-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                          ESB-2007.1019 -- [OSX]
               APPLE-SA-2007-12-17 Security Update 2007-009
                             18 December 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Address Book
                      CFNetwork
                      ColorSync
                      Core Foundation
                      CUPS
                      Desktop Services
                      Flash Player Plug-in
                      GNU Tar
                      iChat
                      IO Storage Family
                      Launch Services
                      Mail
                      perl
                      python
                      Quick Look
                      ruby
                      Safari
                      Samba
                      Shockwave Plug-in
                      SMB
                      Software Update
                      Spin Tracer
                      Spotlight
                      tcpdump
                      XQuery
Publisher:            Apple
Operating System:     Mac OS X
Impact:               Root Compromise
                      Execute Arbitrary Code/Commands
                      Overwrite Arbitrary Files
                      Access Privileged Data
                      Cross-site Scripting
                      Denial of Service
                      Provide Misleading Information
Access:               Remote/Unauthenticated
                      Existing Account
CVE Names:            CVE-2007-6165 CVE-2007-6077 CVE-2007-5863
                      CVE-2007-5861 CVE-2007-5860 CVE-2007-5859
                      CVE-2007-5858 CVE-2007-5857 CVE-2007-5856
                      CVE-2007-5855 CVE-2007-5854 CVE-2007-5853
                      CVE-2007-5851 CVE-2007-5850 CVE-2007-5849
                      CVE-2007-5848 CVE-2007-5847 CVE-2007-5770
                      CVE-2007-5476 CVE-2007-5398 CVE-2007-5380
                      CVE-2007-5379 CVE-2007-5116 CVE-2007-4965
                      CVE-2007-4768 CVE-2007-4767 CVE-2007-4766
                      CVE-2007-4710 CVE-2007-4709 CVE-2007-4708
                      CVE-2007-4572 CVE-2007-4351 CVE-2007-4138
                      CVE-2007-4131 CVE-2007-3876 CVE-2007-3798
                      CVE-2007-1662 CVE-2007-1661 CVE-2007-1660
                      CVE-2007-1659 CVE-2007-1218 CVE-2006-0024

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2007-12-17 Security Update 2007-009

Security Update 2007-009 is now available and addresses the following
issues:

Address Book
CVE-ID:  CVE-2007-4708
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A format string vulnerability exists in Address Book's
URL handler. By enticing a user to visit a maliciously crafted
website, a remote attacker may cause an unexpected application
termination or arbitrary code execution. This update addresses the
issue through improved handling of format strings. This issue does
not affect systems running Mac OS X 10.5 or later.

CFNetwork
CVE-ID:  CVE-2007-4709
Available for:  Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Visiting a malicious website could allow the automatic
download of files to arbitrary folders to which the user has write
permission
Description:  A path traversal issue exists in CFNetwork's handling
of downloaded files. By enticing a user to visit a malicious website,
an attacker may cause the automatic download of files to arbitrary
folders to which the user has write permission. This update addresses
the issue through improved processing of HTTP responses. This issue
does not affect systems prior to Mac OS X 10.5. Credit to Sean
Harding for reporting this issue.

ColorSync
CVE-ID:  CVE-2007-4710
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Viewing a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution
Description:  A memory corruption issue exists in the handling of
images with an embedded ColorSync profile. By enticing a user to open
a maliciously crafted image, an attacker may cause an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of images.
This issue does not affect systems running Mac OS X 10.5 or later.
Credit to Tom Ferris of Adobe Secure Software Engineering Team
(ASSET) for reporting this issue.

Core Foundation
CVE-ID:  CVE-2007-5847
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Usage of CFURLWriteDataAndPropertiesToResource API may lead
to the disclosure of sensitive information
Description:  A race condition exists in the
CFURLWriteDataAndPropertiesToResource API, which may cause files to
be created with insecure permissions. This may lead to the disclosure
of sensitive information. This update addresses the issue through
improved file handling. This issue does not affect systems running
Mac OS X 10.5 or later.

CUPS
CVE-ID:  CVE-2007-5848
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  A local admin user may be able to gain system privileges
Description:  A buffer overflow issue exists in the printer driver
for CUPS. This may allow a local admin user to gain system privileges
by passing a maliciously crafted URI to the CUPS service. This update
addresses the issue by ensuring that the destination buffer is sized
to contain the data. This issue does not affect systems running Mac
OS X 10.5 or later. Credit to Dave Camp at Critical Path Software for
reporting this issue.

CUPS
CVE-ID:  CVE-2007-4351
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description:  A memory corruption issue exists in the handling of
Internet Printing Protocol (IPP) tags, which may allow a remote
attacker to cause an unexpected application termination or arbitrary
code execution. This update addresses the issue through improved
bounds checking.

CUPS
CVE-ID:  CVE-2007-5849
Available for:  Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  If SNMP is enabled, a remote attacker may cause an
unexpected application termination or arbitrary code execution
Description:  The CUPS backend SNMP program broadcasts SNMP requests
to discover network print servers. A stack buffer overflow may result
from an integer underflow in the handling of SNMP responses. If SNMP
is enabled, a remote attacker may exploit this issue by sending a
maliciously crafted SNMP response, which may cause an application
termination or arbitrary code execution. This update addresses the
issue by performing additional validation of SNMP responses. This
issue does not affect systems prior to Mac OS X 10.5. Credit to Wei
Wang of McAfee Avert Labs for reporting this issue.

Desktop Services
CVE-ID:  CVE-2007-5850
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Opening a directory containing a maliciously crafted
.DS_Store file in Finder may lead to arbitrary code execution
Description:  A heap buffer overflow exists in Desktop Services. By
enticing a user to open a directory containing a maliciously crafted
.DS_Store file, an attacker may cause arbitrary code execution. This
update addresses the issue through improved bounds checking. This
issue does not affect systems running Mac OS X 10.5 or later.

Flash Player Plug-in
CVE-ID:  CVE-2007-5476
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Multiple vulnerabilities in Adobe Flash Player Plug-in
Description:  Adobe Flash Player is updated to version 9.0.115.0 to
address CVE-2007-5476. Further information is available via the Adobe
site at
http://www.adobe.com/support/security/advisories/apsa07-05.html
Credit to Opera Software for reporting this issue.

GNU Tar
CVE-ID:  CVE-2007-4131
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Extracting a maliciously crafted tar archive could overwrite
arbitrary files
Description:  A directory traversal issue exists in GNU Tar. By
enticing a local user to extract a maliciously crafted tar archive,
an attacker may cause arbitrary files to be overwritten. This issue
has been addressed by performing additional validation of tar files.
This issue does not affect systems running Mac OS X 10.5 or later.
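This issue and the CFNetwork download issue above (CVE-2007-4709) share a root cause: a name chosen by the remote side, whether a Content-Disposition filename or a tar member name or link target, was allowed to pick the directory as well as the file. Added example, not Apple's or GNU Tar's code: a lexical confinement check applied to both kinds of input, run over a constructed archive that carries a traversal name and an escaping symlink; the destination directory and file names are made up for the demonstration.

```python
import io
import posixpath
import tarfile
from typing import List, Optional


def confined_path(dest_dir: str, untrusted_rel: str) -> Optional[str]:
    """Lexically resolve untrusted_rel under dest_dir; None if it escapes.

    Rejects empty and absolute names, normalises '.' and '..' segments and
    refuses anything that still climbs above dest_dir.  Purely lexical and
    POSIX-style; symlinks already on disk need a separate check (links
    carried inside an archive are handled in unsafe_tar_members).
    """
    if not untrusted_rel or posixpath.isabs(untrusted_rel):
        return None
    norm = posixpath.normpath(untrusted_rel)
    if norm == "." or norm.split("/", 1)[0] == "..":
        return None
    return posixpath.join(posixpath.normpath(dest_dir), norm)


def safe_download_name(content_disposition: str) -> Optional[str]:
    """Reduce the filename= parameter of a Content-Disposition header to a
    bare basename, so the server may choose the name but never the folder."""
    name = None
    for param in content_disposition.split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.strip().lower() == "filename":
            name = value.strip().strip('"')
    if name is None:
        return None
    base = posixpath.basename(name.replace("\\", "/"))  # drop every directory part
    return base if base not in ("", ".", "..") else None


def unsafe_tar_members(tar_bytes: bytes, dest_dir: str) -> List[str]:
    """Names of archive members that would land outside dest_dir on extract,
    including symlinks and hard links whose target escapes the tree."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if confined_path(dest_dir, member.name) is None:
                bad.append(member.name)
                continue
            if member.issym():    # symlink targets are relative to the link's directory
                target = posixpath.join(posixpath.dirname(member.name), member.linkname)
            elif member.islnk():  # hard link targets are relative to the archive root
                target = member.linkname
            else:
                continue
            if confined_path(dest_dir, target) is None:
                bad.append(member.name)
    return bad


def build_sample_tar() -> bytes:
    """Constructed archive: a benign file, a '..' traversal name, and a
    symlink that points above the extraction root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("docs/readme.txt", b"hello"),
                           ("../../Library/LaunchAgents/evil.plist", b"<plist/>")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("docs/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc"
        tar.addfile(link)
    return buf.getvalue()
```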

iChat
CVE-ID:  CVE-2007-5851
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  A person on the local network may initiate a video
connection without the user's approval
Description:  An attacker on the local network may initiate a video
conference with a user without the user's approval. This update
addresses the issue by requiring user interaction to initiate a video
conference. This issue does not affect systems running Mac OS X 10.5
or later.

IO Storage Family
CVE-ID:  CVE-2007-5853
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Opening a maliciously crafted disk image may lead to an
unexpected system shutdown or arbitrary code execution
Description:  A memory corruption issue exists in the handling of
GUID partition maps within a disk image. By enticing a user to open a
maliciously crafted disk image, an attacker may cause an unexpected
system shutdown or arbitrary code execution. This update addresses
the issue through additional validation of GUID partition maps. This
issue does not affect systems running Mac OS X 10.5 or later.

Launch Services
CVE-ID:  CVE-2007-5854
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Opening a maliciously crafted HTML file may lead to
information disclosure or cross-site scripting
Description:  Launch Services does not handle HTML files as
potentially unsafe content. By enticing a user to open a maliciously
crafted HTML file, an attacker may cause the disclosure of sensitive
information or cross-site scripting. This update addresses the issue
by handling HTML files as potentially unsafe content. Credit to
Michal Zalewski of Google Inc. for reporting this issue.

Launch Services
CVE-ID:  CVE-2007-6165
Available for:  Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Opening an executable mail attachment may lead to arbitrary
code execution with no warning
Description:  An implementation issue exists in Launch Services,
which may allow executable mail attachments to be run without warning
when a user opens a mail attachment. This update addresses the issue
by warning the user before launching executable mail attachments.
This issue does not affect systems prior to Mac OS X 10.5. Credit to
Xeno Kovah for reporting this issue.

Mail
CVE-ID:  CVE-2007-5855
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  SMTP accounts set up through Account Assistant may use
plaintext authentication even when MD5 Challenge-Response
authentication is available
Description:  When setting up an SMTP account through Account
Assistant, if SMTP authentication is selected, and if the server
supports only MD5 Challenge-Response authentication and plaintext
authentication, Mail defaults to using plaintext authentication. This
update addresses the issue by ensuring that the most secure available
mechanism is used. This issue does not affect systems running Mac OS
X 10.5 or later.
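One way to get the mechanism selection right, as an added example and not Mail's code: parse the server's EHLO reply, rank the advertised mechanisms strongest first, and keep a model of the weak behaviour the advisory describes beside the hardened choice. The EHLO text is constructed, and the rule that plaintext mechanisms are only acceptable inside a TLS session is an added policy beyond the advisory's own fix.

```python
from typing import Iterable, List, Optional

# Mechanisms in order of preference, strongest first.  CRAM-MD5 is the
# "MD5 Challenge-Response" mechanism the advisory refers to; PLAIN and LOGIN
# put the password on the wire unless TLS already wraps the session.
PREFERENCE = ("CRAM-MD5", "PLAIN", "LOGIN")
PLAINTEXT = frozenset({"PLAIN", "LOGIN"})


def advertised_mechanisms(ehlo_reply: str) -> List[str]:
    """Extract the SASL mechanisms from a multi-line EHLO reply.

    Handles '250-AUTH CRAM-MD5 PLAIN LOGIN', the final '250 AUTH ...' form,
    and the legacy 'AUTH=' spelling some servers still emit.
    """
    mechs: List[str] = []
    for line in ehlo_reply.splitlines():
        if not line.startswith("250"):
            continue
        body = line[4:].strip()          # skip the code and the '-' or ' ' separator
        if body.upper().startswith("AUTH"):
            mechs.extend(m.upper() for m in body[4:].lstrip("= ").split())
    return mechs


def weak_choice(mechs: Iterable[str]) -> Optional[str]:
    """Model of the behaviour the advisory describes (not Mail's code):
    a plaintext mechanism wins whenever the server offers one."""
    offered = list(mechs)
    for mech in offered:
        if mech in PLAINTEXT:
            return mech
    return offered[0] if offered else None


def choose_mechanism(mechs: Iterable[str], tls_active: bool) -> Optional[str]:
    """Hardened selection: the strongest mutually supported mechanism wins,
    and plaintext mechanisms are only acceptable inside a TLS session (an
    added policy, stricter than the advisory's fix).  Returns None when
    nothing acceptable is offered, so the caller fails closed."""
    offered = set(mechs)
    for mech in PREFERENCE:
        if mech in offered and (tls_active or mech not in PLAINTEXT):
            return mech
    return None


# Constructed EHLO reply from a server that offers both kinds of mechanism.
SAMPLE_EHLO = (
    "250-smtp.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH CRAM-MD5 PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)
```

CRAM-MD5 only keeps the password itself off the wire; it neither authenticates the server nor protects the message, so STARTTLS remains the primary control and mechanism ranking is the fallback behind it.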

perl
CVE-ID:  CVE-2007-5116
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Parsing regular expressions may lead to arbitrary code
execution
Description:  A length calculation issue exists in the polymorphic
opcode support in the Perl Regular Expression compiler. This may
allow an attacker to cause memory corruption leading to arbitrary
code execution by switching from byte to Unicode (UTF) characters in
a regular expression. This update addresses the issue by recomputing
the length if the character encoding changes. Credit to Tavis Ormandy
and Will Drewry of Google Security Team for reporting this issue.

python
CVE-ID:  CVE-2007-4965
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Processing image content with imageop module may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple integer overflows exist in python's imageop
module. These may cause a buffer overflow to occur in applications
which use the module to process maliciously crafted image content.
This may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue by performing
additional validation of image content.

Quick Look
CVE-ID:  CVE-2007-5856
Available for:  Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Previewing a file with QuickLook enabled may lead to the
disclosure of sensitive information
Description:  When previewing an HTML file, plug-ins are not
restricted from making network requests. This may lead to the
disclosure of sensitive information. This update addresses the issue
by disabling plug-ins. This issue does not affect systems prior to
Mac OS X 10.5.

Quick Look
CVE-ID:  CVE-2007-5857
Available for:  Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Previewing a movie file may access URLs contained in the
movie
Description:  Creating an icon for a movie file, or previewing that
file using QuickLook may access URLs contained in the movie. This
update addresses the issue by disabling HREFTrack while browsing
movie files. This issue does not affect systems prior to Mac OS X
10.5, or systems with QuickTime 7.3 installed. Credit to Lukhnos D.
Liu of Lithoglyph Inc. for reporting this issue.

ruby
CVE-ID:  CVE-2007-5770
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Multiple SSL certificate validation issues exist in ruby
libraries
Description:  Multiple ruby libraries are affected by SSL certificate
validation issues. This may lead to man-in-the-middle attacks against
applications that use an affected library. This update addresses the
issues by applying the ruby patch.

ruby
CVE-ID:  CVE-2007-5379, CVE-2007-5380, CVE-2007-6077
Available for:  Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Multiple vulnerabilities exist in Rails 1.2.3
Description:  Multiple vulnerabilities exist in Rails 1.2.3, which
may lead to the disclosure of sensitive information. This update
addresses the issue by updating Rails to version 1.2.6. This issue
does not affect systems prior to Mac OS X 10.5.

Safari
CVE-ID:  CVE-2007-5858
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Visiting a malicious website may result in the disclosure of
sensitive information
Description:  WebKit allows a page to navigate the subframes of any
other page. Visiting a maliciously crafted web page could trigger a
cross-site scripting attack, which may lead to the disclosure of
sensitive information. This update addresses the issue by
implementing a stricter frame navigation policy.

Safari RSS
CVE-ID:  CVE-2007-5859
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Accessing a maliciously crafted feed: URL may lead to an
application termination or arbitrary code execution
Description:  A memory corruption issue exists in Safari's handling
of feed: URLs. By enticing a user to access a maliciously crafted
URL, an attacker may cause an unexpected application termination or
arbitrary code execution. This update addresses the issue by
performing additional validation of feed: URLs and providing an error
message in case of an invalid URL. This issue does not affect systems
running Mac OS X 10.5 or later.

Samba
CVE-ID:  CVE-2007-4572, CVE-2007-5398
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Multiple vulnerabilities in Samba
Description:  Multiple vulnerabilities exist in Samba, the most
serious of which is remote code execution. This update addresses the
issues by applying patches from the Samba project. Further
information is available via the Samba web site at
http://www.samba.org/samba/history/security.html
CVE-2007-4138 does not affect systems prior to Mac OS X 10.5. Credit to
Alin Rad Pop of Secunia Research for reporting this issue.

Shockwave Plug-in
CVE-ID:  CVE-2006-0024
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Opening maliciously crafted Shockwave content may lead to
arbitrary code execution
Description:  Multiple vulnerabilities exist in Shockwave Player. By
enticing a user to open maliciously crafted Shockwave content, an
attacker may cause arbitrary code execution. This update addresses
the issues by updating Shockwave Player to version 10.1.1.016. Credit
to Jan Hacker of ETH Zurich for reporting the problem in Shockwave.

SMB
CVE-ID:  CVE-2007-3876
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  A local user may be able to execute arbitrary code with
system privileges
Description:  A stack buffer overflow issue exists in the code used
by the mount_smbfs and smbutil applications to parse command line
arguments, which may allow a local user to cause arbitrary code
execution with system privileges. This update addresses the issue
through improved bounds checking. This issue does not affect systems
running Mac OS X 10.5 or later. Credit to Sean Larsson of VeriSign
iDefense Labs for reporting this issue.

Software Update
CVE-ID:  CVE-2007-5863
Available for:  Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  A man-in-the-middle attack could cause Software Update to
execute arbitrary commands
Description:  When Software Update checks for new updates, it
processes a distribution definition file which was sent by the update
server. By intercepting requests to the update server, an attacker
can provide a maliciously crafted distribution definition file with
the "allow-external-scripts" option, which may cause arbitrary
command execution when a system checks for new updates. This update
addresses the issue by disallowing the "allow-external-scripts"
option in Software Update. This issue does not affect systems prior
to Mac OS X 10.5. Credit to Moritz Jodeit for reporting this issue.
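A defender-side check for the same option, as an added example rather than Apple's code: parse a distribution definition file and refuse it if allow-external-scripts is enabled anywhere in it, or if the file does not parse at all. The sample files and the element layout (the option carried on an <options> element) are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import List

TRUTHY = {"yes", "true", "1"}


def distribution_findings(xml_text: str) -> List[str]:
    """Reasons to refuse a distribution definition file; empty means clean.

    Flags allow-external-scripts wherever it is set on any element (the
    option is expected on <options>, but matching every element and any
    attribute case avoids a bypass through placement or spelling) and treats
    a file that does not parse as unacceptable, so the check fails closed.
    """
    findings: List[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"unparseable distribution file: {exc}"]
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if attr.lower() == "allow-external-scripts" and value.strip().lower() in TRUTHY:
                findings.append(f"<{elem.tag}> sets {attr}={value!r}")
    return findings


# Constructed samples; the element layout follows the distribution format as
# assumed here and is not taken from a file shipped with the update.
CLEAN_DIST = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
  <title>Security Update 2007-009</title>
  <options customize="never" allow-external-scripts="no"/>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default"><pkg-ref id="com.example.secupd"/></choice>
  <pkg-ref id="com.example.secupd">#SecUpd.pkg</pkg-ref>
</installer-gui-script>
"""

# The same file as it would arrive after tampering in transit.
TAMPERED_DIST = CLEAN_DIST.replace('allow-external-scripts="no"',
                                   'allow-external-scripts="YES"')
```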

Spin Tracer
CVE-ID:  CVE-2007-5860
Available for:  Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  A local user may be able to execute arbitrary code with
system privileges
Description:  An insecure file operation exists in SpinTracer's
handling of output files, which may allow a local user to execute
arbitrary code with system privileges. This update addresses the
issue through improved handling of output files. This issue does not
affect systems prior to Mac OS X 10.5. Credit to Kevin Finisterre of
DigitalMunition for reporting this issue.
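The Core Foundation issue above (CVE-2007-5847) and this one both come down to how an output file is created. As an added example, not Apple's code: the create-then-chmod pattern that leaves a window for another local user, beside the atomic O_CREAT|O_EXCL form with a 0600 mode, exercised in a temporary directory against a constructed dangling symlink.

```python
import os
import stat
import tempfile


def create_output_file_racy(path: str) -> int:
    """The pattern behind the advisory's race (illustration, not Apple's code):
    the file first appears with umask-derived permissions and is tightened
    only afterwards, so another local user can open it in between, and the
    chmod applies to whatever the path names at that moment."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC)
    os.chmod(path, 0o600)
    return fd


def create_output_file(path: str) -> int:
    """Hardened form: create atomically with mode 0600 and O_EXCL, so the
    file is never readable by others and a pre-existing file or planted
    symlink at that path makes the call fail instead of being followed."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)


def demo() -> dict:
    """Constructed check in a fresh temp dir: record the created mode, then
    show that a second create and a dangling symlink are both refused."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "trace.out")
    fd = create_output_file(path)
    os.write(fd, b"trace output\n")
    os.close(fd)
    mode = stat.S_IMODE(os.stat(path).st_mode)

    refused_existing = False
    try:
        os.close(create_output_file(path))
    except FileExistsError:
        refused_existing = True

    victim = os.path.join(workdir, "victim")
    link = os.path.join(workdir, "planted")
    os.symlink(victim, link)   # dangling link standing in for one a local user planted
    refused_link = False
    try:
        os.close(create_output_file(link))
    except OSError:            # EEXIST: O_EXCL refuses the link without following it
        refused_link = True
    return {
        "mode": mode,
        "refused_existing": refused_existing,
        "refused_link": refused_link,
        "victim_created": os.path.exists(victim),
    }
```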

Spotlight
CVE-ID:  CVE-2007-5861
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Downloading a maliciously crafted .xls file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in the Microsoft
Office Spotlight Importer. By enticing a user to download a
maliciously crafted .xls file, an attacker may cause an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of .xls
files. This issue does not affect systems running Mac OS X 10.5 or
later.

tcpdump
CVE-ID:  CVE-2007-1218, CVE-2007-3798
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Multiple vulnerabilities in tcpdump
Description:  Multiple vulnerabilities exist in tcpdump, the most
serious of which may lead to arbitrary code execution. This update
addresses the issue by updating tcpdump to version 3.9.7. This issue
does not affect systems running Mac OS X 10.5 or later.

XQuery
CVE-ID:  CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662,
CVE-2007-4766, CVE-2007-4767, CVE-2007-4768
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Multiple vulnerabilities in the handling of regular
expressions
Description:  Multiple vulnerabilities exist in the Perl Compatible
Regular Expressions (PCRE) library used by XQuery, the most serious
of which may lead to arbitrary code execution. This update addresses
the issue by updating PCRE to version 7.3. Further information is
available via the PCRE web site at http://www.pcre.org/
This issue does not affect systems running Mac OS X 10.5 or later.
Credit to Tavis Ormandy and Will Drewry of Google Security Team for
reporting this issue.

Security Update 2007-009 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.5.1
The download file is named:  "SecUpd2007-009.dmg"
Its SHA-1 digest is: 9d1743b2cd15f3934d82cc6341c3142a3d16becf

For Mac OS X v10.4.11 (Universal)
The download file is named:  "SecUpd2007-009Univ.dmg"
Its SHA-1 digest is: ac07f4850b812af0761f859bb4d63c2e0f2a6113

For Mac OS X v10.4.11 (PPC)
The download file is named:  "SecUpd2007-009Ti.dmg"
Its SHA-1 digest is: 2e75b99b1a10fb973807cba14b99080da38ad288

Information will also be posted to the Apple Security Updates
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: 9.7.0.867

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----