Apple has issued a security update for Mac OS X, which fixes more than 40 vulnerabilities.

1) A boundary error in htdigest can be exploited to cause a buffer overflow by passing an overly long realm argument.

NOTE: htdigest is by default only locally accessible and not setuid / setgid.

2) Two vulnerabilities in Apache 2 can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).

For more information:
SA12787
SA13045

3) A security issue in Apache 2 results in access to ".DS_Store" files and files starting with ".ht" not being fully blocked. The problem is that the Apache configuration blocks access in a case sensitive way, but the Apple HFS+ filesystem performs file access in a case insensitive way.

4) A security issue in Apache 2 makes it possible to bypass the normal Apache file handlers and retrieve file data and resource fork content via HTTP. The problem is that the Apple HFS+ filesystem permits files to have multiple data streams.

NOTE: This issue may also affect other products installed on the HFS+ filesystem.

5) A boundary error in the AppKit component can be exploited to cause a buffer overflow and execute arbitrary code on a user's system when a specially crafted rich text file is opened.

6) A boundary error in the AppKit component can be exploited to cause a buffer overflow and execute arbitrary code on a user's system when a specially crafted Microsoft Word .doc file is opened in e.g. TextEdit.

7) An error in the AppKit component allows malicious, local users with physical access to create additional local accounts.

8) A bug in the System Profiler causes it to display misleading information about whether or not a Bluetooth device requires authentication.

9) A boundary error in the CoreFoundation framework when processing command line arguments can be exploited to cause a buffer overflow and execute arbitrary code.

10) An error in the CoreFoundation framework when parsing Gregorian date information can cause applications to stall.

11) Errors in the CUPS printing service can cause it to stop printing when handling multiple, simultaneous print jobs.

12) A boundary error in Directory Services during the authentication handling can be exploited to cause a buffer overflow and execute arbitrary code.

13) Various errors in the privileged tool dsidentity can be exploited by unprivileged users to add or remove identity user accounts in Directory Services.

14) The slpd program in Directory Services creates temporary files insecurely. This can be exploited via symlink attacks to overwrite arbitrary files with root privileges.

15) An error in Hltoolbox may allow VoiceOver services to read contents from secure input fields.

16) An error in Kerberos can potentially be exploited by malicious users to compromise a vulnerable system.

For more information:
SA13592

17) Multiple boundary errors in Kerberos can be exploited by malicious people to cause a DoS or potentially compromise a vulnerable system.

For more information:
SA16041

18) An error in Kerberos when Kerberos authentication is enabled in addition to LDAP can be exploited to gain access to the root Terminal window.

19) An error in loginwindow can be exploited by malicious users with knowledge of two passwords to access other logged-in accounts when "Fast User Switching" is enabled without knowing these passwords.

20) The Mail component loads remote images in HTML emails (even with this disabled in the user's preferences), which can be exploited to enumerate valid email addresses.

21) Various errors in MySQL can potentially be exploited by malicious users to compromise a vulnerable system and by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

For more information:
SA14547

22) Three vulnerabilities in OpenSSL can be exploited by malicious people to cause a DoS (Denial-of-Service).

For more information:
SA11139

23) An unspecified boundary error in the ping utility can be exploited to cause a buffer overflow and potentially gain escalated privileges.

24) An error in QuartzComposerScreenSaver can be exploited by malicious people with physical access to open web pages while the RSS Visualizer screen saver is locked.

25) An error in Safari can be exploited to bypass the normal browser security checks and execute arbitrary commands when a link in a specially crafted rich text file is clicked.

26) A security issue in Safari when submitting forms on a XSL formatted page may cause the information to be submitted to the next visited web page.

27) A security issue in the SecurityInterface component may cause recently used passwords to be visible in the password assistant.

28) A boundary error in servermgrd during the authentication process can be exploited to cause a buffer overflow and execute arbitrary code.

29) A security issue in servermgr_ipfilter may cause certain firewall policies created with the Server Admin tool to not be written to the Active Rules.

30) Some vulnerabilities in Squirrelmail can be exploited to conduct cross-site scripting attacks or disclose and manipulate sensitive information.

For more information:
SA15721
SA16058

31) A boundary error in the traceroute utility can be exploited to cause a buffer overflow and execute arbitrary code.

32) An error in WebKit can be exploited to bypass normal browser security checks and execute arbitrary commands when a link in a specially crafted PDF document is clicked.

33) Various errors in Weblog Server can be exploited to conduct cross-site scripting attacks.

34) A vulnerability in X11 can potentially be exploited by malicious people to compromise a vulnerable system.

For more information:
SA14460

35) Errors in zlib can be exploited by malicious people to conduct a DoS against a vulnerable application or potentially to execute arbitrary code.

For more information:
SA15949
SA16137

Solution
Apply Security Update 2005-007.
Further details available to Secunia VIM customers

Provided and/or discovered by
1) JxT, SNOsoft.
8) John M. Glenn
9) David Remahl
10) David Remahl
13) KF and Neil Archibald.
18) Jim Foraker
20) Brad Miller and John Pell
23) Neil Archibald, Suresec LTD.
24) Jay Craft, GrooVault Entertainment.
26) Bill Kuker
27) Andrew Langmead
29) Matt Richard and Chris Pepper
31) Neil Archibald, Suresec LTD.
33) Donnie Werner and Atsushi MATSUO.

Changelog
Further details available to Secunia VIM customers

Original Advisory
Apple:
http://docs.info.apple.com/article.html?artnum=302163

Other references
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers