|
Mac OS X Security Update Fixes Multiple Vulnerabilities
|
|
Secunia Advisory:
|
SA24966
|
|
|
Release Date:
|
2007-04-20
|
|
Last Update:
|
2007-05-02
|
|
Popularity:
|
10,926 views
|
|
|
Critical:
|
Highly critical
|
|
Impact:
|
Security Bypass
Manipulation of data
Exposure of sensitive information
Privilege escalation
DoS
System access
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| OS: | Apple Macintosh OS X
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
| | CVE reference: | CVE-2006-0300
CVE-2006-5867
CVE-2006-6143
CVE-2006-6652
CVE-2007-0022
CVE-2007-0465
CVE-2007-0646
CVE-2007-0724
CVE-2007-0725
CVE-2007-0729
CVE-2007-0732
CVE-2007-0735
CVE-2007-0736
CVE-2007-0737
CVE-2007-0738
CVE-2007-0739
CVE-2007-0741
CVE-2007-0742
CVE-2007-0743
CVE-2007-0744
CVE-2007-0745
CVE-2007-0746
CVE-2007-0747
CVE-2007-0957
CVE-2007-1216
|
|
Description:
Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.
1) An error in the AFP Client can be exploited by malicious, local users to create files or execute commands with system privileges.
2) A boundary error exists in the AirPortDriver module, which can be exploited by malicious, local users to cause a buffer overflow.
Successful exploitation may allow execution of arbitrary code with escalated privileges.
NOTE: This does not affect systems with the AirPort Extreme card.
3) An error in the CoreServices daemon can be exploited by malicious, local users to obtain a send right to its Mach task port.
Successful exploitation may allow execution of arbitrary code with escalated privileges.
4) An error in fsck can be exploited to cause memory corruption via a specially crafted UFS file system.
Successful exploitation may allow execution of arbitrary code, when a malicious UFS file system is opened.
5) An error in fetchmail can be exploited by malicious people to gain knowledge of sensitive information.
For more information:
SA23631
6) An error in ftpd can be exploited by malicious users to compromise a vulnerable system.
For more information:
SA23178
7) A boundary error in GNU Tar can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user's system.
For more information:
SA18973
8) A format string error in the Help Viewer application can be exploited by malicious people to execute arbitrary code.
Successful exploitation requires that a user is tricked into downloading and opening a help file with a specially crafted name.
9) An error in the IOKit HID interface can be exploited by malicious, local users to capture console keystrokes from other users.
NOTE: This fix was originally distributed via the Mac OS X v10.4.9 update. However, due to a packaging issue it may not have been delivered to all systems.
10) A format string error in the Installer application can be exploited by malicious people to execute arbitrary code.
Successful exploitation requires that a user is tricked into downloading and opening an installer package with a specially crafted name.
11) An error in Kerberos can be exploited by malicious people to cause an DoS (Denial of Service) or to compromise a vulnerable system.
For more information:
SA23696
12) Some errors in Kerberos can be exploited by malicious users to cause a DoS or to compromise a vulnerable system.
For more information see vulnerabilities #2 and #3 in:
SA24740
13) An error in Libinfo can cause a previously deallocated object to be accessed when a specially crafted web page is viewed.
Successful exploitation may allow execution of arbitrary code.
14) An integer overflow exists in the RPC library when processing XDR strings. This can be exploited by malicious people to cause a DoS or to execute arbitrary code as the user "daemon" by sending a specially crafted AUTH_UNIX packet to any enabled RPC service.
15) An error in Login Window in the processing of environment variables can be exploited by malicious, local users to execute arbitrary code with system privileges.
16) Under certain conditions it is possible to bypass the screen saver authentication dialog.
17) Under certain conditions it is possible for a person with physical access to the system to log in without authentication when the software update window appears beneath the Login Window.
18) An error in natd within the handling of RTSP packets can be exploited by malicious people to cause a buffer overflow by sending a specially crafted packet to an affected system.
Successful exploitation may allow execution of arbitrary code, but requires that Internet Sharing is enabled.
19) An error in SMB can be exploited by malicious, local users to create files or execute commands with system privileges.
20) A weakness in the System Configuration can be exploited by malicious, local users to gain escalated privileges.
For more information:
SA23793
21) The username and password used to mount remote file systems via SMB are passed to the mount_smb command as command line arguments. This can be exploited by malicious, local users to gain knowledge of other users' credentials.
22) An error in the VideoConference framework can be exploited by malicious people to cause a heap-based buffer overflow by sending a specially crafted SIP packet when initialising a conference.
Successful exploitation may allow execution of arbitrary code.
23) An error in the load_webdav program when mounting a WebDAV filesystem can be exploited by malicious, local users to create files or to execute commands with system privileges.
24) An error in WebFoundation allows cookies set by subdomains to be accessible to the parent domain.
NOTE: This does not affect systems running Mac OS X v10.4.
Solution:
Apply Security Update 2007-004 v1.1.
Security Update 2007-004 v1.1 (Universal):
http://www.apple.com/support/downloads/securityupdate2007004v11universal.html
Security Update 2007-004 v1.1 (PPC):
http://www.apple.com/support/downloads/securityupdate2007004v11ppc.html
Security Update 2007-004 v1.1 (10.3.9 Client):
http://www.apple.com/support/downloads/securityupdate2007004v111039client.html
Security Update 2007-004 (10.3.9 Server):
http://www.apple.com/support/downloads/securityupdate20070041039server.html
NOTE: Security Update 2007-004 applied an incorrect ftp configuration file for Mac OS X Server v10.4.9 systems, which allowed ftp users to access directories outside the normal scope. It also introduced an error in AirPort for Mac OS X v10.3.9 systems. Apple released Security Update 2007-004 v1.1 to fix these errors.
Provided and/or discovered by:
The vendor credits:
6) Kevin Finisterre, DigitalMunition
8) KF and LMH
9) Andrew Garber of University of Victoria, Alex Harper, and Michael Evans
10) LMH
13) Landon Fuller of Three Rings Design
14) Mu Security Research Team
21) Daniel Ball of Pittsburgh Technical Institute, Geoff Franks of Hauptman Woodward Medical Research Institute, and Jamie Cox of Sophos Plc
24) Bradley Schwoerer of University of Wisconsin-Madison
Changelog:
2007-04-23: Updated vulnerability #14 in "Description" section. Added "Original Advisory" from Mu Security. Updated vulnerability #6. Added link in "Other References".
2007-05-02: Updated "Solution" section. Apple has issued version 1.1 of Security Update 2007-004 to correct some errors. Added CVE reference.
Original Advisory:
Apple:
http://docs.info.apple.com/article.html?artnum=305391
http://docs.info.apple.com/article.html?artnum=305445
MoAB:
8) http://projects.info-pull.com/moab/MOAB-30-01-2007.html
10) http://projects.info-pull.com/moab/MOAB-26-01-2007.html
Mu Security:
14) http://labs.musecurity.com/advisories/MU-200704-01.txt
Other References:
SA18973:
http://secunia.com/advisories/18973/
SA23178:
http://secunia.com/advisories/23178/
SA23631:
http://secunia.com/advisories/23631/
SA23696:
http://secunia.com/advisories/23696/
SA23793:
http://secunia.com/advisories/23793/
SA24740:
http://secunia.com/advisories/24740/
US-CERT VU#312424:
http://www.kb.cert.org/vuls/id/312424
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
5th Sep, 2008
|
New advisories:
|
14 |
|
New vulnerabilities:
|
18 |
|
Updated advisories:
|
22 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 Solutions | More...
|
|
