Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0761 -- [OSX] Security Update 2008-005 1 August 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Open Scripting Architecture BIND CarbonCore CoreGraphics Data Detectors Engine Disk Utility OpenLDAP OpenSSL PHP QuickLook rsync Publisher: Apple Operating System: Mac OS X Mac OS X Server Impact: Execute Arbitrary Code/Commands Increased Privileges Provide Misleading Information Read-only Data Access Overwrite Arbitrary Files Denial of Service Access: Remote/Unauthenticated Existing Account CVE Names: CVE-2008-2952 CVE-2008-2830 CVE-2008-2325 CVE-2008-2324 CVE-2008-2323 CVE-2008-2322 CVE-2008-2321 CVE-2008-2320 CVE-2008-2051 CVE-2008-2050 CVE-2008-1447 CVE-2008-0674 CVE-2008-0599 CVE-2007-6200 CVE-2007-6199 CVE-2007-5135 CVE-2007-4850 Original Bulletin: http://support.apple.com/kb/HT1222 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2008-07-31 Security Update 2008-005 Security Update 2008-005 is now available and addresses the following issues: Open Scripting Architecture CVE-ID: CVE-2008-2830 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4 Impact: A local user may execute commands with elevated privileges Description: A design issue exists in the Open Scripting Architecture libraries when determining whether to load scripting addition plugins into applications running with elevated privileges. Sending scripting addition commands to a privileged application may allow the execution of arbitrary code with those privileges. This update addresses the issue by not loading scripting addition plugins into applications running with system privileges. The recently reported ARDAgent and SecurityAgent issues are addressed by this update. Credit to Charles Srstka for reporting this issue. BIND CVE-ID: CVE-2008-1447 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4 Impact: BIND is susceptible to DNS cache poisoning and may return forged information Description: The Berkeley Internet Name Domain (BIND) server is distributed with Mac OS X, and is not enabled by default. When enabled, the BIND server provides translation between host names and IP addresses. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, systems that rely on the BIND server for DNS may receive forged information. This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1. Credit to Dan Kaminsky of IOActive for reporting this issue. CarbonCore CVE-ID: CVE-2008-2320 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4 Impact: Processing long filenames may lead to an unexpected application termination or arbitrary code execution Description: A stack buffer overflow exists in the handling of long filenames. Processing long filenames may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Thomas Raffetseder of the International Secure Systems Lab and Sergio 'shadown' Alvarez of n.runs AG for reporting this issue. CoreGraphics CVE-ID: CVE-2008-2321 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4 Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: CoreGraphics contains memory corruption issues in the processing of arguments. Passing untrusted input to CoreGraphics via an application, such as a web browser, may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Michal Zalewski of Google for reporting this issue. CoreGraphics CVE-ID: CVE-2008-2322 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4 Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow in the handling of PDF files may result in a heap buffer overflow. Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through additional validation of PDF files. Credit to Pariente Kobi working with the iDefense VCP for reporting this issue. Data Detectors Engine CVE-ID: CVE-2008-2323 Available for: Mac OS X v10.5.4, Mac OS X Server v10.5.4 Impact: Viewing maliciously crafted messages with Data Detectors may lead to an unexpected application termination Description: Data Detectors are used to extract reference information from textual content or archives. A resource consumption issue exists in Data Detectors' handling of textual content. Viewing maliciously crafted content in an application that uses Data Detectors may lead to a denial of service, but not arbitrary code execution. This issue does not affect systems prior to Mac OS X v10.5. Disk Utility CVE-ID: CVE-2008-2324 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11 Impact: A local user may obtain system privileges Description: The "Repair Permissions" tool in Disk Utility makes /usr/bin/emacs setuid. After the Repair Permissions tool has been run, a local user may use emacs to run commands with system privileges. This update addresses the issue by correcting the permissions applied to emacs in the Repair Permissions tool. This issue does not affect systems running Mac OS X v10.5 and later. Credit to Anton Rang and Brian Timares for reporting this issue. OpenLDAP CVE-ID: CVE-2008-2952 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4 Impact: A remote attacker may be able to cause an unexpected application termination Description: An issue exists in OpenLDAP's ASN.1 BER decoding. Processing a maliciously crafted LDAP message may trigger an assertion and lead to an unexpected application termination of the OpenLDAP daemon, slapd. This update addresses the issue by performing additional validation of LDAP messages. OpenSSL CVE-ID: CVE-2007-5135 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4 Impact: A remote attacker may be able to cause an unexpected application termination or arbitrary code execution Description: A range checking issue exists in the SSL_get_shared_ciphers() utility function within OpenSSL. In an application using this function, processing maliciously crafted packets may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. PHP CVE-ID: CVE-2008-2051, CVE-2008-2050, CVE-2007-4850, CVE-2008-0599, CVE-2008-0674 Available for: Mac OS X v10.5.4, Mac OS X Server v10.5.4 Impact: Multiple vulnerabilities in PHP 5.2.5 Description: PHP is updated to version 5.2.6 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/ PHP version 5.2.x is only provided with Mac OS X v10.5 systems. QuickLook CVE-ID: CVE-2008-2325 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4 Impact: Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues exist in QuickLook's handling of Microsoft Office files. Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.5. rsync CVE-ID: CVE-2007-6199, CVE-2007-6200 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4 Impact: Files outside the module root may be accessed or overwritten remotely Description: Path validation issues exist in rsync's handling of symbolic links when running in daemon mode. Placing symbolic links in an rsync module may allow files outside of the module root to be accessed or overwritten. This update addresses the issue through improved handling of symbolic links. Further information on the patches applied is available via the rsync web site at http://rsync.samba.org/ Security Update 2008-005 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ For Mac OS X v10.5.4 and Mac OS X Server 10.5.4 The download file is named: "SecUpd2008-005.dmg" Its SHA-1 digest is: 9c4fd4ee59965819427445f6de172c42b223e6e1 For Mac OS X v10.4.11 (Intel) The download file is named: "SecUpd2008-005Intel.dmg" Its SHA-1 digest is: 1ff3242935c98325769b33148a2a8b1e72db567c For Mac OS X v10.4.11 (PPC) The download file is named: "SecUpd2008-005PPC.dmg" Its SHA-1 digest is: 2f56ea4311d5b85de3c494f6fee46360e5b7317e For Mac OS X Server v10.4.11 (Universal) The download file is named: "SecUpdSrvr2008-005Univ.dmg" Its SHA-1 digest is: 256401659308a634cee06b00d1a6ae9dc20b5467 For Mac OS X Server v10.4.11 (PPC) The download file is named: "SecUpdSrvr2008-005PPC.dmg" Its SHA-1 digest is: d310d471bd39df92cb5580e18f356a222824d7d2 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/ - -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.0.3 (Build 2932) iQEVAwUBSJJ9c3kodeiKZIkBAQiWmggAmx3HBLe2vwoDmCr+ycU+orkLNDvRW0zJ Kq8rJZNRC4HwoDvAdduzNcwL9vudnJqcY0ZEGaXp6USRPjvioFUZJNUoDG/1goj5 E6q9velCEgu67WBT66ampy9oyqaHFP5YdWKKDg4AvGeFiJqgplFsBEaCqr7xigoh T+xbPAzWt5aXp8rlAnZPhEFbK7ZAQEGEtoc5UnSdTlm4mwDdMRszG8JhgpoiII72 8LIjZpf7cMf0neUua2pvGDNITHoZfNWg2a11CyIDilIPUj7Vl4Rhfw6b+bcSK6Po FMS1ZF0D9I58j6KLQ2LuSr0lB0Xd1tfsZGlCNdWQzK5RH/UrmbEMXg== =k/dw - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBSJKIcih9+71yA2DNAQIk8QQAk4xVN2ijp3tJ1obJiYyV1/NKymfxT945 Ab/d5YZBarfxJXPVabOVbvu7aANsg8ceA8TQa6UvT4eyn/a+b2j5s9rTuvvso3RP Jhdw3mnUQBDtkl14aZirAwa3WcwihagqDSZYXadXzGcN5K0JEO9GNSAAHrYQvcmZ j9NxG8A6exg= =vY0g -----END PGP SIGNATURE-----