Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.
1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset.
NOTE: This vulnerability does not affect Mac OS X 10.6.
2) An error within App Store may lead to a user's AppleID password being logged to a local file.
3) An unspecified error in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded.
4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks.
5) An integer overflow error within the ColorSync component when handling the ncl2 tag can be exploited to cause a heap-based buffer overflow and potentially execute arbitrary code via a specially crafted image.
6) An off-by-one error within the CoreFoundation framework when handling CFStrings can be exploited to execute arbitrary code.
7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file.
8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files.
9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow.
10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow.
11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow.
12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset.
13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption.
14) An error within libxslt can be exploited to disclose certain addresses from the heap.
For more information see vulnerability #2 in: SA43832
15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks.
16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL.
19) An indexing error in the OfficeImport framework when processing certain records in a Microsoft Word file can be exploited to dereference an invalid function pointer and may allow execution of arbitrary code.
NOTE: This vulnerability only affects Mac OS X 10.6.
20) An integer overflow error in QuickTime when parsing a fmt chunk in RIFF WAV files can be exploited to cause a buffer overflow and execute arbitrary code via a specially crafted WAV file.
21) An error within QuickTime when processing sample tables in QTVR files can be exploited to corrupt memory, which may allow execution of arbitrary code.
22) An integer overflow error in QuickTime when parsing the sample description of the alac (Apple Lossless Audio) codec can be exploited to cause a buffer overflow via a specially crafted audio file.
23) An array indexing error in QuickTime when parsing a Matrix structure within PICT image files can be exploited to cause a buffer overflow and execute arbitrary code.
24) An input validation error in QuickTime when processing the frame screen dimension value in certain files (e.g. MOV, MP4, and JPG) can be exploited to cause a buffer overflow.
25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba.
Provided and/or discovered by: 1, 26) Reported by the vendor
5) binaryproof via ZDI
9) Dominic Chell, NGS Secure
19) Tobias Klein via iDefense
20) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
22) Luigi Auriemma and Damian Put via ZDI
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense
The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team
8) team karlkani
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com
Original Advisory: Apple Security Update 2011-004:
Do you have additional information related to this advisory?
Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this
information to firstname.lastname@example.org