Secunia Logo
 Vulnerability IntelligenceVulnerability ScanningCommunityBlog - new entry!Corporate InformationOnline ShopCustomer Login  
 Secunia AdvisoriesSecunia ResearchBinary Analysis  
Home > Vulnerability Intelligence > Secunia Advisories > Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
Secunia Advisories
Advisories
Search
Advisories by Product
Advisories by Vendor
Historic Advisories
Mailing Lists & RSS
Report Vulnerability
Contact Form
Business Solutions Restricted
Partner Solutions Restricted
About
 
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
Secunia Advisory: SA27643
Advisory Toolbox:
Issue ticket
Save in to-do list
Mark as handled
Exploit information
Download as PDF
Review actions
Add comment
Release Date: 2007-11-15
Last Update: 2007-11-21
Popularity: 11,118 views

Critical:
Highly critical
Impact: Security Bypass
Cross Site Scripting
Spoofing
Exposure of sensitive information
Privilege escalation
DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS:Apple Macintosh OS X
Subscribe: Instant alerts on relevant vulnerabilities

CVE reference:CVE-2005-0953
CVE-2005-1260
CVE-2007-0464
CVE-2007-0646
CVE-2007-2926
CVE-2007-3456
CVE-2007-3749
CVE-2007-3756
CVE-2007-3758
CVE-2007-3760
CVE-2007-3999
CVE-2007-4267
CVE-2007-4268
CVE-2007-4269
CVE-2007-4671
CVE-2007-4678
CVE-2007-4679
CVE-2007-4680
CVE-2007-4681
CVE-2007-4682
CVE-2007-4683
CVE-2007-4684
CVE-2007-4685
CVE-2007-4686
CVE-2007-4687
CVE-2007-4688
CVE-2007-4689
CVE-2007-4690
CVE-2007-4691
CVE-2007-4692
CVE-2007-4693
CVE-2007-4694
CVE-2007-4695
CVE-2007-4696
CVE-2007-4697
CVE-2007-4698
CVE-2007-4699
CVE-2007-4700
CVE-2007-4701
CVE-2007-4743
Description:
Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) Multiple errors within the Adobe Flash Player plug-in can be exploited by malicious people to gain knowledge of sensitive information or compromise a user's system.

For more information:
SA26027

2) A null-pointer dereference error exists within AppleRAID when handling disk images. This can be exploited to cause a system shutdown when a specially crafted disk image is mounted e.g. automatically via Safari if the option "Open 'safe' files after downloading" is enabled.

3) An error in BIND can be exploited by malicious people to poison the DNS cache.

For more information:
SA26152

4) An error in bzip2 can be exploited to cause a DoS (Denial of Service).

For more information:
SA15447

This also fixes a race condition when setting file permissions.

5) An unspecified error in the implementation of FTP of CFNetwork can be exploited by a malicious FTP server to cause the client to connect to other hosts by sending specially crafted replies to FTP PASV (passive) commands.

6) An error exists in the validation of certificates within CFNetwork. This can be exploited via a Man-in-the-Middle (MitM) attack to spoof a web site with a trusted certificate.

7) A null pointer dereference error in the CFNetwork framework can lead to an unexpected application termination when a vulnerable application connects to a malicious server.

8) A boundary error in CoreFoundation can be exploited to cause a one-byte buffer overflow when a user is enticed to read a specially crafted directory hierarchy.

Successful exploitation allows execution of arbitrary code.

9) An error exists in CoreText due to the use of an uninitialised pointer and can be exploited to execute arbitrary code when a user is tricked into reading a specially crafted text.

10) Some vulnerabilities in Kerberos can be exploited by malicious users and malicious people to compromise a vulnerable system.

For more information:
SA26676

11) An error in the handling of the current Mach thread port or thread exception port in the Kernel can be exploited by a malicious, local user to execute arbitrary code with root privileges.

Successful exploitation requires permission to execute a setuid binary.

12) An unspecified error in the Kernel can be exploited to bypass the chroot mechanism by changing the working directory using a relative path.

13) An integer overflow error in the "i386_set_ldt" system call can be exploited by malicious, local users to cause a buffer overflow and execute arbitrary code with escalated privileges.

14) An error exists in the handling of standard file descriptors while executing setuid and setgid programs. This can be exploited by malicious, local users to gain system privileges by executing setuid programs with the standard file descriptors in an unexpected state.

15) A signedness error exists in the Kernel when handling ioctl requests. This can be exploited to execute arbitrary code with system privileges by sending a specially crafted ioctl request.

16) The default configuration of tftpd allows clients to access any path on the system.

17) An error in the Node Information Query mechanism may allow a remote user to query for all addresses of a host, including link-local addresses.

18) An integer overflow exists in the handling of ASP messages with AppleTalk. This can be exploited by malicious, local users to cause a heap-based buffer overflow and to execute arbitrary code with system privileges by sending a maliciously crafted ASP message on an AppleTalk socket.

19) A double-free error in the handling of certain IPV6 packets can potentially be exploited to execute arbitrary code with system privileges.

20) A boundary error exists when adding a new AppleTalk zone. This can be exploited to cause a stack-based buffer overflow by sending a maliciously crafted ioctl request to an AppleTalk socket and allows execution of arbitrary code with system privileges.

21) An arithmetic error exists in AppleTalk when handling memory allocations. This can be exploited by malicious, local users to cause a heap-based buffer overflow and execute arbitrary code with system privileges by sending a maliciously crafted AppleTalk message.

22) A double free error in NFS exists when processing an AUTH_UNIX RPC call. This can be exploited by malicious people to execute arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call via TCP or UDP.

23) An unspecified case-sensitivity error exists in NSURL when determining if a URL references the local file system.

24) A format string error in Safari can be exploited by malicious people to execute arbitrary code when a user is tricked into opening a .download file with a specially crafted name.

25) An implementation error exists in the tabbed browsing feature of Safari. If HTTP authentication is used by a site being loaded in a tab other than the active tab, an authentication sheet may be displayed although the tab and its corresponding page are not visible.

26) A person with physical access to a system may be able to bypass the screen saver authentication dialog by sending keystrokes to a process running behind the screen saver authentication dialog.

27) Safari does not block "file://" URLs when loading resources. This can be exploited to view the content of local files by enticing a user to visit a specially crafted web page.

28) An input validation error exists in WebCore when handling HTML forms. This can be exploited to alter the values of form fields by enticing a user to upload a specially crafted file.

29) A race condition error exists in Safari when handling page transitions. This can be exploited to obtain information entered in forms on other web sites by enticing a user to visit a malicious web page.

30) An unspecified error exists in the handling of the browser's history. This can be exploited to execute arbitrary code by enticing a user to visit a specially crafted web page.

31) An error in Safari allows malicious websites to set Javascript window properties of websites served from a different domain. This can be exploited to get or set the window status and location of pages served from other websites by enticing a user to visit a specially crafted web page.

32) An error in Safari allows a malicious website to bypass the same origin policy by hosting embedded objects with javascript URLs. This can be exploited to execute arbitrary HTML and script code in context of another site by enticing a user to visit a specially crafted web page.

33) An error in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. This can be exploited to execute Javascript code in context of HTTPS web pages in that domain when a user visits a malicious web page.

34) An error in Safari in the handling of new browser windows can be exploited to disclose the URL of an unrelated page.

For more information see vulnerability #2 in:
SA23893

35) An error in WebKit may allow unauthorised applications to access private keys added to the keychain by Safari.

36) An unspecified error in Safari may allow a malicious website to send remotely specified data to arbitrary TCP ports.

37) WebKit/Safari creates temporary files insecurely when previewing a PDF file, which may allow a local user to access the file's content.

Solution:
Update to Mac OS X 10.4.11 or apply Security Update 2007-008.

Security Update 2007-008 (10.3.9 Client):
http://www.apple.com/support/downloads/securityupdate20070081039client.html

Security Update 2007-008 (10.3.9 Server):
http://www.apple.com/support/downloads/securityupdate20070081039server.html

Mac OS X 10.4.11 Combo Update (PPC):
http://www.apple.com/support/downloads/macosx10411comboupdateppc.html

Mac OS X 10.4.11 Update (Intel):
http://www.apple.com/support/downloads/macosx10411updateintel.html

Mac OS X 10.4.11 Combo Update (Intel):
http://www.apple.com/support/downloads/macosx10411comboupdateintel.html

Mac OS X 10.4.11 Update (PPC):
http://www.apple.com/support/downloads/macosx10411updateppc.html

Mac OS X Server 10.4.11 Update (Universal):
http://www.apple.com/support/downloads/macosx10411updateppc.html

Mac OS X Server 10.4.11 Combo Update (Universal):
http://www.apple.com/support/download...xserver10411comboupdateuniversal.html

Mac OS X Server 10.4.11 Update (PPC):
http://www.apple.com/support/downloads/macosxserver10411updateppc.html

Mac OS X Server 10.4.11 Combo Update (PPC):
http://www.apple.com/support/downloads/macosxserver10411comboupdateppc.html

Provided and/or discovered by:
2) The vendor credits Mark Tull, University of Hertfordshire and Joel Vink, Zetera Corporation.
5) The vendor credits Dr Bob Lopez PhD.
6) Marko Karppinen, Petteri Kamppuri, and Nikita Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) Adriano Lima and Ramon de Carvalho Valle, RISE Security.
14) The vendor credits Ilja van Sprundel.
15) Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort" Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH Zurich.

Changelog:
2007-11-16: Updated "Description" and credits section. Added additional links to "Original Advisory" section.
2007-11-21: Added link to "Original Advisory" section.

Original Advisory:
Apple:
http://docs.info.apple.com/article.html?artnum=307041

US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628

Marko Karppinen:
http://www.karppinen.fi/2007/11/15/sc...ificate-bug-in-mac-os-x-is-now-fixed/

Trapkit:
http://www.trapkit.de/advisories/TKADV2007-001.txt

RISE Security:
http://risesecurity.org/advisory/RISE-2007004/

LAC Co.:
http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/96_e.html

Other References:
SA15447:
http://secunia.com/advisories/15447/

SA23893:
http://secunia.com/advisories/23893/

SA26027:
http://secunia.com/advisories/26027/

SA26152:
http://secunia.com/advisories/26152/

SA26676:
http://secunia.com/advisories/26676/

Track this Secunia Advisory
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.

Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.

About this Secunia Advisory
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
  
Latest Advisories

Today
New advisories: 20
New vulnerabilities: 45
Updated advisories: 31

Not // 85 views
Linux Kernel PARISC "parisc_show_stack() " Denial of Service
Not // 81 views
IBM HMC HTTP TRACE Response Cross-Site Scripting Weakness
Moderately // 166 views
PHP ZipArchive::extractT o() Directory Traversal Vulnerability
Moderately // 123 views
RSyslog "AllowedSender" Security Bypass Vulnerability
Moderately // 199 views
Nagios Unspecified CGI Vulnerability
Highly // 166 views
RadAsm ".rap" Processing Buffer Overflow Vulnerability
Highly // 152 views
Multi SEO phpBB "pfad" File Inclusion Vulnerability
Moderately // 161 views
PowerDNS CH HINFO Denial of Service Vulnerability
Less // 166 views
Drupal Storm Module SQL Injection Vulnerabilities
Moderately // 153 views
Check Up System for Thai Healthcare "search" SQL Injection

Solutions | More...  

Send Feedback to Secunia
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.

Ideas, suggestions, and other feedback are most welcome.

Most Popular - 3 Hours

1. Sun Java JDK / JRE Multiple Vulnerabilities // 536 views
2. Adobe Flash Player Multiple Security Issues and Vulnerabilities // 156 views
3. PHP ZipArchive::extractTo() Directory Traversal Vulnerability // 110 views
4. Nagios Unspecified CGI Vulnerability // 110 views
5. RadAsm ".rap" Processing Buffer Overflow Vulnerability // 75 views
6. Apple QuickTime Multiple Vulnerabilities // 70 views
7. Drupal Storm Module SQL Injection Vulnerabilities // 70 views
8. RSyslog "AllowedSender" Security Bypass Vulnerability // 70 views
9. PowerDNS CH HINFO Denial of Service Vulnerability // 64 views
10. Check Up System for Thai Healthcare "search" SQL Injection // 63 views



Contact | Terms & Conditions and Copyright | Report Vulnerability | Press | Jobs | About Secunia
Copyright Secunia 2002-2008