Thursday, March 21, 2013

Lots Of Recent Apple Security Patches

--

While I was taking a break to get over a cold, Apple has provided lots of new security patches. Here is my summary:

I) Security Update 2013-001
(For Snow Leopard, Snow Leopard Server, Lion and Lion Server, included in OS X Mountain Lion Update 10.8.3)

Apple's security content document:

Summary: Seventeen CVE issues were patched, covering twenty-one security issues in OS X.

CVE IDs:
(I have arranged the list chronologically and collected together the affected parts of OS X as a contrast to Apple's listing)

CVE-2011-3058 - Cross-site scripting attacks on EUC-JP encoded websites; Affecting international components for Unicode.

CVE-2012-2088 - Memory corruption caused by a maliciously crafted image; Affecting IOAcceleratorFamily.

CVE-2012-3488,
CVE-2012-3489 - SQL privilege escalation and other issues; Affecting PostgreSQL.

CVE-2012-3525 - Jabber dialback result messages rerouted by a remote attacker, disclosing information; Affecting the Jabber Messages Server.

CVE-2012-3749 - Bypassing of ASLR (address space layout randomization) and kernel address information disclosure; Affecting Kernel.

CVE-2012-3756 - Maliciously crafted MP4 files causing a buffer overflow; Affecting QuickTime.

CVE-2013-0156 - Ruby on Rails issue allowing remote attacker arbitrary code execution via XML parameters; Affecting Podcast Producer Server, Profile Manager, Ruby and Wiki Server.

CVE-2013-0333 - Ruby on Rails issue allowing remote attacker arbitrary code execution via JSON data; Affecting Podcast Producer Server and Wiki Server.

CVE-2013-0963 - Bypass of certificate-based Apple ID authentication erroneously extending trust to a user; Affecting Identity Services.

CVE-2013-0966 - Attacker access to HTTP authentication protected directories via URIs containing ignorable Unicode character sequences; Affecting Apache.

CVE-2013-0967 - Maliciously crafted website Java Web Start application launching automatically despite the Java plug-in being disabled; Affects CoreTypes.

CVE-2013-0969 - VoiceOver allowed attacker with keyboard access to launch applications at the login window and modify the system configuration; Affecting Login Window.

CVE-2013-0970 - FaceTime:// URLs in Messages could be formatted to bypass the standard confirmation prompt and initiate a FaceTime call; Affecting Messages.

CVE-2013-0971 - Maliciously crafted PDFs could use ink annotations to cause memory management errors including unexpected application termination and arbitrary code execution; Affecting PDFKit.

CVE-2013-0973 - Plugins in Software Update's marketing text WebView could be used in a man-in-the-middle attack allowing arbitrary code execution; Affecting Software Update.

CVE-2013-0976 - Maliciously crafted images could cause unexpected system termination or arbitrary code execution; Affecting IOAcceleratorFamily.


II) OS X Mountain Lion Update 10.8.3
(Update and Combo Update)

Apple's security content document (same as above):

The security patch content is generally the same as Security Update 2013-001 and Safari 6.0.3.


III) Safari v6.0.3
(Included as part of OS X 10.8.3 and Security Update 2013-001)

Apple's security content document:

Summary: Seventeen security issues affecting WebKit.

CVE IDs:

CVE-2012-2824,
CVE-2012-2857,
CVE-2013-0948,
CVE-2013-0949,
CVE-2013-0950,
CVE-2013-0951,
CVE-2013-0952,
CVE-2013-0953,
CVE-2013-0954,
CVE-2013-0955,
CVE-2013-0956,
CVE-2013-0958,
CVE-2013-0959,
CVE-2013-0960,
CVE-2013-0961 - A maliciously crafted website could cause unexpected application termination or arbitrary code execution, aka bad memory management.

CVE-2012-2889 - A maliciously crafted website could use frame elements to allow a cross-site scripting attack.

CVE-2013-0962 - Pasting content on a malicious website could allow a cross-site scripting attack.


IV) iOS 6.1.3

Apple's security content document:

AHEM: Before I get into what this version of iOS fixes, I have to point out that iOS 6.1.3 allows yet-another passcode lock bypass. Sigh. This one enables anyone to use the phone for calls and provides access to the owner's photo gallery. That is all. But that is enough! Read about it and watch the break-in demonstration video at Sophos:


Summary: This update patched the screen lock bypass problem accessible via making an emergency call. The other five patches cover a variety of issues in WebKit, dyld, lockdownd, USB and the Kernel.

CVE-IDs:

CVE-2013-0912 - A maliciously crafted website could use SVG files to cause unexpected application termination or arbitrary code execution; Affects WebKit.

CVE-2013-0977 - Execution of unsigned code could result from incorrect handling of Mach-O executable files with overlapping segments; Affects dyld.

CVE-2013-0978 - The addresses of structures in the kernel were disclosed via an issue in the ARM prefetch abort handler; Affects Kernel.

CVE-2013-0979 - Able to change permissions on arbitrary files that included a symbolic link after restoring from a backup; Affects LockDown / lockdownd.

CVE-2013-0980 - Screen lock bypass via a logic error in the handling of emergency calls from the lock screen; Affects Passcode Lock.

CVE-2013-0981 - Execution of arbitrary code via an issue with pipe object pointers in the IOUSBDeviceFamily driver; Affects USB.


V) Apple TV v5.2.1

Apple's security content document:
About the security content of Apple TV 5.2.1

Summary: The three patched security flaws are, not surprisingly, also found in iOS 6.1.3.

CVE-IDs:

CVE-2013-0977 - Execution of unsigned code could result from incorrect handling of Mach-O executable files with overlapping segments.

CVE-2013-0978 - The addresses of structures in the kernel were disclosed via an issue in the ARM prefetch abort handler.

CVE-2013-0981 - Execution of arbitrary code via an issue with pipe object pointers in the IOUSBDeviceFamily driver.


General Conclusion: As I often say, bad memory management is the bane of modern coding. However, it's interesting to see a wide variety of issues addressed in these updates, not just memory management. Hopefully, this indicates few memory management problems remain in Apple's software, causing attention to turn to other aspects of Apple code.

