Secunia

Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) A boundary error in the handling of PostScript font names in Apple Type Services can be exploited to cause a heap-based buffer overflow when a document containing a specially crafted font is viewed.

Successful exploitation may allow execution of arbitrary code.

2) Some vulnerabilities in ClamAV can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), or compromise a vulnerable system.

For more information:
SA29000
SA30657

3) An error exists in Directory Services when it is configured to authenticate users with Active Directory. This can be exploited to disclose a list of user names from Active Directory in the Login Window by supplying wildcard characters in the user name field.

4) A vulnerability is caused due to an insecure file operation within the "slapconfig" tool, which can be exploited by a malicious, local user to disclose the password that are entered by administrative users using "slapconfig".

5) An weakness in Finder causes the "Get Info" window to incorrectly display the privileges for a file.

6) A null pointer dereference error exists in Finder when searching for a remote disc. This can be exploited by malicious people with access to the local network to cause Finder to exit immediately after it starts.

7) A vulnerability in ImageIO can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise a user's system.

For more information:
SA31610

8) An unspecified error exists in ImageIO when handling TIFF images. This can be exploited to cause a memory corruption and allows crashing an application or potentially arbitrary code execution.

9) An unspecified error in ImageIO when processing embedded ICC profiles in JPEG images can be exploited to crash an application or potentially execute arbitrary code.

10) A vulnerability in ImageIO can be exploited by malicious people to cause a DoS (Denial of Service), disclose potentially sensitive information, or potentially compromise an application using the library.

For more information:
SA29792

11) An error in the Kernel when a vnode is recycled can be exploited by malicious, local users to read or write certain files without proper permissions.

12) A security issue exists in libresolv and mDNSResponder due to DNS query port number not being sufficiently randomised, which can be exploited to poison the DNS cache.

13) A race condition exists in Login Window, which can be exploited to log in as an arbitrary user without providing any credentials if the system has an account without password enabled, e.g. the "Guest" account.

14) A weakness exists due to Login Window not properly clearing the password after a failed password change, which can be exploited by malicious people with access to the Login Screen to reset a user's password.

Successful exploitation requires that a user leaves a system with the error message displayed after a failed password change.

15) A vulnerability and a weakness in OpenSSH can be exploited by malicious, local users to disclose sensitive information or to bypass certain security restrictions.

For more information:
SA29522
SA29602

16) A vulnerability in QuickDraw Manager can be exploited by malicious people to compromise a user's system.

For more information see vulnerability #5 in:
SA31821

17) A vulnerability in Ruby can be exploited by malicious people to cause a DoS (Denial of Service).

For more information:
SA30924

18) Integer overflow errors exist in unspecified functions within the SearchKit framework. These can be exploited to crash an application or execute arbitrary code when an application passes untrusted input to SearchKit.

19) An error in System Configuration exists due to PPP passwords being stored unencrypted in a world readable file.

20) An error exists in Time Machine due to log files being stored with insecure permissions on the backup drive , which can lead to disclosure of sensitive information.

21) A memory corruption error exists in the handling of H.264 encoded media within the VideoConference framework. This can be exploited to crash an application and potentially execute arbitrary code e.g. when a user starts a video conference with a malicious person.

22) Certain input in emails is not properly sanitised before being used in the mailing list archive in Wiki Server. This can be exploited to insert arbitrary HTML and script code, which will be executed in another user's browser session in context of an affected site e.g. when a malicious mail is viewed.

Solution
Update to Mac OS X 10.5.5 or apply Security Update 2008-006.
Further details available in Customer Area

Provided and/or discovered by
1) The vendor credits Chris Ries, Carnegie Mellon University Computing Services.
3) The vendor credits IT Department of the West Seneca Central School District
5) The vendor credits Michel Colman.
6) The vendor credits Yuxuan Wang, Sogou.
8) The vendor credits Robert Swiecki, Google Security Team.
11) The vendor credits Nevin Liber, Thomas Pelaia of Oak Ridge National Lab, Thomas Tempelmann, and Ram Kolli.
12) Dan Kaminsky, IOActive
14) The vendor credits Christopher A. Grande, Middlesex Community College
15) The vendor credits an anonymous person via iDefense VCP.
19) The vendor credits Hernan Ochoa of Core Security Technologies, Tore Halset of pvv.org, and Matt Johnston of the University Computer Club.
20) The vendor credits Edwin McKenzie.
22) The vendor credits Leon von Tippelskirch and Matthias Wieczorek of the Chair for Applied Software Engineering, TU Munich

Original Advisory
Apple:
http://support.apple.com/kb/HT3137

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area