This document describes the security content of OS X Lion v10.7.2 and Security Update 2011-006, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see 'How to use the Apple Product Security PGP Key.'
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see 'Apple Security Updates'.
OS X Lion v10.7.2 and Security Update 2011-006
- Apache
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Multiple vulnerabilities in Apache
  Description: Apache is updated to version 2.2.20 to address several vulnerabilities, the most serious of which may lead to a denial of service. CVE-2011-0419 does not affect OS X Lion systems. Further information is available via the Apache web site at http://httpd.apache.org/
  CVE-ID
  CVE-2011-0419
  CVE-2011-3192
- Application Firewall
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Executing a binary with a maliciously crafted name may lead to arbitrary code execution with elevated privileges
  Description: A format string vulnerability existed in Application Firewall's debug logging.
  CVE-ID
  CVE-2011-0185 : an anonymous reporter
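The bug class behind the Application Firewall entry, shown as an added C example that is not Apple's code and does not reproduce its implementation: a logging routine that passes an attacker-controlled string (here a binary name) as the printf format, beside the fixed form that uses a literal format and passes the name as a `%s` argument. The function names and the `exec:` prefix are assumptions; the vulnerable routine is only ever called with `%%`, whose interpretation is well defined, so the example runs safely while still proving the name is being parsed as a format.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the untrusted string IS the format. Any '%' directive
 * in the binary's name is interpreted: "%x" reads stack words, "%n" writes
 * to memory. The pragmas only silence the compiler warning that would
 * normally flag this line. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_exec_vulnerable(char *out, size_t n, const char *binary_name) {
    return snprintf(out, n, binary_name);
}
#pragma GCC diagnostic pop

/* Fixed: the format is a string literal; the name is only ever data. */
int log_exec_fixed(char *out, size_t n, const char *binary_name) {
    return snprintf(out, n, "exec: %s", binary_name);
}

int main(void) {
    char buf[64];

    /* Constructed inputs: a benign name and a name containing a directive. */
    log_exec_vulnerable(buf, sizeof buf, "ls");
    printf("vulnerable, benign name : \"%s\"\n", buf);

    /* "%%" collapses to "%": the logger parsed the name as a format string.
     * With "%x" or "%n" in the name the same code path leaks or corrupts memory. */
    log_exec_vulnerable(buf, sizeof buf, "%%");
    printf("vulnerable, \"%%%%\" name : \"%s\"\n", buf);

    /* The fixed logger reproduces the name byte-for-byte. */
    log_exec_fixed(buf, sizeof buf, "%%");
    printf("fixed, \"%%%%\" name      : \"%s\"\n", buf);
    return 0;
}
```

The fix is the same in every logging API that takes a format (syslog, asl_log, fprintf): never let data reach the format parameter. Compiling with `-Wformat-security` (or `-Werror=format-security`) catches the vulnerable call at build time, which is why the example has to suppress that warning explicitly.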
- ATS
  Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution
  Description: A signedness issue existed in ATS' handling of Type 1 fonts. This issue does not affect systems prior to OS X Lion.
  CVE-ID
  CVE-2011-3437
- ATS
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
  Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution
  Description: An out of bounds memory access issue existed in ATS' handling of Type 1 fonts. This issue does not affect OS X Lion systems.
  CVE-ID
  CVE-2011-0229 : Will Dormann of the CERT/CC
- ATS
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Applications which use the ATSFontDeactivate API may be vulnerable to an unexpected application termination or arbitrary code execution
  Description: A buffer overflow issue existed in the ATSFontDeactivate API.
  CVE-ID
  CVE-2011-0230 : Steven Michaud of Mozilla
- BIND
  Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Multiple vulnerabilities in BIND 9.7.3
  Description: Multiple denial of service issues existed in BIND 9.7.3. These issues are addressed by updating BIND to version 9.7.3-P3.
  CVE-ID
  CVE-2011-1910
  CVE-2011-2464
- BIND
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
  Impact: Multiple vulnerabilities in BIND
  Description: Multiple denial of service issues existed in BIND. These issues are addressed by updating BIND to version 9.6-ESV-R4-P3.
  CVE-ID
  CVE-2009-4022
  CVE-2010-0097
  CVE-2010-3613
  CVE-2010-3614
  CVE-2011-1910
  CVE-2011-2464
- Certificate Trust Policy
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Root certificates have been updated
  Description: Several trusted certificates were added to the list of system roots. Several existing certificates were updated to their most recent version. The complete list of recognized system roots may be viewed via the Keychain Access application.
- CFNetwork
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
  Impact: Safari may store cookies it is not configured to accept
  Description: A synchronization issue existed in CFNetwork's handling of cookie policies. Safari's cookie preferences may not be honored, allowing websites to set cookies that would be blocked were the preference enforced. This update addresses the issue through improved handling of cookie storage.
  CVE-ID
  CVE-2011-0231 : Martin Tessarek, Steve Riggins of Geeks R Us, Justin C. Walker, and Stephen Creswell
- CFNetwork
  Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information
  Description: An issue existed in CFNetwork's handling of HTTP cookies. When accessing a maliciously crafted HTTP or HTTPS URL, CFNetwork could incorrectly send the cookies for a domain to a server outside that domain. This issue does not affect systems prior to OS X Lion.
  CVE-ID
  CVE-2011-3246 : Erling Ellingsen of Facebook
- CoreFoundation
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
  Impact: Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution
  Description: A memory corruption issue existed in CoreFoundation's handling of string tokenization. This issue does not affect OS X Lion systems. This update addresses the issue through improved bounds checking.
  CVE-ID
  CVE-2011-0259 : Apple
- CoreMedia
  Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Visiting a maliciously crafted website may lead to the disclosure of video data from another site
  Description: A cross-origin issue existed in CoreMedia's handling of cross-site redirects. This issue is addressed through improved origin tracking.
  CVE-ID
  CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
- CoreMedia
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
  Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  Description: Multiple memory corruption issues existed in the handling of QuickTime movie files. These issues do not affect OS X Lion systems.
  CVE-ID
  CVE-2011-0224 : Apple
- CoreProcesses
  Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: A person with physical access to a system may partially bypass the screen lock
  Description: A system window, such as a VPN password prompt, that appeared while the screen was locked may have accepted keystrokes while the screen was locked. This issue is addressed by preventing system windows from requesting keystrokes while the screen is locked. This issue does not affect systems prior to OS X Lion.
  CVE-ID
  CVE-2011-0260 : Clint Tseng of the University of Washington, Michael Kobb, and Adam Kemp
- CoreStorage
  Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Converting to FileVault does not erase all existing data
  Description: After enabling FileVault, approximately 250MB at the start of the volume was left unencrypted on the disk in an unused area. Only data which was present on the volume before FileVault was enabled was left unencrypted. This issue is addressed by erasing this area when enabling FileVault, and on the first use of an encrypted volume affected by this issue. This issue does not affect systems prior to OS X Lion.
  CVE-ID
  CVE-2011-3212 : Judson Powers of ATC-NY
- File Systems
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: An attacker in a privileged network position may manipulate HTTPS server certificates, leading to the disclosure of sensitive information
  Description: An issue existed in the handling of WebDAV volumes on HTTPS servers. If the server presented a certificate chain that could not be automatically verified, a warning was displayed and the connection was closed. If the user clicked the 'Continue' button in the warning dialog, any certificate was accepted on the following connection to that server. An attacker in a privileged network position may have manipulated the connection to obtain sensitive information or take action on the server on the user's behalf. This update addresses the issue by validating that the certificate received on the second connection is the same certificate originally presented to the user.
  CVE-ID
  CVE-2011-3213 : Apple
- IOGraphics
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
  Impact: A person with physical access may be able to bypass the screen lock
  Description: An issue existed with the screen lock when used with Apple Cinema Displays. When a password is required to wake from sleep, a person with physical access may be able to access the system without entering a password if the system is in display sleep mode. This update addresses the issue by ensuring that the lock screen is correctly activated in display sleep mode. This issue does not affect OS X Lion systems.
  CVE-ID
  CVE-2011-3214 : Apple
- iChat Server
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: A remote attacker may cause the Jabber server to consume system resources disproportionately
  Description: An issue existed in the handling of XML external entities in jabberd2, a server for the Extensible Messaging and Presence Protocol (XMPP). jabberd2 expands external entities in incoming requests. This allows an attacker to consume system resources very quickly, denying service to legitimate users of the server. This update addresses the issue by disabling entity expansion in incoming requests.
  CVE-ID
  CVE-2011-1755
- Kernel
  Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: A person with physical access may be able to access the user's password
  Description: A logic error in the kernel's DMA protection permitted FireWire DMA at loginwindow, boot, and shutdown, although not at screen lock. This update addresses the issue by preventing FireWire DMA at all states where the user is not logged in.
  CVE-ID
  CVE-2011-3215 : Passware, Inc.
- Kernel
  Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: An unprivileged user may be able to delete another user's files in a shared directory
  Description: A logic error existed in the kernel's handling of file deletions in directories with the sticky bit.
  CVE-ID
  CVE-2011-3216 : Gordon Davisson of Crywolf, Linc Davis, R. Dormer, and Allan Schmid and Oliver Jeckel of brainworks Training
- libsecurity
  Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution
  Description: An error handling issue existed when parsing a nonstandard certificate revocation list extension.
  CVE-ID
  CVE-2011-3227 : Richard Godbee of Virginia Tech
- Mailman
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
  Impact: Multiple vulnerabilities in Mailman 2.1.14
  Description: Multiple cross-site scripting issues existed in Mailman 2.1.14. These issues are addressed by improved encoding of characters in HTML output. Further information is available via the Mailman site at http://mail.python.org/pipermail/mailman-announce/2011-February/000158.html This issue does not affect OS X Lion systems.
  CVE-ID
  CVE-2011-0707
- MediaKit
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
  Impact: Opening a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution
  Description: Multiple memory corruption issues existed in the handling of disk images. These issues do not affect OS X Lion systems.
  CVE-ID
  CVE-2011-3217 : Apple
- Open Directory
  Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Any user may read another local user's password data
  Description: An access control issue existed in Open Directory. This issue does not affect systems prior to OS X Lion.
  CVE-ID
  CVE-2011-3435 : Arek Dreyer of Dreyer Network Consultants, Inc, and Patrick Dunstan at defenceindepth.net
- Open Directory
  Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: An authenticated user may change that account's password without providing the current password
  Description: An access control issue existed in Open Directory. This issue does not affect systems prior to OS X Lion.
  CVE-ID
  CVE-2011-3436 : Patrick Dunstan at defenceindepth.net
- Open Directory
  Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: A user may be able to log in without a password
  Description: When Open Directory is bound to an LDAPv3 server using RFC2307 or custom mappings, such that there is no AuthenticationAuthority attribute for a user, an LDAP user may be allowed to log in without a password. This issue does not affect systems prior to OS X Lion.
  CVE-ID
  CVE-2011-3226 : Jeffry Strunk of The University of Texas at Austin, Steven Eppler of Colorado Mesa University, Hugh Cole-Baker, and Frederic Metoz of Institut de Biologie Structurale
- PHP
  Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
  Description: A signedness issue existed in FreeType's handling of Type 1 fonts. This issue is addressed by updating FreeType to version 2.4.6. This issue does not affect systems prior to OS X Lion. Further information is available via the FreeType site at http://www.freetype.org/
  CVE-ID
  CVE-2011-0226
- PHP
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Multiple vulnerabilities in libpng 1.4.3
  Description: libpng is updated to version 1.5.4 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html
  CVE-ID
  CVE-2011-2690
  CVE-2011-2691
  CVE-2011-2692
- PHP
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
  Impact: Multiple vulnerabilities in PHP 5.3.4
  Description: PHP is updated to version 5.3.6 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. These issues do not affect OS X Lion systems. Further information is available via the PHP website at http://www.php.net/
  CVE-ID
  CVE-2010-3436
  CVE-2010-4645
  CVE-2011-0420
  CVE-2011-0421
  CVE-2011-0708
  CVE-2011-1092
  CVE-2011-1153
  CVE-2011-1466
  CVE-2011-1467
  CVE-2011-1468
  CVE-2011-1469
  CVE-2011-1470
  CVE-2011-1471
- postfix
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
  Impact: Multiple vulnerabilities in Postfix
  Description: Postfix is updated to version 2.5.14 to address multiple vulnerabilities, the most serious of which may allow an attacker in a privileged network position to manipulate the mail session to obtain sensitive information from the encrypted traffic. These issues should not affect OS X Lion systems. More information is available via the Postfix site at http://www.postfix.org/announcements/postfix-2.7.3.html
  CVE-ID
  CVE-2011-0411
  CVE-2011-1720
- python
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Multiple vulnerabilities in python
  Description: Multiple vulnerabilities existed in python, the most serious of which may lead to arbitrary code execution. This update addresses the issues by applying patches from the python project. Further information is available via the python site at http://www.python.org/download/releases/
  CVE-ID
  CVE-2010-1634
  CVE-2010-2089
  CVE-2011-1521
- QuickTime
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  Description: Multiple memory corruption issues existed in QuickTime's handling of movie files.
  CVE-ID
  CVE-2011-3228 : Apple
- QuickTime
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
  Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  Description: A heap buffer overflow existed in the handling of STSC atoms in QuickTime movie files. This issue does not affect OS X Lion systems.
  CVE-ID
  CVE-2011-0249 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative
- QuickTime
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
  Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  Description: A heap buffer overflow existed in the handling of STSS atoms in QuickTime movie files. This issue does not affect OS X Lion systems.
  CVE-ID
  CVE-2011-0250 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative
- QuickTime
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
  Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  Description: A heap buffer overflow existed in the handling of STSZ atoms in QuickTime movie files. This issue does not affect OS X Lion systems.
  CVE-ID
  CVE-2011-0251 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative
- QuickTime
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
  Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  Description: A heap buffer overflow existed in the handling of STTS atoms in QuickTime movie files. This issue does not affect OS X Lion systems.
  CVE-ID
  CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative
- QuickTime
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
  Impact: An attacker in a privileged network position may inject script in the local domain when viewing template HTML
  Description: A cross-site scripting issue existed in QuickTime Player's 'Save for Web' export. The template HTML files generated by this feature referenced a script file from a non-encrypted origin. An attacker in a privileged network position may be able to inject malicious scripts in the local domain if the user views a template file locally. This issue is resolved by removing the reference to an online script. This issue does not affect OS X Lion systems.
  CVE-ID
  CVE-2011-3218 : Aaron Sigel of vtty.com
- QuickTime
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  Description: A buffer overflow existed in QuickTime's handling of H.264 encoded movie files.
  CVE-ID
  CVE-2011-3219 : Damian Put working with TippingPoint's Zero Day Initiative
- QuickTime
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Viewing a maliciously crafted movie file may lead to the disclosure of memory contents
  Description: An uninitialized memory access issue existed in QuickTime's handling of URL data handlers within movie files.
  CVE-ID
  CVE-2011-3220 : Luigi Auriemma working with TippingPoint's Zero Day Initiative
- QuickTime
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  Description: An implementation issue existed in QuickTime's handling of the atom hierarchy within a movie file.
  CVE-ID
  CVE-2011-3221 : an anonymous researcher working with TippingPoint's Zero Day Initiative
- QuickTime
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Viewing a maliciously crafted FlashPix file may lead to an unexpected application termination or arbitrary code execution
  Description: A buffer overflow existed in QuickTime's handling of FlashPix files.
  CVE-ID
  CVE-2011-3222 : Damian Put working with TippingPoint's Zero Day Initiative
- QuickTime
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  Description: A buffer overflow existed in QuickTime's handling of FLIC files.
  CVE-ID
  CVE-2011-3223 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative
- SMB File Server
  Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: A guest user may browse shared folders
  Description: An access control issue existed in the SMB File Server. Disallowing guest access to the share point record for a folder prevented the '_unknown' user from browsing the share point but not guests (user 'nobody'). This issue is addressed by applying the access control to the guest user. This issue does not affect systems prior to OS X Lion.
  CVE-ID
  CVE-2011-3225
- Tomcat
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
  Impact: Multiple vulnerabilities in Tomcat 6.0.24
  Description: Tomcat is updated to version 6.0.32 to address multiple vulnerabilities, the most serious of which may lead to a cross-site scripting attack. Tomcat is only provided on Mac OS X Server systems. This issue does not affect OS X Lion systems. Further information is available via the Tomcat site at http://tomcat.apache.org/
  CVE-ID
  CVE-2010-1157
  CVE-2010-2227
  CVE-2010-3718
  CVE-2010-4172
  CVE-2011-0013
  CVE-2011-0534
- User Documentation
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
  Impact: An attacker in a privileged network position may manipulate App Store help content, leading to arbitrary code execution
  Description: App Store help content was updated over HTTP. This update addresses the issue by updating App Store help content over HTTPS. This issue does not affect OS X Lion systems.
  CVE-ID
  CVE-2011-3224 : Aaron Sigel of vtty.com and Brian Mastenbrook
- Web Server
  Available for: Mac OS X Server v10.6.8
  Impact: Clients may be unable to access web services that require digest authentication
  Description: An issue in the handling of HTTP Digest authentication was addressed. Users may be denied access to the server's resources when the server configuration should have allowed the access. This issue does not represent a security risk, and was addressed to facilitate the use of stronger authentication mechanisms. Systems running OS X Lion Server are not affected by this issue.
- X11
  Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
  Impact: Multiple vulnerabilities in libpng
  Description: Multiple vulnerabilities existed in libpng, the most serious of which may lead to arbitrary code execution. These issues are addressed by updating libpng to version 1.5.4 on OS X Lion systems, and to 1.2.46 on Mac OS X v10.6 systems. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html
  CVE-ID
  CVE-2011-2690
  CVE-2011-2691
  CVE-2011-2692