Mac OS X Security Update Fixes Multiple Vulnerabilities
Secunia Advisory: SA29420
Release Date: 2008-03-19
Last Update: 2008-03-27
Popularity: 7,209 views

Critical:
Highly critical
Impact: Unknown
Security Bypass
Cross Site Scripting
Spoofing
Exposure of sensitive information
Privilege escalation
DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS:Apple Macintosh OS X

Subscribe: Instant alerts on relevant vulnerabilities

CVE reference:CVE-2005-3352
CVE-2006-3334
CVE-2006-3747
CVE-2006-5793
CVE-2006-6481
CVE-2007-0897
CVE-2007-0898
CVE-2007-3725
CVE-2007-1659
CVE-2007-1660
CVE-2007-1661
CVE-2007-1662
CVE-2007-1745
CVE-2007-1997
CVE-2007-2445
CVE-2007-2799
CVE-2007-3378
CVE-2007-3799
CVE-2007-3847
CVE-2007-4510
CVE-2007-4560
CVE-2007-4568
CVE-2007-4752
CVE-2007-4766
CVE-2007-4767
CVE-2007-4768
CVE-2007-4887
CVE-2007-4990
CVE-2007-5000
CVE-2007-5266
CVE-2007-5267
CVE-2007-5268
CVE-2007-5269
CVE-2007-5795
CVE-2007-5958
CVE-2007-5971
CVE-2007-6109
CVE-2007-6203
CVE-2007-6335
CVE-2007-6336
CVE-2007-6337
CVE-2007-6388
CVE-2007-6421
CVE-2007-6427
CVE-2007-6428
CVE-2007-6429
CVE-2008-0005
CVE-2008-0006
CVE-2008-0044
CVE-2008-0045
CVE-2008-0046
CVE-2008-0047
CVE-2008-0048
CVE-2008-0049
CVE-2008-0050
CVE-2008-0051
CVE-2008-0052
CVE-2008-0053
CVE-2008-0054
CVE-2008-0055
CVE-2008-0056
CVE-2008-0058
CVE-2008-0059
CVE-2008-0060
CVE-2008-0062
CVE-2008-0063
CVE-2008-0318
CVE-2008-0596
CVE-2008-0728
CVE-2008-0882
CVE-2008-0987
CVE-2008-0988
CVE-2008-0989
CVE-2008-0990
CVE-2008-0992
CVE-2008-0993
CVE-2008-0994
CVE-2008-0995
CVE-2008-0996
CVE-2008-0998
CVE-2008-0999
CVE-2008-1000
CVE-2008-0997
CVE-2008-1001
CVE-2008-0057


Description:
Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) Multiple boundary errors in AFP client when processing "afp://" URLs can be exploited to cause stack-based buffer overflows when a user connects to a malicious AFP server.

Successful exploitation may allow execution of arbitrary code.

2) An error exists in AFP Server when checking Kerberos principal realm names. This can be exploited to make unauthorized connections to the server when cross-realm authentication with AFP Server is used.

3) Multiple vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.

For more information:
SA18008
SA21197
SA26636
SA27906
SA28046

4) A boundary error within the handling of file names in the NSDocument API in AppKit can be exploited to cause a stack-based buffer overflow.

5) An error in NSApplication in AppKit can potentially be exploited to execute code with escalated privileges by sending a maliciously crafted messages to privileged applications in the same bootstrap namespace.

6) Multiple integer overflow errors exist in the parser for a legacy serialization format. This can be exploited to cause a heap-based buffer overflow when a specially crafted serialized property list is parsed.

Successful exploitation may allow execution of arbitrary code.

7) An error in CFNetwork can be exploited to spoof secure websites via 502 Bad Gateway errors from a malicious HTTPS proxy server.

8) Multiple vulnerabilities in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.

For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907

9) An integer overflow error exists in CoreFoundation when handling time zone data. This can be exploited by a malicious, local user to execute arbitrary code with system privileges.

10) The problem is that files with names ending in ".ief" can be automatically opened in AppleWorks if "Open 'Safe' files" is enabled in Safari.

11) A vulnerability in CUPS can be exploited to execute arbitrary code with system privileges.

For more information:
SA29431

12) Multiple input validation errors exist in CUPS, which can be exploited to execute arbitrary code with system privileges.

13) A boundary error in curl can be exploited to compromise a user's system.

For more information:
SA17907

14) A vulnerability in emacs can be exploited by malicious people to compromise a user's system.

For more information:
SA27508

15) A vulnerability in "file" can be exploited by malicious people to compromise a vulnerable system.

For more information:
SA24548

16) An input validation error exists in the NSSelectorFromString API, which can potentially be exploited to execute arbitrary code via a malformed selector name.

17) A race condition error in NSFileManager can potentially be exploited to gain escalated privileges.

18) A boundary error in NSFileManager can potentially be exploited to cause a stack-based buffer overflow via an overly long pathname with a specially crafted structure.

19) A race condition error exists in the cache management of NSURLConnection. This can be exploited to cause a DoS or execute arbitrary code in applications using the library (e.g. Safari).

20) A race condition error exists in NSXML. This can be exploited to execute arbitrary code by enticing a user to process an XML file in an application which uses NSXML.

21) An error in Help Viewer can be exploited to insert arbitrary HTML or JavaScript into the generated topic list page via a specially crafted "help:topic_list" URL and may redirect to a Help Viewer "help:runscript" link that runs Applescript.

22) A boundary error exists in Image Raw within the handling of Adobe Digital Negative (DNG) image files. This can be exploited to cause a stack-based buffer overflow by enticing a user to open a maliciously crafted image file.

23) Multiple vulnerabilities in Kerberos can be exploited to cause a DoS or to compromise a vulnerable system.

For more information:
SA29428

24) An off-by-one error the "strnstr()" in libc can be exploited to cause a DoS.

25) A format string error exists in mDNSResponderHelper, which can be exploited by a malicious, local user to cause a DoS or execute arbitrary code with privileges of mDNSResponderHelper by setting the local hostname to a specially crafted string.

26) An error in notifyd can be exploited by a malicious, local user to deny access to notifications by sending fake Mach port death notifications to notifyd.

27) An array indexing error in the pax command line tool can be exploited to execute arbitrary code.

28) Multiple vulnerabilities in php can be exploited to bypass certain security restrictions.

For more information:
SA27648
SA28318

29) A security issue is caused due to the Podcast Capture application providing passwords to a subtask through the arguments.

30) Printing and Preview handle PDF files with weak encryption.

31) An error in Printing in the handling of authenticated print queues can lead to credentials being saved to disk.

32) An error in NetCfgTool can be exploited by a malicious, local user to execute arbitrary code with escalated privileges via a specially crafted message.

33) A null-pointer dereference error exists in the handling of Universal Disc Format (UDF) file systems, which can be exploited to cause a system shutdown by enticing a user to open a maliciously crafted disk image.

34) An input validation error exists in the Mac OS X 10.5 Server Wiki Server. This can be exploited by malicious users to upload arbitrary files with privileges of the wiki server execute arbitrary code.

35) Some vulnerabilities in X11 can be exploited by malicious, local users to gain escalated privileges.

For more information:
SA27040
SA28532

36) Some vulnerabilities in libpng can be exploited by malicious people to cause a DoS (Denial of Service).

For more information:
SA22900
SA25292
SA27093
SA27130

Solution:
Apply Security Update 2008-002.

Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html

Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html

Security Update 2008-002 v1.1 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v11leopard.html

Security Update 2008-002 v1.1 Server (Leopard):
http://www.apple.com/support/download...ityupdate2008002v11serverleopard.html

Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html

Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/download...yupdate2008002v10serveruniversal.html

Provided and/or discovered by:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega

34) Rodrigo Carvalho CORE Security Technologies

Changelog:
2008-03-24: Added CVE reference.
2008-03-27: Updated "Solution" section. The vendor has issued "Security Update 2008-002 v1.1 (Leopard)" and "Security Update 2008-002 v1.1 Server (Leopard)". Reportedly, previous security updates have been incorporated into this security update.

Original Advisory:
Apple:
http://docs.info.apple.com/article.html?artnum=307562

CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189

Other References:
SA17907:
http://secunia.com/advisories/17907/

SA18008:
http://secunia.com/advisories/18008/

SA21187:
http://secunia.com/advisories/21197/

SA22900:
http://secunia.com/advisories/22900/

SA23347:
http://secunia.com/advisories/23347/

SA24187:
http://secunia.com/advisories/24187/

SA24548:
http://secunia.com/advisories/24548/

SA24891:
http://secunia.com/advisories/24891/

SA25292:
http://secunia.com/advisories/25292/

SA26038:
http://secunia.com/advisories/26038/

SA26530:
http://secunia.com/advisories/26530/

SA26636:
http://secunia.com/advisories/26636/

SA27040:
http://secunia.com/advisories/27040/

SA27093:
http://secunia.com/advisories/27093/

SA27130:
http://secunia.com/advisories/27130/

SA27648:
http://secunia.com/advisories/27648/

SA27508:
http://secunia.com/advisories/27508/

SA27906:
http://secunia.com/advisories/27906/

SA28046:
http://secunia.com/advisories/28046/

SA28117:
http://secunia.com/advisories/28117/

SAS28318:
http://secunia.com/advisories/28318/

SA28532:
http://secunia.com/advisories/28532/

SA28907:
http://secunia.com/advisories/28907/

SA29428:
http://secunia.com/advisories/29428/

SA29431:
http://secunia.com/advisories/29431/


Track this Secunia Advisory
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.

Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.

About this Secunia Advisory
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
  
Latest Advisories

Send Feedback to Secunia
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.

Ideas, suggestions, and other feedback are most welcome.

Most Popular - 3 Hours

1. Subdreamer Light Global Variables SQL Injection Vulnerability // 69 views
2. Adobe Flash Player Multiple Vulnerabilities // 41 views
3. Microsoft Office Two Code Execution Vulnerabilities // 22 views
4. Microsoft Word Malformed Object Pointer Vulnerability // 18 views
5. VLC Media Player Multiple Vulnerabilities // 17 views
6. Sun Java System Web Proxy Server SOCKS Module Buffer Overflows // 16 views
7. Opera Multiple Vulnerabilities // 16 views
8. phpBB "cur_password" Cross-Site Scripting Vulnerability // 14 views
9. Sun Java JDK / JRE Multiple Vulnerabilities // 14 views
10. Netgear WN802T Wireless Access Point Two Vulnerabilities // 13 views