var-201103-0276
Vulnerability from variot
Multiple buffer overflows in Apple Type Services (ATS) in Apple Mac OS X before 10.6.7 allow remote attackers to execute arbitrary code via a document that contains a crafted embedded Type 1 font. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within how the Type1Scaler library processes a specially formatted compact font file. When processing this file, the application will corrupt memory outside the bounds of an allocated buffer. This can lead to code execution under the context of the application that utilizes the library. Apple Mac OS X is prone to multiple buffer-overflow vulnerabilities because it fails to properly bounds check user-supplied input. Failed exploit attempts will result in a denial-of-service condition. Versions prior to OS X 10.6.7 are vulnerable. NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it. Apple Mac OS X is the American Apple ( Apple ) company for Mac A set of special operating systems developed by computers. ZDI-11-108: Mac OS X Compact Font Format Decoder Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-108
March 22, 2011
-- CVE ID: CVE-2011-0176
-- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors: Apple
-- Affected Products: Apple Preview
-- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10952.
-- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at:
http://support.apple.com/kb/HT4581
-- Disclosure Timeline: 2010-12-01 - Vulnerability reported to vendor 2011-03-22 - Coordinated public release of advisory
-- Credit: This vulnerability was discovered by: * geekable
-- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
. ----------------------------------------------------------------------
Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March).
http://secunia.com/company/events/mms_2011/
TITLE: Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA43814
VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43814/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
RELEASE DATE: 2011-03-22
DISCUSS ADVISORY: http://secunia.com/advisories/43814/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s)
http://secunia.com/advisories/43814/
ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.
1) A divide-by-zero error in AirPort when handling Wi-Fi frames can be exploited to cause a system reset.
2) Multiple vulnerabilities in Apache can be exploited by malicious people to disclose potentially sensitive information and by malicious users and malicious people to cause a DoS (Denial of Service).
For more information: SA40206
3) A format string error within AppleScript Studio when handling certain commands via dialogs can be exploited to potentially execute arbitrary code.
8) An integer overflow error in bzip2 can be exploited to terminate an application using the library or execute arbitrary code via a specially crafted archive.
For more information: SA41452
9) An error within the "FSFindFolder()" API in CarbonCore when used with the "kTemporaryFolderType" flag can be exploited to disclose the contents of arbitrary directories.
10) Multiple errors in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
For more information: SA41503 SA42426
11) An unspecified error in the handling of embedded fonts in CoreText can be exploited to corrupt memory when a specially crafted document is viewed or downloaded.
12) An integer overflow error within the handling of the F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be exploited to read arbitrary files.
13) An error in ImageIO within the handling of JPEG files can be exploited to cause a heap-based buffer overflow.
15) An error in libTIFF within the handling of JPEG encoded TIFF files can be exploited to cause a buffer overflow.
16) An error in libTIFF within the handling of CCITT Group 4 encoded TIFF files can be exploited to cause a buffer overflow.
17) An integer overflow error in ImageIO within the handling of JPEG encoded TIFF files can be exploited to potentially execute arbitrary code.
18) Multiple errors in Image RAW when handling Canon RAW image files can be exploited to cause buffer overflows.
19) An error in the Install Helper when handling URLs can be exploited to install an arbitrary agent by tricking the user into visiting a malicious website.
20) Multiple errors in Kerberos can be exploited by malicious users and malicious people to conduct spoofing attacks and bypass certain security features.
22) An integer truncation error within Libinfo when handling NFS RPC packets can be exploited to cause NFS RPC services to become unresponsive.
23) An error exists in the libxml library when traversing the XPath.
For more information: SA42175
24) A double free error exists in the libxml library when handling XPath expressions.
For more information: SA42721
25) Two errors in Mailman can be exploited by malicious users to conduct script insertion attacks.
For more information: SA41265
26) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions and by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
For more information: SA39573 SA41724
27) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions.
For more information: SA41724
28) An error in the OfficeImport framework when processing records containing formulas shared between multiple cells can be exploited to corrupt memory and potentially execute arbitrary code.
29) An error in QuickLook when handling certain Microsoft Office files can be exploited to corrupt memory when a specially crafted document is downloaded.
30) Multiple unspecified errors in QuickTime when handling JPEG2000, FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to corrupt memory via specially crafted files.
31) An integer overflow error in QuickTime when handling certain movie files can be exploited to potentially execute arbitrary code when a specially crafted file is viewed.
32) An error within QuickTime plug-in when handling cross-site redirects can be exploited to disclose video data.
33) An integer truncation error within the Ruby BigDecimal class can be exploited to potentially execute arbitrary code.
This vulnerability only affects 64-bit Ruby processes.
34) A boundary error in Samba can be exploited by malicious people to potentially compromise a vulnerable system.
For more information: SA41354
35) A security issue in Subversion can be exploited by malicious people to bypass certain security restrictions.
For more information: SA41652
36) A weakness in Terminal uses SSH version 1 as the default protocol version when using ssh via the "New Remote Connection" dialog.
37) Some vulnerabilities in FreeType can be exploited to cause a DoS (Denial of Service) or potentially compromise an application using the library.
For more information: SA41738
SOLUTION: Update to version 10.6.7 or apply Security Update 2011-001.
PROVIDED AND/OR DISCOVERED BY: 15, 16, 33) Reported by the vendor.
The vendor credits: 3) Alexander Strange. 5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis Ormandy and Will Drewry of Google Security Team. 6) Felix Grobert, Google Security Team and geekable via ZDI. 7) Marc Schoenefeld, Red Hat Security Response Team. 11) Christoph Diehl, Mozilla. 12) Dan Rosenberg, Virtual Security Research. 13) Andrzej Dyjak via iDefense. 14) Harry Sintonen. 17) Dominic Chell, NGS Secure. 18) Paul Harrington, NGS Secure. 19) Aaron Sigel, vtty.com. 21) Jeff Mears. 22) Peter Schwenk, University of Delaware. 28) Tobias Klein via iDefense. 29) Charlie Miller and Dion Blazakis via ZDI. 30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability Discovery Team. 31) Honggang Ren, Fortinet's FortiGuard Labs. 32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR). 36) Matt Warren, HNW Inc.
ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4581
iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898
OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/
DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/
EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/
About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Show details on source website
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201103-0276",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "mac os x",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.6.3"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.6.2"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.6.4"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.6.1"
},
{
"model": "mac os x server",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.6.2"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.6.5"
},
{
"model": "mac os x server",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.6.1"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.6.0"
},
{
"model": "mac os x server",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.6.0"
},
{
"model": "mac os x server",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.6.5"
},
{
"model": "mac os x server",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.6.4"
},
{
"model": "mac os x server",
"scope": "lte",
"trust": 1.0,
"vendor": "apple",
"version": "10.6.6"
},
{
"model": "mac os x server",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.6.3"
},
{
"model": "mac os x",
"scope": "lte",
"trust": 1.0,
"vendor": "apple",
"version": "10.6.6"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "v10.6 to v10.6.6"
},
{
"model": "mac os x server",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "v10.6 to v10.6.6"
},
{
"model": "preview",
"scope": null,
"trust": 0.7,
"vendor": "apple",
"version": null
},
{
"model": "mac os x",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "10.6.6"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.6"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.5"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.4"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.3"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.2"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.1"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.5"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.4"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.3"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.2"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6"
},
{
"model": "mac os server",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.7"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-11-108"
},
{
"db": "BID",
"id": "46971"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-001402"
},
{
"db": "CNNVD",
"id": "CNNVD-201103-287"
},
{
"db": "NVD",
"id": "CVE-2011-0176"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:apple:mac_os_x",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:apple:mac_os_x_server",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2011-001402"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "geekable",
"sources": [
{
"db": "ZDI",
"id": "ZDI-11-108"
}
],
"trust": 0.7
},
"cve": "CVE-2011-0176",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2011-0176",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "ZDI",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CVE-2011-0176",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "HIGH",
"trust": 0.7,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-48121",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2011-0176",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2011-0176",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2011-0176",
"trust": 0.7,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201103-287",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-48121",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-11-108"
},
{
"db": "VULHUB",
"id": "VHN-48121"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-001402"
},
{
"db": "CNNVD",
"id": "CNNVD-201103-287"
},
{
"db": "NVD",
"id": "CVE-2011-0176"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Multiple buffer overflows in Apple Type Services (ATS) in Apple Mac OS X before 10.6.7 allow remote attackers to execute arbitrary code via a document that contains a crafted embedded Type 1 font. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within how the Type1Scaler library processes a specially formatted compact font file. When processing this file, the application will corrupt memory outside the bounds of an allocated buffer. This can lead to code execution under the context of the application that utilizes the library. Apple Mac OS X is prone to multiple buffer-overflow vulnerabilities because it fails to properly bounds check user-supplied input. Failed exploit attempts will result in a denial-of-service condition. \nVersions prior to OS X 10.6.7 are vulnerable. \nNOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it. Apple Mac OS X is the American Apple ( Apple ) company for Mac A set of special operating systems developed by computers. ZDI-11-108: Mac OS X Compact Font Format Decoder Remote Code Execution Vulnerability\n\nhttp://www.zerodayinitiative.com/advisories/ZDI-11-108\n\nMarch 22, 2011\n\n-- CVE ID:\nCVE-2011-0176 \n\n-- CVSS:\n10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n-- Affected Vendors:\nApple\n\n-- Affected Products:\nApple Preview\n\n-- TippingPoint(TM) IPS Customer Protection:\nTippingPoint IPS customers have been protected against this\nvulnerability by Digital Vaccine protection filter ID 10952. \n\n-- Vendor Response:\nApple has issued an update to correct this vulnerability. More\ndetails can be found at:\n\nhttp://support.apple.com/kb/HT4581\n\n-- Disclosure Timeline:\n2010-12-01 - Vulnerability reported to vendor\n2011-03-22 - Coordinated public release of advisory\n\n-- Credit:\nThis vulnerability was discovered by:\n * geekable\n\n-- About the Zero Day Initiative (ZDI):\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \na best-of-breed model for rewarding security researchers for responsibly\ndisclosing discovered vulnerabilities. \n\nResearchers interested in getting paid for their security research\nthrough the ZDI can find more information and sign-up at:\n\n http://www.zerodayinitiative.com\n\nThe ZDI is unique in how the acquired vulnerability information is\nused. TippingPoint does not re-sell the vulnerability details or any\nexploit code. Instead, upon notifying the affected product vendor,\nTippingPoint provides its customers with zero day protection through\nits intrusion prevention technology. Explicit details regarding the\nspecifics of the vulnerability are not exposed to any parties until\nan official vendor patch is publicly available. Furthermore, with the\naltruistic aim of helping to secure a broader user base, TippingPoint\nprovides this vulnerability information confidentially to security\nvendors (including competitors) who have a vulnerability protection or\nmitigation product. \n\nOur vulnerability disclosure policy is available online at:\n\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\n\nFollow the ZDI on Twitter:\n\n http://twitter.com/thezdi\n. ----------------------------------------------------------------------\n\n\nMeet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). \n\nhttp://secunia.com/company/events/mms_2011/\n\n\n----------------------------------------------------------------------\n\nTITLE:\nApple Mac OS X Multiple Vulnerabilities\n\nSECUNIA ADVISORY ID:\nSA43814\n\nVERIFY ADVISORY:\nSecunia.com\nhttp://secunia.com/advisories/43814/\nCustomer Area (Credentials Required)\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=43814\n\nRELEASE DATE:\n2011-03-22\n\nDISCUSS ADVISORY:\nhttp://secunia.com/advisories/43814/#comments\n\nAVAILABLE ON SITE AND IN CUSTOMER AREA:\n * Last Update\n * Popularity\n * Comments\n * Criticality Level\n * Impact\n * Where\n * Solution Status\n * Operating System / Software\n * CVE Reference(s)\n\nhttp://secunia.com/advisories/43814/\n\nONLY AVAILABLE IN CUSTOMER AREA:\n * Authentication Level\n * Report Reliability\n * Secunia PoC\n * Secunia Analysis\n * Systems Affected\n * Approve Distribution\n * Remediation Status\n * Secunia CVSS Score\n * CVSS\n\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=43814\n\nONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:\n * AUTOMATED SCANNING\n\nhttp://secunia.com/vulnerability_scanning/personal/\nhttp://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/\n\nDESCRIPTION:\nApple has issued a security update for Mac OS X, which fixes multiple\nvulnerabilities. \n\n1) A divide-by-zero error in AirPort when handling Wi-Fi frames can\nbe exploited to cause a system reset. \n\n2) Multiple vulnerabilities in Apache can be exploited by malicious\npeople to disclose potentially sensitive information and by malicious\nusers and malicious people to cause a DoS (Denial of Service). \n\nFor more information:\nSA40206\n\n3) A format string error within AppleScript Studio when handling\ncertain commands via dialogs can be exploited to potentially execute\narbitrary code. \n\n8) An integer overflow error in bzip2 can be exploited to terminate\nan application using the library or execute arbitrary code via a\nspecially crafted archive. \n\nFor more information:\nSA41452\n\n9) An error within the \"FSFindFolder()\" API in CarbonCore when used\nwith the \"kTemporaryFolderType\" flag can be exploited to disclose the\ncontents of arbitrary directories. \n\n10) Multiple errors in ClamAV can be exploited by malicious people to\ncause a DoS (Denial of Service) and potentially compromise a\nvulnerable system. \n\nFor more information:\nSA41503\nSA42426\n\n11) An unspecified error in the handling of embedded fonts in\nCoreText can be exploited to corrupt memory when a specially crafted\ndocument is viewed or downloaded. \n\n12) An integer overflow error within the handling of the\nF_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be\nexploited to read arbitrary files. \n\n13) An error in ImageIO within the handling of JPEG files can be\nexploited to cause a heap-based buffer overflow. \n\n15) An error in libTIFF within the handling of JPEG encoded TIFF\nfiles can be exploited to cause a buffer overflow. \n\n16) An error in libTIFF within the handling of CCITT Group 4 encoded\nTIFF files can be exploited to cause a buffer overflow. \n\n17) An integer overflow error in ImageIO within the handling of JPEG\nencoded TIFF files can be exploited to potentially execute arbitrary\ncode. \n\n18) Multiple errors in Image RAW when handling Canon RAW image files\ncan be exploited to cause buffer overflows. \n\n19) An error in the Install Helper when handling URLs can be\nexploited to install an arbitrary agent by tricking the user into\nvisiting a malicious website. \n\n20) Multiple errors in Kerberos can be exploited by malicious users\nand malicious people to conduct spoofing attacks and bypass certain\nsecurity features. \n\n22) An integer truncation error within Libinfo when handling NFS RPC\npackets can be exploited to cause NFS RPC services to become\nunresponsive. \n\n23) An error exists in the libxml library when traversing the XPath. \n\nFor more information:\nSA42175\n\n24) A double free error exists in the libxml library when handling\nXPath expressions. \n\nFor more information:\nSA42721\n\n25) Two errors in Mailman can be exploited by malicious users to\nconduct script insertion attacks. \n\nFor more information:\nSA41265\n\n26) Multiple errors in PHP can be exploited by malicious users and\nmalicious people to bypass certain security restrictions and by\nmalicious people to cause a DoS (Denial of Service) and potentially\ncompromise a vulnerable system. \n\nFor more information:\nSA39573\nSA41724\n\n27) Multiple errors in PHP can be exploited by malicious users and\nmalicious people to bypass certain security restrictions. \n\nFor more information:\nSA41724\n\n28) An error in the OfficeImport framework when processing records\ncontaining formulas shared between multiple cells can be exploited to\ncorrupt memory and potentially execute arbitrary code. \n\n29) An error in QuickLook when handling certain Microsoft Office\nfiles can be exploited to corrupt memory when a specially crafted\ndocument is downloaded. \n\n30) Multiple unspecified errors in QuickTime when handling JPEG2000,\nFlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality)\nmovie files can be exploited to corrupt memory via specially crafted\nfiles. \n\n31) An integer overflow error in QuickTime when handling certain\nmovie files can be exploited to potentially execute arbitrary code\nwhen a specially crafted file is viewed. \n\n32) An error within QuickTime plug-in when handling cross-site\nredirects can be exploited to disclose video data. \n\n33) An integer truncation error within the Ruby BigDecimal class can\nbe exploited to potentially execute arbitrary code. \n\nThis vulnerability only affects 64-bit Ruby processes. \n\n34) A boundary error in Samba can be exploited by malicious people to\npotentially compromise a vulnerable system. \n\nFor more information:\nSA41354\n\n35) A security issue in Subversion can be exploited by malicious\npeople to bypass certain security restrictions. \n\nFor more information:\nSA41652\n\n36) A weakness in Terminal uses SSH version 1 as the default protocol\nversion when using ssh via the \"New Remote Connection\" dialog. \n\n37) Some vulnerabilities in FreeType can be exploited to cause a DoS\n(Denial of Service) or potentially compromise an application using\nthe library. \n\nFor more information:\nSA41738\n\nSOLUTION:\nUpdate to version 10.6.7 or apply Security Update 2011-001. \n\nPROVIDED AND/OR DISCOVERED BY:\n15, 16, 33) Reported by the vendor. \n\nThe vendor credits:\n3) Alexander Strange. \n5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security\nTeam, Marc Schoenefeld of Red Hat Security Response Team, and Tavis\nOrmandy and Will Drewry of Google Security Team. \n6) Felix Grobert, Google Security Team and geekable via ZDI. \n7) Marc Schoenefeld, Red Hat Security Response Team. \n11) Christoph Diehl, Mozilla. \n12) Dan Rosenberg, Virtual Security Research. \n13) Andrzej Dyjak via iDefense. \n14) Harry Sintonen. \n17) Dominic Chell, NGS Secure. \n18) Paul Harrington, NGS Secure. \n19) Aaron Sigel, vtty.com. \n21) Jeff Mears. \n22) Peter Schwenk, University of Delaware. \n28) Tobias Klein via iDefense. \n29) Charlie Miller and Dion Blazakis via ZDI. \n30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher\nvia ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability\nDiscovery Team. \n31) Honggang Ren, Fortinet\u0027s FortiGuard Labs. \n32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR). \n36) Matt Warren, HNW Inc. \n\nORIGINAL ADVISORY:\nApple:\nhttp://support.apple.com/kb/HT4581\n\niDefense:\nhttp://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898\n\nOTHER REFERENCES:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nDEEP LINKS:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED DESCRIPTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED SOLUTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXPLOIT:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\nprivate users keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2011-0176"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-001402"
},
{
"db": "ZDI",
"id": "ZDI-11-108"
},
{
"db": "BID",
"id": "46971"
},
{
"db": "VULHUB",
"id": "VHN-48121"
},
{
"db": "PACKETSTORM",
"id": "99601"
},
{
"db": "PACKETSTORM",
"id": "99616"
}
],
"trust": 2.79
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-48121",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-48121"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2011-0176",
"trust": 3.6
},
{
"db": "ZDI",
"id": "ZDI-11-108",
"trust": 1.1
},
{
"db": "JVNDB",
"id": "JVNDB-2011-001402",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-860",
"trust": 0.7
},
{
"db": "CNNVD",
"id": "CNNVD-201103-287",
"trust": 0.7
},
{
"db": "SECUNIA",
"id": "43814",
"trust": 0.7
},
{
"db": "APPLE",
"id": "APPLE-SA-2011-03-21-1",
"trust": 0.6
},
{
"db": "BID",
"id": "46971",
"trust": 0.4
},
{
"db": "PACKETSTORM",
"id": "99601",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-48121",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "99616",
"trust": 0.1
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-11-108"
},
{
"db": "VULHUB",
"id": "VHN-48121"
},
{
"db": "BID",
"id": "46971"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-001402"
},
{
"db": "PACKETSTORM",
"id": "99601"
},
{
"db": "PACKETSTORM",
"id": "99616"
},
{
"db": "CNNVD",
"id": "CNNVD-201103-287"
},
{
"db": "NVD",
"id": "CVE-2011-0176"
}
]
},
"id": "VAR-201103-0276",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-48121"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T19:49:10.611000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "HT4581",
"trust": 1.5,
"url": "http://support.apple.com/kb/HT4581"
},
{
"title": "HT4581",
"trust": 0.8,
"url": "http://support.apple.com/kb/HT4581?viewlocale=ja_JP"
},
{
"title": "JavaForMacOSX10.6",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=44376"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-11-108"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-001402"
},
{
"db": "CNNVD",
"id": "CNNVD-201103-287"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-48121"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-001402"
},
{
"db": "NVD",
"id": "CVE-2011-0176"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "http://support.apple.com/kb/ht4581"
},
{
"trust": 1.7,
"url": "http://lists.apple.com/archives/security-announce/2011/mar/msg00006.html"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-0176"
},
{
"trust": 0.8,
"url": "http://jvn.jp/cert/jvnvu636925"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-0176"
},
{
"trust": 0.6,
"url": "http://secunia.com/advisories/43814"
},
{
"trust": 0.3,
"url": "http://www.apple.com/macosx/"
},
{
"trust": 0.3,
"url": "http://www.zerodayinitiative.com/advisories/zdi-11-108/?utm_source=feedburner\u0026utm_medium=feed\u0026utm_campaign=feed%3a+zdi-published-advisories+%28zero+day+initiative+published+advisories%29"
},
{
"trust": 0.1,
"url": "http://www.zerodayinitiative.com/advisories/disclosure_policy/"
},
{
"trust": 0.1,
"url": "http://www.zerodayinitiative.com/advisories/zdi-11-108"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2011-0176"
},
{
"trust": 0.1,
"url": "http://twitter.com/thezdi"
},
{
"trust": 0.1,
"url": "http://www.tippingpoint.com"
},
{
"trust": 0.1,
"url": "http://www.zerodayinitiative.com"
},
{
"trust": 0.1,
"url": "http://secunia.com/products/corporate/evm/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/secunia_security_advisories/"
},
{
"trust": 0.1,
"url": "http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/"
},
{
"trust": 0.1,
"url": "http://secunia.com/company/events/mms_2011/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/43814/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/43814/#comments"
},
{
"trust": 0.1,
"url": "http://secunia.com/vulnerability_scanning/personal/"
},
{
"trust": 0.1,
"url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898"
},
{
"trust": 0.1,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.1,
"url": "https://ca.secunia.com/?page=viewadvisory\u0026vuln_id=43814"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/about_secunia_advisories/"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-11-108"
},
{
"db": "VULHUB",
"id": "VHN-48121"
},
{
"db": "BID",
"id": "46971"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-001402"
},
{
"db": "PACKETSTORM",
"id": "99601"
},
{
"db": "PACKETSTORM",
"id": "99616"
},
{
"db": "CNNVD",
"id": "CNNVD-201103-287"
},
{
"db": "NVD",
"id": "CVE-2011-0176"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-11-108"
},
{
"db": "VULHUB",
"id": "VHN-48121"
},
{
"db": "BID",
"id": "46971"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-001402"
},
{
"db": "PACKETSTORM",
"id": "99601"
},
{
"db": "PACKETSTORM",
"id": "99616"
},
{
"db": "CNNVD",
"id": "CNNVD-201103-287"
},
{
"db": "NVD",
"id": "CVE-2011-0176"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2011-03-22T00:00:00",
"db": "ZDI",
"id": "ZDI-11-108"
},
{
"date": "2011-03-23T00:00:00",
"db": "VULHUB",
"id": "VHN-48121"
},
{
"date": "2011-03-21T00:00:00",
"db": "BID",
"id": "46971"
},
{
"date": "2011-04-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2011-001402"
},
{
"date": "2011-03-22T20:31:19",
"db": "PACKETSTORM",
"id": "99601"
},
{
"date": "2011-03-22T09:25:41",
"db": "PACKETSTORM",
"id": "99616"
},
{
"date": "2011-03-24T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201103-287"
},
{
"date": "2011-03-23T02:00:04.143000",
"db": "NVD",
"id": "CVE-2011-0176"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2011-03-22T00:00:00",
"db": "ZDI",
"id": "ZDI-11-108"
},
{
"date": "2011-03-24T00:00:00",
"db": "VULHUB",
"id": "VHN-48121"
},
{
"date": "2015-03-19T08:34:00",
"db": "BID",
"id": "46971"
},
{
"date": "2011-04-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2011-001402"
},
{
"date": "2011-03-24T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201103-287"
},
{
"date": "2024-11-21T01:23:28.830000",
"db": "NVD",
"id": "CVE-2011-0176"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "99601"
},
{
"db": "CNNVD",
"id": "CNNVD-201103-287"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apple Mac OS X of Apple Type Services Vulnerable to buffer overflow",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2011-001402"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer overflow",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201103-287"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.