
Secunia Advisory SA46417

Apple Mac OS X Multiple Vulnerabilities
Release Date 2011-10-13
Last Update 2012-08-20
   

Criticality level Highly critical
Impact Hijacking
Security Bypass
Exposure of system information
Exposure of sensitive information
Privilege escalation
System access
Where From remote
Solution Status Vendor Patch
   
Remediation status Secunia CSI, Secunia PSI
Automated scanning Secunia CSI, Secunia PSI
   
Operating System
Apple Macintosh OS X

CVE Reference(s)
CVE-2009-4022
CVE-2010-0097
CVE-2010-1157
CVE-2010-1634
CVE-2010-2089
CVE-2010-2227
CVE-2010-3436
CVE-2010-3613
CVE-2010-3614
CVE-2010-3718
CVE-2010-4172
CVE-2010-4645
CVE-2011-0013
CVE-2011-0185
CVE-2011-0187
CVE-2011-0224
CVE-2011-0226
CVE-2011-0229
CVE-2011-0230
CVE-2011-0231
CVE-2011-0249
CVE-2011-0250
CVE-2011-0251
CVE-2011-0252
CVE-2011-0259
CVE-2011-0260
CVE-2011-0411
CVE-2011-0419
CVE-2011-0420
CVE-2011-0421
CVE-2011-0534
CVE-2011-0707
CVE-2011-0708
CVE-2011-1092
CVE-2011-1153
CVE-2011-1466
CVE-2011-1467
CVE-2011-1468
CVE-2011-1469
CVE-2011-1470
CVE-2011-1471
CVE-2011-1521
CVE-2011-1755
CVE-2011-1910
CVE-2011-2464
CVE-2011-2690
CVE-2011-2691
CVE-2011-2692
CVE-2011-3192
CVE-2011-3212
CVE-2011-3213
CVE-2011-3214
CVE-2011-3215
CVE-2011-3216
CVE-2011-3217
CVE-2011-3218
CVE-2011-3219
CVE-2011-3220
CVE-2011-3221
CVE-2011-3222
CVE-2011-3223
CVE-2011-3224
CVE-2011-3225
CVE-2011-3226
CVE-2011-3227
CVE-2011-3228
CVE-2011-3246
CVE-2011-3435
CVE-2011-3436
CVE-2011-3437
  

Description

Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) Some vulnerabilities exist in Apache, BIND, CoreFoundation, CoreMedia, iChat Server, Mailman, Postfix, PHP, Python, QuickTime, Tomcat, and X11:

For more information:
SA37426
SA38219
SA39574
SA39937
SA40148
SA41724
SA42337
SA42374
SA42435
SA43194
SA43198
SA43389
SA43646
SA43814
SA44490
SA44719
SA44787
SA45046
SA45082
SA45167
SA45516
SA45606
SA46339

2) A format string error in the Application Firewall's debug logging can be exploited via a specially crafted name.

3) A signedness error in the ATS component when handling Type 1 fonts can be exploited via a specially crafted font embedded in a document.

4) An error in the ATS component when handling Type 1 fonts can be exploited to access an out-of-bounds memory location via a specially crafted font embedded in a document.

5) An error in the ATSFontDeactivate API can be exploited to cause a buffer overflow.

6) A synchronization error in the CFNetwork component when handling cookie policies can be exploited to bypass Safari's cookie preferences and store a cookie that would otherwise be blocked.

7) An error in the CFNetwork component when handling HTTP cookies can be exploited to send a cookie for a domain to a server outside of that domain.

8) Some errors in the CoreMedia component when handling QuickTime movie files can be exploited to corrupt memory.

9) An error in the CoreProcesses component when handling system windows (e.g. VPN password prompt) while the screen is locked can be exploited to partially bypass the screen lock.

10) An error in the CoreStorage component when enabling FileVault results in some data at the start of a volume not being encrypted.

11) An error when handling HTTPS connections to WebDAV volumes results in certificate information not being properly verified, which can be exploited via a Man-in-the-Middle (MitM) attack.

12) An error in the IOGraphics component within the screen lock functionality when used with Apple Cinema displays can be exploited to access the system without entering a password.

13) A logic error in the kernel's DMA protection can be exploited to access a user's password via FireWire DMA access at loginwindow, boot, or shutdown processing.

14) A logic error in the kernel's handling of file deletions in directories when the sticky bit was set can be exploited to delete another user's files within a shared directory.

15) An error exists in the libsecurity module when handling errors during the parsing of a nonstandard certificate revocation list extension.

16) Some errors in the MediaKit component when handling disk images can be exploited to corrupt memory.

17) An error in the Open Directory component within the access control mechanism can be exploited to access another local user's password data.

18) An error in the Open Directory component within the access control mechanism can be exploited to change another user's password.

19) An error in the Open Directory component when bound to an LDAPv3 server and no AuthenticationAuthority attribute for a user exists can be exploited by an LDAP user to log in without a password.

20) Some errors in QuickTime when handling movie files can be exploited to corrupt memory via a specially crafted file.

21) An error in QuickTime within the "Save for Web" export feature due to storing certain JavaScript code from the vendor's website using HTTP can be exploited to inject arbitrary code via a Man-in-the-Middle (MitM) attack, which will be executed when saved content is viewed locally.

22) An error in QuickTime.qts when processing URL data handlers within .mov files can be exploited to reference uninitialized memory via a specially crafted file.

23) An error in QuickTime when handling the atom hierarchy within movie files can be exploited via a specially crafted file.

24) An indexing error in QuickTime when handling FlashPix files containing a tile with the compression type 0x2 (JPEG) can be exploited to cause a memory corruption via a specially crafted file.

25) An error in QuickTime when handling FLC Delta Decompression blocks in FLIC files can be exploited to cause a buffer overflow via a specially crafted file.

26) An error in the SMB File Server when guest access is disabled for a share point record for a folder can be exploited to access the share point using a guest user "nobody".

27) An error in the User Documentation due to App Store help content being updated over HTTP can be exploited to inject arbitrary AppleScript and Python code into the update via a Man-in-the-Middle (MitM) attack.

Successful exploitation of vulnerabilities #3 - #5, #8, #20, #22 - #25, and #27 may allow execution of arbitrary code.


Solution
Update to version 10.7.2 or apply Security Update 2011-006.

Provided and/or discovered by
3, 8, 11, 12, 16, 20, 26) Reported by the vendor.
21, 27) Aaron Sigel, vtty.com
22) Luigi Auriemma via ZDI
23) An anonymous person via ZDI
24) Damian Put via ZDI
25) Matt 'j00ru' Jurczyk via ZDI
27) Brian Mastenbrook, vtty.com

The vendor also credits the following people:
2) An anonymous person
4) Will Dormann, the CERT/CC
5) Steven Michaud, Mozilla
6) Martin Tessarek, Steve Riggins, Geeks R Us, Justin C. Walker, and Stephen Creswell
7) Erling Ellingsen, Facebook
9) Clint Tseng, University of Washington, Michael Kobb, and Adam Kemp
10) Judson Powers, ATC-NY
13) Passware, Inc.
14) Gordon Davisson, Crywolf, Linc Davis, R. Dormer, and Allan Schmid and Oliver Jeckel, brainworks Training
15) Richard Godbee, Virginia Tech
17) Arek Dreyer, Dreyer Network Consultants, Inc.
17, 18) Patrick Dunstan, defenceindepth.net
19) Jeffry Strunk, The University of Texas at Austin, Steven Eppler, Colorado Mesa University, Hugh Cole-Baker, and Frederic Metoz, Institut de Biologie Structurale


Original Advisory
Apple:
http://support.apple.com/kb/HT5002

vtty.com:
http://vttynotes.blogspot.com/2011/10/summary-of-vulnerability-write-ups-on.html
http://vttynotes.blogspot.com/2011/10/cve-2011-3224-mitm-to-rce-with-mac-app.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-295/
http://www.zerodayinitiative.com/advisories/ZDI-11-311/
http://www.zerodayinitiative.com/advisories/ZDI-11-312/
http://www.zerodayinitiative.com/advisories/ZDI-11-313/
http://www.zerodayinitiative.com/advisories/ZDI-12-136/


