-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                          ESB-2008.0660 -- [OSX]
          Security Update 2008-004 and Mac OS X v10.5.4 released
                                1 July 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Alias Manager
                      CoreTypes
                      c++filt
                      Dock
                      Launch Services
                      Net-SNMP
                      Ruby
                      SMB File Server
                      System Configuration
                      Tomcat
                      VPN
                      WebKit
Publisher:            Apple
Operating System:     Mac OS X
Impact:               Execute Arbitrary Code/Commands
                      Access Privileged Data
                      Cross-site Scripting
                      Denial of Service
                      Provide Misleading Information
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-2726 CVE-2008-2725 CVE-2008-2664
                      CVE-2008-2663 CVE-2008-2662 CVE-2008-2314
                      CVE-2008-2313 CVE-2008-2311 CVE-2008-2310
                      CVE-2008-2309 CVE-2008-2308 CVE-2008-2307
                      CVE-2008-1145 CVE-2008-1105 CVE-2008-0960
                      CVE-2007-6276 CVE-2007-5461 CVE-2007-5333
                      CVE-2007-3385 CVE-2007-3383 CVE-2007-3382
                      CVE-2007-2450 CVE-2007-2449 CVE-2007-1355
                      CVE-2005-3164

Ref:                  ESB-2008.0622
                      ESB-2008.0641
                      AL-2008.0064
                      AA-2007.0092
                      ESB-2007.0629
                      ESB-2008.0659

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2008-06-30 Security Update 2008-004 and Mac OS X v10.5.4

Security Update 2008-004 and Mac OS X v10.5.4 are now available and
address the following issues:

Alias Manager
CVE-ID:  CVE-2008-2308
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Resolving an alias containing maliciously crafted volume
mount information may lead to an unexpected application termination
or arbitrary code execution
Description:  A memory corruption issue exists in the handling of AFP
volume mount information in an alias data structure. Resolving an
alias containing maliciously crafted volume mount information may
lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue by performing additional
validation of alias data structures. This issue only affects Intel-
based systems running Mac OS X 10.5.1 or earlier.

CoreTypes
CVE-ID:  CVE-2008-2309
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3
Impact:  Users are not warned before opening certain potentially
unsafe content types
Description:  This update adds .xht and .xhtm files to the system's
list of content types that will be flagged as potentially unsafe
under certain circumstances, such as when they are downloaded from a
web page. While these content types are not automatically launched,
if manually opened they could lead to the execution of a malicious
payload. This update improves the system's ability to notify users
before handling .xht and .xhtm files. On Mac OS X v10.4 this
functionality is provided by the Download Validation feature. On Mac
OS X v10.5 this functionality is provided by the Quarantine feature.
Credit to Brian Mastenbrook for reporting this issue.

c++filt
CVE-ID:  CVE-2008-2310
Available for:  Mac OS X v10.5 through v10.5.3,
Mac OS X Server v10.5 through v10.5.3
Impact:  Passing a maliciously crafted string to c++filt may lead to
an unexpected application termination or arbitrary code execution
Description:  A format string issue exists in c++filt, which is a
debugging tool used to demangle C++ and Java symbols. Passing a
maliciously crafted string to c++filt may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue through improved handling of format strings. This
issue does not affect systems prior to Mac OS X 10.5.

Dock
CVE-ID:  CVE-2008-2314
Available for:  Mac OS X v10.5 through v10.5.3,
Mac OS X Server v10.5 through v10.5.3
Impact:  A person with physical access may be able to bypass the
screen lock
Description:  When the system is set to require a password to wake
from sleep or screen saver, and hot corners are set for Expose, a
person with physical access may be able to access the system without
entering a password. This update addresses the issue by disabling hot
corners when the screen lock is active. This issue does not affect
systems prior to Mac OS X 10.5. Credit to Andrew Cassell of Marine
Spill Response Corporation for reporting this issue.

Launch Services
CVE-ID:  CVE-2008-2311
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  A race condition exists in the download validation of
symbolic links, when the target of the link changes during the narrow
time window of validation. If the "Open 'safe' files"
preference is enabled in Safari, visiting a maliciously crafted
website may cause a file to be opened on the user's system, resulting
in arbitrary code execution. This update addresses the issue by
performing additional validation of downloaded files. This issue does
not affect systems running Mac OS X 10.5 or later.
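The race described above is the classic check-then-use (TOCTOU) pattern: the
validator decides about a path name, and by the time the path is opened the
name points somewhere else. The following Ruby script is an added
illustration of that pattern and of the usual hardening; it is not Launch
Services or Apple code, and the "download" directory, file names and the
`swap` callback that stands in for the attacker are all constructed here.

```ruby
require 'tmpdir'
require 'fileutils'

# Added illustration of the check-then-use race the advisory describes; this is
# not Launch Services code. The "download" lives in a constructed temp directory.

# Is `resolved` located under `allowed_dir`? (both fully resolved)
def inside?(resolved, allowed_dir)
  resolved.start_with?(File.join(File.realpath(allowed_dir), ""))
end

# Racy pattern: both the validation and the later use go through the path
# name. `swap` stands in for what an attacker does in the window between them.
def racy_read(path, allowed_dir, swap = nil)
  return :rejected unless inside?(File.realpath(path), allowed_dir)  # check
  swap&.call                                                         # window
  File.binread(path)                                                 # use: follows the path as it is *now*
end

# Hardened: refuse a symlink at the final component (lstat, then O_NOFOLLOW on
# open), and after opening compare the descriptor's identity (dev, inode) with
# the object that was validated, so a swap in the window is detected.
def careful_read(path, allowed_dir, swap = nil)
  before = File.lstat(path)
  return :rejected if before.symlink? || !before.file?
  return :rejected unless inside?(File.realpath(path), allowed_dir)
  swap&.call
  File.open(path, File::RDONLY | File::NOFOLLOW) do |f|
    after = f.stat
    return :rejected unless after.dev == before.dev && after.ino == before.ino
    f.read
  end
rescue Errno::ELOOP, Errno::ENOENT
  :rejected
end

# Builds a throwaway layout and runs both readers through two attacks:
# a symlink re-pointed in the window, and a regular file replaced by rename.
def demo
  Dir.mktmpdir do |root|
    downloads = File.join(root, "downloads")
    outside   = File.join(root, "outside")
    FileUtils.mkdir_p([downloads, outside])
    benign = File.join(downloads, "benign.txt")
    File.write(benign, "harmless\n")
    secret = File.join(outside, "secret.txt")
    File.write(secret, "private data\n")

    # Scenario 1: the downloaded item is a symlink that is re-pointed in the window.
    link = File.join(downloads, "item")
    File.symlink(benign, link)
    repoint = -> { File.unlink(link); File.symlink(secret, link) }
    racy_link = racy_read(link, downloads, repoint)
    File.unlink(link)
    File.symlink(benign, link)
    careful_link = careful_read(link, downloads, repoint)

    # Scenario 2: a regular file inside the allowed dir is replaced by rename.
    plain = File.join(downloads, "plain.txt")
    File.write(plain, "harmless\n")
    secret2 = File.join(outside, "secret2.txt")
    File.write(secret2, "private data\n")
    racy_plain = racy_read(plain, downloads, -> { File.rename(secret2, plain) })
    File.write(plain, "harmless\n")
    secret3 = File.join(outside, "secret3.txt")
    File.write(secret3, "private data\n")
    careful_plain = careful_read(plain, downloads, -> { File.rename(secret3, plain) })

    { racy_link: racy_link, careful_link: careful_link,
      racy_plain: racy_plain, careful_plain: careful_plain }
  end
end

if __FILE__ == $0
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The point to take from it: validating a name proves nothing about the object
you open later, so either refuse to follow links at all (NOFOLLOW) or validate
the descriptor you actually hold. Shrinking the window, as the original fix
text puts it, is what "additional validation of downloaded files" has to mean.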

Net-SNMP
CVE-ID:  CVE-2008-0960
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3
Impact:  A remote attacker may be able to spoof an authenticated
SNMPv3 packet
Description:  An issue exists in Net-SNMP's SNMPv3 authentication,
which may allow maliciously crafted packets to bypass the
authentication check. This update addresses the issue by performing
additional validation of SNMPv3 packets. Additional information is
available via http://www.kb.cert.org/vuls/id/878044

Ruby
CVE-ID:  CVE-2008-2662, CVE-2008-2663, CVE-2008-2664, CVE-2008-2725,
CVE-2008-2726
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3
Impact:  Running a Ruby script that uses untrusted input to access
strings or arrays may lead to an unexpected application termination
or arbitrary code execution
Description:  Multiple memory corruption issues exist in Ruby's
handling of strings and arrays, the most serious of which may lead to
arbitrary code execution. This update addresses the issue by
performing additional validation of strings and arrays.

Ruby
CVE-ID:  CVE-2008-1145
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3
Impact:  If WEBrick is running, a remote attacker may be able to
access files protected by WEBrick's :NondisclosureName option
Description:  The :NondisclosureName option in the Ruby WEBrick
toolkit is used to restrict access to files. Requesting a file name
which uses unexpected capitalization may bypass the
:NondisclosureName restriction. This update addresses the issue by
performing additional validation of file names. Additional
information is available via
http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/
The directory traversal issue described in the advisory does not
affect Mac OS X.
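The bypass works because the deny list is matched case-sensitively while the
underlying volume (HFS+ on a default Mac OS X install) resolves names
case-insensitively. The Ruby script below is an added illustration of that
mismatch and of the case-folding fix; it is not WEBrick's own code. The
pattern list is WEBrick's documented default for :NondisclosureName, while the
in-memory "filesystem", the request names and the `serve` handler are
constructed for the example.

```ruby
# Added illustration, not WEBrick code: a glob deny list checked with exact
# case on a case-insensitive volume, next to the case-folding version.

# WEBrick's documented default for the :NondisclosureName option.
NONDISCLOSURE_NAMES = [".ht*", "*~"].freeze

# Before: exact-case glob match. ".HTACCESS" does not match ".ht*".
def hidden_exact?(basename)
  NONDISCLOSURE_NAMES.any? { |pat| File.fnmatch(pat, basename) }
end

# After: fold case while matching, so the check agrees with what a
# case-insensitive filesystem will hand back for the request.
def hidden_casefold?(basename)
  NONDISCLOSURE_NAMES.any? { |pat| File.fnmatch(pat, basename, File::FNM_CASEFOLD) }
end

# Stand-in for a case-insensitive, case-preserving volume such as HFS+:
# lookups ignore case, but the stored spelling is what gets served.
class CaseInsensitiveFS
  def initialize(files)
    @files = files            # { "stored name" => "contents" }
  end

  def lookup(name)
    stored = @files.keys.find { |k| k.casecmp?(name) }
    stored && [stored, @files[stored]]
  end
end

# Minimal document-root handler: deny-list check on the requested name first,
# then the filesystem lookup. Returns [status, body].
def serve(fs, requested, hidden_check)
  return [403, nil] if hidden_check.call(requested)
  stored, body = fs.lookup(requested)
  stored ? [200, body] : [404, nil]
end

# Constructed document root for the example.
DOCROOT = CaseInsensitiveFS.new(
  ".htaccess"  => "AuthUserFile /srv/www/.htpasswd\n",
  "index.html" => "<h1>hello</h1>\n"
)

def demo
  {
    exact_lower:    serve(DOCROOT, ".htaccess", method(:hidden_exact?)),
    exact_upper:    serve(DOCROOT, ".HTACCESS", method(:hidden_exact?)),   # the bypass
    casefold_upper: serve(DOCROOT, ".HTACCESS", method(:hidden_casefold?)),
    normal:         serve(DOCROOT, "INDEX.HTML", method(:hidden_casefold?))
  }
end

if __FILE__ == $0
  demo.each { |k, (status, body)| puts "#{k}: #{status} #{body.inspect}" }
end
```

The general lesson is that any name-based access check has to use the same
comparison the storage layer uses; this applies equally to Unicode
normalisation and to trailing-dot or 8.3 aliases on other platforms.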

SMB File Server
CVE-ID:  CVE-2008-1105
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.3, Mac OS X Server v10.5 through v10.5.3
Impact:  A remote attacker may be able to cause an unexpected
application termination or arbitrary code execution
Description:  A heap buffer overflow exists in the handling of SMB
packets. Sending malicious SMB packets to an SMB server, or connecting
to a malicious SMB server, may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue through improved bounds checking on the length of received SMB
packets. Credit to Alin Rad Pop of Secunia Research for reporting
this issue.

System Configuration
CVE-ID:  CVE-2008-2313
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  A local user may be able to execute arbitrary code with the
privileges of new users
Description:  A local user may be able to populate the User Template
directory with files that will become part of the home directory when
a new user is created. This could allow arbitrary code execution with
the privileges of the new user. This update addresses the issue by
applying more restrictive permissions on the User Template directory.
This issue does not affect systems running Mac OS X 10.5 or later.
Credit to Andrew Mortensen of the University of Michigan for
reporting this issue.

Tomcat
CVE-ID:  CVE-2005-3164, CVE-2007-1355, CVE-2007-2449, CVE-2007-2450,
CVE-2007-3382, CVE-2007-3383, CVE-2007-5333, CVE-2007-3385,
CVE-2007-5461
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Multiple vulnerabilities in Tomcat 4.1.36
Description:  Tomcat version 4.x is bundled on Mac OS X v10.4.11
systems. Tomcat on Mac OS X v10.4.11 is updated to version 4.1.37 to
address several vulnerabilities, the most serious of which may lead
to a cross-site scripting attack. Further information is available
via the Tomcat site at http://tomcat.apache.org/ Tomcat version 6.x
is bundled with Mac OS X v10.5 systems.

VPN
CVE-ID:  CVE-2007-6276
Available for:  Mac OS X v10.5 through v10.5.3,
Mac OS X Server v10.5 through v10.5.3
Impact:  Remote attackers may be able to cause an unexpected
application termination
Description:  A divide by zero issue exists in the virtual private
network daemon's handling of load balancing information. Processing a
maliciously crafted UDP packet may lead to an unexpected application
termination. This issue does not lead to arbitrary code execution.
This update addresses the issue by performing additional validation
of load balancing information. This issue does not affect systems
prior to Mac OS X 10.5.

WebKit
CVE-ID:  CVE-2008-2307
Available for:  Mac OS X v10.5 through v10.5.3,
Mac OS X Server v10.5 through v10.5.3
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in WebKit's handling
of JavaScript arrays. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution.
This update addresses the issue through improved bounds checking.
Along with this fix, the version of Safari for Mac OS X v10.5.4 is
updated to 3.1.2. For Mac OS X v10.4.11 and Windows XP / Vista, this
issue is addressed in Safari v3.1.2 for those systems. Credit to
James Urquhart for reporting this issue.

Security Update 2008-004 and Mac OS X v10.5.4 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Security Update 2008-004 or Mac OS X v10.5.4.

For Mac OS X v10.5.3
The download file is named:  "MacOSXUpd10.5.4.dmg"
Its SHA-1 digest is:  455d911a23ba222cc962298ad8ad15b2a234ca65

For Mac OS X v10.5 - v10.5.2
The download file is named:  "MacOSXUpdCombo10.5.4.dmg"
Its SHA-1 digest is:  490962bf712b2d801d08f42ca66b8a4541e9da16

For Mac OS X Server v10.5.3
The download file is named:  "MacOSXServerUpd10.5.4.dmg"
Its SHA-1 digest is:  bfeda72164fa17564b25d205d14288fe795df127

For Mac OS X Server v10.5 - v10.5.2
The download file is named:  "MacOSXServerUpdCombo10.5.4.dmg"
Its SHA-1 digest is:  d2d2fb234333c11348eb90f91d9d1720a952605a

For Mac OS X v10.4.11 (Intel)
The download file is named:  "SecUpd2008-004Intel.dmg"
Its SHA-1 digest is:  a14f144316eb620ccd28e12887e13ec0d6f46e6a

For Mac OS X v10.4.11 (PowerPC)
The download file is named:  "SecUpd2008-004PPC.dmg"
Its SHA-1 digest is:  b5436e04ce30392bc5131272f6b7f5582bc9fe27

For Mac OS X Server v10.4.11 (Universal)
The download file is named:  "SecUpdSrvr2008-004Univ.dmg"
Its SHA-1 digest is:  9b68b34f88ff8110166c1a57fd05756982f1e390

For Mac OS X Server v10.4.11 (PowerPC)
The download file is named:  "SecUpdSrvr2008-004PPC.dmg"
Its SHA-1 digest is:  35ef81cc092a74af80b2ef792c72645c636a4ae5
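A download should be checked against the digest table above before it is
mounted or installed. The Ruby script below is an added example, not Apple's
or AusCERT's tooling: it parses the "download file is named / Its SHA-1 digest
is" pairs exactly as they appear in this advisory and reports each file in a
directory as ok, mismatch or missing. The excerpt embedded in the script is
copied from the table above; the directory it scans is an assumption (the
current directory, or the first argument). A matching digest only proves the
file is byte-for-byte the one the advisory names; what makes that meaningful
is the PGP signature on the advisory itself, so verify that first.

```ruby
require 'digest'

# Added example: verify downloaded update images against the SHA-1 table
# published in the advisory. Not Apple or AusCERT code.

# The first two entries of the advisory's table, copied verbatim.
ADVISORY_EXCERPT = <<~TEXT
  For Mac OS X v10.5.3
  The download file is named:  "MacOSXUpd10.5.4.dmg"
  Its SHA-1 digest is:  455d911a23ba222cc962298ad8ad15b2a234ca65

  For Mac OS X v10.5 - v10.5.2
  The download file is named:  "MacOSXUpdCombo10.5.4.dmg"
  Its SHA-1 digest is:  490962bf712b2d801d08f42ca66b8a4541e9da16
TEXT

NAME_RE   = /^The download file is named:\s+"([^"]+)"/
DIGEST_RE = /^Its SHA-1 digest is:\s+([0-9a-fA-F]{40})\b/

# Returns { "file name" => "sha1 hex" }, pairing each name line with the digest
# line that follows it. An unpaired line raises, because a missing digest must
# fail loudly rather than silently become "nothing to check".
def parse_manifest(text)
  manifest = {}
  pending = nil
  text.each_line do |line|
    if (m = NAME_RE.match(line))
      raise "name without digest: #{pending}" if pending
      pending = m[1]
    elsif (m = DIGEST_RE.match(line))
      raise "digest without name" unless pending
      manifest[pending] = m[1].downcase
      pending = nil
    end
  end
  raise "name without digest: #{pending}" if pending
  manifest
end

# For every manifest entry, report :ok, :mismatch or :missing for dir/name.
# Only :ok files should be mounted or installed.
def verify_downloads(manifest, dir)
  manifest.each_with_object({}) do |(name, expected), result|
    path = File.join(dir, name)
    result[name] =
      if !File.file?(path)
        :missing
      elsif Digest::SHA1.file(path).hexdigest == expected
        :ok
      else
        :mismatch
      end
  end
end

if __FILE__ == $0
  dir = ARGV[0] || Dir.pwd                       # assumed: where the .dmg files were saved
  verify_downloads(parse_manifest(ADVISORY_EXCERPT), dir).each do |name, status|
    puts "#{status.to_s.ljust(8)} #{name}"
  end
end
```

On the Mac itself, `openssl sha1 MacOSXUpd10.5.4.dmg` prints the same value
for a quick manual comparison. SHA-1 is what Apple published in 2008; it is
still fine for spotting a corrupted or substituted download here, but for
anything you publish today prefer SHA-256.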

Information will also be posted to the Apple Security Updates
web site:  http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: 9.7.2.1608

wsBVAwUBSGk5pXkodeiKZIkBAQgzWwgAo3I2TgErwkXZMwlw9/Bk3uy//inoPSI5
2/WIC31SQgGF6S3ogzp7oDPApFvRyhZl4FMPulc2GL2UL9nJ5fSRF4JbKYmMqYyo
oF8D+rPbUUDUyx7tndZTcit+zHJ1OJU+LZ2QNkKX1NdsU0v6+Tv0dD8qEx6RhRuG
Nu+NZn8/3duceq/UzO+mir1HMIvXnGTYgGcj2L5SNauHla/XJtmARyfnCfDjE5c3
PUeHgvXJCLRIt/6a10RtbGcHWeY8tU2jCU/WmA41xUjdg3CkcDj6nbJfMn9t5PlU
knlC0rMoKBJiCBln3YX+DTWBp+xUhY7JAVOE8pBpWvmk98Ja8w4sLg==
=CXa3
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSGmJ5ih9+71yA2DNAQLjeQQAj3wiCLmmPBFRIwNoiX5i+dym/VNMaEHK
eMhhDNJQYwn4HSb9aaYka009myp+i7K8qQeArWBAmbvm6S5hoEPq0MilPbo/BSWd
m4pxxdeTrigUOr/089oQw/feYfOlXIT2IoozqLmCTGAB1Mvj9tzEnebzoBeveaKZ
muo9f0xsUIY=
=17rv
-----END PGP SIGNATURE-----