
Secunia Advisory SA39158

Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
Release Date 2010-03-30
Last Update 2010-04-06
   

Criticality level Highly critical
Impact Security Bypass
Cross Site Scripting
Spoofing
Exposure of system information
Exposure of sensitive information
Privilege escalation
DoS
System access
Where From remote
Solution Status Vendor Patch
   
   
Operating System
Apple Macintosh OS X

CVE Reference(s)
CVE-2003-0063
CVE-2006-1329
CVE-2008-0564
CVE-2008-0888
CVE-2008-2712
CVE-2008-4101
CVE-2008-4456
CVE-2008-5302
CVE-2008-5303
CVE-2008-5515
CVE-2008-7247
CVE-2009-0033
CVE-2009-0037
CVE-2009-0316
CVE-2009-0580
CVE-2009-0688
CVE-2009-0689
CVE-2009-0781
CVE-2009-0783
CVE-2009-1904
CVE-2009-2042
CVE-2009-2417
CVE-2009-2422
CVE-2009-2446
CVE-2009-2632
CVE-2009-2693
CVE-2009-2801
CVE-2009-2901
CVE-2009-2902
CVE-2009-2906
CVE-2009-3009
CVE-2009-3095
CVE-2009-3557
CVE-2009-3558
CVE-2009-3559
CVE-2009-4017
CVE-2009-4019
CVE-2009-4030
CVE-2009-4142
CVE-2009-4143
CVE-2009-4214
CVE-2010-0041
CVE-2010-0042
CVE-2010-0043
CVE-2010-0055
CVE-2010-0056
CVE-2010-0057
CVE-2010-0058
CVE-2010-0059
CVE-2010-0060
CVE-2010-0062
CVE-2010-0063
CVE-2010-0064
CVE-2010-0065
CVE-2010-0393
CVE-2010-0497
CVE-2010-0498
CVE-2010-0500
CVE-2010-0501
CVE-2010-0502
CVE-2010-0503
CVE-2010-0504
CVE-2010-0505
CVE-2010-0506
CVE-2010-0507
CVE-2010-0508
CVE-2010-0509
CVE-2010-0510
CVE-2010-0511
CVE-2010-0512
CVE-2010-0513
CVE-2010-0514
CVE-2010-0515
CVE-2010-0516
CVE-2010-0517
CVE-2010-0518
CVE-2010-0519
CVE-2010-0520
CVE-2010-0521
CVE-2010-0522
CVE-2010-0523
CVE-2010-0524
CVE-2010-0525
CVE-2010-0526
CVE-2010-0533
CVE-2010-0534
CVE-2010-0535
CVE-2010-0537
  

Description

Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) A boundary error in AppKit within the feature used by Cocoa applications to spell check documents can be exploited to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code.

2) A timing error in the Application Firewall may result in certain rules becoming inactive after restart.

3) An access control error in AFP Server may allow mounting of AFP shares as a guest even though guest access is disabled.

4) An error exists in the path validation for shares in AFP Server and can be exploited via directory traversal attacks to read or write files accessible by the "nobody" user.

5) An error in Apache can be exploited to bypass certain security restrictions.

For more information:
SA36675

6) A configuration error in ClamAV introduced by a previous Security Update may prevent freshclam from running, causing virus definitions to not receive updates.

7) Two boundary errors in CoreAudio when handling QDM2 and QDMC encoded audio content can be exploited to corrupt memory.

Successful exploitation may allow execution of arbitrary code.

8) An error in CoreMedia when playing H.263 encoded movie files can be exploited to cause a heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code.

9) Missing checks in CoreTypes for ".ibplugin" and ".url" content types may result in users not being warned before opening potentially unsafe content via e.g. Safari.

Successful exploitation may allow execution of arbitrary code.

10) An error in the "lppasswd" CUPS utility can be exploited to gain escalated privileges.

For more information:
SA38789

11) An error exists in curl when processing X.509 certificate fields and can be exploited to conduct spoofing attacks.

For more information:
SA36238

12) A security issue in curl when handling the HTTP "Location" header can potentially be exploited to execute arbitrary commands.

For more information:
SA34138

13) A boundary error in Cyrus IMAP when handling Sieve scripts can potentially be exploited to execute arbitrary code.

For more information:
SA36629

14) A boundary error in the authentication module of Cyrus SASL can potentially be exploited to execute arbitrary code.

For more information:
SA35094

15) A security issue in DesktopServices when performing an authenticated copy in the Finder may result in copied items being assigned an unexpected file owner.

16) A security issue in DesktopServices may result in files being saved to a malicious share if a user has been tricked into mounting it via a URL scheme and then e.g. saves a file using the default save panel in any application, uses "Go to folder", or drags a folder to the save panel.

17) An error in the Disk Images component when handling bzip2 compressed disk images can be exploited to corrupt memory when a specially crafted disk image is mounted.

Successful exploitation may allow execution of arbitrary code.

18) A design error in the Disk Images component when handling Internet-enabled disk images containing a package file type causes it to be opened instead of displayed in the Finder.

Successful exploitation may allow execution of arbitrary code.

19) A security issue when handling record names in Directory Services can be exploited to gain escalated privileges.

20) An access control error in Dovecot when Kerberos authentication is enabled allows users to send and receive mails even if the user is not permitted to do so in the service access control list (SACL).

21) A security issue in Event Monitor when handling resolved DNS names of remote ssh clients can be exploited to add arbitrary hosts to the firewall blacklist.

22) An error in the default configuration of FreeRADIUS allows using EAP-TLS with an arbitrary valid certificate to authenticate.

23) An input validation error in FTP Server can be exploited by malicious users to retrieve files outside the FTP root directory via directory traversal attacks.

24) An error in iChat Server within jabberd's handling of SASL negotiation can be exploited to cause a DoS (Denial of Service).

For more information:
SA19281

25) A design error in iChat Server within the support for configurable group chat logging causes only certain message types to be logged.

26) Unspecified boundary errors and a use-after-free error in iChat Server can be exploited to corrupt memory or cause stack-based buffer overflows.

Successful exploitation may allow execution of arbitrary code.

27) An error in the "CGImageReadGetBytesAtOffset()" ImageIO function when parsing JP2 images can be exploited to cause a heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code.

28) Multiple vulnerabilities in ImageIO when handling BMP and TIFF images can be exploited to disclose certain data from the browser's memory or cause memory corruption.

For more information see vulnerability #2, #3, #4:
SA38932

29) Two errors in Image RAW when handling NEF and PEF images can be exploited to cause buffer overflows.

Successful exploitation may allow execution of arbitrary code.

30) An error in Libsystem when converting data between binary floating point and text can be exploited to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code.

31) An error in Mail causes user-defined rules associated with a deleted mail account to remain in effect.

32) A logic error in Mail when handling encryption certificates where multiple certificates exist in the keychain for a recipient may result in use of a weaker encryption key for outgoing mail.

33) Various vulnerabilities in Mailman can be exploited to conduct script insertion attacks.

For more information:
SA28794

34) Various vulnerabilities exist in the bundled version of MySQL.

For more information:
SA30134
SA32072
SA35767
SA37372

35) An error exists in OS Services as SFLServer runs as group "wheel" and accesses files in users' home directories.

Successful exploitation may allow malicious, local users to gain escalated privileges.

36) An error in Password Server when handling replication may result in passwords not being replicated, allowing log-in with outdated passwords.

37) Various race condition errors exist in the bundled version of perl.

For more information:
SA13643
SA14531

38) Various vulnerabilities exist in the bundled versions of PHP.

For more information:
SA37412
SA37821

39) An error in Podcast Producer results in access restrictions being removed when overwriting a Podcast Composer workflow.

40) A security issue exists in Preferences when handling logins of network accounts at the Login Window, which can be exploited to bypass login restrictions.

Successful exploitation requires network accounts to be identified by group membership only.

41) An error in PS Normalizer when parsing PostScript files can be exploited to cause a stack-based buffer overflow.

42) Multiple vulnerabilities in QuickTime when handling H.261, H.263, H.264, RLE, M-JPEG, Sorenson, FlashPix, FLC, and MPEG encoded movie files can be exploited to corrupt memory or cause heap-based buffer overflows.

For more information:
SA39133

43) Various vulnerabilities exist in the bundled version of Ruby.

For more information:
SA35399
SA35702
SA36600
SA37446

44) A design error in Server Admin can be exploited to anonymously extract information from Open Directory even if the "Require authenticated binding between directory and clients" option is enabled.

45) An error in Server Admin allows former members of the "admin" group to connect to the server using screen sharing.

46) An error in SMB can be exploited to cause a DoS (Denial of Service).

For more information see vulnerability #2:
SA36893

47) Multiple vulnerabilities exist in the bundled version of Tomcat.

For more information:
SA35326
SA38346

48) An uninitialised pointer error exists in unzip when extracting zip files.

For more information:
SA29415

49) Various vulnerabilities exist in the bundled version of vim.

For more information:
SA30731
SA31592

50) An error in Wiki Server can be exploited to gain knowledge of sensitive information by uploading active content (e.g. Java applets).

51) An error in Wiki Server can be exploited to bypass weblog creation restrictions as the weblog SACL is not consulted during the creation of a user's weblog.

52) Vulnerabilities exist in the bundled versions of libpng and xterm in X11.

For more information:
SA35346
SA8146

53) A design error in xar when validating package signatures may result in manipulated packages appearing as validly signed.


Solution
Apply Security Update 2010-002 or update to version 10.6.3.

Provided and/or discovered by
1,3,17,19,21,23,25,26,29,41,45,53) Reported by the vendor.
18) Brian Mastenbrook, reported via ZDI.
27) 85319bb6e6ab398b334509c50afce5259d42756e, reported via ZDI

The vendor credits:
2) Michael Kisor of OrganicOrb.com
4) Patrik Karlsson of cqure.net
6) Bayard Bell, Wil Shipley of Delicious Monster, and David Ferrero of Zion Software, LLC
7) anonymous researcher working with the TippingPoint Zero Day Initiative
8) Damian Put working with the TippingPoint Zero Day Initiative
9) Clint Ruoho of Laconic Security
10) Ronald Volgers
12) Daniel Stenberg of Haxx AB
15) Gerrit DeWitt of Auburn University (Auburn, AL)
16) Sidney San Martin working with DeepTech, Inc.
22) Chris Linstruth of Qnet
27) Chris Ries of Carnegie Mellon University Computing Services
28) Matthew 'j00ru' Jurczyk of Hispasec and Gus Mueller of Flying Meat
29) Chris Ries of Carnegie Mellon University Computing Services
30) Maksymilian Arciemowicz of SecurityReason.com
32) Paul Suh of ps Enable, Inc.
35) Kevin Finisterre of DigitalMunition
36) Jack Johnson of Anchorage School District
40) Christopher D. Grieb of University of Michigan MSIS
42) anonymous researcher, Moritz Jodeit of n.runs AG, and Damian Put working with the TippingPoint Zero Day Initiative, Nicolas Joly of Vupen, and Will Dormann of the CERT/CC.
44) Scott Gruby of Gruby Solutions and Mathias Haack of GRAVIS Computervertriebsgesellschaft mbH


Original Advisory
Apple:
http://support.apple.com/kb/HT4077

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-039/
http://www.zerodayinitiative.com/advisories/ZDI-10-058/
