About the security content of OS X Lion v10.7.4 and Security Update 2012-002

This document describes the security content of OS X Lion v10.7.4 and Security Update 2012-002.

OS X Lion v10.7.4 and Security Update 2012-002 can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates".

OS X Lion v10.7.4 and Security Update 2012-002

  • Login Window

    Available for: OS X Lion v10.7.3, OS X Lion Server v10.7.3

    Impact: Remote admins and persons with physical access to the system may obtain account information

    Description: An issue existed in the handling of network account logins. The login process recorded sensitive information in the system log, where other users of the system could read it. The sensitive information may persist in saved logs after installation of this update. This issue only affects systems running OS X Lion v10.7.3 with users of Legacy File Vault and/or networked home directories.

    CVE-ID

    CVE-2012-0652 : Terry Reeves and Tim Winningham of the Ohio State University, Markus 'Jaroneko' Räty of the Finnish Academy of Fine Arts, Jaakko Pero of Aalto University, Mark Cohen of Oregon State University, Paul Nelson

  • Bluetooth

    Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: A local user may be able to execute arbitrary code with system privileges

    Description: A temporary file race condition issue existed in blued's initialization routine.

    CVE-ID

    CVE-2012-0649 : Aaron Sigel of vtty.com

  • curl

    Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: An attacker may be able to decrypt data protected by SSL

    Description: There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. curl disabled the 'empty fragment' countermeasure which prevented these attacks. This issue is addressed by enabling empty fragments.

    CVE-ID

    CVE-2011-3389 : Apple

  • curl

    Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: Using curl or libcurl with a maliciously crafted URL may lead to protocol-specific data injection attacks

    Description: A data injection issue existed in curl's handling of URLs. This issue is addressed through improved validation of URLs. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2012-0036

  • Directory Service

    Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8

    Impact: A remote attacker may obtain sensitive information

    Description: Multiple issues existed in the directory server's handling of messages from the network. By sending a maliciously crafted message, a remote attacker could cause the directory server to disclose memory from its address space, potentially revealing account credentials or other sensitive information. This issue does not affect OS X Lion systems. The Directory Server is disabled by default in non-server installations of OS X.

    CVE-ID

    CVE-2012-0651 : Agustin Azubel

  • HFS

    Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: Mounting a maliciously crafted disk image may lead to a system shutdown or arbitrary code execution

    Description: An integer underflow existed in the handling of HFS catalog files.

    CVE-ID

    CVE-2012-0642 : pod2g

  • ImageIO

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow existed in ImageIO's handling of CCITT Group 4 encoded TIFF files. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies

  • ImageIO

    Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8

    Impact: Multiple vulnerabilities in libpng

    Description: libpng is updated to version 1.5.5 to address multiple vulnerabilities, the most serious of which may lead to information disclosure. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html

    CVE-ID

    CVE-2011-2692

    CVE-2011-3328

  • ImageIO

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow existed in libtiff's handling of ThunderScan encoded TIFF images. This issue is addressed by updating libtiff to version 3.9.5.

    CVE-ID

    CVE-2011-1167

  • Kernel

    Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: When FileVault is used, the disk may contain unencrypted user data

    Description: An issue in the kernel's handling of the sleep image used for hibernation left some data unencrypted on disk even when FileVault was enabled. This issue is addressed through improved handling of the sleep image, and by overwriting the existing sleep image when updating to OS X v10.7.4. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3212 : Felix Groebert of Google Security Team

  • libarchive

    Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: Extracting a maliciously crafted archive may lead to an unexpected application termination or arbitrary code execution

    Description: Multiple buffer overflows existed in the handling of tar archives and iso9660 files.

    CVE-ID

    CVE-2011-1777

    CVE-2011-1778

  • libsecurity

    Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: Verifying a maliciously crafted X.509 certificate, such as when visiting a maliciously crafted website, may lead to an unexpected application termination or arbitrary code execution

    Description: An uninitialized memory access issue existed in the handling of X.509 certificates.

    CVE-ID

    CVE-2012-0654 : Dirk-Willem van Gulik of WebWeaving.org, Guilherme Prado of Conselho da Justiça Federal, Ryan Sleevi of Google

  • libsecurity

    Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: Support for X.509 certificates with insecure-length RSA keys may expose users to spoofing and information disclosure

    Description: Certificates signed using RSA keys with insecure key lengths were accepted by libsecurity. This issue is addressed by rejecting certificates containing RSA keys less than 1024 bits.

    CVE-ID

    CVE-2012-0655

  • libxml

    Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution

    Description: Multiple vulnerabilities existed in libxml, the most serious of which may lead to an unexpected application termination or arbitrary code execution. These issues are addressed by applying the relevant upstream patches.

    CVE-ID

    CVE-2011-1944 : Chris Evans of Google Chrome Security Team

    CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of Chinese Academy of Sciences

    CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of Chinese Academy of Sciences

    CVE-2011-3919 : Jüri Aedla

  • LoginUIFramework

    Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: If the Guest user is enabled, a user with physical access to the computer may be able to log in to a user other than the Guest user without entering a password

    Description: A race condition existed in the handling of Guest user logins. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2012-0656 : Francisco Gómez (espectalll123)

  • PHP

    Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: Multiple vulnerabilities in PHP

    Description: PHP is updated to version 5.3.10 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP web site at http://www.php.net

    CVE-ID

    CVE-2011-4566

    CVE-2011-4885

    CVE-2012-0830

  • Quartz Composer

    Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: A user with physical access to the computer may be able to cause Safari to launch if the screen is locked and the RSS Visualizer screen saver is used

    Description: An access control issue existed in Quartz Composer's handling of screen savers. This issue is addressed through improved checking for whether or not the screen is locked.

    CVE-ID

    CVE-2012-0657 : Aaron Sigel of vtty.com

  • QuickTime

    Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: Viewing a maliciously crafted movie file during progressive download may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow existed in the handling of audio sample tables.

    CVE-ID

    CVE-2012-0658 : Luigi Auriemma working with HP's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: Viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution

    Description: An integer overflow existed in the handling of MPEG files.

    CVE-ID

    CVE-2012-0659 : An anonymous researcher working with HP's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: Viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer underflow existed in the handling of MPEG files.

    CVE-ID

    CVE-2012-0660 : Justin Kim at Microsoft and Microsoft Vulnerability Research

  • QuickTime

    Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A use after free issue existed in the handling of JPEG2000 encoded movie files. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2012-0661 : Damian Put working with HP's Zero Day Initiative

  • Ruby

    Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: Multiple vulnerabilities in Ruby

    Description: Ruby is updated to 1.8.7-p357 to address multiple vulnerabilities.

    CVE-ID

    CVE-2011-1004

    CVE-2011-1005

    CVE-2011-4815

  • Samba

    Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8

    Impact: If SMB file sharing is enabled, an unauthenticated remote attacker may cause a denial of service or arbitrary code execution with system privileges

    Description: Multiple buffer overflows existed in Samba's handling of remote procedure calls. By sending a maliciously crafted packet, an unauthenticated remote attacker could cause a denial of service or arbitrary code execution with system privileges. These issues do not affect OS X Lion systems.

    CVE-ID

    CVE-2012-0870 : Andy Davis of NGS Secure

    CVE-2012-1182 : An anonymous researcher working with HP's Zero Day Initiative

  • Security Framework

    Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution

    Description: An integer overflow existed in the Security framework. Processing untrusted input with the Security framework could result in memory corruption. This issue does not affect 32-bit processes.

    CVE-ID

    CVE-2012-0662 : aazubel working with HP's Zero Day Initiative

  • Time Machine

    Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: A remote attacker may access a user's Time Machine backup credentials

    Description: The user may designate a Time Capsule or remote AFP volume attached to an AirPort Base Station to be used for Time Machine backups. Beginning with AirPort Base Station and Time Capsule Firmware Update 7.6, Time Capsules and Base Stations support a secure SRP-based authentication mechanism over AFP. However, Time Machine did not require that the SRP-based authentication mechanism was used for subsequent backup operations, even if Time Machine was initially configured with, or had ever contacted, a Time Capsule or Base Station that supported it. An attacker who is able to spoof the remote volume could gain access to the user's Time Capsule credentials, although not backup data, sent by the user's system. This issue is addressed by requiring use of the SRP-based authentication mechanism if the backup destination has ever supported it.

    CVE-ID

    CVE-2012-0675 : Renaud Deraison of Tenable Network Security, Inc.
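    The "has ever supported it" rule from the fix above, as an added Python example (not Apple's or Time Machine's code): the client latches that a destination has offered SRP and refuses any later non-SRP session with that destination. The mechanism names "srp" and "legacy", the record format and the volume id are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


class DowngradeError(Exception):
    """Raised when a destination that once offered SRP no longer does."""


@dataclass
class DestinationRecord:
    """Per-destination state the client persists (constructed format)."""
    volume_id: str
    srp_seen: bool = False  # latched once the destination ever advertised SRP


@dataclass
class BackupAuthPolicy:
    records: Dict[str, DestinationRecord] = field(default_factory=dict)

    def choose_auth(self, volume_id: str, offered: Set[str]) -> str:
        """Select the authentication mechanism for one backup run.

        `offered` is what the volume answering right now advertises. A spoofed
        volume cannot complete SRP without the real verifier, so it will
        typically leave "srp" out and offer only the weaker mechanism.
        """
        rec = self.records.setdefault(volume_id, DestinationRecord(volume_id))
        if "srp" in offered:
            rec.srp_seen = True  # remember that this destination supports SRP
            return "srp"
        if rec.srp_seen:
            # Pre-fix behaviour fell back and sent credentials to whoever
            # answered; the fixed behaviour refuses the downgrade instead.
            raise DowngradeError(
                f"{volume_id} previously supported SRP; refusing non-SRP auth")
        if "legacy" in offered:
            return "legacy"  # first contact with a destination lacking SRP
        raise ValueError(f"no usable mechanism offered by {volume_id}")


def simulate_spoofed_volume() -> List[str]:
    """Three sessions with one destination (constructed scenario): first
    contact before firmware 7.6, a session where SRP is offered, then a
    spoofed volume that only offers the legacy mechanism."""
    policy = BackupAuthPolicy()
    outcomes = []
    for offered in ({"legacy"}, {"srp", "legacy"}, {"legacy"}):
        try:
            outcomes.append(policy.choose_auth("TimeCapsule-01", offered))
        except DowngradeError:
            outcomes.append("refused")
    return outcomes
```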

  • X11

    Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

    Impact: Applications that use libXfont to process LZW-compressed data may be vulnerable to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow existed in libXfont's handling of LZW-compressed data. This issue is addressed by updating libXfont to version 1.4.4.

    CVE-ID

    CVE-2011-2895 : Tomas Hoger of Red Hat

Note: Additionally, this update filters dynamic linker environment variables from a customized environment property list in the user’s home directory, if present.
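The filtering the note describes, as an added Python example (not Apple's code): dynamic linker variables are dropped from a user environment property list before it can reach processes launched in the session. The DYLD_ prefix is the documented naming of dyld's environment variables; the sample plist and its values are constructed, and the exact file Apple filtered is not named on this page.

```python
import plistlib

DYLD_PREFIX = "DYLD_"  # every dyld environment variable carries this prefix

# Constructed sample of an environment property list in a user's home
# directory: two ordinary variables and two that would steer the linker.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PATH</key><string>/usr/local/bin:/usr/bin:/bin</string>
  <key>DYLD_INSERT_LIBRARIES</key><string>/Users/Shared/injected.dylib</string>
  <key>DYLD_LIBRARY_PATH</key><string>/Users/Shared</string>
  <key>EDITOR</key><string>vim</string>
</dict></plist>"""


def filter_dyld_variables(plist_bytes: bytes) -> tuple:
    """Return (kept_env, dropped_names) for an environment plist.

    Keys that would influence the dynamic linker are discarded, so a
    property list in a writable home directory cannot cause code to be
    loaded into every process the user launches.
    """
    env = plistlib.loads(plist_bytes)
    if not isinstance(env, dict):
        raise ValueError("environment plist must contain a dictionary")
    kept, dropped = {}, []
    for name, value in env.items():
        if name.startswith(DYLD_PREFIX):
            dropped.append(name)
        elif isinstance(value, str):
            kept[name] = value
        # non-string values cannot become environment variables; skipped
    return kept, sorted(dropped)


if __name__ == "__main__":
    kept_env, dropped_names = filter_dyld_variables(SAMPLE_PLIST)
    print("kept:", kept_env)
    print("dropped:", dropped_names)
```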

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.
