OCS ADVISORY NUMBER:

 

2012-006

DATE(S) ISSUED:

 

 

02/03/2012

 

 

SUBJECT:

 

Multiple Vulnerabilities in Apple Mac OS X Could Allow Remote Code Execution

 

OVERVIEW:

 

Multiple vulnerabilities have been discovered in Apple's OS X and

OS X Server that could allow remote code execution. OS X is a desktop

operating system for the Apple Mac. OS X Server is a server operating

system for the Apple Mac.

These vulnerabilities can be exploited if a user visits or is

redirected to a specially crafted webpage or opens a specially crafted

file, including an e-mail attachment, while using a vulnerable version

of OS X. Successful exploitation could result in an attacker gaining

the same privileges as the logged on user. Depending on the privileges

associated with the user, an attacker could then install programs;

view, change, or delete data; or create new accounts with full user

rights.

SYSTEMS AFFECTED:

OS X Lion 10.7 through 10.7.2

OS X Lion Server 10.7 through 10.7.2

Mac OS X 10.6.8

Mac OS X Server 10.6.8

RISK:

 

Government:

Large and medium government entities: High

Small government entities: High

Businesses:

Large and medium business entities: High

Small business entities: High

Home users: High

DESCRIPTION:

 

Multiple vulnerabilities have been discovered in Apple's OS X that

could allow both remote and local code execution. These

vulnerabilities can be exploited if a user visits or is redirected to a

specially crafted webpage or opens a specially crafted file, including

an e-mail attachment, while using a vulnerable version of OS X.

Apple has identified the following vulnerabilities:

A vulnerability exists in the Address Book application in OS X

Lion v10.7.2 or earlier. This issue exists because the application will

attempt an unencrypted connection to obtain CardDAV data if an

encrypted connection fails. Attackers can exploit this issue by

performing a man in the middle attack or by intercepting the

unencrypted data at strategic network locations. Successful

exploitation could result in the theft of address book contact

information. This issue affects OS X Lion v10.7 to v10.7.2, OS X Lion

Server v10.7 to v10.7.2 (CVE-2011-3444)

An unspecified memory management issue exists in the Font Book

application due the improper handling of certain data-font files. To

exploit this issue, an attacker creates a specially crafted data-font

file and distributes that file to unsuspecting users. When the user

opens the file with Font Book, the exploit is triggered. Successful

exploitation could result in remote code execution. This issue affects

Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2,

OS X Lion Server v10.7 to v10.7.2. (CVE-2011-3446)

An issue exists in the CFNetwork’s handling of malformed URLs

which could lead to information disclosure. When accessing a

maliciously crafted URL, CFNetworkcould send the request to an

incorrect origin server. To exploit this issue, an attacker distributes

a specially crafted URL to unsuspecting users. When a user visits the

URL, certain information could be relayed to the attacker. Successful

exploitation could result in information disclosure which could be used

to aid additional attacks. This issue affects OS X Lion v10.7 to

v10.7.2, OS X Lion Server v10.7 to v10.7.2 (CVE-2011-3246)

An integer overflow vulnerability exists due to the way CFNetwork

handles certain images with embedded ColorSynch information. To

exploit this issue, an attacker distributes a specially crafted image

file to unsuspecting users. When the file is executed, the exploit

triggers. Successful exploitation could result in remote code

execution. This issue affects OS X Lion v10.7 to v10.7.2, OS X Lion

Server v10.7 to v10.7.2  (CVE-2011-3447) and Mac OS X v10.6.8, Mac OS X

Server v10.6.8 (CVE-2011-0200)

A buffer overflow vulnerability exists in a CoreAudio component

of Mac OS X v10.6.8 and Mac OS X Server v10.6.8 due to the improper

handling of certain encoded audio streams. The specifics of how this

vulnerability can be exploited are unclear. However, successful

exploitation does in involve the execution of a specially crafted audio

content and could result in remote code execution. (CVE-2011-3252)

 

  

 

A heap buffer overflow exists in a CoreMedia component of OS X due

to the improper handling on H.264 encoded movie files. To exploit this

issue, an attacker distributes a specially crafted movie file to

unsuspecting users. When the file is executed, the exploit is

triggered. Successful exploitation could result in remote code

execution. This issue affects Mac OS X v10.6.8, Mac OS X Serverv10.6.8,

OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2.

(CVE-2011-3448)

An unspecified after free issue exists in the handling of certain

font files. To exploit this issue, an attacker creates and distributes

a specially crafted file that uses the vulnerable fonts. When the file

is execution the exploit occurs. Successful exploitation could result

in remote code execution. This issue affects Mac OS X v10.6.8, Mac OS X

Server v10.6.8, OS X Lion v10.7 tov10.7.2, OS X Lion Server v10.7 to

v10.7.2 (CVE-2011-3449)

An unbounded stack allocation issue exists in CoreUI’s handling

of long URLs. To exploit this issue, an attacker creates and

distributes a specially crafted website designed to leverage the issue.

When a user visits the website the exploit is triggered. Successful

exploitation could result in remote code execution. This issue affects

OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

(CVE-2011-3450)

An unspecified buffer overflow vulnerability exists in the

“uncompress� command line tool. To exploit this issue, an attacker

distributes a specially crafted compressed file. When the file is

uncompressed via command line, the exploit is triggered. Successful

exploitation could result in remote code execution. This issue affects

Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 tov10.7.2,

OS X Lion Server v10.7 to v10.7.2 (CVE-2011-0241)

A buffer overflow exists in libtiff's handling of ThunderScan

encoded TIFF image files and libpng v1.5.4’s handling of certain PNG

files. To exploit this issue, an attacker distributes a specially

crafted TIFF file or PNG file. When the file is executed, the exploit

is triggered. Successful exploitation could result in code execution.

This issue affects Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion

v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2 (CVE-2011-1167,

CVE-2011-3328)

An unspecified issue exists in Libinfo's handling of hostname

lookup requests. Libinfo could return incorrect results for a specially

crafted hostname. To exploit this issue, an attacker creates a

specially crafted website and distributes a link to unsuspecting users.

When a user visits the site, the exploit is triggered. Successful

exploitation could result in remote code execution. This issue affects

OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

(CVE-2011-3441)

An unspecified integer overflow exists in the parsing of certain

DNS resource records. The details of how this vulnerability can be

exploited are unavailable. Successful exploitation could allow remote

code execution. This issue affects Mac OS X v10.6.8, Mac OS X Server

v10.6.8, OS X Lion v10.7 tov10.7.2, OS X Lion Server v10.7 to v10.7.2

(CVE-2011-3453)

Multiple memory corruption issues exist in OpenGL™s handling of

GLSL compilation. The details of how this vulnerability can be

exploited are unclear. However, successful exploitation could result in

arbitrary code execution. This issue affects Mac OS X v10.6.8, Mac OS X

Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to

v10.7.2 (CVE-2011-3457)

Multiple buffer overflow and memory corruption vulnerabilities

exist in QuickTime which could allow remote code execution. To exploit

these vulnerabilities, an attacker distributes a specially crafted

movie or image file to unsuspecting users. When the file is executed

the exploit is triggered. Successful exploitation could result in

arbitrary code execution. This issue affects Mac OS X v10.6.8, Mac OS X

Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to

v10.7.2 (CVE-2011-3458, CVE-2011-3248, CVE-2011-3459, CVE-2011-3250,

CVE-2011-3460,CVE-2011-3249)

An issue exists in the Time Machine application that could allow

attackers to gain unauthorized access to system backups. The user may

designate a remote AFP volume or Time Capsule to be used for Time

Machine backups. Time Machine did not verify that the same device was

being used for subsequent backup operations. An attacker who is able to

spoof the remote volume could gain access to new backups created by

the user's system. This issue affects OS XLion v10.7 to v10.7.2, OS X

Lion Server v10.7 to v10.7.2. (CVE-2011-3462)

An issue exists in WebDAV Sharing's handling of user

authentication. A user with a valid account on the server or one of its

bound directories could cause the execution of arbitrary code with

system privileges. The details of how this vulnerability can be

exploited are unavailable. This issue affects OS X Lion Server v10.7 to

v10.7.2 (CVE-2011-3463)

A memory corruption issue existed in FreeType's handling of Type 1

fonts. To exploit this issue, an attacker distributes a specially

crafted PDF file which utilizes the vulnerable font. When a user opens

the file, the exploit is triggered. Successful exploitation could

result in remote code execution. This issue affects Mac OS X v10.6.8,

Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server

v10.7 to v10.7.2 (CVE-2011-3256)

Successful exploitation of these vulnerabilities could result in

an attacker gaining the same privileges as the logged on user.

Depending on the privileges associated with the user, an attacker could

then install programs; view, change, or delete data; or create new

accounts with full user rights.  Failed attempts could result in a

denial-of-service.

RECOMMENDATIONS:

 

We recommend the following actions be taken:

Apply appropriate patches provided by Apple to affected systems immediately after appropriate testing.

Remind users not to download or open files from un-trusted websites.

Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources.

Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.

Run all software as a non-privileged user (one

without administrative privileges) to diminish the effects of a

successful attack.

Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells. 

REFERENCES:

 

Apple:

 

http://support.apple.com/kb/HT5130

Security Focus:

 

http://www.securityfocus.com/advisories/23952

 

http://www.securityfocus.com/bid/51807

 

http://www.securityfocus.com/bid/51808

 

http://www.securityfocus.com/bid/51809

 

http://www.securityfocus.com/bid/51810

 

http://www.securityfocus.com/bid/51811

 

http://www.securityfocus.com/bid/51812

 

http://www.securityfocus.com/bid/51813

 

http://www.securityfocus.com/bid/51814

 

http://www.securityfocus.com/bid/51815

 

http://www.securityfocus.com/bid/51816

 

http://www.securityfocus.com/bid/51817

 

http://www.securityfocus.com/bid/51818

CVE:

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3444

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3446

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3246

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3447

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0200

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3252

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3448

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3449

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3459

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0241

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3328

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1167

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3441

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3453

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3457

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3249

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3460

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3250

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3459

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3248

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3458

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3462

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3463

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3256

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3450