Date: 29 November 2006
References: ESB-2005.1005 AL-2006.0074 ESB-2006.0673 ESB-2006.0708 AL-2006.0084 ESB-2006.0775 AA-2006.0090 ESB-2006.0812 ESB-2006.0813 ESB-2012.1195
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2006.0113 -- AUSCERT ALERT
[OSX]
Apple Security Update 2006-007
29 November 2006
===========================================================================
AusCERT Alert Summary
---------------------
Product:            AirPort
                    Apple Type Services
                    CFNetwork
                    ClamAV
                    Finder
                    ftpd
                    gunzip
                    Installer
                    OpenSSL
                    perl
                    PHP
                    PPP
                    Samba
                    Security Framework
                    VPN
                    WebKit
Publisher:          Apple
Operating System:   Mac OS X
Impact:             Root Compromise
                    Execute Arbitrary Code/Commands
                    Overwrite Arbitrary Files
                    Create Arbitrary Files
                    Denial of Service
                    Reduced Security
Access:             Remote/Unauthenticated
CVE Names:          CVE-2006-5710 CVE-2006-5465 CVE-2006-4412
                    CVE-2006-4411 CVE-2006-4410 CVE-2006-4409
                    CVE-2006-4408 CVE-2006-4407 CVE-2006-4406
                    CVE-2006-4404 CVE-2006-4403 CVE-2006-4402
                    CVE-2006-4401 CVE-2006-4400 CVE-2006-4398
                    CVE-2006-4396 CVE-2006-4343 CVE-2006-4339
                    CVE-2006-4338 CVE-2006-4337 CVE-2006-4336
                    CVE-2006-4335 CVE-2006-4334 CVE-2006-4182
                    CVE-2006-3738 CVE-2006-3403 CVE-2006-2940
                    CVE-2006-2937 CVE-2006-1990 CVE-2006-1490
                    CVE-2005-3962
Ref:                AL-2006.0084
                    AL-2006.0074
                    AA-2006.0090
                    ESB-2006.0813
                    ESB-2006.0812
                    ESB-2006.0775
                    ESB-2006.0708
                    ESB-2006.0673
                    ESB-2005.1005
Comment:            This Security Update from Apple fixes a range of vulnerabilities,
                    including the AirPort vulnerability referenced in AA-2006.0090. It
                    does not appear to contain fixes for the other vulnerabilities
                    announced in November, such as the DMG image vulnerability described
                    in AL-2006.0109.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2006-11-28 Security Update 2006-007
Security Update 2006-007 is now available and provides fixes for the
following security issues:
AirPort
CVE-ID: CVE-2006-5710
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Attackers on the wireless network may cause arbitrary
code execution
Description: A heap buffer overflow exists in the AirPort
wireless driver's handling of probe response frames. An attacker
in local proximity may be able to trigger the overflow by
sending maliciously-crafted information elements in probe
responses. This issue affects eMac, iBook, iMac, PowerBook G3,
PowerBook G4, and Power Mac G4 systems equipped with an original
AirPort card. This issue does not affect systems with the
AirPort Extreme card. This update addresses the issue by
performing additional validation of probe response frames.
Credit to H D Moore of Metasploit for reporting this issue.
ATS
CVE-ID: CVE-2006-4396
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Local users may be able to overwrite or create files with
system privileges
Description: The Apple Type Services server insecurely creates
error log files. As a result, a malicious local user may be able
to overwrite or create files with system privileges. This update
addresses the issue by creating error logs securely.
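The ATS entry above describes a classic insecure log-file creation bug: a process running with system privileges opens its error log in a way that follows a symlink an unprivileged user planted beforehand, so the write lands in whatever file the link points at. The following is an added example (not Apple's or ATS's code) that reproduces the bug pattern and the hardened pattern side by side in a temporary directory. The file names, the "victim" file and the planted symlink are all constructed for the demonstration.

```python
import os
import stat
import tempfile

# Added example, not Apple's code.  Models the class of bug described for the
# ATS server: a privileged process creating its error log with a plain
# create/truncate open in a location where an unprivileged user can plant a
# symlink first.

LOG_MODE = 0o600


def insecure_open_log(path):
    """Vulnerable pattern: follows symlinks and truncates whatever they point at."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, LOG_MODE)


def secure_open_log(path):
    """Hardened pattern: only ever creates a brand-new regular file.

    O_EXCL makes the open fail if anything already exists at `path` (including
    a dangling symlink), and O_NOFOLLOW refuses to traverse a symlink at the
    final component.  The fstat check confirms that what was actually opened
    is a regular file with a single link to it.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, LOG_MODE)
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
        os.close(fd)
        raise OSError("refusing to log to anything but a fresh regular file")
    return fd


def demo():
    """Constructed scenario: a planted symlink sits where the log file should be."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")   # constructed stand-in for a system file
        with open(victim, "w") as f:
            f.write("important system data\n")

        log_path = os.path.join(d, "ats.log")
        os.symlink(victim, log_path)               # constructed: planted by a local user

        # Vulnerable open: the "log" write replaces the contents of victim.conf.
        fd = insecure_open_log(log_path)
        os.write(fd, b"error: font cache rebuilt\n")
        os.close(fd)
        with open(victim) as f:
            victim_after = f.read()

        # Hardened open: refused, because the path already exists and is a symlink.
        try:
            secure_open_log(log_path)
            refused = False
        except OSError:
            refused = True

        # Hardened open on a genuinely fresh path works normally.
        fresh = os.path.join(d, "ats-fresh.log")
        fd = secure_open_log(fresh)
        os.write(fd, b"error: font cache rebuilt\n")
        os.close(fd)
        with open(fresh) as f:
            fresh_content = f.read()

        return {
            "victim_clobbered": victim_after == "error: font cache rebuilt\n",
            "secure_refused": refused,
            "fresh_ok": fresh_content == "error: font cache rebuilt\n",
        }


if __name__ == "__main__":
    print(demo())
```

The hardened variant is what "creating error logs securely" amounts to in practice: never truncate an existing path from a privileged process, and verify with fstat on the descriptor you actually hold rather than with a separate stat on the path, which would reopen the race.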
ATS
CVE-ID: CVE-2006-4398
Available for: Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Local users may be able to run arbitrary code with
raised privileges
Description: Multiple buffer overflows were discovered in Apple
Type Services server. By sending a maliciously-crafted service
request, a local user may trigger these overflows. This may lead
to a crash or arbitrary code execution with system privileges.
This update addresses the issue by performing additional
validation on service requests. This issue does not affect
systems prior to Mac OS X v10.4.
ATS
CVE-ID: CVE-2006-4400
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Viewing maliciously-crafted font files may lead to
arbitrary code execution
Description: The Apple Type Services server contains a stack
buffer overflow in font processing. By carefully crafting a
corrupt font file, an attacker can trigger the buffer overflow
which may lead to a crash or arbitrary code execution with
system privileges. Font files are processed when opened or
previewed in Finder. This update addresses the issue by
performing additional validation of font files.
CFNetwork
CVE-ID: CVE-2006-4401
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Visiting FTP URIs may inject arbitrary FTP commands
Description: By enticing a user to access a maliciously-crafted
FTP URI, an attacker can cause the user's FTP client to issue
arbitrary FTP commands to any accessible FTP server, using the
credentials of the victim. This issue may also facilitate
attacks on other line-oriented protocols, such as SMTP. This
update addresses the issue by performing additional validation
of URIs.
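The CFNetwork issue is a line-break injection: FTP is a line-oriented protocol, so a CR/LF smuggled into a URI component ends the command the client meant to send and starts one the attacker chose. The following added example (not CFNetwork's or Apple's code) shows how an ftp:// URI is turned into the command lines a client would send, with the validation step the advisory describes applied to each decoded component. The URIs, user names and the host name are constructed for the example.

```python
from urllib.parse import urlsplit, unquote

# Added example, not Apple's or CFNetwork's code.  Shows how the components
# of an ftp:// URI feed a line-oriented protocol, and the check that stops an
# embedded line break from becoming an extra command on the wire.

CONTROL = set(range(0x00, 0x20)) | {0x7F}


def has_control_chars(s):
    return any(ord(ch) in CONTROL for ch in s)


def ftp_commands_from_uri(uri):
    """Translate an ftp:// URI into the command lines an FTP client would send.

    Each component is percent-decoded (as a client must do before use) and
    then checked: a CR, LF or other control character in a decoded component
    would terminate the current command line early, so the URI is rejected
    instead of being sent.
    """
    parts = urlsplit(uri)
    if parts.scheme != "ftp":
        raise ValueError("not an ftp URI")
    user = unquote(parts.username or "anonymous")
    password = unquote(parts.password or "anonymous@")
    path = unquote(parts.path or "/")
    for name, value in (("user", user), ("password", password), ("path", path)):
        if has_control_chars(value):
            raise ValueError("control character in URI %s component" % name)

    cmds = ["USER " + user, "PASS " + password]
    directory, _, filename = path.rpartition("/")
    if directory:
        cmds.append("CWD " + directory.lstrip("/"))
    if filename:
        cmds.append("RETR " + filename)
    return cmds


if __name__ == "__main__":
    print(ftp_commands_from_uri("ftp://ftp.example.com/pub/file.txt"))
    # Constructed hostile input: a percent-encoded CRLF followed by a harmless
    # NOOP, which would otherwise reach the server as a second command line.
    try:
        ftp_commands_from_uri("ftp://ftp.example.com/pub/file.txt%0d%0aNOOP")
    except ValueError as e:
        print("rejected:", e)
```

The check runs on the decoded value because that is what goes on the wire; checking the raw URI for literal CR/LF would miss the percent-encoded form. The same rule applies to any line-oriented protocol driven from URI components, which is why the advisory mentions SMTP as well.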
ClamAV
CVE-ID: CVE-2006-4182
Available for: Mac OS X Server v10.4.8
Impact: Processing maliciously-crafted email messages with
ClamAV may lead to arbitrary code execution
Description: ClamAV is updated to version 0.88.5 to address
several security issues. ClamAV was introduced in Mac OS X
Server v10.4 for email scanning. The most severe of these issues
could lead to arbitrary code execution with the privileges of
ClamAV. Further information is available on the ClamAV project
web site (www.clamav.net).
Finder
CVE-ID: CVE-2006-4402
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Browsing a shared directory may lead to an application
crash or arbitrary code execution
Description: A heap buffer overflow may be triggered when the
Finder is used to browse a directory containing a corrupt
".DS_Store" file. By enticing a user to browse a directory
containing a maliciously-crafted ".DS_Store" file, an attacker
may be able to trigger the overflow. This could lead to an
application crash or arbitrary code execution with the
privileges of the user running Finder. ".DS_Store" files may be
included in archives, on disk images, and on network file
systems. This update addresses the issue by performing
additional validation of ".DS_Store" files.
ftpd
CVE-ID: CVE-2006-4403
Available for: Mac OS X v10.3.9
Impact: When FTP Access is enabled, unauthorized users may
determine account name validity
Description: When attempting to authenticate a valid user, the
FTP server may crash during a failed login attempt. The crash
does not occur when attempting to authenticate unknown users.
This behavior can be used to determine if an account name is
valid. This issue is addressed by resolving the crash condition.
FTP Access is not enabled by default. Mac OS X Server v10.3.9,
Mac OS X v10.4, Mac OS X Server v10.4, and later systems are not
affected. Credit to Benjamin Williams of the University of
Canterbury for reporting this issue.
gunzip
CVE-ID: CVE-2006-4334, CVE-2006-4335, CVE-2006-4336,
CVE-2006-4337, CVE-2006-4338
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Uncompressing a file with gunzip may lead to an
application crash or arbitrary code execution
Description: By carefully crafting a malicious compressed file,
an attacker may be able to trigger any of several
vulnerabilities in gunzip when the file is processed. The most
severe of these issues could lead to an application crash or
arbitrary code execution. Many applications use the gunzip
command for decompression, including command-line tools such as
tar and services such as Mail Server. This update addresses the
issue by performing additional validation of compressed files.
Credit to Tavis Ormandy of the Google Security Team for
reporting this issue.
Installer
CVE-ID: CVE-2006-4404
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: When installing software as an Admin user, system
privileges may be used without explicit authorization
Description: Admin users are normally required to authenticate
before executing commands with system privileges. However, the
Installer allows system privileges to be used by Admin users
when installing certain packages without requiring
authentication. This update addresses the issue by requiring
authentication before installing software with system
privileges.
OpenSSL
CVE-ID: CVE-2006-2937, CVE-2006-2940, CVE-2006-3738,
CVE-2006-4339, CVE-2006-4343
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Multiple vulnerabilities in OpenSSL
Description: OpenSSL is updated to version 0.9.7l to address
several critical vulnerabilities. The most severe of these
vulnerabilities may lead to impersonation of services using SSL
or TLS, or to arbitrary code execution. Further information is
available via OpenSSL advisories at http://www.openssl.org/news/vulnerabilities.html.
perl
CVE-ID: CVE-2005-3962
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Perl applications with unsafe string handling may be
vulnerable to arbitrary code execution
Description: An integer overflow exists in Perl's format string
functionality. This integer overflow may lead to arbitrary code
execution in Perl applications which use format strings
unsafely. This update addresses the issue by performing
additional validation of uses of format strings.
PHP
CVE-ID: CVE-2006-1490, CVE-2006-1990
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: PHP applications may be vulnerable to denial of service
or arbitrary code execution
Description: PHP is updated to version 4.4.4 to address several
security issues in the Apache module and scripting environment.
Applications using affected APIs may be vulnerable. The most
severe of the vulnerabilities may lead to arbitrary code
execution. Further information is available on the PHP project
web site (www.php.net).
PHP
CVE-ID: CVE-2006-5465
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: PHP applications may be vulnerable to arbitrary code
execution
Description: Buffer overflows exist in the htmlentities() and
htmlspecialchars() functions. These buffer overflows may lead to
arbitrary code execution in applications using the affected
APIs. This update addresses the issue by performing additional
validation of input to the affected APIs.
PPP
CVE-ID: CVE-2006-4406
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Using PPPoE on an untrusted local network may lead to
arbitrary code execution
Description: When PPPoE is enabled, an attacker on the local
network may be able to trigger a buffer overflow. This could
lead to a system crash or arbitrary code execution with system
privileges. This update addresses the issue by performing better
validation on PPPoE traffic. PPPoE is not enabled by default.
Credit to the Mu Security research team for reporting this
issue.
Samba
CVE-ID: CVE-2006-3403
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: When Windows Sharing is enabled, remote attackers may
cause a denial of service
Description: The list of active connections tracked by Windows
Sharing may grow unbounded. An attacker may be able to create
many connections, leading to memory exhaustion and a denial of
service. This update addresses the issue by limiting the number
of active connections. Windows Sharing is not enabled by
default.
Security Framework
CVE-ID: CVE-2006-4407
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: Secure Transport may not negotiate the best cipher
available
Description: Secure Transport provides the ability to encrypt
and authenticate data using several ciphers. When a connection
is made, the best mutually-supported cipher should be used. Due
to the order in which they are evaluated, it is possible for Secure
Transport to use a cipher that provides no encryption or
authentication when better ciphers are available. This update
addresses the issue by giving priority to better ciphers.
Applications using Secure Transport through CFNetwork, such as
Safari, are not affected by this issue on systems with Security
Update 2006-006 or later. This issue does not affect systems
using Mac OS X v10.4.8 and later. Credit to Eric Cronin of
gizmolabs for reporting this issue.
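The Secure Transport issue above is a cipher-selection ordering bug: the implementation walked its list in a fixed order and accepted the first suite the peer also offered, so a NULL suite listed early could win over AES listed later. The following added example (not Secure Transport's code) models that bug beside the corrected selection, which ranks suites by strength and refuses to negotiate at all rather than fall through to a suite that provides no encryption. The suite names are standard TLS identifiers; the strength ranks, evaluation order and peer offers are constructed for the example.

```python
# Added example, not Secure Transport code.  Models the ordering bug the
# advisory describes and the corrected selection: rank suites by strength,
# choose the strongest one both sides support, and never fall through to a
# suite that provides no encryption.

# Constructed table: suite name -> (strength rank, provides encryption?).
SUITES = {
    "TLS_RSA_WITH_NULL_MD5":          (0, False),
    "TLS_RSA_WITH_NULL_SHA":          (1, False),
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5": (2, True),
    "TLS_RSA_WITH_RC4_128_SHA":       (3, True),
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA":  (4, True),
    "TLS_RSA_WITH_AES_128_CBC_SHA":   (5, True),
    "TLS_RSA_WITH_AES_256_CBC_SHA":   (6, True),
}

# The order in which this hypothetical implementation walks its own list.
# The NULL suites happen to come first, which is the whole problem.
EVALUATION_ORDER = [
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_RSA_WITH_NULL_MD5",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]


def negotiate_by_order(peer_offered):
    """Buggy: the first suite in our evaluation order that the peer also
    offers wins, however weak it is."""
    for name in EVALUATION_ORDER:
        if name in peer_offered:
            return name
    return None


def negotiate_by_strength(peer_offered, minimum_rank=3):
    """Fixed: among mutually supported suites pick the strongest, and return
    None (refuse the handshake) rather than accept a NULL suite or anything
    ranked below `minimum_rank`."""
    common = [n for n in EVALUATION_ORDER if n in peer_offered]
    usable = [n for n in common if SUITES[n][1] and SUITES[n][0] >= minimum_rank]
    if not usable:
        return None
    return max(usable, key=lambda n: SUITES[n][0])


if __name__ == "__main__":
    # Constructed peer offer: a normal client that happens to list a NULL suite too.
    peer = ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_NULL_SHA"]
    print("by order:   ", negotiate_by_order(peer))     # NULL suite wins
    print("by strength:", negotiate_by_strength(peer))  # AES-256 wins
```

Two properties matter in the fixed version: the choice depends on a strength ranking rather than on list position, and a suite that provides no confidentiality is never a fallback, so a peer that offers only NULL suites gets no connection instead of a plaintext one.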
Security Framework
CVE-ID: CVE-2006-4408
Available for: Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Processing X.509 certificates may lead to a denial of
service
Description: It is possible to create an X.509 certificate
containing a public key that could consume a significant amount
of system resources during signature verification. An attacker
may cause a system to process such a certificate, leading to a
denial of service. This issue does not affect systems prior to
Mac OS X v10.4. Credit to Dr. Stephen N. Henson of Open Network
Security for reporting this issue, and to NISCC for
coordinating.
Security Framework
CVE-ID: CVE-2006-4409
Available for: Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: When using an HTTP proxy, certificate revocation lists
cannot be retrieved
Description: On systems that are configured to use an HTTP
proxy, the Online Certificate Status Protocol (OCSP) service is
unable to retrieve certificate revocation lists. This update
addresses this issue by using the system proxy settings in
ocspd. This issue does not affect systems prior to Mac OS X
v10.4. Credit to Timothy J. Miller of the MITRE Corporation for
reporting this issue.
Security Framework
CVE-ID: CVE-2006-4410
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: Certain revoked certificates may be erroneously honored
Description: The revocation list from an issuing authority may
not be consulted for certain leaf certificates. This update
addresses the issue through improved handling of the certificate
revocation list. This issue does not affect Mac OS X v10.4.7 and
later systems. Credit to Jose Nazario of Arbor Networks for
reporting this issue.
VPN
CVE-ID: CVE-2006-4411
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Malicious local users may gain system privileges
Description: Under certain circumstances, the VPN server may
execute commands without properly cleaning the environment. This
may allow a malicious local user to create files or execute
commands with system privileges. This update addresses the issue
by ignoring the user's environment when executing commands.
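The VPN entry describes a privileged service executing commands with the calling user's environment intact; the fix is to ignore that environment. The following added example (not Apple's VPN server code) shows the general form of that fix: a privileged helper is launched with an environment built from scratch, with a fixed PATH and a short allow-list, so nothing the caller set can influence how the child process resolves programs or loads libraries. The helper is the Python interpreter itself so the example runs anywhere; the hostile environment values are constructed.

```python
import os
import subprocess
import sys

# Added example, not Apple's VPN server code.  Shows the fix the advisory
# describes in general form: a privileged service that must run a helper
# builds the child's environment from scratch instead of inheriting the
# calling user's.

# Variables a privileged helper legitimately needs, with fixed values.
SAFE_ENV = {
    "PATH": "/usr/bin:/bin:/usr/sbin:/sbin",
}
# Variables that may be copied through from the caller, by name only.
PASSTHROUGH = ("TZ", "LANG")


def sanitized_env(caller_env):
    """Return a fresh environment: fixed safe values plus a short allow-list.

    Anything else from the caller (a caller-controlled PATH, dynamic-loader
    overrides, and so on) is dropped wholesale rather than filtered name by
    name, so a variable nobody thought to deny-list cannot slip through.
    """
    env = dict(SAFE_ENV)
    for name in PASSTHROUGH:
        if name in caller_env:
            env[name] = caller_env[name]
    return env


def run_helper_child_env(caller_env):
    """Run a helper (here: the interpreter) with a sanitized environment and
    return the variable names the child actually saw."""
    child = subprocess.run(
        [sys.executable, "-c", "import os; print('\\n'.join(sorted(os.environ)))"],
        env=sanitized_env(caller_env),
        capture_output=True,
        text=True,
        check=True,
    )
    return child.stdout.split()


if __name__ == "__main__":
    # Constructed hostile caller environment.
    hostile = dict(os.environ, PATH="/tmp/evil:/usr/bin",
                   LD_PRELOAD="/tmp/evil.so", TZ="UTC")
    print(run_helper_child_env(hostile))
```

The allow-list approach is deliberate: a deny-list of known dangerous variable names has to be kept complete across platforms and loaders, whereas starting from an empty environment only requires knowing what the helper needs. Note that the interpreter may add a locale variable such as LC_CTYPE of its own in the child; that is the child's doing, not something inherited from the caller.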
WebKit
CVE-ID: CVE-2006-4412
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Visiting a malicious web site may lead to arbitrary code
execution
Description: A maliciously-crafted HTML document could cause a
previously deallocated object to be accessed. This may lead to
an application crash or arbitrary code execution. This update
addresses the issue by properly handling such documents. Credit
to Tom Ferris of Security-Protocols for reporting this issue.
Security Update 2006-007 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.3.9
The download file is named: "SecUpd2006-007Pan.dmg"
Its SHA-1 digest is: b4c9190964cf4f9f674ab7f8cbd2c1cbe196cb2d
For Mac OS X v10.4.8 (PowerPC)
The download file is named: "SecUpd2006-007Ti.dmg"
Its SHA-1 digest is: 994b13d0c36b18f3d30e2c0849b023393d714ef6
For Mac OS X v10.4.8 (Intel)
The download file is named: "SecUpd2006-007Intel.dmg"
Its SHA-1 digest is: a90bf763dc381f61839d6f55cdf3d5dd710d327f
For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2006-007Pan.dmg"
Its SHA-1 digest is: 4bd756bfa7b1fe927d34fc7a377a4b010008b866
For Mac OS X Server v10.4.8 (PowerPC)
The download file is named: "SecUpdSrvr2006-007Ti.dmg"
Its SHA-1 digest is: 0fa7e1041dd5a61393996a09081190d3343d7f34
For Mac OS X Server v10.4.8 (Universal)
The download file is named: "SecUpdSrvr2006-007Universal.dmg"
Its SHA-1 digest is: b9987a0fa591ccfd467b1ebec85367b140b8d789
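The download list above pairs each update image with a published SHA-1 digest. The following added example (not Apple's tooling) verifies a downloaded file against that table: it hashes the file in chunks, compares in constant time, and looks the expected digest up by the advisory's file name. The digests are copied from the advisory text; the file it hashes is a small constructed stand-in so the example runs offline, and it is expected not to match.

```python
import hashlib
import hmac
import os
import tempfile

# Added example, not Apple's tooling.  Verifies a downloaded update image
# against the SHA-1 digest published in the advisory.  Digests below are
# copied from the advisory; the sample file is constructed.

PUBLISHED_SHA1 = {
    "SecUpd2006-007Pan.dmg": "b4c9190964cf4f9f674ab7f8cbd2c1cbe196cb2d",
    "SecUpd2006-007Ti.dmg": "994b13d0c36b18f3d30e2c0849b023393d714ef6",
    "SecUpd2006-007Intel.dmg": "a90bf763dc381f61839d6f55cdf3d5dd710d327f",
    "SecUpdSrvr2006-007Pan.dmg": "4bd756bfa7b1fe927d34fc7a377a4b010008b866",
    "SecUpdSrvr2006-007Ti.dmg": "0fa7e1041dd5a61393996a09081190d3343d7f34",
    "SecUpdSrvr2006-007Universal.dmg": "b9987a0fa591ccfd467b1ebec85367b140b8d789",
}


def sha1_of_file(path, chunk=1 << 20):
    """Hex SHA-1 of a file, read in chunks so large images need little memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, expected_hex):
    """True only if the file's SHA-1 equals the expected digest (constant-time compare)."""
    return hmac.compare_digest(sha1_of_file(path), expected_hex.lower())


def verify_named_download(path):
    """Look the expected digest up by the advisory's file name, then verify."""
    name = os.path.basename(path)
    if name not in PUBLISHED_SHA1:
        raise KeyError("no published digest for %s" % name)
    return verify_download(path, PUBLISHED_SHA1[name])


def demo():
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in named like the real image; its digest will not match.
        p = os.path.join(d, "SecUpd2006-007Intel.dmg")
        with open(p, "wb") as f:
            f.write(b"not the real disk image\n")
        return {
            "matches_itself": verify_download(p, sha1_of_file(p)),
            "matches_published": verify_named_download(p),
        }


if __name__ == "__main__":
    print(demo())
```

The digest check protects against a corrupted or substituted download; what makes the digests themselves trustworthy is the PGP signature on the advisory that carries them, so verify the signature first and only then trust the table. SHA-1 was the standard choice in 2006 and is still adequate for detecting accidental corruption, but it is no longer collision resistant, so current distribution practice publishes SHA-256 digests instead.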
Information will also be posted to the Apple Security Updates
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)
iQEVAwUBRWx614mzP5/bU5rtAQhAIAgAgpBJxCJUvam2CovJzeixdUXM8lKuzhXy
t4H3m98YPbku+5WHIUNSgzgWZsLTEhgm1b0IjkEwdLGO3Zl3B11q+GknUadmgINT
P/yvpyfxxDwkYkqqZD6yYgyRnWGk6kD9/1MR4h0wz3FBncH5qbjsj7pZrQN8Ittn
PTDGAhb4aMBm/6paoewyuaH+kRo7cOFrcZbpmIZxdO/+ZdNbL8lqGXjrPoKhRe4P
lHoFmX4wMbTn2UG8Mh8K1Fg8FI3g2/yQ2l6zPHR4Kw7t+GAtAd7o/wDJb9NKhM1k
yQkINZBTEEoiK6cGbyqfFXZ+B3UHZkSMZAVOHXPynoxAd1qqXEncnA==
=Kh3j
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRWzpUCh9+71yA2DNAQJvwQP/fX8bYHeaksqVGkGwCSWFTeG/7Zp/jg7B
MbRLIUfp8tHVO0Hs4WaqqHaPmqTt24EkLX8rbpmhGP2kXl6c3x6auwXYCzOn/yVY
3IJf844pj4+2Tozz3DUXxWTWIyhoUFwZ2WHGphVzEy2o/SOo34sFd15nUPX7AR53
8dzFDdR8e78=
=1LUO
-----END PGP SIGNATURE-----