Secunia Logo
 
Mac OS X Security Update Fixes Multiple Vulnerabilities
Secunia Advisory: SA20077
Release Date: 2006-05-12
Last Update: 2006-05-15
Popularity: 14,247 views

Critical:
Highly critical
Impact: Security Bypass
Exposure of sensitive information
DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS:Apple Macintosh OS X

Subscribe: Instant alerts on relevant vulnerabilities

CVE reference:CVE-2005-2337
CVE-2005-2628
CVE-2005-4077
CVE-2006-0024
CVE-2006-1439
CVE-2006-1440
CVE-2006-1441
CVE-2006-1442
CVE-2006-1443
CVE-2006-1444
CVE-2006-1445
CVE-2006-1446
CVE-2006-1447
CVE-2006-1448
CVE-2006-1449
CVE-2006-1450
CVE-2006-1451
CVE-2006-1452
CVE-2006-1453
CVE-2006-1454
CVE-2006-1455
CVE-2006-1456
CVE-2006-1457
CVE-2006-1552
CVE-2006-1614
CVE-2006-1982
CVE-2006-1983
CVE-2006-1984
CVE-2006-1985


Description:
Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) An error in the AppKit framework allows an application to read characters entered into secure text field in the same window session.

2) Errors in the AppKit and ImageIO framework when processing GIF and TIFF images can be exploited to crash an application or potentially execute arbitrary code.

For more information:
SA19686

3) A boundary error within the BOM component when expanding archives can be exploited to crash an application or potentially execute arbitrary code.

For more information:
SA19686

4) An input validation error in the BOM component when expanding archives can be exploited to cause files to be written to arbitrary locations outside the specified directory via directory traversal attacks.

5) An integer overflow error in the CFNetwork component when handling chunked transfer encoding may allow execution of arbitrary code if a user is tricked into visiting a malicious web site.

6) Errors in ClamAV when processing specially crafted email messages may allow execution of arbitrary code.

For more information:
SA19534

7) An error in the CoreFoundation component allows dynamic libraries to load and execute when a bundle is registered. This can be exploited to execute arbitrary code if an untrusted bundle is registered.

8) An integer underflow error within the "CFStringGetFileSystemRepresentation()" API during string conversion may allow execution of arbitrary code.

9) An error in the CoreGraphics component allows an application in the same window session to read characters entered into secure text field when "Enable access for assistive devices" is enabled.

10) An error in Finder within the handling of Internet Location items makes it possible to specify a different Internet Location type than the actual URL scheme used. This may allow execution of arbitrary code when launching an Internet Location item.

11) Boundary errors in the FTPServer component when handling path names can be exploited to malicious users to cause a buffer overflow, which may allow execution of arbitrary code.

12) Various errors in the Flash Player makes it possible to compromise a user's system via specially crafted Flash files.

For more information:
SA17430
SA19218

13) An integer overflow error in the ImageIO framework when processing JPEG images can be exploited to crash an application or potentially execute arbitrary code.

14) An error in the Keychain component allows an application to use Keychain items even when the Keychain is locked. This requires that the application has obtained a reference to a Keychain item before the Keychain was locked.

15) An error in the LaunchServices component when processing long filename extensions may allow bypassing of the Download Validation functionality.

16) Boundary errors in the libcurl URL handling may allow execution of arbitrary code.

For more information:
SA17907

17) An integer overflow error in the Mail component may allow execution of arbitrary code when viewing a specially crafted email message with MacMIME encapsulated attachments.

18) An error in the Mail component when handling invalid colour information in enriched text email messages may allow execution of arbitrary code.

19) An design error in MySQL Manager makes it possible to access the MySQL database with an empty password as the MySQL password supplying during initial setup is not used.

20) A boundary error in the Preview component may allow execution of arbitrary code via a stack-based buffer overflow when navigating a specially crafted directory hierarchy.

21) Two boundary errors in the QuickDraw component when processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. This can be exploited to crash an application and potentially execute arbitrary code.

22) A NULL pointer dereference error in QuickTime Streaming Server when processing QuickTime movies with a missing track can be exploited to crash the application.

23) A boundary error in QuickTime Streaming Server when processing RTSP requests can be exploited to crash the application or potentially execute arbitrary code.

24) An error in Ruby can be exploited to bypass safe level restrictions.

For more information:
SA16904

25) An error in Safari when handling archives with symbolic links may place the symbolic links on a user's desktop. This requires that the "Open 'safe' files after downloading" option is enabled.

Solution:
Apply Security Update 2006-003.

Mac OS X 10.4.6 Client (PPC):
http://www.apple.com/support/download...update2006003macosx1046clientppc.html

Mac OS X 10.4.6 Client (Intel):
http://www.apple.com/support/download...date2006003macosx1046clientintel.html

Mac OS X 10.3.9 Client:
http://www.apple.com/support/downloads/securityupdate20060031039client.html

Mac OS X 10.4.6 Server:
http://www.apple.com/support/downloads/securityupdate20060031046server.html

Mac OS X 10.3.9 Server:
http://www.apple.com/support/downloads/securityupdate20060031039server.html

Provided and/or discovered by:
9) The vendor credits Damien Bobillot.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team

Changelog:
2006-05-15: Added link to US-CERT vulnerability note.

Original Advisory:
Apple:
http://docs.info.apple.com/article.html?artnum=303737

Other References:
SA19686:
http://secunia.com/advisories/19686/

SA19534:
http://secunia.com/advisories/19534/

SA17430:
http://secunia.com/advisories/17430/

SA19218:
http://secunia.com/advisories/19218/

SA17907:
http://secunia.com/advisories/17907/

SA16904:
http://secunia.com/advisories/16904/

US-CERT VU#519473:
http://www.kb.cert.org/vuls/id/519473


Track this Secunia Advisory
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.

Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.

About this Secunia Advisory
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
  
Latest Advisories

Send Feedback to Secunia
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.

Ideas, suggestions, and other feedback are most welcome.

Most Popular - 3 Hours

1. VLC Media Player Real Demuxer Integer Overflow Vulnerability // 84 views
2. Sun Java JDK / JRE Multiple Vulnerabilities // 52 views
3. Microsoft Office Communications Server SIP INVITE Denial of Service // 50 views
4. Debian update for wireshark // 42 views
5. Slackware update for ruby // 39 views
6. Ocean12 FAQ Manager Pro "ID" SQL Injection Vulnerability // 39 views
7. Basic PHP CMS "id" SQL Injection Vulnerability // 39 views
8. RakhiSoftware Shopping Cart Multiple Vulnerabilities // 38 views
9. ASPReferral "AccountID" SQL Injection Vulnerability // 37 views
10. Active Trade "username" and "password" SQL Injection Vulnerabilities // 37 views