About the security content of OS X Lion v10.7.4 and Security Update 2012-002
This document describes the security content of OS X Lion v10.7.4 and Security Update 2012-002.
OS X Lion v10.7.4 and Security Update 2012-002 can be downloaded and installed via Software Update preferences, or from Apple Downloads.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see "Apple Security Updates".
OS X Lion v10.7.4 and Security Update 2012-002
Login Window
Available for: OS X Lion v10.7.3, OS X Lion Server v10.7.3
Impact: Remote admins and persons with physical access to the system may obtain account information
Description: An issue existed in the handling of network account logins. The login process recorded sensitive information in the system log, where other users of the system could read it. The sensitive information may persist in saved logs after installation of this update. This issue only affects systems running OS X Lion v10.7.3 with users of Legacy File Vault and/or networked home directories.
CVE-ID
CVE-2012-0652 : Terry Reeves and Tim Winningham of the Ohio State University, Markus 'Jaroneko' Räty of the Finnish Academy of Fine Arts, Jaakko Pero of Aalto University, Mark Cohen of Oregon State University, Paul Nelson
Bluetooth
Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: A local user may be able to execute arbitrary code with system privileges
Description: A temporary file race condition issue existed in blued's initialization routine.
CVE-ID
CVE-2012-0649 : Aaron Sigel of vtty.com
curl
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. curl disabled the 'empty fragment' countermeasure which prevented these attacks. This issue is addressed by enabling empty fragments.
CVE-ID
CVE-2011-3389 : Apple
curl
Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Using curl or libcurl with a maliciously crafted URL may lead to protocol-specific data injection attacks
Description: A data injection issue existed in curl's handling of URLs. This issue is addressed through improved validation of URLs. This issue does not affect systems prior to OS X Lion.
CVE-ID
CVE-2012-0036
Directory Service
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: A remote attacker may obtain sensitive information
Description: Multiple issues existed in the directory server's handling of messages from the network. By sending a maliciously crafted message, a remote attacker could cause the directory server to disclose memory from its address space, potentially revealing account credentials or other sensitive information. This issue does not affect OS X Lion systems. The Directory Server is disabled by default in non-server installations of OS X.
CVE-ID
CVE-2012-0651 : Agustin Azubel
HFS
Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Mounting a maliciously crafted disk image may lead to a system shutdown or arbitrary code execution
Description: An integer underflow existed in the handling of HFS catalog files.
CVE-ID
CVE-2012-0642 : pod2g
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in ImageIO's handling of CCITT Group 4 encoded TIFF files. This issue does not affect OS X Lion systems.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies
ImageIO
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: Multiple vulnerabilities in libpng
Description: libpng is updated to version 1.5.5 to address multiple vulnerabilities, the most serious of which may lead to information disclosure. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2011-2692
CVE-2011-3328
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of ThunderScan encoded TIFF images. This issue is addressed by updating libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
Kernel
Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: When FileVault is used, the disk may contain unencrypted user data
Description: An issue in the kernel's handling of the sleep image used for hibernation left some data unencrypted on disk even when FileVault was enabled. This issue is addressed through improved handling of the sleep image, and by overwriting the existing sleep image when updating to OS X v10.7.4. This issue does not affect systems prior to OS X Lion.
CVE-ID
CVE-2011-3212 : Felix Groebert of Google Security Team
libarchive
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Extracting a maliciously crafted archive may lead to an unexpected application termination or arbitrary code execution
Description: Multiple buffer overflows existed in the handling of tar archives and iso9660 files.
CVE-ID
CVE-2011-1777
CVE-2011-1778
libsecurity
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Verifying a maliciously crafted X.509 certificate, such as when visiting a maliciously crafted website, may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the handling of X.509 certificates.
CVE-ID
CVE-2012-0654 : Dirk-Willem van Gulik of WebWeaving.org, Guilherme Prado of Conselho da Justiça Federal, Ryan Sleevi of Google
libsecurity
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Support for X.509 certificates with insecure-length RSA keys may expose users to spoofing and information disclosure
Description: Certificates signed using RSA keys with insecure key lengths were accepted by libsecurity. This issue is addressed by rejecting certificates containing RSA keys less than 1024 bits.
CVE-ID
CVE-2012-0655
libxml
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most serious of which may lead to an unexpected application termination or arbitrary code execution. These issues are addressed by applying the relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of Chinese Academy of Sciences
CVE-2011-3919 : Jüri Aedla
LoginUIFramework
Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: If the Guest user is enabled, a user with physical access to the computer may be able to log in to a user other than the Guest user without entering a password
Description: A race condition existed in the handling of Guest user logins. This issue does not affect systems prior to OS X Lion.
CVE-ID
CVE-2012-0656 : Francisco Gómez (espectalll123)
PHP
Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Multiple vulnerabilities in PHP
Description: PHP is updated to version 5.3.10 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP web site at http://www.php.net
CVE-ID
CVE-2011-4566
CVE-2011-4885
CVE-2012-0830
Quartz Composer
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: A user with physical access to the computer may be able to cause Safari to launch if the screen is locked and the RSS Visualizer screen saver is used
Description: An access control issue existed in Quartz Composer's handling of screen savers. This issue is addressed through improved checking for whether or not the screen is locked.
CVE-ID
CVE-2012-0657 : Aaron Sigel of vtty.com
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted movie file during progressive download may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of audio sample tables.
CVE-ID
CVE-2012-0658 : Luigi Auriemma working with HP's Zero Day Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of MPEG files.
CVE-ID
CVE-2012-0659 : An anonymous researcher working with HP's Zero Day Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer underflow existed in the handling of MPEG files.
CVE-ID
CVE-2012-0660 : Justin Kim at Microsoft and Microsoft Vulnerability Research
QuickTime
Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue existed in the handling of JPEG2000 encoded movie files. This issue does not affect systems prior to OS X Lion.
CVE-ID
CVE-2012-0661 : Damian Put working with HP's Zero Day Initiative
Ruby
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Multiple vulnerabilities in Ruby
Description: Ruby is updated to 1.8.7-p357 to address multiple vulnerabilities.
CVE-ID
CVE-2011-1004
CVE-2011-1005
CVE-2011-4815
Samba
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: If SMB file sharing is enabled, an unauthenticated remote attacker may cause a denial of service or arbitrary code execution with system privileges
Description: Multiple buffer overflows existed in Samba's handling of remote procedure calls. By sending a maliciously crafted packet, an unauthenticated remote attacker could cause a denial of service or arbitrary code execution with system privileges. These issues do not affect OS X Lion systems.
CVE-ID
CVE-2012-0870 : Andy Davis of NGS Secure
CVE-2012-1182 : An anonymous researcher working with HP's Zero Day Initiative
Security Framework
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the Security framework. Processing untrusted input with the Security framework could result in memory corruption. This issue does not affect 32-bit processes.
CVE-ID
CVE-2012-0662 : aazubel working with HP's Zero Day Initiative
Time Machine
Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: A remote attacker may access a user's Time Machine backup credentials
Description: The user may designate a Time Capsule or remote AFP volume attached to an AirPort Base Station to be used for Time Machine backups. Beginning with AirPort Base Station and Time Capsule Firmware Update 7.6, Time Capsules and Base Stations support a secure SRP-based authentication mechanism over AFP. However, Time Machine did not require that the SRP-based authentication mechanism was used for subsequent backup operations, even if Time Machine was initially configured or had ever contacted a Time Capsule or Base Station that supported it. An attacker who is able to spoof the remote volume could gain access to user's Time Capsule credentials, although not backup data, sent by the user's system. This issue is addressed by requiring use of the SRP-based authentication mechanism if the backup destination has ever supported it.
CVE-ID
CVE-2012-0675 : Renaud Deraison of Tenable Network Security, Inc.
X11
Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Applications that use libXfont to process LZW-compressed data may be vulnerable to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libXfont's handling of LZW-compressed data. This issue is addressed by updating libXfont to version 1.4.4.
CVE-ID
CVE-2011-2895 : Tomas Hoger of Red Hat
Note: Additionally, this update filters dynamic linker environment variables from a customized environment property list in the user’s home directory, if present.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.