Tiger security bolstered

Apple's latest update to Mac OS X 10.4.9 (PPC, Intel) contains 30 security fixes to repair vulnerabilities related to numerous portions of the operating system. Security Update 2007-003 includes fixes for ColorSync, CoreGraphics, Crash Reporter, CUPS, disk images, DS plug-ins, flash player, GNU Tar, HFS, HID family, ImageIO, the kernel, MySQL Server, general networking, OpenSSH, printing, QuickDraw Manager, servermgrd, SMB file server, Software Update, sudo, and WebLog. The security update installs on systems running Mac OS X 10.4.9 or later or Mac OS X Server 10.4.9 or later.

ColorSync

CVE-ID: CVE-2007-0719

Available for: Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Viewing a maliciously-crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution

Description: A stack buffer overflow exists in the handling of embedded ColorSync profiles. By enticing a user to open a maliciously-crafted image, an attacker can trigger the overflow, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of ColorSync profiles. Credit to Tom Ferris of Security-Protocols for reporting this issue.

CoreGraphics

Available for: Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Viewing a malformed PDF Document may lead to an application hang

Description: CoreGraphics has been updated to address the issue described on the Month of Apple Bugs web site (MOAB-06-01-2007), which may lead to an application hang.

Crash Reporter

CVE-ID: CVE-2007-0467

Available for: Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Crash Reporter may allow a local admin user to obtain system privileges

Description: Crash Reporter uses an admin-writable system directory to store logs of processes that have been unexpectedly terminated. A malicious process running as an admin can cause these logs to be written to arbitrary files as root, which could result in the execution of commands with elevated privileges. This issue has been described on the Month of Apple Bugs web site (MOAB-28-01-2007). This update addresses the issue by performing additional validation prior to writing to log files.

CUPS

CVE-ID: CVE-2007-0720

Available for: Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Remote attackers may cause a denial of service during SSL negotiation

Description: A partially-negotiated SSL connection with the CUPS service may prevent other requests from being served until the connection is closed. This update addresses the issue by implementing timeouts during SSL negotiation.

Disk Images

CVE-ID: CVE-2007-0721

Available for: Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Mounting a maliciously-crafted disk image may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption vulnerability exists in diskimages-helper. By enticing a user to open a maliciously-crafted compressed disk image, an attacker could trigger this issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of disk images.

Disk Images

CVE-ID: CVE-2007-0722

Available for: Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Mounting a maliciously-crafted AppleSingleEncoding disk image may lead to an unexpected application termination or arbitrary code execution

Description: An integer overflow vulnerability exists in the handler for AppleSingleEncoding disk images. By enticing a local user to open a maliciously-crafted disk image, an attacker could trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of AppleSingleEncoding disk images.

Disk Images

CVE-ID: CVE-2006-6061, CVE-2006-6062, CVE-2006-5679, CVE-2007-0229, CVE-2007-0267, CVE-2007-0299

Available for: Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4.8, Mac OS X Server 10.4.8

Impact: Downloading a maliciously-crafted disk image may lead to an unexpected system shutdown or arbitrary code execution

Description: Several vulnerabilities exist in the processing of disk images that may lead to an unexpected termination of system operations or arbitrary code execution. These have been described on the Month of Kernel Bugs and Month of Apple Bugs web sites (MOKB-03-11-2006, MOKB-20-11-2006, MOKB-21-11-2006, MOAB-10-01-2007, MOAB-11-01-2007 and MOAB-12-01-2007). Since a disk image may be automatically mounted when visiting web sites, this allows a malicious web site to cause a denial of service. This update addresses the issue by performing additional validation of downloaded disk images prior to mounting them.

DS Plug-Ins

CVE-ID: CVE-2007-0723

Available for: Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Unprivileged LDAP users may be able to change the local root password

Description: An implementation flaw in DirectoryService allows an unprivileged LDAP user to change the local root password. The authentication mechanism in DirectoryService has been fixed to address this issue.

Flash Player

CVE-ID: CVE-2006-5330

Available for: Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Playing maliciously-crafted Flash content could allow an HTTP request splitting attack

Description: Adobe Flash Player is updated to version 9.0.28.0 to fix a potential vulnerability that could allow HTTP request splitting attacks. This issue is described as APSB06-18 on the Adobe web site at http://www.adobe.com/support/security/

GNU Tar

CVE-ID: CVE-2006-0300, CVE-2006-6097

Available for: Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Multiple vulnerabilities in GNU Tar, the most serious of which is arbitrary code execution

Description: GNU Tar is updated from version 1.14 to 1.16.1. Further information is available via the GNU web site at http://www.gnu.org/software/tar/

HFS

CVE-ID: CVE-2007-0318

Available for: Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Removing a file from a maliciously-crafted mounted filesystem may lead to a denial of service

Description: An HFS+ filesystem in a mounted disk image can be constructed to trigger a kernel panic when attempting to remove a file from a mounted filesystem. This has been described on the Month of Apple Bugs web site (MOAB-13-11-2006). This update addresses the issue by performing additional validation of the HFS+ filesystem.

HID Family

CVE-ID: CVE-2007-0724

Available for: Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Console keyboard events are exposed to other users on the local system

Description: Insufficient controls in the IOKit HID interface allow any logged in user to capture console keystrokes, including passwords and other sensitive information. This update addresses the issue by limiting HID device events to processes belonging to the current console user. Credit to Andrew Garber of University of Victoria, Alex Harper, and Michael Evans for reporting this issue.

ImageIO

CVE-ID: CVE-2007-1071

Available for: Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Viewing a maliciously-crafted GIF file may lead to an unexpected application termination or arbitrary code execution

Description: An integer overflow vulnerability exists in the process of handling GIF files. By enticing a user to open a maliciously-crafted image, an attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of GIF files. This issue does not affect systems prior to Mac OS X 10.4. Credit to Tom Ferris of Security-Protocols for reporting this issue.

ImageIO

CVE-ID: CVE-2007-0733

Available for: Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Viewing a maliciously-crafted RAW Image may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in the process of handling RAW images. By enticing a user to open a maliciously-crafted image, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of RAW images. This issue does not affect systems prior to Mac OS X 10.4. Credit to Luke Church of the Computer Laboratory, University of Cambridge, for reporting this issue.

Kernel

CVE-ID: CVE-2006-5836

Available for: Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Malicious local users may be able to cause a denial of service

Description: Using the fpathconf() system call on certain file types will result in a kernel panic. This has been described on the Month of Kernel Bugs web site (MOKB-09-11-2006). This update addresses the issue through improved handling for all kernel defined file types. Credit to Ilja van Sprundel for reporting this issue.

Kernel

CVE-ID: CVE-2006-6129

Available for: Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Executing a maliciously-crafted Universal Mach-O binary may lead to an unexpected termination of system operations or arbitrary code execution with elevated privileges

Description: An integer overflow vulnerability exists in the loading of Universal Mach-O binaries. This could allow a malicious local user to cause a kernel panic or to obtain system privileges. This has been described on the Month of Kernel Bugs web site (MOKB-26-11-2006). This update addresses the issue by performing additional validation of Universal binaries.

Kernel

CVE-ID: CVE-2006-6173

Available for: Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Executing a maliciously-crafted program may lead to a system hang

Description: The shared_region_make_private_np() system call allows a program to request a large allocation of kernel memory. This could allow a malicious local user to cause a system hang. This issue does not allow an integer overflow to occur, and it cannot lead to arbitrary code execution. This issue has been described on the Month of Kernel Bugs web site (MOKB-28-11-2006). This update addresses the issue by additional validation of the arguments passed to shared_region_make_private_np().

MySQL Server

CVE-ID: CVE-2006-1516, CVE-2006-1517, CVE-2006-2753, CVE-2006-3081, CVE-2006-4031, CVE-2006-4226, CVE-2006-3469

Available for: Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Multiple vulnerabilities in MySQL, the most serious of which is arbitrary code execution

Description: MySQL is updated from version 4.1.13 to 4.1.22. Further information is available via the MySQL web site at http://dev.mysql.com/doc/refman/4.1/en/news-4-1-x.html

Networking

CVE-ID: CVE-2006-6130

Available for: Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Malicious local users may be able to cause an unexpected termination of system operations or execute arbitrary code with elevated privileges

Description: A memory corruption issue exists in the AppleTalk protocol handler. This could allow a malicious local user to cause a kernel panic or gain system privileges. This has been described on the Month of Kernel Bugs web site (MOKB-27-11-2006). This update addresses the issue by performing additional validation of the input data structures.

Networking

CVE-ID: CVE-2007-0236

Available for: Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Maliciously-crafted AppleTalk requests may lead to a local denial of service or arbitrary code execution

Description: A heap buffer overflow vulnerability exists in the AppleTalk protocol handler. By sending a maliciously-crafted request, a local user can trigger the overflow which may lead to a denial of service or arbitrary code execution. This has been described on the Month of Apple Bugs web site (MOAB-14-01-2007). This update addresses the issue by performing additional validation of the input data.

OpenSSH

CVE-ID: CVE-2007-0726

Available for: Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: A remote attacker can destroy established trust between SSH hosts by causing SSH Keys to be regenerated

Description: SSH keys are created on a server when the first SSH connection is established. An attacker connecting to the server before SSH has finished creating the keys could force the keys then to be recreated. This could result in a denial of service against processes that rely on a trust relationship with the server. Systems that already have SSH enabled and have rebooted at least once are not vulnerable to this issue. This issue is addressed by improving the SSH key generation process. This issue is specific to the Apple implementation of OpenSSH. Credit to Jeff Mccune of The Ohio State University for reporting this issue.

OpenSSH

CVE-ID: CVE-2006-0225, CVE-2006-4924, CVE-2006-5051, CVE-2006-5052

Available for: Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Multiple vulnerabilities in OpenSSH, the most serious of which is arbitrary code execution

Description: OpenSSH is updated to version 4.5. Further information is available via the OpenSSH web site at http://www.openssh.org/txt/release-4.5.

Printing

CVE-ID: CVE-2007-0728

Available for: Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: An unprivileged local user can overwrite arbitrary files with system privileges

Description: Insecure file operations may occur during the initialization of a USB printer. An attacker may leverage this issue to create or overwrite arbitrary files on the system. This update addresses the issue by improving the printer initialization process.

QuickDraw Manager

CVE-ID: CVE-2007-0588

Available for: Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Opening a maliciously-crafted PICT image may lead to an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow vulnerability exists in QuickDraw's PICT image processing. By enticing a user to open a maliciously-crafted image, an attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT files. Credit to Tom Ferris of Security-Protocols and Mike Price of McAfee AVERT Labs for reporting this issue.

QuickDraw Manager

Available for: Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Opening a malformed PICT image may lead to an unexpected application termination

Description: QuickDraw Manager has been updated to address the issue described on the Month of Apple Bugs web site (MOAB-23-01-2007), which may lead to an unexpected application termination. This issue can not lead to arbitrary code execution.

servermgrd

CVE-ID: CVE-2007-0730

Available for: Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Remote attackers may be able to access Server Manager without valid credentials

Description: An issue in Server Manager's validation of authentication credentials could allow a remote attacker to alter the system configuration. This update addresses the issue by additional validation of authentication credentials.

SMB File Server

CVE-ID: CVE-2007-0731

Available for: Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: A user with write access to an SMB share may be able to cause a denial of service or arbitrary code execution

Description: A stack buffer overflow vulnerability exists in an Apple-specific Samba module. A file with an overly-long ACL could trigger the overflow, which may lead to a denial of service or arbitary code execution. This update addresses the issue by performing additional validation of ACLs. This issue does not affect systems prior to Mac OS X 10.4. Credit to Cameron Kay of Massey University, New Zealand for reporting this issue.

Software Update

CVE-ID: CVE-2007-0463

Available for: Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: Opening a maliciously-crafted Software Update Catalog file may lead to an unexpected application termination or arbitrary code execution

Description: A format string vulnerability exists in the Software Update application. By enticing a user to download and open a Software Update Catalog file, an attacker can trigger the vulnerability which may lead to an unexpected application termination or arbitrary code execution. This has been described on the Month of Apple Bugs web site (MOAB-24-01-2007). This update addresses the issue by removing document bindings for Software Update Catalogs. This issue does not affect systems prior to Mac OS X 10.4. Credit to Kevin Finisterre of DigitalMunition for reporting this issue.

sudo

CVE-ID: CVE-2005-2959

Available for: Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4 through Mac OS X 10.4.8, Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: A local user with sudo access to a bash script can run arbitrary commands with elevated privileges

Description: A user-modified sudo configuration could allow environment variables to be passed through to the program running as a privileged user. If sudo is configured to allow an otherwise unprivileged user to execute a given bash script with elevated privileges, the user may be able to execute arbitrary code with elevated privileges. Systems with the default sudo configuration are not vulnerable to this issue. This issue has been addressed by updating sudo to 1.6.8p12. Further information is available via the sudo web site at http://www.sudo.ws/sudo/current.html

WebLog

CVE-ID: CVE-2006-4829

Available for: Mac OS X Server 10.4 through Mac OS X Server 10.4.8

Impact: A remote attacker can conduct cross-site scripting attacks through Blojsom

Description: A cross-site scripting vulnerability exists in Blojsom. This allows remote attackers to inject JavaScript into blog content that will execute in the domain of the Blojsom server. This update addresses the issue by performing additional validation of the user input. This issue does not affect systems prior to Mac OS X 10.4.

by MacNN Staff