-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0229
            Java for OS X 2013-001 and Mac OS X v10.6 Update 13
                             20 February 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Java
Publisher:        Apple
Operating System: OS X
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                  Modify Arbitrary Files          -- Remote/Unauthenticated
                  Delete Arbitrary Files          -- Remote/Unauthenticated
                  Denial of Service               -- Remote/Unauthenticated
                  Access Confidential Data        -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2013-1488 CVE-2013-1487 CVE-2013-1486
                  CVE-2013-1481 CVE-2013-1480 CVE-2013-1478
                  CVE-2013-1476 CVE-2013-1475 CVE-2013-1473
                  CVE-2013-0450 CVE-2013-0446 CVE-2013-0445
                  CVE-2013-0443 CVE-2013-0442 CVE-2013-0441
                  CVE-2013-0440 CVE-2013-0438 CVE-2013-0435
                  CVE-2013-0434 CVE-2013-0433 CVE-2013-0432
                  CVE-2013-0429 CVE-2013-0428 CVE-2013-0427
                  CVE-2013-0426 CVE-2013-0425 CVE-2013-0424
                  CVE-2013-0423 CVE-2013-0419 CVE-2013-0409
                  CVE-2013-0351 CVE-2012-3342 CVE-2012-3213

Reference:        ASB-2013.0025
                  ASB-2013.0013
                  ESB-2013.0144

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2013-02-19-1 Java for OS X 2013-001 and Mac OS X v10.6
Update 13

Java for OS X 2013-001 and Mac OS X v10.6 Update 13 is now available
and addresses the following:

Java
Available for:  OS X Lion v10.7 or later,
OS X Lion Server v10.7 or later, OS X Mountain Lion 10.8 or later
Impact:  Multiple vulnerabilities in Java 1.6.0_37
Description:  Multiple vulnerabilities existed in Java 1.6.0_37, the
most serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user.
These issues were addressed by updating to Java version 1.6.0_41. For
Mac OS X v10.6 systems, these issues were addressed in Java for Mac
OS X v10.6 Update 13. Further information is available via the Java
website at
http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html
CVE-ID
CVE-2012-3213
CVE-2012-3342
CVE-2013-0351
CVE-2013-0409
CVE-2013-0419
CVE-2013-0423
CVE-2013-0424
CVE-2013-0425
CVE-2013-0426
CVE-2013-0427
CVE-2013-0428
CVE-2013-0429
CVE-2013-0432
CVE-2013-0433
CVE-2013-0434
CVE-2013-0435
CVE-2013-0438
CVE-2013-0440
CVE-2013-0441
CVE-2013-0442
CVE-2013-0443
CVE-2013-0445
CVE-2013-0446
CVE-2013-0450
CVE-2013-1473
CVE-2013-1475
CVE-2013-1476
CVE-2013-1478
CVE-2013-1480
CVE-2013-1481

Java
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 or later, OS X Lion Server v10.7 or later,
OS X Mountain Lion 10.8 or later
Impact:  Multiple vulnerabilities in Java
Description:  Multiple vulnerabilities existed in Java, the most
serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user.
These issues were addressed by updating to Java version 1.6.0_41.
Further information is available via the Java website at
http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html
CVE-ID
CVE-2013-1486
CVE-2013-1487
CVE-2013-1488

Malware removal
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 or later, OS X Lion Server v10.7 or later,
OS X Mountain Lion 10.8 or later
Description:  This update runs a malware removal tool that will
remove the most common variants of malware. If malware is found, it
presents a dialog notifying the user that malware was removed. There
is no indication to the user if malware is not found. This update is
available for systems that installed Java 6.


Java for OS X 2013-001 and Java for Mac OS X 10.6 Update 13
may be obtained from the Software Update pane in System Preferences,
Mac App Store, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.6 systems
The download file is named: JavaForMacOSX10.6.Update13.dmg
Its SHA-1 digest is: 5327984bc0b300c237fe69cecf69513624f56b0e

For OS X Lion and Mountain Lion systems
The download file is named: JavaForOSX2013-001.dmg
Its SHA-1 digest is: 145d74354241cf2f567d2768bbd0a7185e7d308a

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
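
Added example (not part of Apple's advisory or AusCERT's bulletin): a Python sketch that reads the file-name/SHA-1 pairs in the form the advisory states them and checks a downloaded disk image against the published value. The function names are hypothetical, the stand-in file is constructed, and the comparison is only meaningful when the advisory text was obtained from an authenticated source such as the PGP-signed message.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# The two digest statements copied from the advisory text above.
ADVISORY_TEXT = """\
For Mac OS X v10.6 systems
The download file is named: JavaForMacOSX10.6.Update13.dmg
Its SHA-1 digest is: 5327984bc0b300c237fe69cecf69513624f56b0e

For OS X Lion and Mountain Lion systems
The download file is named: JavaForOSX2013-001.dmg
Its SHA-1 digest is: 145d74354241cf2f567d2768bbd0a7185e7d308a
"""

PAIR_RE = re.compile(
    r"The download file is named:\s*(?P<name>\S+)\s*\n"
    r"Its SHA-1 digest is:\s*(?P<sha1>[0-9a-fA-F]{40})\b"
)

def parse_digests(text):
    """Return {file name: lowercase SHA-1 hex} for each name/digest pair."""
    return {m["name"]: m["sha1"].lower() for m in PAIR_RE.finditer(text)}

def sha1_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large disk image is not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, digests):
    """Return 'match', 'mismatch', or 'unlisted' for the file at path."""
    expected = digests.get(Path(path).name)
    if expected is None:
        return "unlisted"  # never treat an unknown file name as verified
    return "match" if hmac.compare_digest(sha1_of(path), expected) else "mismatch"

if __name__ == "__main__":
    digests = parse_digests(ADVISORY_TEXT)
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in: same name as the real download, different bytes.
        fake = Path(tmp) / "JavaForOSX2013-001.dmg"
        fake.write_bytes(b"constructed sample, not the real disk image")
        print(fake.name, verify_download(fake, digests))  # mismatch
```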

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----