About the security content of OS X Lion v10.7.3 and Security Update 2012-001

This document describes the security content of OS X Lion v10.7.3 and Security Update 2012-001.

This document describes the security content of OS X Lion v10.7.3 and Security Update 2012-001, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates".

OS X Lion v10.7.3 and Security Update 2012-001

  • Address Book

    Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: An attacker in a privileged network position may intercept CardDAV data

    Description: Address Book supports Secure Sockets Layer (SSL) for accessing CardDAV. A downgrade issue caused Address Book to attempt an unencrypted connection if an encrypted connection failed. An attacker in a privileged network position could abuse this behavior to intercept CardDAV data. This issue is addressed by not downgrading to an unencrypted connection without user approval.

    CVE-ID

    CVE-2011-3444 : Bernard Desruisseaux of Oracle Corporation

  • Apache

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Multiple vulnerabilities in Apache

    Description: Apache is updated to version 2.2.21 to address several vulnerabilities, the most serious of which may lead to a denial of service. Further information is available via the Apache web site at http://httpd.apache.org/

    CVE-ID

    CVE-2011-3348

  • Apache

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: An attacker may be able to decrypt data protected by SSL

    Description: There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. Apache disabled the 'empty fragment' countermeasure which prevented these attacks. This issue is addressed by providing a configuration parameter to control the countermeasure and enabling it by default.

    CVE-ID

    CVE-2011-3389

  • ATS

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Opening a maliciously crafted font in Font Book may lead to an unexpected application termination or arbitrary code execution

    Description: A memory management issue existed in ATS' handling of data-font files when opened by Font Book.

    CVE-ID

    CVE-2011-3446 : Will Dormann of the CERT/CC

  • CFNetwork

    Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information

    Description: An issue existed in CFNetwork's handling of malformed URLs. When accessing a maliciously crafted URL, CFNetwork could send the request to an incorrect origin server. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3246 : Erling Ellingsen of Facebook

  • CFNetwork

    Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information

    Description: An issue existed in CFNetwork's handling of malformed URLs. When accessing a maliciously crafted URL, CFNetwork could send unexpected request headers. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3447 : Erling Ellingsen of Facebook

  • ColorSync

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution

    Description: An integer overflow existed in the handling of images with an embedded ColorSync profile, which may lead to a heap buffer overflow. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day Initiative

  • CoreAudio

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow existed in the handling of AAC encoded audio streams. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-3252 : Luigi Auriemma working with TippingPoint's Zero Day Initiative

  • CoreMedia

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow existed in CoreMedia's handling of H.264 encoded movie files.

    CVE-ID

    CVE-2011-3448 : Scott Stender of iSEC Partners

  • CoreText

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to an unexpected application termination or arbitrary code execution

    Description: A use after free issue existed in the handling of font files.

    CVE-ID

    CVE-2011-3449 : Will Dormann of the CERT/CC

  • CoreUI

    Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Visiting a malicious website may lead to an unexpected application termination or arbitrary code execution

    Description: An unbounded stack allocation issue existed in the handling of long URLs. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3450 : Ben Syverson

  • curl

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: A remote server may be able to impersonate clients via GSSAPI requests

    Description: When doing GSSAPI authentication, libcurl unconditionally performs credential delegation. This issue is addressed by disabling GSSAPI credential delegation.

    CVE-ID

    CVE-2011-2192

  • Data Security

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

    Description: Two certificate authorities in the list of trusted root certificates have independently issued intermediate certificates to DigiCert Malaysia. DigiCert Malaysia has issued certificates with weak keys that it is unable to revoke. An attacker with a privileged network position could intercept user credentials or other sensitive information intended for a site with a certificate issued by DigiCert Malaysia. This issue is addressed by configuring default system trust settings so that DigiCert Malaysia's certificates are not trusted. We would like to acknowledge Bruce Morton of Entrust, Inc. for reporting this issue.

  • dovecot

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: An attacker may be able to decrypt data protected by SSL

    Description: There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. Dovecot disabled the 'empty fragment' countermeasure which prevented these attacks. This issue is addressed by enabling the countermeasure.

    CVE-ID

    CVE-2011-3389 : Apple

  • filecmds

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Decompressing a maliciously crafted compressed file may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow existed in the 'uncompress' command line tool.

    CVE-ID

    CVE-2011-2895

  • ImageIO

    Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow existed in libtiff's handling of ThunderScan encoded TIFF images. This issue is addressed by updating libtiff to version 3.9.5.

    CVE-ID

    CVE-2011-1167

  • ImageIO

    Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Multiple vulnerabilities in libpng 1.5.4

    Description: libpng is updated to version 1.5.5 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html

    CVE-ID

    CVE-2011-3328

  • Internet Sharing

    Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: A Wi-Fi network created by Internet Sharing may lose security settings after a system update

    Description: After updating to a version of OS X Lion prior to 10.7.3, the Wi-Fi configuration used by Internet Sharing may revert to factory defaults, which disables the WEP password. This issue only affects systems with Internet Sharing enabled and sharing the connection to Wi-Fi. This issue is addressed by preserving the Wi-Fi configuration during a system update.

    CVE-ID

    CVE-2011-3452 : an anonymous researcher

  • Libinfo

    Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information

    Description: An issue existed in Libinfo's handling of hostname lookup requests. Libinfo could return incorrect results for a maliciously crafted hostname. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3441 : Erling Ellingsen of Facebook

  • libresolv

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Applications that use OS X's libresolv library may be vulnerable to an unexpected application termination or arbitrary code execution

    Description: An integer overflow existed in the parsing of DNS resource records, which may lead to heap memory corruption.

    CVE-ID

    CVE-2011-3453 : Ilja van Sprundel of IOActive

  • libsecurity

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Some EV certificates may be trusted even if the corresponding root has been marked as untrusted

    Description: The certificate code trusted a root certificate to sign EV certificates if it was on the list of known EV issuers, even if the user had marked it as 'Never Trust' in Keychain. The root would not be trusted to sign non-EV certificates.

    CVE-ID

    CVE-2011-3422 : Alastair Houghton

  • OpenGL

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Applications that use OS X's OpenGL implementation may be vulnerable to an unexpected application termination or arbitrary code execution

    Description: Multiple memory corruption issues existed in the handling of GLSL compilation.

    CVE-ID

    CVE-2011-3457 : Chris Evans of the Google Chrome Security Team, and Marc Schoenefeld of the Red Hat Security Response Team

  • PHP

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Multiple vulnerabilities in PHP 5.3.6

    Description: PHP is updated to version 5.3.8 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP web site at http://www.php.net

    CVE-ID

    CVE-2011-1148

    CVE-2011-1657

    CVE-2011-1938

    CVE-2011-2202

    CVE-2011-2483

    CVE-2011-3182

    CVE-2011-3189

    CVE-2011-3267

    CVE-2011-3268

  • PHP

    Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue existed in FreeType's handling of Type 1 fonts. This issue is addressed by updating FreeType to version 2.4.7. Further information is available via the FreeType site at http://www.freetype.org/

    CVE-ID

    CVE-2011-3256 : Apple

  • PHP

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Multiple vulnerabilities in libpng 1.5.4

    Description: libpng is updated to version 1.5.5 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html

    CVE-ID

    CVE-2011-3328

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Opening a maliciously crafted MP4 encoded file may lead to an unexpected application termination or arbitrary code execution

    Description: An uninitialized memory access issue existed in the handling of MP4 encoded files.

    CVE-ID

    CVE-2011-3458 : Luigi Auriemma and pa_kt both working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A signedness issue existed in the handling of font tables embedded in QuickTime movie files.

    CVE-ID

    CVE-2011-3248 : Luigi Auriemma working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: An off by one buffer overflow existed in the handling of rdrf atoms in QuickTime movie files.

    CVE-ID

    CVE-2011-3459 : Luigi Auriemma working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Viewing a maliciously crafted JPEG2000 image file may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow existed in the handling of JPEG2000 files.

    CVE-ID

    CVE-2011-3250 : Luigi Auriemma working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow existed in the handling of PNG files.

    CVE-ID

    CVE-2011-3460 : Luigi Auriemma working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow existed in the handling of FLC encoded movie files

    CVE-ID

    CVE-2011-3249 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative

  • SquirrelMail

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Multiple vulnerabilities in SquirrelMail

    Description: SquirrelMail is updated to version 1.4.22 to address several vulnerabilities, the most serious of which is a cross-site scripting issue. This issue does not affect OS X Lion systems. Further information is available via the SquirrelMail web site at http://www.SquirrelMail.org/

    CVE-ID

    CVE-2010-1637

    CVE-2010-2813

    CVE-2010-4554

    CVE-2010-4555

    CVE-2011-2023

  • Subversion

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Accessing a Subversion repository may lead to the disclosure of sensitive information

    Description: Subversion is updated to version 1.6.17 to address multiple vulnerabilities, the most serious of which may lead to the disclosure of sensitive information. Further information is available via the Subversion web site at http://subversion.apache.org/

    CVE-ID

    CVE-2011-1752

    CVE-2011-1783

    CVE-2011-1921

  • Time Machine

    Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: A remote attacker may access new backups created by the user's system

    Description: The user may designate a remote AFP volume or Time Capsule to be used for Time Machine backups. Time Machine did not verify that the same device was being used for subsequent backup operations. An attacker who is able to spoof the remote volume could gain access to new backups created by the user's system. This issue is addressed by verifying the unique identifier associated with a disk for backup operations.

    CVE-ID

    CVE-2011-3462 : Michael Roitzsch of the Technische Universität Dresden

  • Tomcat

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Multiple vulnerabilities in Tomcat 6.0.32

    Description: Tomcat is updated to version 6.0.33 to address multiple vulnerabilities, the most serious of which may lead to the disclosure of sensitive information. Tomcat is only provided on Mac OS X Server systems. This issue does not affect OS X Lion systems. Further information is available via the Tomcat site at http://tomcat.apache.org/

    CVE-ID

    CVE-2011-2204

  • WebDAV Sharing

    Available for: OS X Lion Server v10.7 to v10.7.2

    Impact: Local users may obtain system privileges

    Description: An issue existed in WebDAV Sharing's handling of user authentication. A user with a valid account on the server or one of its bound directories could cause the execution of arbitrary code with system privileges. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3463 : Gordon Davisson of Crywolf

  • Webmail

    Available for: OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Viewing a maliciously crafted e-mail message may lead to the disclosure of message content

    Description: A cross-site scripting vulnerability existed in the handling of mail messages. This issue is addressed by updating Roundcube Webmail to version 0.6. This issue does not affect systems prior to OS X Lion. Further information is available via the Roundcube site at http://trac.roundcube.net/

    CVE-ID

    CVE-2011-2937

  • X11

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

    Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue existed in FreeType's handling of Type 1 fonts. This issue is addressed by updating FreeType to version 2.4.7. Further information is available via the FreeType site at http://www.freetype.org/

    CVE-ID

    CVE-2011-3256 : Apple

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: