
Secplicity - Security Simplified

Powered by WatchGuard Technologies

UPDATE: 2012's First OS X Update Corrects 52 Security Vulnerabilities

February 6, 2012 By Corey Nachreiner

Last week, Apple released an OS X update that fixed 52 security vulnerabilities. However, customers have reported that the Snow Leopard (10.6.x) version of the update causes problems with Rosetta — a component that allows Intel Macs to run PowerPC programs. In response, Apple has revised their original advisory, and released a new version of the Snow Leopard update.

If you use Snow Leopard, and you downloaded Apple’s update on February 1, you should download the revised v1.1 update from the Apple Software Download page. Apple doesn’t appear to have changed the text on their download page to reflect this new version. However, they did share new checksums for the revised updates in their email security advisory. You can find those SHA-1 checksums below:

For Mac OS X v10.6.8

  • Download file name: SecUpd2012-001Snow.dmg
  • SHA-1 digest: 29218a1a28efecd15b3033922d71f0441390490a

For Mac OS X Server v10.6.8

  • Download file name: SecUpdSrvr2012-001.dmg
  • SHA-1 digest: 105bdebf2e07fc5c0127f482276ccb7b6b631199

For reference purposes, I’ve included our original OS X alert below.

Summary:

  • These vulnerabilities affect: All current versions of OS X 10.6.x (Snow Leopard) and OS X 10.7.x (Lion)
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into visiting a malicious web site, or into downloading and viewing various document or media files
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer
  • What to do: OS X administrators should download, test and install OS X 10.7.3 or Security Update 2012-001 as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes around 52 (number based on CVE-IDs) security issues in 27 components that ship as part of OS X or OS X Server, including Apache, QuickTime, and Time Machine. Some of the fixed vulnerabilities include:

  • Multiple ImageIO Buffer Overflow Vulnerabilities. ImageIO is one of the components that helps OS X handle various image file types. Unfortunately, it also suffers from various security vulnerabilities (including some buffer overflow vulnerabilities) involving the way it handles certain types of image files. Though these vulnerabilities differ technically, they generally share the same scope and impact. If an attacker can get a victim to view a specially crafted image file (perhaps hosted on a malicious website), he could exploit any of these flaws to either crash an application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. The affected image types include TIFF and PNG.
  • CoreAudio Buffer Overflow Vulnerability. CoreAudio is a component that helps OS X play audio content. It suffers from a buffer overflow vulnerability. By enticing you to play a specially crafted audio file, an attacker could exploit this flaw to either crash your system, or execute code with your privileges.
  • Several QuickTime Vulnerabilities. QuickTime is the popular video and media player that ships with OS X (and iTunes). QuickTime suffers from six security issues (number based on CVE-IDs) involving how it handles certain image and video files. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing a maliciously crafted image or video in QuickTime, she could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges.

Apple’s alert also describes many other code execution vulnerabilities, as well as some Denial of Service (DoS) flaws, elevation of privilege vulnerabilities, and information disclosure flaws. Components patched by this security update include:

  • Apache
  • ATS
  • CFNetwork
  • ColorSync
  • CoreAudio
  • CoreMedia
  • CoreText
  • CoreUI
  • curl
  • Data Security
  • dovecot
  • filecmds
  • ImageIO
  • Internet Sharing
  • Libinfo
  • libresolv
  • libsecurity
  • OpenGL
  • PHP
  • QuickTime
  • SquirrelMail
  • Subversion
  • Time Machine
  • Tomcat
  • WebDAV Sharing
  • Webmail
  • X11

Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.

Solution Path:

Apple has released OS X Security Update 2012-001 and OS X 10.7.3 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can, or let Apple’s automatic Software Update utility do it for you:

  • OS X Lion Update 10.7.3 (Client)
  • OS X Lion Update 10.7.3 (Client Combo)
  • OS X Lion Update 10.7.3 (Server)
  • OS X Lion Update 10.7.3 (Server) Combo
  • Security Update 2012-001 Server (Snow Leopard)
  • Security Update 2012-001 (Snow Leopard)

Note: Some of these updates are rather large (700MB or greater), and all require a reboot.

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

Status:

Apple has released updates to fix these flaws.

References:

  • February 2012 OS X Security Update

This alert was researched and written by Corey Nachreiner, CISSP. (@SecAdept)

Filed Under: Security Bytes Tagged With: Apple

Comments

  1. Francis says

    February 14, 2012 at 10:30 pm

    Good to know about the article
