-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1138
                Security Update 2009-003 / Mac OS X v10.5.8
                               6 August 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mac OS X prior to v10.5.8
Publisher:         Apple
Operating System:  Mac OS X
Impact/Access:     Root Compromise                 -- Existing Account            
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-2194 CVE-2009-2193 CVE-2009-2192
                   CVE-2009-2191 CVE-2009-2190 CVE-2009-2188
                   CVE-2009-1728 CVE-2009-1727 CVE-2009-1726
                   CVE-2009-1723 CVE-2009-1722 CVE-2009-1721
                   CVE-2009-1720 CVE-2009-1235 CVE-2009-0151
                   CVE-2009-0040 CVE-2008-1372 CVE-2008-0674

Reference:         ESB-2009.0459

Original Bulletin: 
   http://support.apple.com/kb/HT3757

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2009-08-05-1 Security Update 2009-003 / Mac OS X v10.5.8

Security Update 2009-003 / Mac OS X v10.5.8 is now available and
addresses the following:

bzip2
CVE-ID:  CVE-2008-1372
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.7, Mac OS X Server v10.5 through v10.5.7
Impact:  Decompressing maliciously crafted data may lead to an
unexpected application termination
Description:  An out-of-bounds memory access exists in bzip2. Opening
a maliciously crafted compressed file may lead to an unexpected
application termination. This update addresses the issue by updating
bzip2 to version 1.0.5. Further information is available via the
bzip2 web site at http://bzip.org/

CFNetwork
CVE-ID:  CVE-2009-1723
Available for:  Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact:  A maliciously crafted website may control the displayed
website URL in a certificate warning
Description:  When Safari reaches a website via a 302 redirection and
a certificate warning is displayed, the warning will contain the
original website URL instead of the current website URL. This may
allow a maliciously crafted website that is reached via an open
redirector on a user-trusted website to control the displayed website
URL in a certificate warning. This issue was addressed by returning
the correct URL in the underlying CFNetwork layer. This issue does
not affect systems prior to Mac OS X v10.5. Credit to Kevin Day of
Your.Org, and Jason Mueller of Indiana University for reporting this
issue.

ColorSync
CVE-ID:  CVE-2009-1726
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.7, Mac OS X Server v10.5 through v10.5.7
Impact:  Viewing a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution
Description:  A heap buffer overflow exists in the handling of images
with an embedded ColorSync profile. Opening a maliciously crafted
image with an embedded ColorSync profile may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of ColorSync
profiles. Credit to Chris Evans of the Google Security Team for
reporting this issue.

CoreTypes
CVE-ID:  CVE-2009-1727
Available for:  Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact:  Users are not warned before opening certain potentially
unsafe content types
Description:  This update extends the system's list of content types
that will be flagged as potentially unsafe under certain
circumstances, such as when they are downloaded from a web page.
While these content types are not automatically launched, if manually
opened they could lead to the execution of a malicious JavaScript
payload. This update improves the system's ability to notify users
before handling content types used by Safari. Credit to Brian
Mastenbrook, and Clint Ruoho of Laconic Security for reporting this
issue.

Dock
CVE-ID:  CVE-2009-0151
Available for:  Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact:  A person with physical access to a locked system may use
four-finger Multi-Touch gestures
Description:  The screen saver does not block four-finger Multi-Touch
gestures, which may allow a person with physical access to a locked
system to manage applications or use Exposé. This update addresses
the issue by properly blocking Multi-Touch gestures when the screen
saver is running. This issue only affects systems with a Multi-Touch
trackpad.

Image RAW
CVE-ID:  CVE-2009-1728
Available for:  Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact:  Viewing a maliciously crafted Canon RAW image may lead to an
unexpected application termination or arbitrary code execution
Description:  A stack buffer overflow exists in the handling of Canon
RAW images. Viewing a maliciously crafted Canon RAW image may lead to
an unexpected application termination or arbitrary code execution.
This update addresses the issue through improved bounds checking. For
Mac OS X v10.4 systems, this issue is already addressed with Digital
Camera RAW Compatibility Update 2.6. Credit to Chris Ries of Carnegie
Mellon University Computing Services for reporting this issue.

ImageIO
CVE-ID:  CVE-2009-1722
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.7, Mac OS X Server v10.5 through v10.5.7
Impact:  Viewing a maliciously crafted OpenEXR image may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in ImageIO's handling of
OpenEXR images. Viewing a maliciously crafted OpenEXR image may lead
to an unexpected application termination or arbitrary code execution.
This update addresses the issue by updating OpenEXR to version 1.6.1.
Credit to Lurene Grenier of Sourcefire VRT, and Chris Ries of
Carnegie Mellon University Computing Services for reporting this
issue.

ImageIO
CVE-ID:  CVE-2009-1721
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.7, Mac OS X Server v10.5 through v10.5.7
Impact:  Viewing a maliciously crafted OpenEXR image may lead to an
unexpected application termination or arbitrary code execution
Description:  An uninitialized memory access issue exists in
ImageIO's handling of OpenEXR images. Viewing a maliciously crafted
OpenEXR image may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through
proper memory initialization and additional validation of OpenEXR
images. Credit: Apple.

ImageIO
CVE-ID:  CVE-2009-1720
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.7, Mac OS X Server v10.5 through v10.5.7
Impact:  Viewing a maliciously crafted OpenEXR image may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple integer overflows exist in ImageIO's handling
of OpenEXR images. Viewing a maliciously crafted OpenEXR image may
lead to an unexpected application termination or arbitrary code
execution. This update addresses the issues through improved bounds
checking. Credit: Apple.

ImageIO
CVE-ID:  CVE-2009-2188
Available for:  Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact:  Viewing a maliciously crafted image may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow exists in ImageIO's handling of EXIF
metadata. Viewing a maliciously crafted image may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue through improved bounds checking. This
issue does not affect systems prior to Mac OS X v10.5.

ImageIO
CVE-ID:  CVE-2009-0040
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.7, Mac OS X Server v10.5 through v10.5.7
Impact:  Processing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description:  An uninitialized pointer issue exists in the handling
of PNG images. Processing a maliciously crafted PNG image may lead to
an unexpected application termination or arbitrary code execution.
This update addresses the issue by performing additional validation
of PNG images. Credit to Tavis Ormandy of the Google Security Team
for reporting this issue.

Kernel
CVE-ID:  CVE-2009-1235
Available for:  Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact:  A local user may obtain system privileges
Description:  An implementation issue exists in the kernel's handling
of fcntl system calls. A local user may overwrite kernel memory and
execute arbitrary code with system privileges. This update addresses
the issue through improved handling of fcntl system calls. Credit to
Razvan Musaloiu-E. of Johns Hopkins University, HiNRG for reporting
this issue.

launchd
CVE-ID:  CVE-2009-2190
Available for:  Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact:  Opening many connections to an inetd-based launchd service
may lead to a denial of service
Description:  Opening many connections to an inetd-based launchd
service may cause launchd to stop servicing incoming connections to
that service until the next system restart. This update addresses the
issue through improved error handling.

Login Window
CVE-ID:  CVE-2009-2191
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.7, Mac OS X Server v10.5 through v10.5.7
Impact:  A format string issue in Login Window may lead to an
unexpected application termination or arbitrary code execution
Description:  A format string issue in Login Window's handling of
application names may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue through
improved handling of application names. Credit to Alfredo Pesoli of
0xcafebabe.it for reporting this issue.

MobileMe
CVE-ID:  CVE-2009-2192
Available for:  Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact:  Signing out of MobileMe does not remove all credentials
Description:  A logic issue exists in the MobileMe preference pane.
Signing out of the preference pane does not delete all credentials. A
person with access to the local user account may continue to access
any other system associated with the MobileMe account which had
previously been signed in for that local account. This update
addresses the issue by deleting all the credentials on sign out.

Networking
CVE-ID:  CVE-2009-2193
Available for:  Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact:  Receiving a maliciously crafted AppleTalk response packet
may lead to arbitrary code execution with system privileges or an
unexpected system shutdown
Description:  A buffer overflow exists in the kernel's handling of
AppleTalk response packets. Receiving a maliciously crafted AppleTalk
response packet may lead to arbitrary code execution with system
privileges or an unexpected system shutdown. This update addresses
the issue through improved validation of AppleTalk response packets.
Credit to Ilja van Sprundel from IOActive for reporting this issue.

Networking
CVE-ID:  CVE-2009-2194
Available for:  Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact:  A local user may cause an unexpected system shutdown
Description:  A synchronization issue exists in the handling of file
descriptor sharing over local sockets. By sending messages containing
file descriptors to a socket with no receiver, a local user may cause
an unexpected system shutdown. This update addresses the issue
through improved handling of file descriptor sharing. Credit to
Bennet Yee of Google Inc. for reporting this issue.
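The mechanism this entry concerns is descriptor passing over AF_UNIX
sockets (SCM_RIGHTS), where the kernel takes its own reference on each
in-flight file and must release it correctly whether or not anyone ever
receives the message. The following is an added example, not Apple's code
and not a reproduction of the reported crash: it shows a descriptor
surviving in flight after the sender has dropped every reference, and the
clean EPIPE a correct kernel returns when the peer is already gone. It
assumes a Linux or BSD-style Unix socket implementation; the pipe contents
and message bytes are constructed for the demonstration.

```python
import array
import os
import socket


def send_fds(sock, fds, payload=b"\0"):
    """Send file descriptors as SCM_RIGHTS ancillary data.

    At least one byte of ordinary data must travel with the control
    message; the kernel takes a reference on every file listed in fds
    and attaches it to the queued message."""
    return sock.sendmsg(
        [payload],
        [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", fds))],
    )


def recv_fds(sock, maxfds=1, bufsize=1024):
    """Receive a message plus the descriptors the kernel installed for us.

    Each in-flight file is dup()ed into the receiver's table, so the
    numbers returned are ours and unrelated to the sender's numbering."""
    fds = array.array("i")
    msg, ancdata, _flags, _addr = sock.recvmsg(
        bufsize, socket.CMSG_SPACE(maxfds * fds.itemsize))
    for level, typ, data in ancdata:
        if level == socket.SOL_SOCKET and typ == socket.SCM_RIGHTS:
            # Drop any trailing padding so we only parse whole ints.
            data = data[: len(data) - (len(data) % fds.itemsize)]
            fds.frombytes(data)
    return msg, list(fds)


def demo_inflight_descriptor():
    """A descriptor stays alive while queued on the socket, even after the
    sender closes its copy and the socket it sent it on: the reference the
    kernel holds on the in-flight file is what keeps it open."""
    r, w = os.pipe()
    os.write(w, b"in-flight payload")   # constructed sample data
    os.close(w)
    sender, receiver = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        send_fds(sender, [r], b"fd follows")
        os.close(r)          # sender's only reference is gone
        sender.close()       # and so is the sending socket
        msg, fds = recv_fds(receiver)
        data = os.read(fds[0], 64)
        for fd in fds:
            os.close(fd)
        return msg, data
    finally:
        sender.close()
        receiver.close()


def demo_no_receiver():
    """Try to pass a descriptor to a peer that has already gone away.

    The kernel must unwind the reference it took without leaking or
    double-freeing the file; a correct kernel simply fails the send with
    EPIPE and leaves the sender's descriptor intact. Returns the errno."""
    r, w = os.pipe()
    sender, receiver = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    receiver.close()
    try:
        send_fds(sender, [r])
        return None                 # a kernel that accepts it would land here
    except OSError as e:
        os.fstat(r)                 # our descriptor must still be valid
        return e.errno
    finally:
        sender.close()
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    print(demo_inflight_descriptor())
    print("no-receiver send failed with errno", demo_no_receiver())
```

The second function is the benign shape of the condition the advisory
describes; whether a given kernel handles the in-flight reference
correctly in that path is exactly what the update fixes, and this script
does nothing beyond the normal, documented sendmsg error.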

XQuery
CVE-ID:  CVE-2008-0674
Available for:  Mac OS X v10.5 through v10.5.7,
Mac OS X Server v10.5 through v10.5.7
Impact:  Processing maliciously crafted XML content may lead to
arbitrary code execution
Description:  A buffer overflow exists in the handling of character
classes in regular expressions in the Perl Compatible Regular
Expressions (PCRE) library used by XQuery. This may allow a remote
attacker to execute arbitrary code via a regular expression
containing a character class with a large number of characters with
Unicode code points greater than 255. This update addresses the issue
by updating PCRE to version 7.6.


Security Update 2009-003 / Mac OS X v10.5.8 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Security Update 2009-003 or Mac OS X v10.5.8.

For Mac OS X v10.5.7
The download file is named: MacOSXUpd10.5.8.dmg
Its SHA-1 digest is: 11e79fb9b0ba63f211a708a1bcf8b397077a2e5e

For Mac OS X v10.5 - v10.5.6
The download file is named: MacOSXUpdCombo10.5.8.dmg
Its SHA-1 digest is: 6a3a744626503a807dd0158c41d0350aa37fe6c7

For Mac OS X Server v10.5.7
The download file is named: MacOSXServerUpd10.5.8.dmg
Its SHA-1 digest is: dbcbe49662d818cfbe796f8bfb2bfe21c64dbc9e

For Mac OS X Server v10.5 - v10.5.6
The download file is named: MacOSXServerUpdCombo10.5.8.dmg
Its SHA-1 digest is: 5f23c8253193c59562b3d39acc7daf498902e59d

For Mac OS X v10.4.11 (Intel)
The download file is named: SecUpd2009-003Intel.dmg
Its SHA-1 digest is: 49cff2d44c1f4bce1848aadadaaa22ac8807824f

For Mac OS X v10.4.11 (PowerPC)
The download file is named: SecUpd2009-003PPC.dmg
Its SHA-1 digest is: 29d8b4678bdc592b672d091cce2e6e7ef3d43b28

For Mac OS X Server v10.4.11 (Universal)
The download file is named: SecUpdSrvr2009-003Univ.dmg
Its SHA-1 digest is: e1fc266df664ea495b3b5b4cb978aa7d705b8f92

For Mac OS X Server v10.4.11 (PowerPC)
The download file is named: SecUpdSrvr2009-003PPC.dmg
Its SHA-1 digest is: ba204cf8d09d4d2c7fd30573e67e47bfd8e5f2ab
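Checking a downloaded image against the digests above, as an added
example rather than a tool from Apple or AusCERT. The digest table is
copied from this bulletin; the file is streamed so a large .dmg is not
read into memory at once, and the comparison is constant-time. Note what
this does and does not establish: a matching digest shows the file is the
one the advisory describes (not truncated or corrupted in transit);
authenticity rests on the PGP signature over the advisory that carries
the digests, and on the installer's own signature, not on SHA-1 itself.

```python
import hashlib
import hmac
import os
import sys

# SHA-1 digests published in APPLE-SA-2009-08-05-1 for each update image.
PUBLISHED_SHA1 = {
    "MacOSXUpd10.5.8.dmg":            "11e79fb9b0ba63f211a708a1bcf8b397077a2e5e",
    "MacOSXUpdCombo10.5.8.dmg":       "6a3a744626503a807dd0158c41d0350aa37fe6c7",
    "MacOSXServerUpd10.5.8.dmg":      "dbcbe49662d818cfbe796f8bfb2bfe21c64dbc9e",
    "MacOSXServerUpdCombo10.5.8.dmg": "5f23c8253193c59562b3d39acc7daf498902e59d",
    "SecUpd2009-003Intel.dmg":        "49cff2d44c1f4bce1848aadadaaa22ac8807824f",
    "SecUpd2009-003PPC.dmg":          "29d8b4678bdc592b672d091cce2e6e7ef3d43b28",
    "SecUpdSrvr2009-003Univ.dmg":     "e1fc266df664ea495b3b5b4cb978aa7d705b8f92",
    "SecUpdSrvr2009-003PPC.dmg":      "ba204cf8d09d4d2c7fd30573e67e47bfd8e5f2ab",
}


def sha1_file(path, chunk_size=1 << 20):
    """Hex SHA-1 of a file, computed in 1 MiB chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex):
    """True only if the file's SHA-1 equals the published digest.

    compare_digest avoids a timing side channel; it also rejects
    digests of the wrong length instead of silently matching a prefix."""
    actual = sha1_file(path)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def verify_named_download(path):
    """Look the image up by file name and verify it against the table.

    Unknown names raise rather than return False, so a renamed file is
    reported as 'not covered by the advisory' instead of 'corrupt'."""
    name = os.path.basename(path)
    if name not in PUBLISHED_SHA1:
        raise KeyError("no published digest for %r" % name)
    return verify_download(path, PUBLISHED_SHA1[name])


if __name__ == "__main__":
    # Usage: python verify_update.py ~/Downloads/MacOSXUpdCombo10.5.8.dmg
    rc = 0
    for p in sys.argv[1:]:
        ok = verify_named_download(p)
        print("%-36s %s" % (os.path.basename(p), "OK" if ok else "MISMATCH"))
        rc |= 0 if ok else 1
    sys.exit(rc)
```

On macOS the same check from the shell is `shasum -a 1 <file>` (or
`openssl dgst -sha1 <file>`), compared by eye against the bulletin; the
script above is for doing it unattended across a fleet of downloaded
images.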

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)

iQEcBAEBAgAGBQJKedeJAAoJEHkodeiKZIkBN6MH/1CPnWDjLi2OMTNt0fLWKMsz
LMXCXYFDijQwr/YFB3xSdvIilmy1NOryhEiPPTbBAYVLePx4y3kmkWjmMwk9rv2g
XvDmY7xyjt9WwLj2ZbtO2GeAfIpBEkVQGYWgffdJ7YMDZpHGBA8YPKbZ9BCkbbEL
OKvUfQB4q5NFP++cljrpY//L/s9SGCxWSV4hX7CxCoajVJu0ErhcVZ+NDdtvE2g3
t93liK50wVay0nWCFEbcBlgr7UhQamkmBn27o+VxTrDut+f+x9Wdv+bn/MjQObUq
T2dpWgz8pRKgiR9Bbc5wfHCK8wjgCViB6zJ+59b5bin7lXbSHH30mUL+c/MFydE=
=lWU5
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFKek+bNVH5XJJInbgRArSpAJ4gUZY4cD1iDHAN9ayAqEAv5aeTVQCfVzNU
Rm4Xtr6J9mk2Im3Gl20sDOM=
=t8GW
-----END PGP SIGNATURE-----