[SA24479] Mac OS X Security Update Fixes Multiple Vulnerabilities

From: Secunia Security Advisories (sec-advsecunia.com)
Date: Wed Mar 14 2007 - 08:17:05 CDT


----------------------------------------------------------------------

TITLE:
Mac OS X Security Update Fixes Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA24479

VERIFY ADVISORY:
http://secunia.com/advisories/24479/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Cross Site Scripting, Manipulation of data, Exposure
of sensitive information, Privilege escalation, DoS, System access

WHERE:
From remote

OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/

DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.

1) A boundary error exists in the handling of embedded ColorSync
profiles. This can be exploited by malicious people to cause a stack
based buffer overflow by enticing a user to open a specially crafted
image.

Successful exploitation may allow execution of arbitrary code.

2) An error in Crash Reporter can be exploited by a process with
admin privileges to write to arbitrary files with root privileges.

3) An unspecified error in CUPS can be exploited to prevent other
requests from being served via a partially negotiated SSL
connection.

4) An unspecified error in diskimages-helper can be exploited by
malicious people to cause a memory corruption via a specially crafted
disk image and may allow execution of arbitrary code.

5) An integer overflow in the handler for AppleSingleEncoding disk
images can potentially be exploited by malicious people to execute
arbitrary code by tricking a user into mounting a specially crafted
disk image.

6) Various errors exist in the processing of disk images, which can
be exploited to gain escalated privileges, cause a DoS (Denial of
Service), or to compromise a user's system.

For more information:
SA22736
SA23012
SA23703
SA23721
SA23725

7) An unspecified error in DS Plug-Ins can be exploited by malicious
users to change the local root password.

8) An error in Flash Player can be exploited by malicious people to
bypass certain restrictions.

For more information:
SA22467

9) Multiple errors in GNU Tar can be exploited by malicious people to
cause a DoS, overwrite arbitrary files, or to compromise a vulnerable
system.

For more information:
SA18973
SA23115

10) An error in the handling of HFS+ file systems can be exploited by
malicious people to cause a DoS.

For more information:
SA23742

11) An error in the IOKit HID interface can be exploited by
malicious, local users to capture console keystrokes from other
users.

12) An integer overflow error in the handling of GIF files in ImageIO
can potentially be exploited by malicious people to execute arbitrary
code by tricking a user into opening a specially crafted GIF file.

NOTE: Systems prior to Mac OS X v10.4 are not affected.

13) An error in the handling of RAW images can be exploited by
malicious people to cause a memory corruption and may allow execution
of arbitrary code by tricking a user into opening a specially crafted
RAW image.

NOTE: Systems prior to Mac OS X v10.4 are not affected.

14) An error in the kernel can be exploited by malicious, local users
to cause a DoS.

For more information:
SA22808

15) An error in the kernel can be exploited by malicious, local users
to cause a DoS or potentially gain escalated privileges.

For more information:
SA23088

16) An error in the kernel can be exploited by malicious, local users
to gain escalated privileges.

For more information:
SA23120

17) Some vulnerabilities in MySQL can be exploited by malicious users
to disclose potentially sensitive information, bypass certain security
restrictions, cause a DoS, and compromise a vulnerable system, and by
malicious people to conduct SQL injection attacks.

For more information:
SA19929
SA20365
SA21259
SA21506

18) Errors in the AppleTalk protocol handler can be exploited by
malicious, local users to cause a DoS or potentially gain escalated
privileges.

For more information:
SA23134
SA23708

19) An error in the handling of SSH key generation in OpenSSH can be
exploited by malicious people to destroy established trust between
SSH hosts. Systems that have already enabled SSH and rebooted at
least once are not vulnerable to this issue.

20) Errors in OpenSSH can be exploited by malicious, local users to
perform certain actions with escalated privileges, and by malicious
people to cause a DoS or potentially compromise a vulnerable system.

For more information:
SA18579
SA22091
SA22173

21) An error in the print system can be exploited by malicious, local
users to overwrite arbitrary files with system privileges.

22) An error in Apple QuickDraw can be exploited by malicious people
to cause a heap based buffer overflow and may allow execution of
arbitrary code via a specially crafted PICT file.

23) An error in Apple QuickDraw can be exploited by malicious people
to cause a DoS.

For more information:
SA23859

24) An error in servermgrd can be exploited by malicious people to
access Server Manager without valid credentials.

25) A boundary error in SMB File Server can be exploited by malicious
users to cause a stack based buffer overflow, which results in a DoS
or potentially in arbitrary code execution.

26) A format string error in Software Update can be exploited by
malicious people to execute arbitrary code by tricking a user into
opening a specially crafted Software Update Catalog.

27) An error in sudo can be exploited by malicious, local users to
gain escalated privileges.

For more information:
SA17318

28) An error in WebLog can be exploited by malicious people to
conduct cross-site scripting attacks.

For more information:
SA21935

SOLUTION:
Update to Mac OS X 10.4.9 or install Security Update 2007-003:

Security Update 2007-003 (10.3.9 Client):
http://www.apple.com/support/downloads/securityupdate20070031039client.html

Security Update 2007-003 (10.3.9 Server):
http://www.apple.com/support/downloads/securityupdate20070031039server.html

Mac OS X Server 10.4.9 Update (PPC):
http://www.apple.com/support/downloads/macosxserver1049updateppc.html

Mac OS X 10.4.9 Combo Update (PPC):
http://www.apple.com/support/downloads/macosx1049comboupdateppc.html

Mac OS X 10.4.9 Combo Update (Intel):
http://www.apple.com/support/downloads/macosx1049comboupdateintel.html

Mac OS X 10.4.9 Update (PPC):
http://www.apple.com/support/downloads/macosx1049updateppc.html

Mac OS X 10.4.9 Update (Intel):
http://www.apple.com/support/downloads/macosx1049updateintel.html

Mac OS X Server 10.4.9 Update (Universal):
http://www.apple.com/support/downloads/macosxserver1049updateuniversal.html

Mac OS X Server 10.4.9 Combo Update (Universal):
http://www.apple.com/support/downloads/macosxserver1049comboupdateuniversal.html

Mac OS X Server 10.4.9 Combo Update (PPC):
http://www.apple.com/support/downloads/macosxserver1049comboupdateppc.html
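
A triage helper for the SOLUTION above, added here as an example and not
part of Secunia's advisory or Apple's tooling: it classifies a Mac OS X
version string against the fixed releases listed. The function name and
status labels are made up for this example; treating releases after
10.4.x as patched is an assumption.

```shell
#!/bin/sh
# Added example: classify a Mac OS X version against SA24479's SOLUTION.
# Status labels (patched, update-to-10.4.9, ...) are hypothetical.

sa24479_status() {
    ver=$1
    # Accept only dotted numeric versions such as 10.4.8 or 10.4
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo "invalid"; return 1 ;;
    esac

    # Split on dots; compare fields numerically so 10.4.10 sorts after 10.4.9
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    if [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -gt 4 ]; }; then
        # Assumption: releases after 10.4.x include the 10.4.9 fixes
        echo "patched"
    elif [ "$major" -eq 10 ] && [ "$minor" -eq 4 ]; then
        if [ "$patch" -ge 9 ]; then
            echo "patched"
        else
            echo "update-to-10.4.9"
        fi
    elif [ "$major" -eq 10 ] && [ "$minor" -eq 3 ] && [ "$patch" -eq 9 ]; then
        # Installing Security Update 2007-003 leaves the version at 10.3.9,
        # so the version alone cannot confirm the fix. Items 12 and 13 do
        # not affect this release (see the NOTE lines in the advisory).
        echo "verify-security-update-2007-003"
    else
        # The advisory lists downloads only for 10.3.9 and 10.4.x
        echo "no-fix-listed"
    fi
}

# On a Mac, report the local host; skipped where sw_vers is absent
if command -v sw_vers >/dev/null 2>&1; then
    sa24479_status "$(sw_vers -productVersion)"
fi
```

For an inventory export, call sa24479_status once per recorded version
string and follow up by hand on every 10.3.9 host.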

PROVIDED AND/OR DISCOVERED BY:
The vendor credits:

1, 12) Tom Ferris, Security-Protocols
2) KF
11) Andrew Garber of University of Victoria, Alex Harper, and Michael
Evans
13) Luke Church, University of Cambridge
19) Jeff Mccune, The Ohio State University
22) Tom Ferris, Security-Protocols and Mike Price, McAfee AVERT Labs
25) Cameron Kay of Massey University, New Zealand
26) Kevin Finisterre, DigitalMunition

ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=305214

MOAB:
2) http://projects.info-pull.com/moab/MOAB-28-01-2007.html
26) http://projects.info-pull.com/moab/MOAB-24-01-2007.html

OTHER REFERENCES:
SA17318:
http://secunia.com/advisories/17318/

SA18579:
http://secunia.com/advisories/18579/

SA18973:
http://secunia.com/advisories/18973/

SA19929:
http://secunia.com/advisories/19929/

SA20365:
http://secunia.com/advisories/20365/

SA21259:
http://secunia.com/advisories/21259/

SA21506:
http://secunia.com/advisories/21506/

SA21935:
http://secunia.com/advisories/21935/

SA22091:
http://secunia.com/advisories/22091/

SA22173:
http://secunia.com/advisories/22173/

SA22467:
http://secunia.com/advisories/22467/

SA22736:
http://secunia.com/advisories/22736/

SA22808:
http://secunia.com/advisories/22808/

SA23012:
http://secunia.com/advisories/23012/

SA23088:
http://secunia.com/advisories/23088/

SA23115:
http://secunia.com/advisories/23115/

SA23120:
http://secunia.com/advisories/23120/

SA23134:
http://secunia.com/advisories/23134/

SA23703:
http://secunia.com/advisories/23703/

SA23708:
http://secunia.com/advisories/23708/

SA23721:
http://secunia.com/advisories/23721/

SA23725:
http://secunia.com/advisories/23725/

SA23742:
http://secunia.com/advisories/23742/

SA23859:
http://secunia.com/advisories/23859/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------