About the security content of OS X Lion v10.7.2 and Security Update 2011-006

This document describes the security content of OS X Lion v10.7.2 and Security Update 2011-006.

This document describes the security content of OS X Lion v10.7.2 and Security Update 2011-006, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates".
 

OS X Lion v10.7.2 and Security Update 2011-006

  • Apache

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Multiple vulnerabilities in Apache

    Description: Apache is updated to version 2.2.20 to address several vulnerabilities, the most serious of which may lead to a denial of service. CVE-2011-0419 does not affect OS X Lion systems. Further information is available via the Apache web site at http://httpd.apache.org/

    CVE-ID

    CVE-2011-0419

    CVE-2011-3192

  • Application Firewall

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Executing a binary with a maliciously crafted name may lead to arbitrary code execution with elevated privileges

    Description: A format string vulnerability existed in Application Firewall's debug logging.

    CVE-ID

    CVE-2011-0185 : an anonymous reporter

  • ATS

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution

    Description: A signedness issue existed in ATS' handling of Type 1 fonts. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3437

  • ATS

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution

    Description: An out of bounds memory access issue existed in ATS' handling of Type 1 fonts. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0229 : Will Dormann of the CERT/CC

  • ATS

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Applications which use the ATSFontDeactivate API may be vulnerable to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow issue existed in the ATSFontDeactivate API.

    CVE-ID

    CVE-2011-0230 : Steven Michaud of Mozilla

  • BIND

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Multiple vulnerabilities in BIND 9.7.3

    Description: Multiple denial of service issues existed in BIND 9.7.3. These issues are addressed by updating BIND to version 9.7.3-P3.

    CVE-ID

    CVE-2011-1910

    CVE-2011-2464

  • BIND

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Multiple vulnerabilities in BIND

    Description: Multiple denial of service issues existed in BIND. These issues are addressed by updating BIND to version 9.6-ESV-R4-P3.

    CVE-ID

    CVE-2009-4022

    CVE-2010-0097

    CVE-2010-3613

    CVE-2010-3614

    CVE-2011-1910

    CVE-2011-2464

  • Certificate Trust Policy

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1.

    Impact: Root certificates have been updated

    Description: Several trusted certificates were added to the list of system roots. Several existing certificates were updated to their most recent version. The complete list of recognized system roots may be viewed via the Keychain Access application.

  • CFNetwork

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Safari may store cookies it is not configured to accept

    Description: A synchronization issue existed in CFNetwork's handling of cookie policies. Safari's cookie preferences may not be honored, allowing websites to set cookies that would be blocked were the preference enforced. This update addresses the issue through improved handling of cookie storage.

    CVE-ID

    CVE-2011-0231 : Martin Tessarek, Steve Riggins of Geeks R Us, Justin C. Walker, and Stephen Creswell

  • CFNetwork

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information

    Description: An issue existed in CFNetwork's handling of HTTP cookies. When accessing a maliciously crafted HTTP or HTTPS URL, CFNetwork could incorrectly send the cookies for a domain to a server outside that domain. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3246 : Erling Ellingsen of Facebook

  • CoreFoundation

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue existed in CoreFoundation's handling of string tokenization. This issue does not affect OS X Lion systems. This update addresses the issue through improved bounds checking.

    CVE-ID

    CVE-2011-0259 : Apple

  • CoreMedia

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Visiting a maliciously crafted website may lead to the disclosure of video data from another site

    Description: A cross-origin issue existed in CoreMedia's handling of cross-site redirects. This issue is addressed through improved origin tracking.

    CVE-ID

    CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)

  • CoreMedia

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: Multiple memory corruption issues existed in the handling of QuickTime movie files. These issues do not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0224 : Apple

  • CoreProcesses

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: A person with physical access to a system may partially bypass the screen lock

    Description: A system window, such as a VPN password prompt, that appeared while the screen was locked may have accepted keystrokes while the screen was locked. This issue is addressed by preventing system windows from requesting keystrokes while the screen is locked. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-0260 : Clint Tseng of the University of Washington, Michael Kobb, and Adam Kemp

  • CoreStorage

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Converting to FileVault does not erase all existing data

    Description: After enabling FileVault, approximately 250MB at the start of the volume was left unencrypted on the disk in an unused area. Only data which was present on the volume before FileVault was enabled was left unencrypted. This issue is addressed by erasing this area when enabling FileVault, and on the first use of an encrypted volume affected by this issue. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3212 : Judson Powers of ATC-NY

  • File Systems

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: An attacker in a privileged network position may manipulate HTTPS server certificates, leading to the disclosure of sensitive information

    Description: An issue existed in the handling of WebDAV volumes on HTTPS servers. If the server presented a certificate chain that could not be automatically verified, a warning was displayed and the connection was closed. If the user clicked the "Continue" button in the warning dialog, any certificate was accepted on the following connection to that server. An attacker in a privileged network position may have manipulated the connection to obtain sensitive information or take action on the server on the user's behalf. This update addresses the issue by validating that the certificate received on the second connection is the same certificate originally presented to the user.

    CVE-ID

    CVE-2011-3213 : Apple

  • IOGraphics

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: A person with physical access may be able to bypass the screen lock

    Description: An issue existed with the screen lock when used with Apple Cinema Displays. When a password is required to wake from sleep, a person with physical access may be able to access the system without entering a password if the system is in display sleep mode. This update addresses the issue by ensuring that the lock screen is correctly activated in display sleep mode. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-3214 : Apple

  • iChat Server

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: A remote attacker may cause the Jabber server to consume system resources disproportionately

    Description: An issue existed in the handling of XML external entities in jabberd2, a server for the Extensible Messaging and Presence Protocol (XMPP). jabberd2 expands external entities in incoming requests. This allows an attacker to consume system resources very quickly, denying service to legitimate users of the server. This update addresses the issue by disabling entity expansion in incoming requests.

    CVE-ID

    CVE-2011-1755

  • Kernel

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: A person with physical access may be able to access the user's password

    Description: A logic error in the kernel's DMA protection permitted firewire DMA at loginwindow, boot, and shutdown, although not at screen lock. This update addresses the issue by preventing firewire DMA at all states where the user is not logged in.

    CVE-ID

    CVE-2011-3215 : Passware, Inc.

  • Kernel

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: An unprivileged user may be able to delete another user's files in a shared directory

    Description: A logic error existed in the kernel's handling of file deletions in directories with the sticky bit.

    CVE-ID

    CVE-2011-3216 : Gordon Davisson of Crywolf, Linc Davis, R. Dormer, and Allan Schmid and Oliver Jeckel of brainworks Training

  • libsecurity

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution

    Description: An error handling issue existed when parsing a nonstandard certificate revocation list extension.

    CVE-ID

    CVE-2011-3227 : Richard Godbee of Virginia Tech

  • Mailman

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Multiple vulnerabilities in Mailman 2.1.14

    Description: Multiple cross-site scripting issues existed in Mailman 2.1.14. These issues are addressed by improved encoding of characters in HTML output. Further information is available via the Mailman site at http://mail.python.org/pipermail/mailman-announce/2011-February/000158.html This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0707

  • MediaKit

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Opening a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution

    Description: Multiple memory corruption issues existed in the handling of disk images. These issues do not affect OS X Lion systems.

    CVE-ID

    CVE-2011-3217 : Apple

  • Open Directory

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Any user may read another local user's password data

    Description: An access control issue existed in Open Directory. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3435 : Arek Dreyer of Dreyer Network Consultants, Inc, and Patrick Dunstan at defenseindepth.net

  • Open Directory

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: An authenticated user may change that account's password without providing the current password

    Description: An access control issue existed in Open Directory. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3436 : Patrick Dunstan at defenceindepth.net

  • Open Directory

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: A user may be able to log in without a password

    Description: When Open Directory is bound to an LDAPv3 server using RFC2307 or custom mappings, such that there is no AuthenticationAuthority attribute for a user, an LDAP user may be allowed to log in without a password. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3226 : Jeffry Strunk of The University of Texas at Austin, Steven Eppler of Colorado Mesa University, Hugh Cole-Baker, and Frederic Metoz of Institut de Biologie Structurale

  • PHP

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

    Description: A signedness issue existed in FreeType's handling of Type 1 fonts. This issue is addressed by updating FreeType to version 2.4.6. This issue does not affect systems prior to OS X Lion. Further information is available via the FreeType site at http://www.freetype.org/

    CVE-ID

    CVE-2011-0226

  • PHP

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Multiple vulnerabilities in libpng 1.4.3

    Description: libpng is updated to version 1.5.4 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html

    CVE-ID

    CVE-2011-2690

    CVE-2011-2691

    CVE-2011-2692

  • PHP

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Multiple vulnerabilities in PHP 5.3.4

    Description: PHP is updated to version 5.3.6 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. This issues do not affect OS X Lion systems. Further information is available via the PHP website at http://www.php.net/

    CVE-ID

    CVE-2010-3436

    CVE-2010-4645

    CVE-2011-0420

    CVE-2011-0421

    CVE-2011-0708

    CVE-2011-1092

    CVE-2011-1153

    CVE-2011-1466

    CVE-2011-1467

    CVE-2011-1468

    CVE-2011-1469

    CVE-2011-1470

    CVE-2011-1471

  • postfix

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Multiple vulnerabilities in Postfix

    Description: Postfix is updated to version 2.5.14 to address multiple vulnerabilities, the most serious of which may allow an attacker in a privileged network position to manipulate the mail session to obtain sensitive information from the encrypted traffic. These issues should not affect OS X Lion systems. More information is available via the Postfix site at http://www.postfix.org/announcements/postfix-2.7.3.html

    CVE-ID

    CVE-2011-0411

    CVE-2011-1720

  • python

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Multiple vulnerabilities in python

    Description: Multiple vulnerabilities existed in python, the most serious of which may lead to arbitrary code execution. This update addresses the issues by applying patches from the python project. Further information is available via the python site at http://www.python.org/download/releases/

    CVE-ID

    CVE-2010-1634

    CVE-2010-2089

    CVE-2011-1521

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: Multiple memory corruption issues existed in QuickTime's handling of movie files.

    CVE-ID

    CVE-2011-3228 : Apple

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow existed in the handling of STSC atoms in QuickTime movie files. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0249 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow existed in the handling of STSS atoms in QuickTime movie files. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0250 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow existed in the handling of STSZ atoms in QuickTime movie files. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0251 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow existed in the handling of STTS atoms in QuickTime movie files. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: An attacker in a privileged network position may inject script in the local domain when viewing template HTML

    Description: A cross-site scripting issue existed in QuickTime Player's "Save for Web" export. The template HTML files generated by this feature referenced a script file from a non-encrypted origin. An attacker in a privileged network position may be able to inject malicious scripts in the local domain if the user views a template file locally. This issue is resolved by removing the reference to an online script. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-3218 : Aaron Sigel of vtty.com

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow existed in QuickTime's handling of H.264 encoded movie files.

    CVE-ID

    CVE-2011-3219 : Damian Put working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Viewing a maliciously crafted movie file may lead to the disclosure of memory contents

    Description: An uninitialized memory access issue existed in QuickTime's handling of URL data handlers within movie files.

    CVE-ID

    CVE-2011-3220 : Luigi Auriemma working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: An implementation issue existed in QuickTime's handling of the atom hierarchy within a movie file.

    CVE-ID

    CVE-2011-3221 : an anonymous researcher working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Viewing a maliciously crafted FlashPix file may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow existed in QuickTime's handling of FlashPix files.

    CVE-ID

    CVE-2011-3222 : Damian Put working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow existed in QuickTime's handling of FLIC files.

    CVE-ID

    CVE-2011-3223 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative

  • SMB File Server

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: A guest user may browse shared folders

    Description: An access control issue existed in the SMB File Server. Disallowing guest access to the share point record for a folder prevented the '_unknown' user from browsing the share point but not guests (user 'nobody'). This issue is addressed by applying the access control to the guest user. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3225

  • Tomcat

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Multiple vulnerabilities in Tomcat 6.0.24

    Description: Tomcat is updated to version 6.0.32 to address multiple vulnerabilities, the most serious of which may lead to a cross site scripting attack. Tomcat is only provided on Mac OS X Server systems. This issue does not affect OS X Lion systems. Further information is available via the Tomcat site at http://tomcat.apache.org/

    CVE-ID

    CVE-2010-1157

    CVE-2010-2227

    CVE-2010-3718

    CVE-2010-4172

    CVE-2011-0013

    CVE-2011-0534

  • User Documentation

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: An attacker in a privileged network position may manipulate App Store help content, leading to arbitrary code execution

    Description: App Store help content was updated over HTTP. This update addresses the issue by updating App Store help content over HTTPS. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-3224 : Aaron Sigel of vtty.com and Brian Mastenbrook

  • Web Server

    Available for: Mac OS X Server v10.6.8

    Impact: Clients may be unable to access web services that require digest authentication

    Description: An issue in the handling of HTTP Digest authentication was addressed. Users may be denied access to the server's resources, when the server configuration should have allowed the access. This issue does not represent a security risk, and was addressed to facilitate the use of stronger authentication mechanisms. Systems running OS X Lion Server are not affected by this issue.

  • X11

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Multiple vulnerabilities in libpng

    Description: Multiple vulnerabilities existed in libpng, the most serious of which may lead to arbitrary code execution. These issues are addressed by updating libpng to version 1.5.4 on OS Lion systems, and to 1.2.46 on Mac OS X v10.6 systems. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html

    CVE-ID

    CVE-2011-2690

    CVE-2011-2691

    CVE-2011-2692

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: