Secunia

Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) Multiple boundary errors in AFP client when processing "afp://" URLs can be exploited to cause stack-based buffer overflows when a user connects to a malicious AFP server.

Successful exploitation may allow execution of arbitrary code.

2) An error exists in AFP Server when checking Kerberos principal realm names. This can be exploited to make unauthorized connections to the server when cross-realm authentication with AFP Server is used.

3) Multiple vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.

For more information:
SA18008
SA21197
SA26636
SA27906
SA28046

4) A boundary error within the handling of file names in the NSDocument API in AppKit can be exploited to cause a stack-based buffer overflow.

5) An error in NSApplication in AppKit can potentially be exploited to execute code with escalated privileges by sending a maliciously crafted messages to privileged applications in the same bootstrap namespace.

6) Multiple integer overflow errors exist in the parser for a legacy serialization format. This can be exploited to cause a heap-based buffer overflow when a specially crafted serialized property list is parsed.

Successful exploitation may allow execution of arbitrary code.

7) An error in CFNetwork can be exploited to spoof secure websites via 502 Bad Gateway errors from a malicious HTTPS proxy server.

8) Multiple vulnerabilities in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.

For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907

9) An integer overflow error exists in CoreFoundation when handling time zone data. This can be exploited by a malicious, local user to execute arbitrary code with system privileges.

10) The problem is that files with names ending in ".ief" can be automatically opened in AppleWorks if "Open 'Safe' files" is enabled in Safari.

11) A vulnerability in CUPS can be exploited to execute arbitrary code with system privileges.

For more information:
SA29431

12) Multiple input validation errors exist in CUPS, which can be exploited to execute arbitrary code with system privileges.

13) A boundary error in curl can be exploited to compromise a user's system.

For more information:
SA17907

14) A vulnerability in emacs can be exploited by malicious people to compromise a user's system.

For more information:
SA27508

15) A vulnerability in "file" can be exploited by malicious people to compromise a vulnerable system.

For more information:
SA24548

16) An input validation error exists in the NSSelectorFromString API, which can potentially be exploited to execute arbitrary code via a malformed selector name.

17) A race condition error in NSFileManager can potentially be exploited to gain escalated privileges.

18) A boundary error in NSFileManager can potentially be exploited to cause a stack-based buffer overflow via an overly long pathname with a specially crafted structure.

19) A race condition error exists in the cache management of NSURLConnection. This can be exploited to cause a DoS or execute arbitrary code in applications using the library (e.g. Safari).

20) A race condition error exists in NSXML. This can be exploited to execute arbitrary code by enticing a user to process an XML file in an application which uses NSXML.

21) An error in Help Viewer can be exploited to insert arbitrary HTML or JavaScript into the generated topic list page via a specially crafted "help:topic_list" URL and may redirect to a Help Viewer "help:runscript" link that runs Applescript.

22) A boundary error exists in Image Raw within the handling of Adobe Digital Negative (DNG) image files. This can be exploited to cause a stack-based buffer overflow by enticing a user to open a maliciously crafted image file.

23) Multiple vulnerabilities in Kerberos can be exploited to cause a DoS or to compromise a vulnerable system.

For more information:
SA29428

24) An off-by-one error the "strnstr()" in libc can be exploited to cause a DoS.

25) A format string error exists in mDNSResponderHelper, which can be exploited by a malicious, local user to cause a DoS or execute arbitrary code with privileges of mDNSResponderHelper by setting the local hostname to a specially crafted string.

26) An error in notifyd can be exploited by a malicious, local user to deny access to notifications by sending fake Mach port death notifications to notifyd.

27) An array indexing error in the pax command line tool can be exploited to execute arbitrary code.

28) Multiple vulnerabilities in php can be exploited to bypass certain security restrictions.

For more information:
SA27648
SA28318

29) A security issue is caused due to the Podcast Capture application providing passwords to a subtask through the arguments.

30) Printing and Preview handle PDF files with weak encryption.

31) An error in Printing in the handling of authenticated print queues can lead to credentials being saved to disk.

32) An error in NetCfgTool can be exploited by a malicious, local user to execute arbitrary code with escalated privileges via a specially crafted message.

33) A null-pointer dereference error exists in the handling of Universal Disc Format (UDF) file systems, which can be exploited to cause a system shutdown by enticing a user to open a maliciously crafted disk image.

34) An input validation error exists in the Mac OS X 10.5 Server Wiki Server. This can be exploited by malicious users to upload arbitrary files with privileges of the wiki server execute arbitrary code.

35) Some vulnerabilities in X11 can be exploited by malicious, local users to gain escalated privileges.

For more information:
SA27040
SA28532

36) Some vulnerabilities in libpng can be exploited by malicious people to cause a DoS (Denial of Service).

For more information:
SA22900
SA25292
SA27093
SA27130

Solution
Apply Security Update 2008-002.
Further details available in Customer Area

Provided and/or discovered by
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega

34) Rodrigo Carvalho CORE Security Technologies

Changelog
Further details available in Customer Area

Original Advisory
Apple:
http://docs.info.apple.com/article.html?artnum=307562

CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area