Summary:
- These vulnerabilities affect: All current versions of OS X 10.6.x (Snow Leopard) and OS X 10.7.x (Lion)
- How an attacker exploits them: Multiple vectors of attack, including enticing your users to visit a malicious web site, or into downloading and viewing various document or media files
- Impact: Various results; in the worst case, an attacker executes code on your user’s computer
- What to do: OS X administrators should download, test and install OS X 10.7.3 or Security Update 2012-001 as soon as possible, or let Apple’s Software updater do it for you.
Exposure:
Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes around 52 (number based on CVE-IDs) security issues in 27 components that ship as part of OS X or OS X Server, including Apache, Quicktime, and Time Machine. Some of the fixed vulnerabilities include:
- Multiple ImageIO Buffer Overflow Vulnerability. ImageIO is one of the components that helps OS X handle various image file types. Unfortunately, it also suffers from various security vulnerabilities (including some buffer overflow vulnerabilities) involving the way it handles certain types of image files. Though these vulnerabilities differ technically, they generally share the same scope and impact. If an attacker can get a victim to view a specially crafted image file (perhaps hosted on a malicious website), he could exploit any of these flaws to either crash an application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. The affected image types include TIFF and PNG.
- CoreAudio Buffer Overflow Vulnerability. CoreAudio is a component that helps OS X play audio content. It suffers from a buffer overflow vulnerability. By enticing you to play a specially crafted audio file, an attacker would exploit this flaw to either crash your system, or execute code with your privileges.
- Several Quicktime Vulnerabilities. Quicktime is the popular video and media player that ships with OS X (and iTunes). Quicktime suffers from six security issues (number based on CVE-IDs) involving how it handles certain image and video files. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing a maliciously crafted image or video in QuickTime, she could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges.
Apple’s alert also describes many other code execution vulnerabilities, as well as some Denial of Service (DoS) flaws, elevation of privilege vulnerabilities, and information disclosure flaws. Components patched by this security update include:
| Apache | ATS |
| CFNetwork | ColorSync |
| CoreAudio | CoreMedia |
| CoreText | CoreUI |
| curl | Data Security |
| dovecot | filecmds |
| ImageIO | Internet Sharing |
| Libinfo | libresolv |
| libsecurity | OpenGL |
| PHP | QuickTime |
| SquirrelMail | Subversion |
| Time Machine | Tomcat |
| WebDAV Sharing | Webmail |
| X11 |
Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.
Solution Path:
Apple has released OS X Security Update 2012-001 and OS X 10.7.3 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can, or let Apple’s automatic Software Update utility do it for you
- OS X Lion Update 10.7.3 (Client)
- OS X Lion Update 10.7.3 (Client Combo)
- OS X Lion Update 10.7.3 (Server)
- OS X Lion Update 10.7.3 (Server) Combo
- Security Update 2012-001 Server (Snow Leopard)
- Security Update 2012-001 (Snow Leopard)
Note: Some of these updates are rather large (700MB or greater), and all require a reboot.
For All Users:
These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.
Status:
Apple has released updates to fix these flaws.
References:
This alert was researched and written by Corey Nachreiner, CISSP. (@SecAdept)