
Secunia Advisory SA47843

Apple Mac OS X Multiple Vulnerabilities
Release Date 2012-02-03
Last Update 2012-04-10
   

Criticality level Highly critical
Impact Cross Site Scripting
Spoofing
Exposure of sensitive information
Privilege escalation
DoS
System access
Where From remote
Solution Status Vendor Patch
   
   
Operating System
Apple Macintosh OS X

CVE Reference(s) CVE-2010-1637
CVE-2010-2813
CVE-2010-4554
CVE-2010-4555
CVE-2011-0200
CVE-2011-0241
CVE-2011-1148
CVE-2011-1167
CVE-2011-1657
CVE-2011-1752
CVE-2011-1783
CVE-2011-1921
CVE-2011-1938
CVE-2011-2023
CVE-2011-2192
CVE-2011-2202
CVE-2011-2204
CVE-2011-2483
CVE-2011-2895
CVE-2011-2937
CVE-2011-3182
CVE-2011-3189
CVE-2011-3246
CVE-2011-3248
CVE-2011-3249
CVE-2011-3250
CVE-2011-3252
CVE-2011-3256
CVE-2011-3267
CVE-2011-3268
CVE-2011-3328
CVE-2011-3348
CVE-2011-3389
CVE-2011-3422
CVE-2011-3441
CVE-2011-3444
CVE-2011-3446
CVE-2011-3447
CVE-2011-3448
CVE-2011-3449
CVE-2011-3450
CVE-2011-3452
CVE-2011-3453
CVE-2011-3457
CVE-2011-3458
CVE-2011-3459
CVE-2011-3460
CVE-2011-3462
CVE-2011-3463
  

Description

Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) The Address Book component downgrades to an unencrypted connection when an encrypted connection fails. This can be exploited to intercept CardDAV data.

2) An error in the bundled version of Apache can be exploited to cause a temporary DoS (Denial of Service).

For more information:
SA46013

3) A design error in Apache within the Secure Sockets Layer 3.0 (SSL) and Transport Layer Security 1.0 (TLS) protocols when using a block cipher in CBC mode can be exploited to decrypt data protected by SSL.

4) An error in ATS when handling data-font files can be exploited to corrupt memory via a specially crafted font opened by Font Book.

5) An error in CFNetwork when handling URLs can be exploited to disclose sensitive information via a specially crafted web page as a request could be sent to an incorrect origin server.

6) An error in CFNetwork when handling URLs can be exploited to disclose sensitive information via a specially crafted web page as unexpected request headers could be sent.

7) An integer overflow error in ColorSync can be exploited to cause a heap-based buffer overflow.

For more information see vulnerability #5:
SA45054

8) An error in CoreAudio when handling AAC encoded audio streams can be exploited to cause a buffer overflow when playing specially crafted audio content.

9) An error in CoreMedia when handling H.264 encoded movies can be exploited to cause a heap-based buffer overflow.

10) A use-after-free error in CoreText when handling documents containing fonts can be exploited to dereference already freed memory via a specially crafted font.

11) An error exists in CoreUI when handling long URLs and can be exploited via a specially crafted website.

12) An error in curl can be exploited by remote servers to impersonate clients via GSSAPI requests.

For more information:
SA45067

13) Two of the certificate authorities in the list of trusted root certificates have issued intermediate certificates to DigiCert Malaysia, who has issued certificates with weak keys that cannot be revoked.

14) A design error in dovecot within the Secure Sockets Layer 3.0 (SSL) and Transport Layer Security 1.0 (TLS) protocols when using a block cipher in CBC mode can be exploited to decrypt data protected by SSL.

15) An error in the uncompress command line tool when decompressing compressed files can be exploited to cause a buffer overflow.

For more information:
SA45544

16) An error in ImageIO when parsing TIFF images can be exploited to cause a buffer overflow.

For more information see vulnerability #9:
SA45325

17) An error in ImageIO when handling ThunderScan encoded TIFF images can be exploited to cause a buffer overflow.

For more information see vulnerability #2:
SA43593

18) An error exists in the bundled version of libpng.

For more information:
SA46148

19) An error in Internet Sharing may cause the used Wi-Fi configuration to revert to factory defaults (e.g. disabling the WEP password) after a system update.

20) An error in Libinfo can be exploited to disclose sensitive information via a specially crafted website.

For more information see vulnerability #4:
SA46747

21) An integer overflow error in libresolv when parsing DNS resource records can be exploited to cause a heap-based buffer overflow.

22) An error in libsecurity may cause some EV certificates to be trusted even when the corresponding root is marked untrusted.

23) Multiple errors in OpenGL when handling GLSL compilation can be exploited to corrupt memory.

24) Multiple errors exist in the bundled version of PHP.

For more information:
SA44874
SA45678

25) Various errors in FreeType when handling Type 1 fonts can be exploited to corrupt memory.

For more information:
SA46575

26) An error in QuickTime when parsing MP4 encoded files can be exploited to access uninitialised memory.

27) A signedness error in QuickTime when handling font tables embedded in movie files can be exploited to corrupt memory.

28) An off-by-one error in QuickTime when handling rdrf atoms in movie files can be exploited to cause a single byte buffer overflow.

29) An error in QuickTime when parsing JPEG2000 images can be exploited to cause a buffer overflow.

30) An error in QuickTime when parsing the MediaVideo header in videos encoded with the PNG format can be exploited to cause a buffer overflow via a video with a specially crafted bit depth.

31) An error in QuickTime when handling FLC encoded movie files can be exploited to cause a buffer overflow.

32) Multiple errors exist in the bundled version of SquirrelMail.

For more information:
SA40307
SA45197

33) Various errors exist in the bundled version of Subversion.

For more information:
SA44681

34) Time Machine does not verify that a designated remote AFP volume or Time Capsule is used for subsequent backups. This can be exploited to access backups by spoofing the remote volume.

35) Errors exist in the bundled version of Tomcat.

For more information:
SA44981

36) An error in WebDAV Sharing when handling user authentication can be exploited by local users to gain escalated privileges.

37) An error exists in the bundled version of Webmail.

For more information:
SA45605


Solution
Update to OS X Lion version 10.7.3 or apply Security Update 2012-001.

Provided and/or discovered by
4, 10) Will Dormann, CERT/CC
30) Luigi Auriemma via ZDI

The vendor also credits:
1) Bernard Desruisseaux, Oracle Corporation
5, 6) Erling Ellingsen, Facebook
8, 27, 28, 29) Luigi Auriemma via ZDI
9) Scott Stender, iSEC Partners
11) Ben Syverson
19) An anonymous person
21) Ilja van Sprundel, IOActive
22) Alastair Houghton
23) Chris Evans, Google Chrome Security Team and Marc Schoenefeld, Red Hat Security Response Team
26) Luigi Auriemma via ZDI and pa_kt via ZDI
31) Matt "j00ru" Jurczyk via ZDI
34) Michael Roitzsch, Technische Universität Dresden
36) Gordon Davisson, Crywolf


Original Advisory
Apple Security Update 2012-001:
http://support.apple.com/kb/HT5130

US-CERT:
http://www.kb.cert.org/vuls/id/403593
http://www.kb.cert.org/vuls/id/410281

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-12-058/


