A problem generated by mistakenly issued TURKTRUST certificates has been fixed

Mar 15, 2013 10:23 GMT

Apple has released Security Update 2013-001. The latest update addresses a total of 21 vulnerabilities and an issue related to the intermediate CA certificates mistakenly released by TURKTRUST.

The vulnerabilities patched by the company impact Mac OS X 10.6.8, OS X Lion 10.7 to 10.7.5, OS X Mountain Lion 10.8 to 10.8.2, Mac OS X Server 10.6.8, and OS X Lion Server 10.7 to 10.7.5.

The addressed flaws include two remote code execution vulnerabilities in Wiki Server, one in Profile Manager, one in Podcast Producer Server, and one in PDFKit.

Arbitrary code execution could have been possible, in certain circumstances, by exploiting an ImageIO vulnerability with a cleverly crafted TIFF file, or by leveraging a memory corruption issue in IOAcceleratorFamily.

Other vulnerabilities fixed by Apple with the first security update for 2013 include a canonicalization issue in Apache, a cross-site scripting bug in International Components for Unicode, and an information disclosure flaw in the kernel.

Clint Ruoho of Laconic Security, Masato Kinugawa, Mark Dowd of Azimuth Security, Eric Monti of Square, Aaron Sigel of vtty.com, Tobias Klein, Kevin Szkudlapski of QuarksLab, and Emilio Escobar have been credited with identifying the security holes.