Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) Multiple errors within the Adobe Flash Player plug-in can be exploited by malicious people to gain knowledge of sensitive information or compromise a user's system.

For more information:
SA26027

2) A null-pointer dereference error exists within AppleRAID when handling disk images. This can be exploited to cause a system shutdown when a specially crafted disk image is mounted e.g. automatically via Safari if the option "Open 'safe' files after downloading" is enabled.

3) An error in BIND can be exploited by malicious people to poison the DNS cache.

For more information:
SA26152

4) An error in bzip2 can be exploited to cause a DoS (Denial of Service).

For more information:
SA15447

This also fixes a race condition when setting file permissions.

5) An unspecified error in the implementation of FTP of CFNetwork can be exploited by a malicious FTP server to cause the client to connect to other hosts by sending specially crafted replies to FTP PASV (passive) commands.

6) An error exists in the validation of certificates within CFNetwork. This can be exploited via a Man-in-the-Middle (MitM) attack to spoof a web site with a trusted certificate.

7) A null pointer dereference error in the CFNetwork framework can lead to an unexpected application termination when a vulnerable application connects to a malicious server.

8) A boundary error in CoreFoundation can be exploited to cause a one-byte buffer overflow when a user is enticed to read a specially crafted directory hierarchy.

Successful exploitation allows execution of arbitrary code.

9) An error exists in CoreText due to the use of an uninitialised pointer and can be exploited to execute arbitrary code when a user is tricked into reading a specially crafted text.

10) Some vulnerabilities in Kerberos can be exploited by malicious users and malicious people to compromise a vulnerable system.

For more information:
SA26676

11) An error in the handling of the current Mach thread port or thread exception port in the Kernel can be exploited by a malicious, local user to execute arbitrary code with root privileges.

Successful exploitation requires permission to execute a setuid binary.

12) An unspecified error in the Kernel can be exploited to bypass the chroot mechanism by changing the working directory using a relative path.

13) An integer overflow error in the "i386_set_ldt" system call can be exploited by malicious, local users to cause a buffer overflow and execute arbitrary code with escalated privileges.

14) An error exists in the handling of standard file descriptors while executing setuid and setgid programs. This can be exploited by malicious, local users to gain system privileges by executing setuid programs with the standard file descriptors in an unexpected state.

15) A signedness error exists in the Kernel when handling ioctl requests. This can be exploited to execute arbitrary code with system privileges by sending a specially crafted ioctl request.

16) The default configuration of tftpd allows clients to access any path on the system.

17) An error in the Node Information Query mechanism may allow a remote user to query for all addresses of a host, including link-local addresses.

18) An integer overflow exists in the handling of ASP messages with AppleTalk. This can be exploited by malicious, local users to cause a heap-based buffer overflow and to execute arbitrary code with system privileges by sending a maliciously crafted ASP message on an AppleTalk socket.

19) A double-free error in the handling of certain IPV6 packets can potentially be exploited to execute arbitrary code with system privileges.

20) A boundary error exists when adding a new AppleTalk zone. This can be exploited to cause a stack-based buffer overflow by sending a maliciously crafted ioctl request to an AppleTalk socket and allows execution of arbitrary code with system privileges.

21) An arithmetic error exists in AppleTalk when handling memory allocations. This can be exploited by malicious, local users to cause a heap-based buffer overflow and execute arbitrary code with system privileges by sending a maliciously crafted AppleTalk message.

22) A double free error in NFS exists when processing an AUTH_UNIX RPC call. This can be exploited by malicious people to execute arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call via TCP or UDP.

23) An unspecified case-sensitivity error exists in NSURL when determining if a URL references the local file system.

24) A format string error in Safari can be exploited by malicious people to execute arbitrary code when a user is tricked into opening a .download file with a specially crafted name.

25) An implementation error exists in the tabbed browsing feature of Safari. If HTTP authentication is used by a site being loaded in a tab other than the active tab, an authentication sheet may be displayed although the tab and its corresponding page are not visible.

26) A person with physical access to a system may be able to bypass the screen saver authentication dialog by sending keystrokes to a process running behind the screen saver authentication dialog.

27) Safari does not block "file://" URLs when loading resources. This can be exploited to view the content of local files by enticing a user to visit a specially crafted web page.

28) An input validation error exists in WebCore when handling HTML forms. This can be exploited to alter the values of form fields by enticing a user to upload a specially crafted file.

29) A race condition error exists in Safari when handling page transitions. This can be exploited to obtain information entered in forms on other web sites by enticing a user to visit a malicious web page.

30) An unspecified error exists in the handling of the browser's history. This can be exploited to execute arbitrary code by enticing a user to visit a specially crafted web page.

31) An error in Safari allows malicious websites to set Javascript window properties of websites served from a different domain. This can be exploited to get or set the window status and location of pages served from other websites by enticing a user to visit a specially crafted web page.

32) An error in Safari allows a malicious website to bypass the same origin policy by hosting embedded objects with javascript URLs. This can be exploited to execute arbitrary HTML and script code in context of another site by enticing a user to visit a specially crafted web page.

33) An error in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. This can be exploited to execute Javascript code in context of HTTPS web pages in that domain when a user visits a malicious web page.

34) An error in Safari in the handling of new browser windows can be exploited to disclose the URL of an unrelated page.

For more information see vulnerability #2 in:
SA23893

35) An error in WebKit may allow unauthorised applications to access private keys added to the keychain by Safari.

36) An unspecified error in Safari may allow a malicious website to send remotely specified data to arbitrary TCP ports.

37) WebKit/Safari creates temporary files insecurely when previewing a PDF file, which may allow a local user to access the file's content.

Solution
Update to Mac OS X 10.4.11 or apply Security Update 2007-008.
Further details available to Secunia VIM customers

Provided and/or discovered by
2) The vendor credits Mark Tull, University of Hertfordshire and Joel Vink, Zetera Corporation.
5) The vendor credits Dr Bob Lopez PhD.
6) Marko Karppinen, Petteri Kamppuri, and Nikita Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) Adriano Lima and Ramon de Carvalho Valle, RISE Security.
14) The vendor credits Ilja van Sprundel.
15) Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort" Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH Zurich.

Changelog
Further details available to Secunia VIM customers

Original Advisory
Apple:
http://docs.info.apple.com/article.html?artnum=307041

US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628

Marko Karppinen:
http://www.karppinen.fi/2007/11/15/scary-ssl-certificate-bug-in-mac-os-x-is-now-fixed/

Trapkit:
http://www.trapkit.de/advisories/TKADV2007-001.txt

RISE Security:
http://risesecurity.org/advisory/RISE-2007004/

LAC Co.:
http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/96_e.html

Other references
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers