2012-001 v1.1 3 patches removed/security implications?

Besides finding out if this fixes all the problems for any PPC app affected, what I still want to know is since v1.1 reportedly removed the patches in the original for the three ImageIO vulnerabilities as the fix for the Rosetta problem, doesn't that leave us wide open now for those exploits? These looked kind of nasty. Nothing like having a little information about what's going on.


ImageIO

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow existed in ImageIO's handling of CCITT Group 4 encoded TIFF files. This issue does not affect OS X Lion systems.

CVE-ID: CVE-2011-0241: Cyril CATTIAUX of Tessi Technologies

-------------

ImageIO

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow existed in libtiff's handling of ThunderScan encoded TIFF images. This issue is addressed by updating libtiff to version 3.9.5.

CVE-ID: CVE-2011-1167

-------------

ImageIO

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2

Impact: Multiple vulnerabilities in libpng 1.5.4

Description: libpng is updated to version 1.5.5 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html

Posted on Feb 4, 2012 6:31 AM

Feb 4, 2012 7:16 AM in response to WZZZ

We were "wide open" to these issues before the security update so what's the problem? The bad guys were likely well aware of these holes long before the fixes were released. They always are. This is much ado about nothing in my opinion since this stuff has never made it to the world. IMHO the patches were removed as a quick fix for the problem at hand. Apple software engineers are probably working on fixes to the fixes to be released in a future update. So hand wringing does not apply here... and never has anyway.

Feb 4, 2012 7:37 AM in response to lkrupp

All that is supposition. I'm not as certain as you that these were already well known. How do you know that? I like to think these are exploits demonstrated only under laboratory conditions (as are most of the vulnerabilities patched in any security update). But another way of looking at this is that now it's widely publicized what these vulnerabilities are and that they are wide open.


BTW, I'm not doing any "hand wringing." I just want solid information and it doesn't look like any will be forthcoming from Apple.