CIS CYBER SECURITY ADVISORIES

MS-ISAC CYBER SECURITY ADVISORY NUMBER:
2011-046

DATE(S) ISSUED:
06/24/2011

SUBJECT:
Multiple Vulnerabilities in Apple Mac OS X Could Allow Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been identified in Apple Mac OS X and Apple Mac OS X Server. These vulnerabilities may be exploited if a user visits or is redirected to a malicious web page, or opens a malicious file designed to take advantage of these vulnerabilities. Successful exploitation could result in an attacker gaining the same privileges as the logged-on user, causing a denial of service, or gaining access to sensitive information. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:

Mac OS X prior to 10.6.8

Mac OS X Server prior to 10.6.8

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:

Multiple vulnerabilities have been identified in Apple Mac OS X and Mac OS X Server. Most of these vulnerabilities may be exploited if a user visits or is redirected to a malicious web page, or opens a malicious file designed to take advantage of them; several network-facing issues (AirPort, FTP Server, Samba, servermgrd, Subversion) can be triggered by an attacker on the network without user interaction. Apple has identified the following vulnerabilities:

An out-of-bounds memory read issue affects AirPort in the handling of Wi-Fi frames. An attacker on the same Wi-Fi network can cause a vulnerable host to reboot.

App Store may log the user's Apple ID password to a local file.

A heap buffer overflow vulnerability affects ATS (Apple Type Services) when viewing a document that contains maliciously crafted TrueType fonts. An attacker can exploit this issue to execute arbitrary code.

An error-handling vulnerability affects the Certificate Trust Policy. If an Extended Validation (EV) certificate has no OCSP URL and CRL checking is enabled, the CRL is not checked, so a revoked certificate may be accepted as valid.
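The failure mode above is a decision-logic bug rather than a memory-safety one: the absence of one revocation source (the OCSP responder URL) ends the revocation check early, so the other enabled source (the CRL) is never consulted. The following is an added illustration, not Apple's code and not a description of Apple's fix: a minimal model of the flawed check next to a corrected version that runs every enabled method the certificate provides input for. The `Cert`/`Policy` types and function names are hypothetical, and treating an EV certificate with no revocation source at all as a hard failure is a hardening choice of this example.

```python
"""Revocation-check selection for an EV certificate (added illustration, hypothetical model)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    is_ev: bool                 # chains to an Extended Validation policy
    ocsp_url: Optional[str]     # OCSP responder from AuthorityInfoAccess, if any
    crl_url: Optional[str]      # CRL distribution point, if any


@dataclass
class Policy:
    ocsp_enabled: bool          # user/system setting: check OCSP
    crl_enabled: bool           # user/system setting: check CRLs


def checks_vulnerable(cert: Cert, policy: Policy) -> List[str]:
    """Models the flawed behaviour described in the advisory: for an EV cert the
    OCSP branch is taken first, and when there is no responder URL the error path
    returns immediately, so the CRL branch below is never reached."""
    checks: List[str] = []
    if cert.is_ev:
        if cert.ocsp_url is None:
            return checks          # BUG: 'no OCSP responder' treated as 'nothing to do'
        checks.append("ocsp")
    elif policy.ocsp_enabled and cert.ocsp_url:
        checks.append("ocsp")
    if policy.crl_enabled and cert.crl_url:
        checks.append("crl")
    return checks


def checks_fixed(cert: Cert, policy: Policy) -> List[str]:
    """Corrected selection: a missing OCSP URL only means OCSP is unavailable.
    Every enabled method whose input the certificate carries is still run, and an
    EV cert offering no revocation source at all is flagged instead of silently
    passing (hardening choice of this example)."""
    checks: List[str] = []
    if cert.ocsp_url and (policy.ocsp_enabled or cert.is_ev):
        checks.append("ocsp")
    if policy.crl_enabled and cert.crl_url:
        checks.append("crl")
    if cert.is_ev and not checks:
        checks.append("fail:no-revocation-source")
    return checks


if __name__ == "__main__":
    # Constructed sample certificate: EV, CRL distribution point present, no OCSP URL.
    ev_no_ocsp = Cert("CN=bank.example", True, None, "http://crl.example/ev.crl")
    strict = Policy(ocsp_enabled=True, crl_enabled=True)
    print("vulnerable:", checks_vulnerable(ev_no_ocsp, strict))   # []  -> revocation never checked
    print("fixed:     ", checks_fixed(ev_no_ocsp, strict))        # ['crl']
```

The practitioner's takeaway is the shape of the bug: any early `return` in a revocation path should be audited for what it skips, and a certificate that ends up with zero revocation checks should be a logged, visible outcome rather than the default "accept".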

An integer overflow vulnerability affects ColorSync when opening a maliciously crafted image with an embedded ColorSync profile. An attacker can exploit this issue to execute arbitrary code.

An off-by-one buffer overflow vulnerability affects CoreGraphics when viewing a maliciously crafted PDF file. An attacker can exploit this issue to execute arbitrary code.

A path validation issue exists in FTP Server. An attacker with FTP access may perform a recursive directory listing starting from the root of the file system, including directories that are not shared over FTP.

A heap buffer overflow vulnerability affects ImageIO when visiting a maliciously crafted website. An attacker can exploit this issue to execute arbitrary code.

A buffer overflow vulnerability affects International Components for Unicode (ICU) when handling uppercase strings. An attacker can exploit this issue to execute arbitrary code.

A null pointer dereference vulnerability affects the kernel when handling IPv6 socket options. A local attacker may be able to cause a system reset.

A denial of service vulnerability affects Libsystem when the glob(3) API is called with a pattern that comes from an untrusted source.

An information disclosure vulnerability affects libxslt when visiting a maliciously crafted website. An attacker can learn heap buffer addresses, which can aid the exploitation of memory corruption issues.

An information disclosure vulnerability affects MobileMe when mail requests are made over HTTP. An attacker with access to the network traffic may be able to capture a user's email aliases.

Multiple vulnerabilities affect the time zone tables in MySQL. An attacker can exploit these issues to execute arbitrary code.

Multiple vulnerabilities exist in OpenSSL. An attacker can exploit these issues to execute arbitrary code.

A directory traversal vulnerability affects GNU patch. Running patch on a maliciously crafted patch file may cause arbitrary files to be created or overwritten.

A memory corruption vulnerability affects Quick Look when viewing a maliciously crafted Microsoft Office file. An attacker can exploit this issue to execute arbitrary code.

An integer overflow vulnerability affects QuickTime when handling a maliciously crafted RIFF WAV file. An attacker can exploit this issue to execute arbitrary code.

A memory corruption vulnerability affects QuickTime when viewing a maliciously crafted movie file. An attacker can exploit this issue to execute arbitrary code.

An integer overflow vulnerability affects QuickTime when viewing a maliciously crafted movie file. An attacker can exploit this issue to execute arbitrary code.

A buffer overflow vulnerability affects QuickTime when viewing maliciously crafted PICT or JPEG images. An attacker can exploit this issue to execute arbitrary code.

A stack buffer overflow vulnerability affects Samba when SMB file sharing is enabled. A remote attacker can exploit this issue to execute arbitrary code.

A memory corruption vulnerability affects Samba when SMB file sharing is enabled. A remote attacker can exploit this issue to execute arbitrary code.

An information disclosure vulnerability affects servermgrd when its XML-RPC interface processes XML-RPC requests.

A denial of service vulnerability affects web-based Subversion hosts when processing lock tokens sent over HTTP.

Successful exploitation could result in an attacker gaining the same privileges as the logged-on user, causing a denial of service, or gaining access to sensitive information. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Apple to vulnerable systems immediately after appropriate testing.
  • Remind users not to download or open files from untrusted websites.
  • Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
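To verify the first recommendation across a fleet, a check on the reported product version is the quickest first pass. The following is an added example, not part of the advisory and not an Apple tool: it wraps `sw_vers -productVersion` and classifies a host on the 10.6 line as patched or vulnerable. It assumes the fix ships as Mac OS X 10.6.8 (the release documented in Apple's HT4723 reference above); hosts on any other release line are reported as "unknown", because on those lines the product version alone does not reveal whether a separately delivered security update is installed.

```python
"""Version check for the Mac OS X update referenced in this advisory (added example)."""
import subprocess
from typing import Tuple

# Assumption: first 10.6.x release containing the fix, per Apple HT4723.
FIXED_VERSION = (10, 6, 8)

# Constructed sample outputs for offline use (not captured from real hosts).
SAMPLE_OUTPUTS = ["10.6.7\n", "10.6.8\n", "10.5.8\n", "10.7\n"]


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.6.8\\n' -> (10, 6, 8); a two-component '10.7' is padded to (10, 7, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a sw_vers product version.
    Only the 10.6 line is decided; other lines cannot be judged by version alone."""
    version = parse_version(version_text)
    if version[:2] != FIXED_VERSION[:2]:
        return "unknown"
    return "patched" if version >= FIXED_VERSION else "vulnerable"


def local_product_version() -> str:
    """Ask the running host for its product version; '' when sw_vers is unavailable
    (for example when this script is run on a non-Mac system)."""
    try:
        result = subprocess.run(["sw_vers", "-productVersion"],
                                capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return ""
    return result.stdout


if __name__ == "__main__":
    for sample in SAMPLE_OUTPUTS:
        print(f"{sample.strip():>8} -> {assess(sample)}")
    live = local_product_version()
    if live:
        print(f"this host: {live.strip()} -> {assess(live)}")
```

Treat "unknown" as a prompt to check the installed security-update receipts rather than as a pass, and remember that a version check only confirms the OS update; the bundled server components (Samba, MySQL, Subversion) are fixed by the same update, but a host that was re-imaged or rolled back can drift.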

REFERENCES:

Apple:
http://support.apple.com/kb/HT4723

SecurityFocus:
http://www.securityfocus.com/bid/48412
http://www.securityfocus.com/bid/48416
http://www.securityfocus.com/bid/48415
http://www.securityfocus.com/bid/48419
http://www.securityfocus.com/bid/48420
http://www.securityfocus.com/bid/48418
http://www.securityfocus.com/bid/48422

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2632
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3677
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3682
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3833
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3836
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4651
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0014
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0208
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0211
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0212
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0715
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0719
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1132