Mac OS X Security Update Fixes Multiple Vulnerabilities
Secunia Advisory: SA21253
Release Date: 2006-08-02
Last Update: 2007-01-29

Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access
Where: From remote
Solution Status: Vendor Patch

OS: Apple Macintosh OS X

CVE reference: CVE-2005-0488
CVE-2005-0988
CVE-2005-1228
CVE-2005-2335
CVE-2005-3088
CVE-2005-4348
CVE-2006-0321
CVE-2006-0392
CVE-2006-0393
CVE-2006-1472
CVE-2006-1473
CVE-2006-3459
CVE-2006-3461
CVE-2006-3462
CVE-2006-3465
CVE-2006-3495
CVE-2006-3496
CVE-2006-3497
CVE-2006-3498
CVE-2006-3499
CVE-2006-3500
CVE-2006-3501
CVE-2006-3502
CVE-2006-3503
CVE-2006-3504
CVE-2006-3505


Description:
Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) An error in the AFP server within the handling of users' search results can be exploited by malicious users to gain knowledge of the names of files and folders to which the user performing the search has no access.

Successful exploitation requires that file sharing is enabled.

2) An integer overflow error in the AFP server may be exploited by an authenticated user to execute arbitrary code with system privileges.

Successful exploitation requires that file sharing is enabled.

3) An error in the AFP server where the reconnect keys for file sharing sessions are stored world-readable can be exploited by local users to access files and folders with the privileges of another user.

Successful exploitation requires that file sharing is enabled.

4) An error in the AFP server caused by an unchecked error condition can be exploited to crash the AFP server by sending a specially crafted, invalid AFP request.

Successful exploitation requires that file sharing is enabled.

5) An error in Bom's compression state handling may be exploited to cause heap corruption by tricking a user into opening a specially crafted, corrupted ZIP archive.

Successful exploitation may allow execution of arbitrary code.

NOTE: This can be exploited automatically via the Safari browser if the "Open safe files after downloading" setting is enabled.

6) A boundary error in bootpd can be exploited to cause a stack-based buffer overflow by sending a specially crafted BOOTP request.

Successful exploitation may allow execution of arbitrary code with system privileges, but requires that bootpd is enabled (not enabled by default).

7) An error in the processing of dynamic linker options in privileged applications may be exploited by local users to influence the behavior of privileged applications by specifying options that cause output to be written to standard error.

8) An error in the dynamic linker may be exploited by local users to specify the paths used when loading libraries into a privileged application.

Successful exploitation may allow execution of arbitrary code with escalated privileges.
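
Items 7 and 8 both come down to a privileged process honouring linker options that an unprivileged caller placed in its environment. The vendor's fix is in dyld itself; the following is an added example (not Apple's code, and not the patched dyld logic) of the complementary defence a privileged helper can apply on its own: refuse to pass any DYLD_*/LD_* variable on to the linker or to a child process. The environment array is constructed for the example, and the prefix list is an assumption chosen to cover macOS and ELF linkers.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Prefixes of environment variables that steer the dynamic linker on macOS
 * (DYLD_*) and on ELF systems (LD_*). Assumed list for this example. A
 * privileged program should never let a caller-supplied value under these
 * prefixes reach the linker or a child process. */
static const char *const LINKER_ENV_PREFIXES[] = { "DYLD_", "LD_", NULL };

/* Return 1 if the "NAME=value" entry starts with any of the given prefixes. */
int has_linker_prefix(const char *entry, const char *const *prefixes) {
    for (size_t i = 0; prefixes[i] != NULL; i++) {
        size_t n = strlen(prefixes[i]);
        if (strncmp(entry, prefixes[i], n) == 0) return 1;
    }
    return 0;
}

/* Remove, in place, every entry of a NULL-terminated envp array whose name
 * begins with one of the prefixes. The array is compacted; the strings are
 * neither freed nor modified. Returns the number of entries removed. */
size_t scrub_env(char **envp, const char *const *prefixes) {
    size_t in = 0, out = 0, removed = 0;
    for (; envp[in] != NULL; in++) {
        if (has_linker_prefix(envp[in], prefixes)) { removed++; continue; }
        envp[out++] = envp[in];
    }
    envp[out] = NULL;
    return removed;
}

/* The state in which caller-controlled linker options must not be honoured:
 * real and effective IDs differ, i.e. we are running setuid or setgid. */
int running_privileged(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

int main(void) {
    /* Constructed environment, as a setuid helper might receive it from an
     * untrusted caller (not captured from a real process). */
    char *env[] = {
        "PATH=/usr/bin:/bin",
        "DYLD_INSERT_LIBRARIES=/tmp/evil.dylib",
        "HOME=/Users/alice",
        "DYLD_PRINT_LIBRARIES=1",
        "LD_PRELOAD=/tmp/evil.so",
        NULL
    };
    size_t n = scrub_env(env, LINKER_ENV_PREFIXES);
    printf("privileged=%d, removed %zu linker variables; remaining:\n",
           running_privileged(), n);
    for (size_t i = 0; env[i] != NULL; i++) printf("  %s\n", env[i]);
    /* A real helper would now execve(path, argv, env) with the scrubbed array. */
    return 0;
}
```

Scrubbing the environment before exec does not replace the dyld fix: the linker has already run by the time main() executes, so the vendor update is what closes items 7 and 8 for the privileged binary itself. The scrub protects whatever that binary launches.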

9) Various errors exist in the fetchmail utility.

For more information:
SA16176
SA17293
SA17891
SA18571

10) An input validation error when extracting a file with the "-N" flag using "gunzip" makes it possible to extract a file to an arbitrary location outside the current directory via directory traversal attacks. The "-N" flag restores the file name stored in the gzip header, so a crafted header can supply a name containing directory components.

For more information:
SA15047

A race condition when setting file permissions has also been reported.
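
The traversal in item 10 lives entirely in the gzip header's FNAME field, so it is worth seeing exactly where the name comes from and what a safe decompressor does with it. The following is an added example, not gzip's or Apple's code: it parses the RFC 1952 header, flags a stored name that would escape the working directory, and shows the hardening of keeping only the final path component. The header bytes are constructed for the example (no DEFLATE payload follows).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed gzip member header (RFC 1952) with FLG.FNAME set and a stored
 * name that climbs out of the current directory. Only the header is present;
 * the DEFLATE payload and trailer play no part in the name handling. */
static const uint8_t SAMPLE_GZ_HEADER[] = {
    0x1f, 0x8b,              /* ID1, ID2 */
    0x08,                    /* CM = deflate */
    0x08,                    /* FLG: FNAME only */
    0x00, 0x00, 0x00, 0x00,  /* MTIME */
    0x00,                    /* XFL */
    0x03,                    /* OS = Unix */
    '.','.','/','.','.','/','t','m','p','/','e','v','i','l','.','t','x','t', 0x00
};

/* Copy the FNAME field of a gzip header into out. Skips FEXTRA if present.
 * Returns the name length, or -1 if the header is malformed or has no name. */
int gzip_header_name(const uint8_t *buf, size_t len, char *out, size_t outsz) {
    if (len < 10 || buf[0] != 0x1f || buf[1] != 0x8b || buf[2] != 0x08) return -1;
    uint8_t flg = buf[3];
    size_t pos = 10;
    if (flg & 0x04) {                       /* FEXTRA: 2-byte LE length + data */
        if (pos + 2 > len) return -1;
        size_t xlen = (size_t)buf[pos] | ((size_t)buf[pos + 1] << 8);
        pos += 2 + xlen;
        if (pos > len) return -1;
    }
    if (!(flg & 0x08)) return -1;           /* no FNAME field */
    size_t start = pos;
    while (pos < len && buf[pos] != 0) pos++;
    if (pos >= len) return -1;              /* unterminated name */
    size_t n = pos - start;
    if (n + 1 > outsz) return -1;
    memcpy(out, buf + start, n);
    out[n] = '\0';
    return (int)n;
}

/* Return 1 if the name is absolute or contains a ".." path component. */
int path_escapes_cwd(const char *name) {
    if (name[0] == '/') return 1;
    const char *p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (n == 2 && p[0] == '.' && p[1] == '.') return 1;
        if (end == NULL) return 0;
        p = end + 1;
    }
}

/* The vulnerable behaviour: use the stored name verbatim as the output path. */
void unsafe_output_path(const char *stored, char *out, size_t outsz) {
    snprintf(out, outsz, "%s", stored);
}

/* Hardened behaviour: keep only the final component and reject names that
 * would be empty or special after stripping. Returns 0 on success, -1 if the
 * stored name cannot be used at all. */
int safe_output_path(const char *stored, char *out, size_t outsz) {
    const char *base = strrchr(stored, '/');
    base = base ? base + 1 : stored;
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0) return -1;
    snprintf(out, outsz, "%s", base);
    return 0;
}

int main(void) {
    char name[256], path[256];
    if (gzip_header_name(SAMPLE_GZ_HEADER, sizeof SAMPLE_GZ_HEADER, name, sizeof name) < 0) {
        puts("malformed header");
        return 1;
    }
    printf("stored name : %s (escapes cwd: %d)\n", name, path_escapes_cwd(name));
    unsafe_output_path(name, path, sizeof path);
    printf("unsafe path : %s\n", path);
    if (safe_output_path(name, path, sizeof path) == 0)
        printf("safe path   : %s\n", path);
    return 0;
}
```

Stripping to the base name is the conservative choice when the archive carries a single file; a decompressor that legitimately wants subdirectories must instead resolve the final path and confirm it stays under the intended output root.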

11) An error in the processing of corrupted Canon RAW images can be exploited to cause a buffer overflow by tricking a user into viewing a specially crafted Canon RAW image.

Successful exploitation may allow execution of arbitrary code.

12) An integer overflow error in the processing of corrupted Radiance images may be exploited to execute arbitrary code by tricking a user into viewing a specially crafted Radiance image.

13) An error in the processing of corrupted GIF images can be exploited to cause an undetected memory allocation failure by tricking a user into viewing a specially crafted GIF image.

Successful exploitation may allow execution of arbitrary code.

14) An integer overflow error in the processing of corrupted GIF images may be exploited to execute arbitrary code by tricking a user into viewing a specially crafted GIF image.
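
Items 12 through 14 are two shapes of the same decoder mistake: sizing a pixel buffer from header-supplied dimensions with arithmetic that can wrap, and then not noticing when the allocation fails or comes back too small. The following is an added example (not Apple's ImageIO code and not taken from any of the affected decoders) that shows the wrapping computation next to a checked one, reads width and height from a GIF logical screen descriptor, and treats allocation failure as a hard error. The GIF header bytes and the 256 MiB cap are constructed/assumed for the example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on a decoded image buffer. Assumed policy value for this
 * example, not a limit taken from any Apple component. */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

/* The unchecked computation: in 32-bit arithmetic the product wraps, so a
 * 65536 x 65536 x 1 image appears to need 0 bytes and a later decode loop
 * writes far past whatever was allocated. */
uint32_t naive_size32(uint32_t w, uint32_t h, uint32_t bpp) {
    return w * h * bpp;
}

/* Checked computation: reject zero dimensions and any product that would not
 * fit in size_t. Returns 0 and sets *out on success, -1 on overflow. */
int pixel_buffer_size(uint32_t w, uint32_t h, uint32_t bpp, size_t *out) {
    if (w == 0 || h == 0 || bpp == 0) return -1;
    uint64_t n = (uint64_t)w * h;          /* 32 x 32 bits cannot wrap in 64 */
    if (n > SIZE_MAX / bpp) return -1;     /* n * bpp would exceed size_t */
    *out = (size_t)(n * bpp);
    return 0;
}

/* Allocate the pixel buffer, capping the size and treating a NULL return
 * from calloc as a failure instead of decoding into it regardless. */
uint8_t *alloc_pixels(uint32_t w, uint32_t h, uint32_t bpp, size_t *size_out) {
    size_t sz;
    if (pixel_buffer_size(w, h, bpp, &sz) != 0) return NULL;
    if (sz > MAX_IMAGE_BYTES) return NULL;
    uint8_t *buf = calloc(1, sz);
    if (buf == NULL) return NULL;          /* the "undetected" failure, detected */
    *size_out = sz;
    return buf;
}

/* Read the logical screen width and height from a GIF header: 6-byte
 * signature followed by two little-endian 16-bit values. Returns 0 on
 * success, -1 if the buffer is too short or the signature is wrong. */
int gif_dimensions(const uint8_t *buf, size_t len, uint32_t *w, uint32_t *h) {
    if (len < 10) return -1;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return -1;
    *w = (uint32_t)buf[6] | ((uint32_t)buf[7] << 8);
    *h = (uint32_t)buf[8] | ((uint32_t)buf[9] << 8);
    return 0;
}

/* Constructed 13-byte GIF89a header describing a 256 x 128 image (not a
 * real file from the advisory). */
static const uint8_t SAMPLE_GIF[] = {
    'G', 'I', 'F', '8', '9', 'a', 0x00, 0x01, 0x80, 0x00, 0x00, 0x00, 0x00
};

int main(void) {
    uint32_t w = 0, h = 0;
    size_t sz = 0;
    if (gif_dimensions(SAMPLE_GIF, sizeof SAMPLE_GIF, &w, &h) == 0) {
        uint8_t *px = alloc_pixels(w, h, 4, &sz);
        printf("GIF %" PRIu32 "x%" PRIu32 " -> %zu bytes, alloc %s\n",
               w, h, sz, px ? "ok" : "refused");
        free(px);
    }
    printf("naive 65536x65536x1 = %" PRIu32 " bytes\n", naive_size32(65536, 65536, 1));
    if (pixel_buffer_size(65536, 65536, 1, &sz) == 0)
        printf("checked 65536x65536x1 = %zu bytes (over cap: %d)\n", sz, sz > MAX_IMAGE_BYTES);
    return 0;
}
```

GIF dimensions are 16-bit, so the product of width and height alone fits 32 bits; the wrap shows up once bytes per pixel, row padding or a per-frame multiplier enters the calculation, and in formats such as Radiance whose dimensions are not bounded to 16 bits. Checking every multiplication, not just the first, is the point.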

15) An error exists in the download validation of safe files in LaunchServices, where certain files containing HTML may incorrectly be classified as safe. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the local domain.

NOTE: This can be exploited automatically via Safari if the "Open safe files after downloading" option is enabled.

16) An error exists in OpenSSH which is caused by the authentication process hanging when processing login requests for non-existent users. This can be exploited to enumerate valid user accounts or to cause a DoS (Denial of Service) via a large number of login requests.

Successful exploitation requires that remote login is enabled.

17) A design error in the Telnet client when handling the NEW-ENVIRON command can be exploited to gain knowledge of the session variables of a user who has an open connection to a malicious Telnet server.

For more information:
SA15709

18) An error when processing HTML documents can be exploited to access a previously deallocated object (a use-after-free).

Successful exploitation may allow execution of arbitrary code, but requires that the user is tricked into visiting a malicious web site.

19) Several errors in the processing of corrupted TIFF images can be exploited to cause buffer overflows (in TIFF tag handling, the TIFF PixarLog decoder, and the TIFF NeXT RLE decoder).

Successful exploitation may allow execution of arbitrary code, but requires that the user is tricked into viewing a specially crafted TIFF image.

Solution:
Apply Security Update 2006-004.

Mac OS X 10.3.9 Client:
http://www.apple.com/support/downloads/securityupdate20060041039client.html

Mac OS X 10.3.9 Server:
http://www.apple.com/support/downloads/securityupdate20060041039server.html

Mac OS X 10.4.7 Client (Intel):
http://www.apple.com/support/download...date2006004macosx1047clientintel.html

Mac OS X 10.4.7 Client (PPC):
http://www.apple.com/support/download...update2006004macosx1047clientppc.html

Users running Mac OS X 10.4.7 (build 8K1079) on Mac Pro computers or Mac OS X Server 10.4.7 (build 8K1079) on Xserve hardware can instead install this update:
http://www.apple.com/support/download...proandmacosxserverv1047universal.html

Provided and/or discovered by:
2) The vendor credits Dino Dai Zovi, Matasano Security.
5) Tom Ferris.
7, 8) The vendor credits Neil Archibald, Suresec LTD.
14) Tom Ferris.
16) The vendor credits Rob Middleton, Centenary Institute.
18) The vendor credits Jesse Ruderman, Mozilla Corporation.
19) The vendor credits Tavis Ormandy, Google Security Team.

Changelog:
2006-08-03: Added links to US-CERT vulnerability notes.
2006-08-10: Updated "Solution" section.
2007-01-29: Added link to US-CERT.

Original Advisory:
Apple:
http://docs.info.apple.com/article.html?artnum=304063

Tom Ferris:
http://www.security-protocols.com/sp-x32-advisory.php
http://www.security-protocols.com/sp-x33-advisory.php

Other References:
SA15047:
http://secunia.com/advisories/15047/

SA15709:
http://secunia.com/advisories/15709/

SA16176:
http://secunia.com/advisories/16176/

SA17293:
http://secunia.com/advisories/17293/

SA17891:
http://secunia.com/advisories/17891/

SA18571:
http://secunia.com/advisories/18571/

US-CERT VU#172244:
http://www.kb.cert.org/vuls/id/172244

US-CERT VU#514740:
http://www.kb.cert.org/vuls/id/514740

US-CERT VU#566132:
http://www.kb.cert.org/vuls/id/566132

US-CERT VU#651844:
http://www.kb.cert.org/vuls/id/651844

US-CERT VU#605908:
http://www.kb.cert.org/vuls/id/605908

US-CERT VU#776628:
http://www.kb.cert.org/vuls/id/776628

US-CERT VU#708340:
http://www.kb.cert.org/vuls/id/708340
