-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

     ESB-2007.1019 -- [OSX] APPLE-SA-2007-12-17 Security Update 2007-009
                              18 December 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Address Book
                   CFNetwork
                   ColorSync
                   Core Foundation
                   CUPS
                   Desktop Services
                   Flash Player Plug-in
                   GNU Tar
                   iChat
                   IO Storage Family
                   Launch Services
                   Mail
                   perl
                   python
                   Quick Look
                   ruby
                   Safari
                   Samba
                   Shockwave Plug-in
                   SMB
                   Software Update
                   Spin Tracer
                   Spotlight
                   tcpdump
                   XQuery
Publisher:         Apple
Operating System:  Mac OS X
Impact:            Root Compromise
                   Execute Arbitrary Code/Commands
                   Overwrite Arbitrary Files
                   Access Privileged Data
                   Cross-site Scripting
                   Denial of Service
                   Provide Misleading Information
Access:            Remote/Unauthenticated
                   Existing Account
CVE Names:         CVE-2007-6165 CVE-2007-6077 CVE-2007-5863 CVE-2007-5861
                   CVE-2007-5860 CVE-2007-5859 CVE-2007-5858 CVE-2007-5857
                   CVE-2007-5856 CVE-2007-5855 CVE-2007-5854 CVE-2007-5853
                   CVE-2007-5851 CVE-2007-5850 CVE-2007-5849 CVE-2007-5848
                   CVE-2007-5847 CVE-2007-5770 CVE-2007-5476 CVE-2007-5398
                   CVE-2007-5380 CVE-2007-5379 CVE-2007-5116 CVE-2007-4965
                   CVE-2007-4768 CVE-2007-4767 CVE-2007-4766 CVE-2007-4710
                   CVE-2007-4709 CVE-2007-4708 CVE-2007-4572 CVE-2007-4351
                   CVE-2007-4138 CVE-2007-4131 CVE-2007-3876 CVE-2007-3798
                   CVE-2007-1662 CVE-2007-1661 CVE-2007-1660 CVE-2007-1659
                   CVE-2007-1218 CVE-2006-0024

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2007-12-17 Security Update 2007-009

Security Update 2007-009 is now available and addresses the following issues:

Address Book
CVE-ID:  CVE-2007-4708
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description:  A format string vulnerability exists in Address Book's URL handler. By enticing a user to visit a maliciously crafted website, a remote attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of format strings. This issue does not affect systems running Mac OS X 10.5 or later.

CFNetwork
CVE-ID:  CVE-2007-4709
Available for:  Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Visiting a malicious website could allow the automatic download of files to arbitrary folders to which the user has write permission
Description:  A path traversal issue exists in CFNetwork's handling of downloaded files. By enticing a user to visit a malicious website, an attacker may cause the automatic download of files to arbitrary folders to which the user has write permission. This update addresses the issue through improved processing of HTTP responses. This issue does not affect systems prior to Mac OS X 10.5. Credit to Sean Harding for reporting this issue.

ColorSync
CVE-ID:  CVE-2007-4710
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in the handling of images with an embedded ColorSync profile. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of images. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Tom Ferris of Adobe Secure Software Engineering Team (ASSET) for reporting this issue.
Core Foundation
CVE-ID:  CVE-2007-5847
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Usage of CFURLWriteDataAndPropertiesToResource API may lead to the disclosure of sensitive information
Description:  A race condition exists in the CFURLWriteDataAndPropertiesToResource API, which may cause files to be created with insecure permissions. This may lead to the disclosure of sensitive information. This update addresses the issue through improved file handling. This issue does not affect systems running Mac OS X 10.5 or later.

CUPS
CVE-ID:  CVE-2007-5848
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  A local admin user may be able to gain system privileges
Description:  A buffer overflow issue exists in the printer driver for CUPS. This may allow a local admin user to gain system privileges by passing a maliciously crafted URI to the CUPS service. This update addresses the issue by ensuring that the destination buffer is sized to contain the data. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Dave Camp at Critical Path Software for reporting this issue.

CUPS
CVE-ID:  CVE-2007-4351
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  A remote attacker may cause an unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in the handling of Internet Printing Protocol (IPP) tags, which may allow a remote attacker to cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

CUPS
CVE-ID:  CVE-2007-5849
Available for:  Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  If SNMP is enabled, a remote attacker may cause an unexpected application termination or arbitrary code execution
Description:  The CUPS backend SNMP program broadcasts SNMP requests to discover network print servers. A stack buffer overflow may result from an integer underflow in the handling of SNMP responses. If SNMP is enabled, a remote attacker may exploit this issue by sending a maliciously crafted SNMP response, which may cause an application termination or arbitrary code execution. This update addresses the issue by performing additional validation of SNMP responses. This issue does not affect systems prior to Mac OS X 10.5. Credit to Wei Wang of McAfee Avert Labs for reporting this issue.

Desktop Services
CVE-ID:  CVE-2007-5850
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Opening a directory containing a maliciously crafted .DS_Store file in Finder may lead to arbitrary code execution
Description:  A heap buffer overflow exists in Desktop Services. By enticing a user to open a directory containing a maliciously crafted .DS_Store file, an attacker may cause arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X 10.5 or later.

Flash Player Plug-in
CVE-ID:  CVE-2007-5476
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Multiple vulnerabilities in Adobe Flash Player Plug-in
Description:  Adobe Flash Player is updated to version 9.0.115.0 to address CVE-2007-5476. Further information is available via the Adobe site at
http://www.adobe.com/support/security/advisories/apsa07-05.html
Credit to Opera Software for reporting this issue.

GNU Tar
CVE-ID:  CVE-2007-4131
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Extracting a maliciously crafted tar archive could overwrite arbitrary files
Description:  A directory traversal issue exists in GNU Tar. By enticing a local user to extract a maliciously crafted tar archive, an attacker may cause arbitrary files to be overwritten. This issue has been addressed by performing additional validation of tar files. This issue does not affect systems running Mac OS X 10.5 or later.

iChat
CVE-ID:  CVE-2007-5851
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  A person on the local network may initiate a video connection without the user's approval
Description:  An attacker on the local network may initiate a video conference with a user without the user's approval. This update addresses the issue by requiring user interaction to initiate a video conference. This issue does not affect systems running Mac OS X 10.5 or later.

IO Storage Family
CVE-ID:  CVE-2007-5853
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Opening a maliciously crafted disk image may lead to an unexpected system shutdown or arbitrary code execution
Description:  A memory corruption issue exists in the handling of GUID partition maps within a disk image. By enticing a user to open a maliciously crafted disk image, an attacker may cause an unexpected system shutdown or arbitrary code execution. This update addresses the issue through additional validation of GUID partition maps. This issue does not affect systems running Mac OS X 10.5 or later.

Launch Services
CVE-ID:  CVE-2007-5854
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Opening a maliciously crafted HTML file may lead to information disclosure or cross-site scripting
Description:  Launch Services does not handle HTML files as potentially unsafe content. By enticing a user to open a maliciously crafted HTML file, an attacker may cause the disclosure of sensitive information or cross-site scripting. This update addresses the issue by handling HTML files as potentially unsafe content. Credit to Michal Zalewski of Google Inc. for reporting this issue.
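The path traversal in CFNetwork's download handling (CVE-2007-4709) and the directory traversal in GNU Tar (CVE-2007-4131) described above share one root cause: a name chosen by the remote side is joined to a destination directory without checking that the result stays inside it. The following Python audit is an added example, not part of the advisory or of Apple's code; it builds a small constructed archive in memory and rejects members (including symlink and hard-link targets) that would escape the extraction root before anything is written to disk:

```python
import io
import posixpath
import tarfile
from typing import List, Tuple

# Constructed sample members (not from the advisory): one benign file and two
# names that try to land outside the extraction directory.
SAMPLE_MEMBERS = [
    ("docs/readme.txt", b"hello\n"),
    ("../../outside.txt", b"overwritten\n"),
    ("/tmp/absolute.txt", b"absolute\n"),
]


def path_escapes(name: str) -> bool:
    """True if NAME, interpreted relative to the extraction root, resolves outside it."""
    if not name or name.startswith("/"):
        return True  # absolute name, or nothing to extract
    normalized = posixpath.normpath(name)
    return normalized == ".." or normalized.startswith("../")


def link_escapes(member: tarfile.TarInfo) -> bool:
    """True if a symlink or hard link member points outside the extraction root."""
    if member.issym():
        # A symlink target is resolved relative to the directory holding the link.
        return path_escapes(posixpath.join(posixpath.dirname(member.name), member.linkname))
    if member.islnk():
        return path_escapes(member.linkname)  # hard-link targets are archive-relative
    return False


def audit_archive(data: bytes) -> Tuple[List[str], List[str]]:
    """Classify members as (safe, rejected) from their headers only; nothing is extracted."""
    safe: List[str] = []
    rejected: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as archive:
        for member in archive.getmembers():
            if path_escapes(member.name) or link_escapes(member):
                rejected.append(member.name)
            else:
                safe.append(member.name)
    return safe, rejected


def build_sample_archive() -> bytes:
    """Write the constructed members plus an escaping symlink into an in-memory tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name, payload in SAMPLE_MEMBERS:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            archive.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"  # points two levels above the root
        archive.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    safe, rejected = audit_archive(build_sample_archive())
    print("safe:", safe)
    print("rejected:", rejected)
```

The same name check applies to a browser-chosen download filename: normalize it, then refuse anything absolute or leading with "..".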
Launch Services
CVE-ID:  CVE-2007-6165
Available for:  Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Opening an executable mail attachment may lead to arbitrary code execution with no warning
Description:  An implementation issue exists in Launch Services, which may allow executable mail attachments to be run without warning when a user opens a mail attachment. This update addresses the issue by warning the user before launching executable mail attachments. This issue does not affect systems prior to Mac OS X 10.5. Credit to Xeno Kovah for reporting this issue.

Mail
CVE-ID:  CVE-2007-5855
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  SMTP accounts set up through Account Assistant may use plaintext authentication even when MD5 Challenge-Response authentication is available
Description:  When setting up an SMTP account through Account Assistant, if SMTP authentication is selected, and if the server supports only MD5 Challenge-Response authentication and plaintext authentication, Mail defaults to using plaintext authentication. This update addresses the issue by ensuring that the most secure available mechanism is used. This issue does not affect systems running Mac OS X 10.5 or later.

perl
CVE-ID:  CVE-2007-5116
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Parsing regular expressions may lead to arbitrary code execution
Description:  A length calculation issue exists in the polymorphic opcode support in the Perl Regular Expression compiler. This may allow an attacker to cause memory corruption leading to arbitrary code execution by switching from byte to Unicode (UTF) characters in a regular expression. This update addresses the issue by recomputing the length if the character encoding changes. Credit to Tavis Ormandy and Will Drewry of Google Security Team for reporting this issue.
python
CVE-ID:  CVE-2007-4965
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Processing image content with imageop module may lead to an unexpected application termination or arbitrary code execution
Description:  Multiple integer overflows exist in python's imageop module. These may cause a buffer overflow to occur in applications which use the module to process maliciously crafted image content. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of image content.

Quick Look
CVE-ID:  CVE-2007-5856
Available for:  Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Previewing a file with QuickLook enabled may lead to the disclosure of sensitive information
Description:  When previewing an HTML file, plug-ins are not restricted from making network requests. This may lead to the disclosure of sensitive information. This update addresses the issue by disabling plug-ins. This issue does not affect systems prior to Mac OS X 10.5.

Quick Look
CVE-ID:  CVE-2007-5857
Available for:  Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Previewing a movie file may access URLs contained in the movie
Description:  Creating an icon for a movie file, or previewing that file using QuickLook may access URLs contained in the movie. This update addresses the issue by disabling HREFTrack while browsing movie files. This issue does not affect systems prior to Mac OS X 10.5, or systems with QuickTime 7.3 installed. Credit to Lukhnos D. Liu of Lithoglyph Inc. for reporting this issue.

ruby
CVE-ID:  CVE-2007-5770
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Multiple SSL certificate validation issues exist in ruby libraries
Description:  Multiple ruby libraries are affected by SSL certificate validation issues. This may lead to man-in-the-middle attacks against applications that use an affected library. This update addresses the issues by applying the ruby patch.

ruby
CVE-ID:  CVE-2007-5379, CVE-2007-5380, CVE-2007-6077
Available for:  Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Multiple vulnerabilities exist in Rails 1.2.3
Description:  Multiple vulnerabilities exist in Rails 1.2.3, which may lead to the disclosure of sensitive information. This update addresses the issue by updating Rails to version 1.2.6. This issue does not affect systems prior to Mac OS X 10.5.

Safari
CVE-ID:  CVE-2007-5858
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Visiting a malicious website may result in the disclosure of sensitive information
Description:  WebKit allows a page to navigate the subframes of any other page. Visiting a maliciously crafted web page could trigger a cross-site scripting attack, which may lead to the disclosure of sensitive information. This update addresses the issue by implementing a stricter frame navigation policy.

Safari RSS
CVE-ID:  CVE-2007-5859
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Accessing a maliciously crafted feed: URL may lead to an application termination or arbitrary code execution
Description:  A memory corruption issue exists in Safari's handling of feed: URLs. By enticing a user to access a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of feed: URLs and providing an error message in case of an invalid URL. This issue does not affect systems running Mac OS X 10.5 or later.
Samba
CVE-ID:  CVE-2007-4572, CVE-2007-5398
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Multiple vulnerabilities in Samba
Description:  Multiple vulnerabilities exist in Samba, the most serious of which is remote code execution. This update addresses the issues by applying patches from the Samba project. Further information is available via the Samba web site at
http://www.samba.org/samba/history/security.html
CVE-2007-4138 does not affect systems prior to Mac OS X 10.5. Credit to Alin Rad Pop of Secunia Research for reporting this issue.

Shockwave Plug-in
CVE-ID:  CVE-2006-0024
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  Opening maliciously crafted Shockwave content may lead to arbitrary code execution
Description:  Multiple vulnerabilities exist in Shockwave Player. By enticing a user to open maliciously crafted Shockwave content, an attacker may cause arbitrary code execution. This update addresses the issues by updating Shockwave Player to version 10.1.1.016. Credit to Jan Hacker of ETH Zurich for reporting the problem in Shockwave.

SMB
CVE-ID:  CVE-2007-3876
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  A local user may be able to execute arbitrary code with system privileges
Description:  A stack buffer overflow issue exists in the code used by the mount_smbfs and smbutil applications to parse command line arguments, which may allow a local user to cause arbitrary code execution with system privileges. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Sean Larsson of VeriSign iDefense Labs for reporting this issue.
Software Update
CVE-ID:  CVE-2007-5863
Available for:  Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  A man-in-the-middle attack could cause Software Update to execute arbitrary commands
Description:  When Software Update checks for new updates, it processes a distribution definition file which was sent by the update server. By intercepting requests to the update server, an attacker can provide a maliciously crafted distribution definition file with the "allow-external-scripts" option, which may cause arbitrary command execution when a system checks for new updates. This update addresses the issue by disallowing the "allow-external-scripts" option in Software Update. This issue does not affect systems prior to Mac OS X 10.5. Credit to Moritz Jodeit for reporting this issue.

Spin Tracer
CVE-ID:  CVE-2007-5860
Available for:  Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact:  A local user may be able to execute arbitrary code with system privileges
Description:  An insecure file operation exists in SpinTracer's handling of output files, which may allow a local user to execute arbitrary code with system privileges. This update addresses the issue through improved handling of output files. This issue does not affect systems prior to Mac OS X 10.5. Credit to Kevin Finisterre of DigitalMunition for reporting this issue.

Spotlight
CVE-ID:  CVE-2007-5861
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Downloading a maliciously crafted .xls file may lead to an unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in the Microsoft Office Spotlight Importer. By enticing a user to download a maliciously crafted .xls file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of .xls files. This issue does not affect systems running Mac OS X 10.5 or later.
tcpdump
CVE-ID:  CVE-2007-1218, CVE-2007-3798
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Multiple vulnerabilities in tcpdump
Description:  Multiple vulnerabilities exist in tcpdump, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating tcpdump to version 3.9.7. This issue does not affect systems running Mac OS X 10.5 or later.

XQuery
CVE-ID:  CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Multiple vulnerabilities in the handling of regular expressions
Description:  Multiple vulnerabilities exist in the Perl Compatible Regular Expressions (PCRE) library used by XQuery, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating PCRE to version 7.3. Further information is available via the PCRE web site at
http://www.pcre.org/
This issue does not affect systems running Mac OS X 10.5 or later. Credit to Tavis Ormandy and Will Drewry of Google Security Team for reporting this issue.
Security Update 2007-009 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.5.1
The download file is named:  "SecUpd2007-009.dmg"
Its SHA-1 digest is:  9d1743b2cd15f3934d82cc6341c3142a3d16becf

For Mac OS X v10.4.11 (Universal)
The download file is named:  "SecUpd2007-009Univ.dmg"
Its SHA-1 digest is:  ac07f4850b812af0761f859bb4d63c2e0f2a6113

For Mac OS X v10.4.11 (PPC)
The download file is named:  "SecUpd2007-009Ti.dmg"
Its SHA-1 digest is:  2e75b99b1a10fb973807cba14b99080da38ad288

Information will also be posted to the Apple Security Updates web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: 9.7.0.867

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----