Secunia CSI7
Advisories
Research
Forums
Create Profile
Our Commitment
Database
Search
Advisories by Product
Advisories by Vendor
Terminology
Report Vulnerability
Insecure Library Loading
Highly critical

Mac OS X Security Update Fixes Multiple Vulnerabilities

-

Release Date:  2007-04-20    Last Update:  2007-05-02    Views:  18,941

Secunia Advisory SA24966

Where:

From remote

Impact:

Security Bypass, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access

Solution Status:

Vendor Patch

Operating System:

CVE Reference(s):

Description


Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) An error in the AFP Client can be exploited by malicious, local users to create files or execute commands with system privileges.

2) A boundary error exists in the AirPortDriver module, which can be exploited by malicious, local users to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code with escalated privileges.

NOTE: This does not affect systems with the AirPort Extreme card.

3) An error in the CoreServices daemon can be exploited by malicious, local users to obtain a send right to its Mach task port.

Successful exploitation may allow execution of arbitrary code with escalated privileges.

4) An error in fsck can be exploited to cause memory corruption via a specially crafted UFS file system.

Successful exploitation may allow execution of arbitrary code, when a malicious UFS file system is opened.

5) An error in fetchmail can be exploited by malicious people to gain knowledge of sensitive information.

For more information:
SA23631

6) An error in ftpd can be exploited by malicious users to compromise a vulnerable system.

For more information:
SA23178

7) A boundary error in GNU Tar can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user's system.

For more information:
SA18973

8) A format string error in the Help Viewer application can be exploited by malicious people to execute arbitrary code.

Successful exploitation requires that a user is tricked into downloading and opening a help file with a specially crafted name.

9) An error in the IOKit HID interface can be exploited by malicious, local users to capture console keystrokes from other users.

NOTE: This fix was originally distributed via the Mac OS X v10.4.9 update. However, due to a packaging issue it may not have been delivered to all systems.

10) A format string error in the Installer application can be exploited by malicious people to execute arbitrary code.

Successful exploitation requires that a user is tricked into downloading and opening an installer package with a specially crafted name.

11) An error in Kerberos can be exploited by malicious people to cause an DoS (Denial of Service) or to compromise a vulnerable system.

For more information:
SA23696

12) Some errors in Kerberos can be exploited by malicious users to cause a DoS or to compromise a vulnerable system.

For more information see vulnerabilities #2 and #3 in:
SA24740

13) An error in Libinfo can cause a previously deallocated object to be accessed when a specially crafted web page is viewed.

Successful exploitation may allow execution of arbitrary code.

14) An integer overflow exists in the RPC library when processing XDR strings. This can be exploited by malicious people to cause a DoS or to execute arbitrary code as the user "daemon" by sending a specially crafted AUTH_UNIX packet to any enabled RPC service.

15) An error in Login Window in the processing of environment variables can be exploited by malicious, local users to execute arbitrary code with system privileges.

16) Under certain conditions it is possible to bypass the screen saver authentication dialog.

17) Under certain conditions it is possible for a person with physical access to the system to log in without authentication when the software update window appears beneath the Login Window.

18) An error in natd within the handling of RTSP packets can be exploited by malicious people to cause a buffer overflow by sending a specially crafted packet to an affected system.

Successful exploitation may allow execution of arbitrary code, but requires that Internet Sharing is enabled.

19) An error in SMB can be exploited by malicious, local users to create files or execute commands with system privileges.

20) A weakness in the System Configuration can be exploited by malicious, local users to gain escalated privileges.

For more information:
SA23793

21) The username and password used to mount remote file systems via SMB are passed to the mount_smb command as command line arguments. This can be exploited by malicious, local users to gain knowledge of other users' credentials.

22) An error in the VideoConference framework can be exploited by malicious people to cause a heap-based buffer overflow by sending a specially crafted SIP packet when initialising a conference.

Successful exploitation may allow execution of arbitrary code.

23) An error in the load_webdav program when mounting a WebDAV filesystem can be exploited by malicious, local users to create files or to execute commands with system privileges.

24) An error in WebFoundation allows cookies set by subdomains to be accessible to the parent domain.

NOTE: This does not affect systems running Mac OS X v10.4.


Solution:
Apply Security Update 2007-004 v1.1.

Further details available to Secunia VIM customers

Provided and/or discovered by:
The vendor credits:

6) Kevin Finisterre, DigitalMunition
8) KF and LMH
9) Andrew Garber of University of Victoria, Alex Harper, and Michael Evans
10) LMH
13) Landon Fuller of Three Rings Design
14) Mu Security Research Team
21) Daniel Ball of Pittsburgh Technical Institute, Geoff Franks of Hauptman Woodward Medical Research Institute, and Jamie Cox of Sophos Plc
24) Bradley Schwoerer of University of Wisconsin-Madison

Original Advisory:
Apple:
http://docs.info.apple.com/article.html?artnum=305391
http://docs.info.apple.com/article.html?artnum=305445

MoAB:
8) http://projects.info-pull.com/moab/MOAB-30-01-2007.html
10) http://projects.info-pull.com/moab/MOAB-26-01-2007.html

Mu Security:
14) http://labs.musecurity.com/advisories/MU-200704-01.txt

Deep Links:
Links available to Secunia VIM customers

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: Mac OS X Security Update Fixes Multiple Vulnerabilities

No posts yet

-

You must be logged in to post a comment.



 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Factsheets
Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability