0405
CVE-2010-1323
CVE-2010-1324
CVE-2010-1452
CVE-2010-2068
CVE-2010-2950
CVE-2010-3069
CVE-2010-3089
CVE-2010-3315
CVE-2010-3434
CVE-2010-3436
CVE-2010-3709
CVE-2010-3710
CVE-2010-3801
CVE-2010-3802
CVE-2010-3814
CVE-2010-3855
CVE-2010-3870
CVE-2010-4008
CVE-2010-4009
CVE-2010-4020
CVE-2010-4021
CVE-2010-4150
CVE-2010-4260
CVE-2010-4261
CVE-2010-4409
CVE-2010-4479
CVE-2010-4494
CVE-2011-0170
CVE-2011-0172
CVE-2011-0173
CVE-2011-0174
CVE-2011-0175
CVE-2011-0176
CVE-2011-0177
CVE-2011-0178
CVE-2011-0179
CVE-2011-0180
CVE-2011-0181
CVE-2011-0182
CVE-2011-0183
CVE-2011-0184
CVE-2011-0186
CVE-2011-0187
CVE-2011-0188
CVE-2011-0189
CVE-2011-0190
CVE-2011-0191
CVE-2011-0192
CVE-2011-0193
CVE-2011-0194
CVE-2011-1417
  

Description

Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) A divide-by-zero error in AirPort when handling Wi-Fi frames can be exploited to cause a system reset.

2) Multiple vulnerabilities in Apache can be exploited by malicious people to disclose potentially sensitive information and by malicious users and malicious people to cause a DoS (Denial of Service).

For more information:
SA40206

3) A format string error within AppleScript Studio when handling certain commands via dialogs can be exploited to potentially execute arbitrary code.

4) An unspecified error in the handling of embedded OpenType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded.

5) Multiple unspecified errors in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded.

6) An error exists in the Type1Scaler library in Apple Type Services (ATS) when processing embedded Type 1 fonts. This can be exploited to cause a buffer overflow e.g. via a specially crafted file opened in Preview.

7) Multiple unspecified errors in the handling of SFNT tables in embedded fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded.

8) An integer overflow error in bzip2 can be exploited to terminate an application using the library or execute arbitrary code via a specially crafted archive.

For more information:
SA41452

9) An error within the "FSFindFolder()" API in CarbonCore when used with the "kTemporaryFolderType" flag can be exploited to disclose the contents of arbitrary directories.

10) Multiple errors in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

For more information:
SA41503
SA42426

11) An unspecified error in the handling of embedded fonts in CoreText can be exploited to corrupt memory when a specially crafted document is viewed or downloaded.

12) An integer overflow error within the handling of the F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be exploited to read certain raw data from the filesystem.

13) An error in ImageIO within the handling of JPEG files can be exploited to cause a heap-based buffer overflow.

14) An integer overflow error in ImageIO within the handling of XBM files can be exploited to potentially execute arbitrary code.

15) An error in libTIFF within the handling of JPEG encoded TIFF files can be exploited to cause a buffer overflow.

16) An error in libTIFF within the handling of CCITT Group 4 encoded TIFF files can be exploited to cause a buffer overflow.

17) A signedness error in ImageIO within the "copyImageBlockSetTiff()" function when handling JPEG encoded TIFF files can be exploited to cause a heap-based buffer overflow.

18) Multiple errors in the RawCamera library when handling Canon RAW image files (".CR2") can be exploited to cause buffer overflows.

19) An error in the Install Helper when handling URLs can be exploited to install an arbitrary agent by tricking the user into visiting a malicious website.

20) Multiple errors in Kerberos can be exploited by malicious users and malicious people to conduct spoofing attacks and bypass certain security features.

For more information:
SA37977
SA42396

21) An error within the "i386_set_ldt()" system call can be exploited by malicious, local users to execute arbitrary code with system privileges.

22) An integer truncation error within Libinfo when handling NFS RPC packets can be exploited to cause NFS RPC services to become unresponsive.

23) An error exists in the libxml library when traversing the XPath.

For more information:
SA42175

24) A double free error exists in the libxml library when handling XPath expressions.

For more information:
SA42721

25) Two errors in Mailman can be exploited by malicious users to conduct script insertion attacks.

For more information:
SA41265

26) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions and by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

For more information:
SA39573
SA41724

27) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions.

For more information:
SA41724

28) An error in the OfficeImport framework when processing records containing formulas shared between multiple cells can be exploited to corrupt memory and potentially execute arbitrary code.

29) A boundary error exists in QuickLook when parsing an OfficeArtMetafileHeader record in certain Microsoft Office files. This can be exploited to cause a buffer overflow and execute arbitrary code when e.g. a specially crafted document is opened via Safari.

30) Multiple unspecified errors in QuickTime when handling JPEG2000, FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to corrupt memory via specially crafted files.

31) An integer overflow error in QuickTime when handling certain movie files can be exploited to potentially execute arbitrary code when a specially crafted file is viewed.

32) An error within QuickTime plug-in when handling cross-site redirects can be exploited to disclose video data.

33) An integer truncation error within the Ruby BigDecimal class can be exploited to potentially execute arbitrary code.

This vulnerability only affects 64-bit Ruby processes.

34) A boundary error in Samba can be exploited by malicious people to potentially compromise a vulnerable system.

For more information:
SA41354

35) A security issue in Subversion can be exploited by malicious people to bypass certain security restrictions.

For more information:
SA41652

36) A weakness in Terminal causes SSH version 1 to be used as the default protocol version when connecting with ssh via the "New Remote Connection" dialog.

37) Some vulnerabilities in FreeType can be exploited to cause a DoS (Denial of Service) or potentially compromise an application using the library.

For more information:
SA41738


Solution
Update to version 10.6.7 or apply Security Update 2011-001.

Provided and/or discovered by
6) geekable via ZDI.
12) Dan Rosenberg, Virtual Security Research.
15, 16, 33) Reported by the vendor.
17) Dominic Chell, NGS Secure.
18) Paul Harrington, NGS Secure.
28) Tobias Klein via iDefense.
29) Charlie Miller and Dion Blazakis via ZDI.

The vendor credits:
3) Alexander Strange.
5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis Ormandy and Will Drewry of Google Security Team.
6) Felix Grobert, Google Security Team.
7) Marc Schoenefeld, Red Hat Security Response Team.
11) Christoph Diehl, Mozilla.
13) Andrzej Dyjak via iDefense.
14) Harry Sintonen.
19) Aaron Sigel, vtty.com.
21) Jeff Mears.
22) Peter Schwenk, University of Delaware.
30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability Discovery Team.
31) Honggang Ren, Fortinet's FortiGuard Labs.
32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR).
36) Matt Warren, HNW Inc.


Original Advisory
Apple:
http://support.apple.com/kb/HT4581

iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-108/
http://www.zerodayinitiative.com/advisories/ZDI-11-109/

NGS Secure:
http://archives.neohapsis.com/archives/bugtraq/2011-03/0208.html
http://archives.neohapsis.com/archives/bugtraq/2011-03/0202.html
http://archives.neohapsis.com/archives/bugtraq/2011-07/0036.html
http://archives.neohapsis.com/archives/bugtraq/2011-07/0037.html

VSR:
http://www.vsecurity.com/resources/advisory/20110322-1/



© 2002-2013 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144