Security Update 2007-009

Apple has released Security Update 2007-009 for both Mac OS X Leopard and Tiger (Intel, PowerPC). The company recommends the update for all users. Among the included security enhancements are the closures of several bugs where visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. For instance, a Tiger-specific format string vulnerability exists in Address Book's URL handler. By enticing a user to visit a maliciously crafted website, a remote attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of format strings. Another Tiger-specific issue, the potential for memory corruption in the handling of images with an embedded ColorSync profile is exploited by enticing a user to open a maliciously crafted image. This update addresses the issue by performing additional validation of images.

For Leopard, this update addresses an issue where, if SNMP is enabled, a remote attacker may cause an unexpected application termination or arbitrary code execution because of a stack buffer overflow. This update addresses the issue by performing additional validation of SNMP responses. The issue does not affect systems prior to Mac OS X 10.5.

Adobe Flash Player is updated to version 9.0.115.0 with this update to address a number of vulnerabilities, and an issue where an attacker on the local network may initiate an iChat video conference with a user without the user's approval has been resolved by requiring user interaction to initiate a video conference.

Also, prior to this update, Launch Services did not handle HTML files as potentially unsafe content. By enticing a user to open a maliciously crafted HTML file, an attacker may cause the disclosure of sensitive information or cross-site scripting. This update addresses the issue by handling HTML files as potentially unsafe content. An implementation issue in Launch Services, which may allow executable mail attachments to be run without warning when a user opens a mail attachment (Leopard-specific) is also addressed.

Another security issue addressed in this update affects QuickLook: When previewing an HTML file, plug-ins are not restricted from making network requests. This may lead to the disclosure of sensitive information. This update addresses the issue by disabling plug-ins. In addition, creating an icon for a movie file, or previewing that file using QuickLook may access URLs contained in the movie. This update addresses the issue by disabling HREFTrack while browsing movie files.

Finally, prior to this update, when Software Update checks for new updates, it processes a distribution definition file which was sent by the update server. Apple says: "By intercepting requests to the update server, an attacker can provide a maliciously crafted distribution definition file with the 'allow-external-scripts' option, which may cause arbitrary command execution when a system checks for new updates. This update addresses the issue by disallowing the "allow-external-scripts" option in Software Update."

by MacNN Staff