
APPLE-SA-2007-12-17 Security Update 2007-009

Posted on 17 December 2007
Apple Security-announce

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2007-12-17 Security Update 2007-009

Security Update 2007-009 is now available and addresses the following
issues:

Address Book
CVE-ID: CVE-2007-4708
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A format string vulnerability exists in Address Book's
URL handler. By enticing a user to visit a maliciously crafted
website, a remote attacker may cause an unexpected application
termination or arbitrary code execution. This update addresses the
issue through improved handling of format strings. This issue does
not affect systems running Mac OS X 10.5 or later.

CFNetwork
CVE-ID: CVE-2007-4709
Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Visiting a malicious website could allow the automatic
download of files to arbitrary folders to which the user has write
permission
Description: A path traversal issue exists in CFNetwork's handling
of downloaded files. By enticing a user to visit a malicious website,
an attacker may cause the automatic download of files to arbitrary
folders to which the user has write permission. This update addresses
the issue through improved processing of HTTP responses. This issue
does not affect systems prior to Mac OS X 10.5. Credit to Sean
Harding for reporting this issue.

ColorSync
CVE-ID: CVE-2007-4710
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Viewing a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution
Description: A memory corruption issue exists in the handling of
images with an embedded ColorSync profile. By enticing a user to open
a maliciously crafted image, an attacker may cause an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of images.
This issue does not affect systems running Mac OS X 10.5 or later.
Credit to Tom Ferris of Adobe Secure Software Engineering Team
(ASSET) for reporting this issue.

Core Foundation
CVE-ID: CVE-2007-5847
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Usage of CFURLWriteDataAndPropertiesToResource API may lead
to the disclosure of sensitive information
Description: A race condition exists in the
CFURLWriteDataAndPropertiesToResource API, which may cause files to
be created with insecure permissions. This may lead to the disclosure
of sensitive information. This update addresses the issue through
improved file handling. This issue does not affect systems running
Mac OS X 10.5 or later.

CUPS
CVE-ID: CVE-2007-5848
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: A local admin user may be able to gain system privileges
Description: A buffer overflow issue exists in the printer driver
for CUPS. This may allow a local admin user to gain system privileges
by passing a maliciously crafted URI to the CUPS service. This update
addresses the issue by ensuring that the destination buffer is sized
to contain the data. This issue does not affect systems running Mac
OS X 10.5 or later. Credit to Dave Camp at Critical Path Software for
reporting this issue.

CUPS
CVE-ID: CVE-2007-4351
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of
Internet Printing Protocol (IPP) tags, which may allow a remote
attacker to cause an unexpected application termination or arbitrary
code execution. This update addresses the issue through improved
bounds checking.

CUPS
CVE-ID: CVE-2007-5849
Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: If SNMP is enabled, a remote attacker may cause an
unexpected application termination or arbitrary code execution
Description: The CUPS backend SNMP program broadcasts SNMP requests
to discover network print servers. A stack buffer overflow may result
from an integer underflow in the handling of SNMP responses. If SNMP
is enabled, a remote attacker may exploit this issue by sending a
maliciously crafted SNMP response, which may cause an application
termination or arbitrary code execution. This update addresses the
issue by performing additional validation of SNMP responses. This
issue does not affect systems prior to Mac OS X 10.5. Credit to Wei
Wang of McAfee Avert Labs for reporting this issue.

Desktop Services
CVE-ID: CVE-2007-5850
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Opening a directory containing a maliciously-crafted
.DS_Store file in Finder may lead to arbitrary code execution
Description: A heap buffer overflow exists in Desktop Services. By
enticing a user to open a directory containing a maliciously crafted
.DS_Store file, an attacker may cause arbitrary code execution. This
update addresses the issue through improved bounds checking. This
issue does not affect systems running Mac OS X 10.5 or later.

Flash Player Plug-in
CVE-ID: CVE-2007-5476
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Multiple vulnerabilities in Adobe Flash Player Plug-in
Description: Adobe Flash Player is updated to version 9.0.115.0 to
address CVE-2007-5476. Further information is available via the Adobe
site at
http://www.adobe.com/support/security/advisories/apsa07-05.html
Credit to Opera Software for reporting this issue.

GNU Tar
CVE-ID: CVE-2007-4131
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Extracting a maliciously crafted tar archive could overwrite
arbitrary files
Description: A directory traversal issue exists in GNU Tar. By
enticing a local user to extract a maliciously crafted tar archive,
an attacker may cause arbitrary files to be overwritten. This issue
has been addressed by performing additional validation of tar files.
This issue does not affect systems running Mac OS X 10.5 or later.

iChat
CVE-ID: CVE-2007-5851
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: A person on the local network may initiate a video
connection without the user's approval
Description: An attacker on the local network may initiate a video
conference with a user without the user's approval. This update
addresses the issue by requiring user interaction to initiate a video
conference. This issue does not affect systems running Mac OS X 10.5
or later.

IO Storage Family
CVE-ID: CVE-2007-5853
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Opening a maliciously crafted disk image may lead to an
unexpected system shutdown or arbitrary code execution
Description: A memory corruption issue exists in the handling of
GUID partition maps within a disk image. By enticing a user to open a
maliciously crafted disk image, an attacker may cause an unexpected
system shutdown or arbitrary code execution. This update addresses
the issue through additional validation of GUID partition maps. This
issue does not affect systems running Mac OS X 10.5 or later.

Launch Services
CVE-ID: CVE-2007-5854
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Opening a maliciously crafted HTML file may lead to
information disclosure or cross-site scripting
Description: Launch Services does not handle HTML files as
potentially unsafe content. By enticing a user to open a maliciously
crafted HTML file, an attacker may cause the disclosure of sensitive
information or cross-site scripting. This update addresses the issue
by handling HTML files as potentially unsafe content. Credit to
Michal Zalewski of Google Inc. for reporting this issue.

Launch Services
CVE-ID: CVE-2007-6165
Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Opening an executable mail attachment may lead to arbitrary
code execution with no warning
Description: An implementation issue exists in Launch Services,
which may allow executable mail attachments to be run without warning
when a user opens a mail attachment. This update addresses the issue
by warning the user before launching executable mail attachments.
This issue does not affect systems prior to Mac OS X 10.5. Credit to
Xeno Kovah for reporting this issue.

Mail
CVE-ID: CVE-2007-5855
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: SMTP accounts set up through Account Assistant may use
plaintext authentication even when MD5 Challenge-Response
authentication is available
Description: When setting up an SMTP account through Account
Assistant, if SMTP authentication is selected, and if the server
supports only MD5 Challenge-Response authentication and plaintext
authentication, Mail defaults to using plaintext authentication. This
update addresses the issue by ensuring that the most secure available
mechanism is used. This issue does not affect systems running Mac OS
X 10.5 or later.
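
Added example, not part of Apple's advisory and not Mail's code: a Python sketch of the mechanism choice described in the Mail entry above, with the plaintext-first behaviour beside a "most secure available" selection. The ranking table, function names and the sample EHLO reply are assumptions constructed for illustration.

```python
import re

# Assumed ranking: higher means the password is better protected in transit.
# PLAIN and LOGIN both send the password itself (base64 is only an encoding).
MECHANISM_RANK = {"PLAIN": 0, "LOGIN": 0, "CRAM-MD5": 1}

# Constructed sample: a server offering plaintext and MD5 Challenge-Response.
SAMPLE_EHLO = (
    "250-mail.example.com\r\n"
    "250-SIZE 10240000\r\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5\r\n"
    "250 8BITMIME\r\n"
)


def parse_auth_mechanisms(ehlo_response):
    """Return the SASL mechanisms advertised in an EHLO reply, in server order."""
    mechanisms = []
    for line in ehlo_response.splitlines():
        # Matches "250-AUTH A B", "250 AUTH A B" and the legacy "250-AUTH=A B".
        match = re.match(r"^250[- ]AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if not match:
            continue
        for name in match.group(1).split():
            name = name.upper()
            if name not in mechanisms:
                mechanisms.append(name)
    return mechanisms


def choose_plaintext_first(mechanisms):
    """The flawed choice: plaintext wins whenever the server offers it."""
    for name in mechanisms:
        if MECHANISM_RANK.get(name) == 0:
            return name
    return mechanisms[0] if mechanisms else None


def choose_most_secure(mechanisms):
    """The corrected choice: highest-ranked known mechanism, or None."""
    known = [name for name in mechanisms if name in MECHANISM_RANK]
    if not known:
        return None  # nothing we can rank; the caller must not guess
    # max() keeps the first of equally ranked entries, i.e. server order.
    return max(known, key=lambda name: MECHANISM_RANK[name])


if __name__ == "__main__":
    offered = parse_auth_mechanisms(SAMPLE_EHLO)
    print("offered:        ", offered)
    print("plaintext-first:", choose_plaintext_first(offered))
    print("most secure:    ", choose_most_secure(offered))
```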

perl
CVE-ID: CVE-2007-5116
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Parsing regular expressions may lead to arbitrary code
execution
Description: A length calculation issue exists in the polymorphic
opcode support in the Perl Regular Expression compiler. This may
allow an attacker to cause memory corruption leading to arbitrary
code execution by switching from byte to Unicode (UTF) characters in
a regular expression. This update addresses the issue by recomputing
the length if the character encoding changes. Credit to Tavis Ormandy
and Will Drewry of Google Security Team for reporting this issue.

python
CVE-ID: CVE-2007-4965
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Processing image content with imageop module may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple integer overflows exist in python's imageop
module. These may cause a buffer overflow to occur in applications
which use the module to process maliciously crafted image content.
This may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue by performing
additional validation of image content.

Quick Look
CVE-ID: CVE-2007-5856
Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Previewing a file with QuickLook enabled may lead to the
disclosure of sensitive information
Description: When previewing an HTML file, plug-ins are not
restricted from making network requests. This may lead to the
disclosure of sensitive information. This update addresses the issue
by disabling plug-ins. This issue does not affect systems prior to
Mac OS X 10.5.

Quick Look
CVE-ID: CVE-2007-5857
Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Previewing a movie file may access URLs contained in the
movie
Description: Creating an icon for a movie file, or previewing that
file using QuickLook may access URLs contained in the movie. This
update addresses the issue by disabling HREFTrack while browsing
movie files. This issue does not affect systems prior to Mac OS X
10.5, or systems with QuickTime 7.3 installed. Credit to Lukhnos D.
Liu of Lithoglyph Inc. for reporting this issue.

ruby
CVE-ID: CVE-2007-5770
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Multiple SSL certificate validation issues exist in ruby
libraries
Description: Multiple ruby libraries are affected by SSL certificate
validation issues. This may lead to man-in-the-middle attacks against
applications that use an affected library. This update addresses the
issues by applying the ruby patch.

ruby
CVE-ID: CVE-2007-5379, CVE-2007-5380, CVE-2007-6077
Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Multiple vulnerabilities exist in Rails 1.2.3
Description: Multiple vulnerabilities exist in Rails 1.2.3, which
may lead to the disclosure of sensitive information. This update
addresses the issue by updating Rails to version 1.2.6. This issue
does not affect systems prior to Mac OS X 10.5.

Safari
CVE-ID: CVE-2007-5858
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Visiting a malicious website may result in the disclosure of
sensitive information
Description: WebKit allows a page to navigate the subframes of any
other page. Visiting a maliciously crafted web page could trigger a
cross-site scripting attack, which may lead to the disclosure of
sensitive information. This update addresses the issue by
implementing a stricter frame navigation policy.

Safari RSS
CVE-ID: CVE-2007-5859
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Accessing a maliciously crafted feed: URL may lead to an
application termination or arbitrary code execution
Description: A memory corruption issue exists in Safari's handling
of feed: URLs. By enticing a user to access a maliciously crafted
URL, an attacker may cause an unexpected application termination or
arbitrary code execution. This update addresses the issue by
performing additional validation of feed: URLs and providing an error
message in case of an invalid URL. This issue does not affect systems
running Mac OS X 10.5 or later.

Samba
CVE-ID: CVE-2007-4572, CVE-2007-5398
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Multiple vulnerabilities in Samba
Description: Multiple vulnerabilities exist in Samba, the most
serious of which is remote code execution. This update addresses the
issues by applying patches from the Samba project. Further
information is available via the Samba web site at
http://www.samba.org/samba/history/security.html CVE-2007-4138 does
not affect systems prior to Mac OS X 10.5. Credit to Alin Rad Pop of
Secunia Research for reporting this issue.

Shockwave Plug-in
CVE-ID: CVE-2006-0024
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Opening maliciously crafted Shockwave content may lead to
arbitrary code execution
Description: Multiple vulnerabilities exist in Shockwave Player. By
enticing a user to open maliciously crafted Shockwave content, an
attacker may cause arbitrary code execution. This update addresses
the issues by updating Shockwave Player to version 10.1.1.016. Credit
to Jan Hacker of ETH Zurich for reporting the problem in Shockwave.

SMB
CVE-ID: CVE-2007-3876
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A stack buffer overflow issue exists in the code used
by the mount_smbfs and smbutil applications to parse command line
arguments, which may allow a local user to cause arbitrary code
execution with system privileges. This update addresses the issue
through improved bounds checking. This issue does not affect systems
running Mac OS X 10.5 or later. Credit to Sean Larsson of VeriSign
iDefense Labs for reporting this issue.

Software Update
CVE-ID: CVE-2007-5863
Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: A man-in-the-middle attack could cause Software Update to
execute arbitrary commands
Description: When Software Update checks for new updates, it
processes a distribution definition file which was sent by the update
server. By intercepting requests to the update server, an attacker
can provide a maliciously crafted distribution definition file with
the "allow-external-scripts" option, which may cause arbitrary
command execution when a system checks for new updates. This update
addresses the issue by disallowing the "allow-external-scripts"
option in Software Update. This issue does not affect systems prior
to Mac OS X 10.5. Credit to Moritz Jodeit for reporting this issue.

Spin Tracer
CVE-ID: CVE-2007-5860
Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: An insecure file operation exists in SpinTracer's
handling of output files, which may allow a local user to execute
arbitrary code with system privileges. This update addresses the
issue through improved handling of output files. This issue does not
affect systems prior to Mac OS X 10.5. Credit to Kevin Finisterre of
DigitalMunition for reporting this issue.

Spotlight
CVE-ID: CVE-2007-5861
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Downloading a maliciously crafted .xls file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the Microsoft
Office Spotlight Importer. By enticing a user to download a
maliciously crafted .xls file, an attacker may cause an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of .xls
files. This issue does not affect systems running Mac OS X 10.5 or
later.

tcpdump
CVE-ID: CVE-2007-1218, CVE-2007-3798
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Multiple vulnerabilities in tcpdump
Description: Multiple vulnerabilities exist in tcpdump, the most
serious of which may lead to arbitrary code execution. This update
addresses the issue by updating tcpdump to version 3.9.7. This issue
does not affect systems running Mac OS X 10.5 or later.

XQuery
CVE-ID: CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662,
CVE-2007-4766, CVE-2007-4767, CVE-2007-4768
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Multiple vulnerabilities in the handling of regular
expressions
Description: Multiple vulnerabilities exist in the Perl Compatible
Regular Expressions (PCRE) library used by XQuery, the most serious
of which may lead to arbitrary code execution. This update addresses
the issue by updating PCRE to version 7.3. Further information is
available via the PCRE web site at http://www.pcre.org/ This issue
does not affect systems running Mac OS X 10.5 or later. Credit to
Tavis Ormandy and Will Drewry of Google Security Team for reporting
this issue.

Security Update 2007-009 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.5.1
The download file is named: "SecUpd2007-009.dmg"
Its SHA-1 digest is: 9d1743b2cd15f3934d82cc6341c3142a3d16becf

For Mac OS X v10.4.11 (Universal)
The download file is named: "SecUpd2007-009Univ.dmg"
Its SHA-1 digest is: ac07f4850b812af0761f859bb4d63c2e0f2a6113

For Mac OS X v10.4.11 (PPC)
The download file is named: "SecUpd2007-009Ti.dmg"
Its SHA-1 digest is: 2e75b99b1a10fb973807cba14b99080da38ad288
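
Added example, not part of Apple's advisory: a Python check of a downloaded image against the SHA-1 digests listed above. The file names and digests are copied from this advisory; the function names are assumptions.

```python
import hashlib
import hmac
import os
import sys

# File names and SHA-1 digests as published in this advisory.
PUBLISHED_SHA1 = {
    "SecUpd2007-009.dmg": "9d1743b2cd15f3934d82cc6341c3142a3d16becf",
    "SecUpd2007-009Univ.dmg": "ac07f4850b812af0761f859bb4d63c2e0f2a6113",
    "SecUpd2007-009Ti.dmg": "2e75b99b1a10fb973807cba14b99080da38ad288",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large disk image is never held in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, published=PUBLISHED_SHA1):
    """Return (ok, detail). The digest is looked up by the file's base name."""
    name = os.path.basename(path)
    expected = published.get(name)
    if expected is None:
        # A renamed or unknown file is rejected rather than matched loosely.
        return (False, "no published digest for " + name)
    actual = sha1_of_file(path)
    if hmac.compare_digest(actual, expected.strip().lower()):
        return (True, actual)
    return (False, "digest mismatch: got " + actual)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify.py <path to downloaded .dmg>")
    ok, detail = verify_download(sys.argv[1])
    print(("OK " if ok else "FAILED ") + detail)
    sys.exit(0 if ok else 1)
```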

Information will also be posted to the Apple Security Updates
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

 
