Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.1123 -- [Mac][OSX] Security Update 2008-008 / Mac OS X v10.5.6 16 December 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: ATS BOM CoreGraphics CoreServices CoreTypes Flash Player Kernel Libsystem Managed Client network_cmds Podcast Producer UDF Publisher: Apple Operating System: Mac OS X 10.5 to 10.5.5 Mac OS X 10.4.11 Impact: Execute Arbitrary Code/Commands Increased Privileges Access Privileged Data Access Confidential Data Modify Arbitrary Files Cross-site Scripting Denial of Service Provide Misleading Information Reduced Security Access: Remote/Unauthenticated CVE Names: CVE-2008-4824 CVE-2008-4823 CVE-2008-4822 CVE-2008-4821 CVE-2008-4820 CVE-2008-4819 CVE-2008-4818 CVE-2008-4237 CVE-2008-4236 CVE-2008-4234 CVE-2008-4224 CVE-2008-4223 CVE-2008-4222 CVE-2008-4221 CVE-2008-4220 CVE-2008-4219 CVE-2008-4218 CVE-2008-4217 CVE-2008-3623 CVE-2008-3170 CVE-2008-1391 Ref: ESB-2008.1028 Original Bulletin: http://support.apple.com/kb/HT3338 Comment: Note that this does not address AL-2008.0128. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2008-12-15 Security Update 2008-008 / Mac OS X v10.5.6 Security Update 2008-008 / Mac OS X v10.5.6 is now available and addresses the following issues: ATS CVE-ID: CVE-2008-4236 Available for: Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Viewing or downloading a PDF file containing a maliciously crafted embedded font may lead to a denial of service Description: An infinite loop may occur in the Apple Type Services server's handling of embedded fonts in PDF files. Viewing or downloading a PDF file containing a maliciously crafted embedded font may lead to a denial of service. This update addresses the issue by performing additional validation of embedded fonts. This issue does not affect systems prior to Mac OS X v10.5. Credit to Michael Samarin and Mikko Vihonen of Futurice Ltd. for reporting this issue. BOM CVE-ID: CVE-2008-4217 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Downloading or viewing a maliciously crafted CPIO archive may lead to arbitrary code execution or unexpected application termination Description: A signedness issue exists in BOM's handling of CPIO headers which may result in a stack buffer overflow. Downloading or viewing a maliciously crafted CPIO archive may lead to arbitrary code execution or unexpected application termination. This update addresses the issue by performing additional validation of CPIO headers. Credit: Apple. CoreGraphics CVE-ID: CVE-2008-3623 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow exists in the handling of color spaces within CoreGraphics. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit: Apple. CoreServices CVE-ID: CVE-2008-3170 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Visiting a maliciously crafted website may lead to the disclosure of user credentials Description: Safari allows web sites to set cookies for country- specific top-level domains, which may allow a remote attacker to perform a session fixation attack and hijack a user's credentials. This update addresses the issue by performing additional validation of domain names. Credit to Alexander Clauss of iCab.de for reporting this issue. CoreTypes CVE-ID: CVE-2008-4234 Available for: Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Attempting to launch unsafe downloaded content may not lead to a warning Description: Mac OS X provides the Download Validation capability to indicate potentially unsafe files. Applications such as Safari and others use Download Validation to help warn users prior to launching files marked as potentially unsafe. This update adds to the list of potentially unsafe types. It adds the content type for files that have executable permissions and no specific application association. These files are potentially unsafe as they will launch in Terminal and their content will be executed as commands. While these files are not automatically launched, if manually opened they could lead to the execution of arbitrary code. This issue does not affect systems prior to Mac OS X v10.5. Flash Player Plug-in CVE-ID: CVE-2008-4818, CVE-2008-4819, CVE-2008-4820, CVE-2008-4821, CVE-2008-4822, CVE-2008-4823, CVE-2008-4824 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Multiple vulnerabilities in Adobe Flash Player plug-in Description: Multiple issues exist in the Adobe Flash Player plug- in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 9.0.151.0. Further information is available via the Adobe web site at http://www.adobe.com/support/security/bulletins/apsb08-20.html Kernel CVE-ID: CVE-2008-4218 Available for: Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: A local user may obtain system privileges Description: Integer overflow issues exist within the i386_set_ldt and i386_get_ldt system calls, which may allow a local user to execute arbitrary code with system privileges. This update addresses the issues through improved bounds checking. These issues do not affect PowerPC systems. Credit to Richard Vaneeden of IOActive, Inc. for reporting these issues. Kernel CVE-ID: CVE-2008-4219 Available for: Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Running an executable that links dynamic libraries on an NFS share may lead to an unexpected system shutdown Description: An infinite loop may occur when a program located on an NFS share receives an exception. This may lead to an unexpected system shutdown. This update addresses the issue through improved handling of exceptions. Credit to Ben Loer of Princeton University for reporting this issue. Libsystem CVE-ID: CVE-2008-4220 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Applications that use the inet_net_pton API may be vulnerable to arbitrary code execution or an unexpected application termination Description: An integer overflow exists in Libsystem's inet_net_pton API, which may lead to arbitrary code execution or the unexpected termination of the application using the API. This update addresses the issue through improved bounds checking. This API is not normally called with untrusted data, and no exploitable cases of this issue are known. This update is provided to help mitigate potential attacks against any application using this API. Libsystem CVE-ID: CVE-2008-4221 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Applications that use the strptime API may be vulnerable to arbitrary code execution or unexpected application termination Description: A memory corruption issue exists in Libsystem's strptime API. Parsing a maliciously crafted date string may lead to arbitrary code execution or unexpected application termination. This update addresses the issue through improved memory allocation. Credit: Apple. Libsystem CVE-ID: CVE-2008-1391 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Applications that use the strfmon API may be exposed to an unexpected application termination or arbitrary code execution Description: Multiple integer overflows exist in Libsystem's strfmon implementation. An application calling strfmon with large values of certain integer fields in the format string argument may unexpectedly terminate or lead to arbitrary code execution. This update addresses the issues through improved bounds checking. Managed Client CVE-ID: CVE-2008-4237 Available for: Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: The managed screen saver settings are not applied Description: The method by which the software on a managed client system installs per-host configuration information does not always correctly identify the system. On a misidentified system, per-host settings are not applied, including the screen saver lock. This update addresses the issue by having Managed Client use the correct system identification. This issue does not affect systems with built- in Ethernet. Credit to John Barnes of ESRI, and Trevor Lalish-Menagh of Tamman Technologies, Inc. for reporting this issue. network_cmds CVE-ID: CVE-2008-4222 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: A remote attacker may be able to cause a denial of service if Internet Sharing is enabled Description: An infinite loop may occur in the handling of TCP packets in natd. By sending a maliciously crafted TCP packet, a remote attacker may be able to cause a denial of service if Internet Sharing is enabled. This update addresses the issue by performing additional validation of TCP packets. Credit to Alex Rosenberg of Ohmantics, and Gary Teter of Paizo Publishing for reporting this issue. Podcast Producer CVE-ID: CVE-2008-4223 Available for: Mac OS X Server v10.5 through v10.5.5 Impact: A remote attacker may be able to access the administrative functions of Podcast Producer Description: An authentication bypass issue exists in the Podcast Producer server, which may allow an unauthorized user to access administrative functions in the server. This update addresses the issue through improved handling of access restrictions. Podcast Producer was introduced in Mac OS X Server v10.5. UDF CVE-ID: CVE-2008-4224 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Opening an ISO file may lead to an unexpected system shutdown Description: An input validation issue exists in the handling of malformed UDF volumes. Opening a maliciously crafted ISO file may lead to an unexpected system shutdown. This update addresses the issue through improved input validation. Credit to Mauro Notarianni of PCAX Solutions for reporting this issue. Security Update 2008-008 and Mac OS X v10.5.6 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Security Update 2008-008 or Mac OS X v10.5.6. For Mac OS X v10.5.5 The download file is named: "MacOSXUpd10.5.6.dmg" Its SHA-1 digest is: 684f67524a92b4314a4bdd52498fb3b6af8f9ded For Mac OS X v10.5 - v10.5.4 The download file is named: "MacOSXUpdCombo10.5.6.dmg" Its SHA-1 digest is: 09de4ac2c5591ab75d51ef37dc70f9e5630150d4 For Mac OS X Server v10.5.5 The download file is named: "MacOSXServerUpd10.5.6.dmg" Its SHA-1 digest is: bd14ab94b9bcc896da1613ac761171b54286bcac For Mac OS X Server v10.5 - v10.5.4 The download file is named: "MacOSXServerUpdCombo10.5.6.dmg" Its SHA-1 digest is: e20d8d458be3ec51b0083ff823ce27def00dbca7 For Mac OS X v10.4.11 (Intel) The download file is named: "SecUpd2008-008Intel.dmg" Its SHA-1 digest is: 651e592fad1bd158a76459a81d2ebede1f3bedea For Mac OS X v10.4.11 (PowerPC) The download file is named: "SecUpd2008-008PPC.dmg" Its SHA-1 digest is: 9bb2aa7fcc924715b6442e808fc778789f359906 For Mac OS X Server v10.4.11 (Universal) The download file is named: "SecUpdSrvr2008-008Univ.dmg" Its SHA-1 digest is: 21702064037150cdeb9d708304ee91eb254c7371 For Mac OS X Server v10.4.11 (PowerPC) The download file is named: "SecUpdSrvr2008-008PPC.dmg" Its SHA-1 digest is: d0e4720051ea27b8edf0ab2a124d6e9f0e16534c Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/ - -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJJRoLMAAoJEHkodeiKZIkB64kIAKWDMSDEqM/NEmMpkdIqNzcb eZT1iPzXMgJPka04kmZismqN5+FHXa47+w/QYntp9uF+FxX+3aw/ip6v/sQ6Mm15 9wmfFgCddbas04g/9JjCh+UgOHUiUKOHmBElROwoLcJNAZBPgMsTQMZYQSqRTwWI 9+Nqqr7ajZvujo6ajIIQp/Lv48PIWZw/sI2CJzKS0zt5u7ctFvAJUjKaKsXZKvei /0bqcIRCy/TGjB+yI4p30OZVup/IAp21tFaaRBc+lWHZ2bvCSQ7ZpwlLJtlL/FOC jSZoVhNwYJPH2v+cG5mZ6aX2ntZgU2FD6mZyzsrUcS7fpG5fnxgU4lEnX55ntME= =pIcv - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBSUboeCh9+71yA2DNAQKwbQP+JEgXkLKUFTHW/AjyVU49VrMiKgCrjiA/ P08DnPdgdzEpMTVe/+exuikIPrTP9Q8+U37Md9ziJecIPDO2p/tlvYtTnY5XiaPN VRvnjnxW66RS9/1P6GD1ARWpzMv/ZDIvS9jPYq62K50Xa+Uc9KeIo+LabgmQcdok CYAZ5i/PbiY= =8uOu -----END PGP SIGNATURE-----