Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) An error within AirPort when handling Wi-Fi frames can be exploited to trigger an out-of-bounds memory access and cause a system reset.

NOTE: This vulnerability does not affect Mac OS X 10.6.

2) An error within App Store may lead to a user's AppleID password being logged to a local file.

3) An unspecified error in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded.

4) An error within Certificate Trust Policy when handling an Extended Validation (EV) certificate with no OCSP URL can be exploited to disclose certain sensitive information via Man-in-the-Middle (MitM) attacks.

5) An integer overflow error within the ColorSync component when handling the ncl2 tag can be exploited to cause a heap-based buffer overflow and potentially execute arbitrary code via a specially crafted image.

6) An off-by-one error within the CoreFoundation framework when handling CFStrings can be exploited to execute arbitrary code.

7) An integer overflow error in CoreGraphics when handling PDF files containing Type 1 fonts can be exploited to cause a buffer overflow via a specially crafted PDF file.

8) A path validation error within xftpd can be exploited to perform a recursive directory listing and disclose the list of otherwise restricted files.

9) An error in ImageIO within the handling of TIFF files can be exploited to cause a heap-based buffer overflow.

10) An error in ImageIO within the handling of JPEG2000 files can be exploited to cause a heap-based buffer overflow.

11) An error within ICU (International Components for Unicode) when handling certain uppercase strings can be exploited to cause a buffer overflow.

12) A NULL pointer dereference error within the kernel when handling IPV6 socket options can be exploited to cause a system reset.

13) An error within Libsystem when using the glob(3) API can be exploited to cause a high CPU consumption.

14) An error within libxslt can be exploited to disclose certain addresses from the heap.

For more information see vulnerability #2 in:
SA43832

15) An error exists within MobileMe when determining a user's email aliases. This can be exploited to disclose a user's MobileMe email aliases via Man-in-the-Middle (MitM) attacks.

16) Some vulnerabilities are caused due to a vulnerable bundled version of MySQL.

For more information:
SA41048
SA41716

17) Some vulnerabilities are caused due to a vulnerable bundled version of OpenSSL.

For more information:
SA37291
SA38807
SA42243
SA42473
SA43227

18) A vulnerability is caused due to a vulnerable bundled version of GNU patch.

For more information:
SA43677

19) An indexing error in the OfficeImport framework when processing certain records in a Microsoft Word file can be exploited to dereference an invalid function pointer and may allow execution of arbitrary code.

NOTE: This vulnerability only affects Mac OS X 10.6.

20) An integer overflow error in QuickTime when parsing a fmt chunk in RIFF WAV files can be exploited to cause a buffer overflow and execute arbitrary code via a specially crafted WAV file.

21) An error within QuickTime when processing sample tables in QTVR files can be exploited to corrupt memory, which may allow execution of arbitrary code.

22) An integer overflow error in QuickTime when parsing the sample description of the alac (Apple Lossless Audio) codec can be exploited to cause a buffer overflow via a specially crafted audio file.

23) An array indexing error in QuickTime when parsing a Matrix structure within PICT image files can be exploited to cause a buffer overflow and execute arbitrary code.

24) An input validation error in QuickTime when processing the frame screen dimension value in certain files (e.g. MOV, MP4, and JPG) can be exploited to cause a buffer overflow.

25) Some vulnerabilities are caused due to a vulnerable bundled version of Samba.

For more information:
SA41354
SA43512

26) An error in servermgrd when handling XML-RPC requests can be exploited to disclose arbitrary files from the local resources.

27) A vulnerability is caused due to a vulnerable bundled version of subversion.

For more information:
SA43603

Solution
Update to version 10.6.8 or apply Security Update 2011-004.
Further details available to Secunia VIM customers

Provided and/or discovered by
1, 26) Reported by the vendor
5) binaryproof via ZDI
9) Dominic Chell, NGS Secure
19) Tobias Klein via iDefense
20) Luigi Auriemma via ZDI
21) Honggang Ren, Fortinet's FortiGuard Labs
22) Luigi Auriemma and Damian Put via ZDI
23) Subreption LLC via ZDI
24) Luigi Auriemma via iDefense

The vendor credits:
2) Paul Nelson
3) Marc Schoenefeld, Red Hat Security Response Team and Harry Sintonen
4) Chris Hawk and Wan-Teh Chang, Google
6) Harry Sintonen
7) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team
8) team karlkani
10) Harry Sintonen
11) David Bienvenu, Mozilla
12) Thomas Clement, Intego
13) Maksymilian Arciemowicz
14) Chris Evans, Google Chrome Security Team
15) Aaron Sigel, vtty.com

Changelog
Further details available to Secunia VIM customers

Original Advisory
Apple Security Update 2011-004:
http://support.apple.com/kb/HT4723

Fortinet's FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-22.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-228/
http://www.zerodayinitiative.com/advisories/ZDI-11-229/
http://www.zerodayinitiative.com/advisories/ZDI-11-230/
http://www.zerodayinitiative.com/advisories/ZDI-11-231/

NGS Secure:
http://archives.neohapsis.com/archives/bugtraq/2011-07/0034.html
http://archives.neohapsis.com/archives/bugtraq/2011-10/0050.html

iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=926
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=927

Other references
Further details available to Secunia VIM customers

Technical Analysis
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers