AL-2007.0092 -- [OSX] -- Apple Security Update 2007-007
Date: 01 August 2007

References: ESB-2004.0790, ESB-2005.0416, ESB-2005.0437, ESB-2006.0946,
ESB-2007.0247, ESB-2007.0272, AA-2007.0028, AL-2007.0065, ESB-2007.0330,
ESB-2007.0339, ESB-2007.0360, ESB-2007.0444, AL-2007.0078, ESB-2007.0578
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                       A U S C E R T   A L E R T

                    AL-2007.0092 -- AUSCERT ALERT
                [OSX] Apple Security Update 2007-007
                            1 August 2007

===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:            iChat
                    CoreAudio
                    PDFKit
                    bzip2
                    gnuzip
                    mDNSResponder
                    Samba
                    Kerberos
                    CFNetwork
                    cscope
                    PHP
                    Quartz Composer
                    SquirrelMail
                    Tomcat
                    WebCore
                    WebKit
Publisher:          Apple
Operating System:   Mac OS X 10.4.10 and prior
                    Mac OS X Server 10.4.10 and prior
Impact:             Root Compromise
                    Execute Arbitrary Code/Commands
                    Overwrite Arbitrary Files
                    Inappropriate Access
                    Cross-site Scripting
                    Provide Misleading Information
Access:             Remote/Unauthenticated
CVE Names:          CVE-2007-3944 CVE-2007-3748 CVE-2007-3747 CVE-2007-3746
                    CVE-2007-3745 CVE-2007-3744 CVE-2007-3742 CVE-2007-2798
                    CVE-2007-2589 CVE-2007-2447 CVE-2007-2446 CVE-2007-2443
                    CVE-2007-2442 CVE-2007-2410 CVE-2007-2409 CVE-2007-2408
                    CVE-2007-2407 CVE-2007-2406 CVE-2007-2405 CVE-2007-2404
                    CVE-2007-2403 CVE-2007-1860 CVE-2007-1717 CVE-2007-1711
                    CVE-2007-1583 CVE-2007-1521 CVE-2007-1484 CVE-2007-1461
                    CVE-2007-1460 CVE-2007-1358 CVE-2007-1287 CVE-2007-1262
                    CVE-2007-1001 CVE-2007-0478 CVE-2007-0450 CVE-2006-6142
                    CVE-2006-4019 CVE-2006-3174 CVE-2006-2842 CVE-2005-3128
                    CVE-2005-2090 CVE-2005-0758 CVE-2004-2541 CVE-2004-0996
Ref:                ESB-2004.0790 ESB-2005.0416 ESB-2005.0437 ESB-2006.0946
                    AL-2007.0078 AA-2007.0028 ESB-2007.0247 ESB-2007.0272
                    ESB-2007.0330 ESB-2007.0339 ESB-2007.0360 AL-2007.0065
                    ESB-2007.0444

Original Bulletin:
  http://docs.info.apple.com/article.html?artnum=306172

Comment: An attacker may compromise the computer remotely in several ways:
         through the iChat application, through a web page containing a
         malicious Java applet, or by supplying a malicious PDF file,
         compressed archive or Quartz Composer file.

         An mDNSResponder vulnerability allows the computer to be
         compromised by a malicious packet sent from the local LAN.

         Several important server vulnerabilities are also addressed,
         including the remote Kerberos and Samba vulnerabilities described
         previously in AusCERT Alerts AL-2007.0065 and AL-2007.0078.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2007-07-31 Security Update 2007-007

Security Update 2007-007 is now available and addresses the following
issues:

bzip2
CVE-ID:  CVE-2005-0758
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  Running bzgrep on a file with a maliciously crafted name may
lead to arbitrary code execution
Description:  A file name handling issue exists in bzgrep. By enticing
a user into running bzgrep on a file with a maliciously crafted name,
an attacker may trigger the issue which may lead to arbitrary code
execution. This update addresses the issue through improved handling
of file names.

CFNetwork
CVE-ID:  CVE-2007-2403
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  Clicking on an FTP URI may cause arbitrary FTP commands to be
issued
Description:  By enticing a user to follow a maliciously crafted FTP
URI, an attacker can cause the user's FTP client to issue arbitrary
FTP commands to any accessible FTP server, using the credentials of
the user. This update addresses the issue by performing additional
validation of FTP URIs.

CFNetwork
CVE-ID:  CVE-2007-2404
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  Applications using CFNetwork to make HTTP requests may be
vulnerable to a response splitting attack
Description:  An HTTP response splitting vulnerability exists in
CFNetwork. By sending a maliciously crafted HTTP response to a user's
HTTP request, an attacker may alter the user's consecutive responses,
which could lead to cross-site scripting. This update addresses the
issue through improved parsing of HTTP responses. Credit to Steven
Kramer of sprintteam.nl for reporting this issue.

CoreAudio
CVE-ID:  CVE-2007-3745
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  Visiting a malicious website may lead to arbitrary code
execution
Description:  A design issue exists in the Java interface to
CoreAudio. JDirect exposes an interface that may allow freeing
arbitrary memory. By enticing a user to visit a web page containing a
maliciously crafted Java applet, an attacker can trigger the issue
which may lead to arbitrary code execution. This update addresses the
issue by performing additional security checks in the Java interface
to CoreAudio.

CoreAudio
CVE-ID:  CVE-2007-3746
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  Visiting a malicious website may lead to arbitrary code
execution
Description:  An issue exists in the Java interface to CoreAudio,
which may allow reading or writing out of the bounds of the allocated
heap. By enticing a user to visit a web page containing a maliciously
crafted Java applet, an attacker can trigger the issue which may lead
to arbitrary code execution. This update addresses the issue by
performing additional bounds checking.

CoreAudio
CVE-ID:  CVE-2007-3747
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  Visiting a malicious website may lead to arbitrary code
execution
Description:  An issue exists in the Java interface to CoreAudio,
which may allow instantiation or manipulation of objects outside the
bounds of the allocated heap. By enticing a user to visit a web page
containing a maliciously crafted Java applet, an attacker can trigger
the issue which may lead to arbitrary code execution. This update
addresses the issue by performing additional security checks in the
Java interface to CoreAudio.

cscope
CVE-ID:  CVE-2004-0996, CVE-2004-2541
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  Multiple vulnerabilities in Cscope
Description:  Cscope is updated to version 15.6 to address several
vulnerabilities, the most serious of which are buffer overflow and
insecure temporary file creation vulnerabilities. Further information
is available via the Cscope web site at http://cscope.sourceforge.net/

gnuzip
CVE-ID:  CVE-2005-0758
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  Running zgrep on a file with a maliciously crafted name may
lead to arbitrary code execution
Description:  A file name handling issue exists in zgrep. By enticing
a user into running zgrep on a file with a maliciously crafted name,
an attacker may trigger the issue which may lead to arbitrary code
execution. This update addresses the issue through improved handling
of file names.

iChat
CVE-ID:  CVE-2007-3748
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  An attacker on the local network may be able to cause a
denial of service or arbitrary code execution
Description:  A buffer overflow vulnerability exists in the UPnP IGD
(Internet Gateway Device Standardized Device Control Protocol) code
used to create Port Mappings on home NAT gateways in iChat. By sending
a maliciously crafted packet, an attacker on the local network can
trigger the overflow which may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue by performing additional validation when processing UPnP
protocol packets in iChat.
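The CFNetwork response-splitting entry above (CVE-2007-2404) says the fix was "improved parsing of HTTP responses". The following is an added illustration of what a splitting-resistant client-side parser checks; it is example code written for this page, not Apple's CFNetwork code, and the three sample responses at the bottom are constructed. The rules it enforces are the general ones for this attack class: one status line, no bare CR or LF inside a header line, every header line of the form `token: value`, and a body that is exactly Content-Length bytes, so that an appended second response is rejected instead of being left in the connection buffer to answer the user's next request.

```python
"""Strict HTTP/1.x response parser that rejects responses whose headers or
trailing bytes could carry a second, attacker-supplied response.

Added example for the CFNetwork response-splitting entry (CVE-2007-2404).
Not Apple's code; the sample responses below are constructed."""
import re

# RFC 7230 token characters: the only ones allowed in a header field name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_STATUS = re.compile(r"^HTTP/1\.[01] [1-5][0-9]{2}(?: [^\r\n]*)?$")


class ResponseError(ValueError):
    """Raised instead of guessing when a response is not well formed."""


def parse_response(raw: bytes):
    """Return (status_code, headers, body) or raise ResponseError.

    * exactly one CRLF-terminated status line;
    * no bare CR or LF inside a header line, and each line must be
      'token: value'. A smuggled 'HTTP/1.1 200 OK' line has no colon and a
      CRLF-injected value leaves a stray CR or LF behind, so both fail here;
    * when Content-Length is present the body is exactly that many bytes;
      trailing bytes are rejected rather than treated as the next response.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ResponseError("no end-of-headers marker")
    lines = head.split(b"\r\n")
    try:
        status_line = lines[0].decode("ascii")
    except UnicodeDecodeError:
        raise ResponseError("non-ASCII status line") from None
    if not _STATUS.match(status_line):
        raise ResponseError("malformed status line")
    status = int(status_line.split(" ")[1])

    headers = {}
    for line in lines[1:]:
        if b"\r" in line or b"\n" in line:
            raise ResponseError("bare CR or LF inside a header line")
        name, colon, value = line.partition(b":")
        name = name.decode("ascii", "replace")
        if not colon or not _TOKEN.match(name):
            raise ResponseError("malformed header line: %r" % line)
        headers.setdefault(name.lower(), []).append(
            value.strip().decode("latin-1"))

    lengths = headers.get("content-length", [])
    if lengths:
        if len(lengths) != 1 or not lengths[0].isdigit():
            raise ResponseError("ambiguous Content-Length")
        n = int(lengths[0])
        if len(body) != n:
            raise ResponseError(
                "body is %d bytes but Content-Length says %d" % (len(body), n))
    # Without Content-Length the body runs to end of stream, so nothing after
    # the first response can be mistaken for a second one.
    return status, headers, body


def safe_parse(raw: bytes):
    """Parsed (status, headers, body), or None when the response is rejected."""
    try:
        return parse_response(raw)
    except ResponseError:
        return None


# Constructed samples: a normal response and two that embed a second one.
GOOD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
        b"Content-Length: 5\r\n\r\nhello")
SPLIT_VIA_TRAILER = (b"HTTP/1.1 302 Found\r\nLocation: /x\r\nContent-Length: 0\r\n\r\n"
                     b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello")
SPLIT_VIA_BARE_LF = (b"HTTP/1.1 200 OK\r\nX-Note: a\nHTTP/1.1 200 OK\r\n"
                     b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("trailer", SPLIT_VIA_TRAILER),
                          ("bare LF", SPLIT_VIA_BARE_LF)]:
        print(label, "accepted" if safe_parse(sample) else "rejected")
```

Rejecting the whole response on any ambiguity is the design choice that matters: a parser that "recovers" by skipping a bad line is exactly the one whose recovery an attacker chooses.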
Kerberos
CVE-ID:  CVE-2007-2442, CVE-2007-2443, CVE-2007-2798
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  Multiple vulnerabilities in the MIT krb5 Kerberos
administration daemon
Description:  Multiple vulnerabilities exist in the MIT Kerberos
administration daemon (kadmind), which may lead to an unexpected
application termination or arbitrary code execution with system
privileges. Further information on the issue and the patch applied is
available via the MIT Kerberos website at http://web.mit.edu/Kerberos/
Credit to the MIT Kerberos Team for reporting these issues, which were
originally discovered by Wei Wang of McAfee Avert Labs.

mDNSResponder
CVE-ID:  CVE-2007-3744
Available for:  Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  An attacker on the local network may be able to cause a
denial of service or arbitrary code execution
Description:  A buffer overflow vulnerability exists in the UPnP IGD
(Internet Gateway Device Standardized Device Control Protocol) code
used to create Port Mappings on home NAT gateways in the Mac OS X
implementation of mDNSResponder. By sending a maliciously crafted
packet, an attacker on the local network can trigger the overflow
which may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue by removing UPnP IGD
support. This issue does not affect systems prior to Mac OS X v10.4.

PDFKit
CVE-ID:  CVE-2007-2405
Available for:  Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer underflow exists in Preview's handling of
PDF files. By enticing a user to open a maliciously crafted PDF file,
an attacker may trigger the issue which may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of PDF files.
This issue does not affect systems prior to Mac OS X v10.4.

PHP
CVE-ID:  CVE-2007-1001, CVE-2007-1287, CVE-2007-1460, CVE-2007-1461,
CVE-2007-1484, CVE-2007-1521, CVE-2007-1583, CVE-2007-1711,
CVE-2007-1717
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  Multiple vulnerabilities in PHP 4.4.4
Description:  PHP is updated to version 4.4.7 to address several
vulnerabilities. Further information is available via the PHP web
site at http://www.php.net/

Quartz Composer
CVE-ID:  CVE-2007-2406
Available for:  Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  Viewing a maliciously crafted Quartz Composer file may lead
to an unexpected application termination or arbitrary code execution
Description:  An uninitialized object pointer vulnerability exists in
the handling of Quartz Composer files. By enticing a user to view a
maliciously crafted Quartz Composer file, an attacker may trigger the
issue which may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue by
performing proper initialization of object pointers. This issue does
not affect systems prior to Mac OS X v10.4.

Samba
CVE-ID:  CVE-2007-2446
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  When Windows file sharing is enabled, an unauthenticated
remote attacker may cause an unexpected application termination or
arbitrary code execution
Description:  Multiple heap buffer overflows exist in the Samba
daemon. By sending maliciously crafted MS-RPC requests, a remote
attacker can trigger the overflow which may lead to arbitrary code
execution. This update addresses the issue by performing additional
validation of MS-RPC requests.

Samba
CVE-ID:  CVE-2007-2447
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  When Windows file sharing is enabled, an unauthenticated
remote attacker may be able to execute arbitrary shell commands
Description:  A command injection vulnerability exists in the Samba
daemon. By sending maliciously crafted MS-RPC requests, a remote
attacker can trigger the command injection. This update addresses the
issue by performing additional validation of MS-RPC requests. This
issue does not affect the default Samba configuration.

Samba
CVE-ID:  CVE-2007-2407
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  When Windows file sharing is enabled, users may bypass file
system quotas
Description:  An issue exists in Samba when a server process drops
its privileges. This could allow the quota enforcement to be bypassed,
and the file system quota to be exceeded. This update addresses the
issue by properly dropping privileges. Credit to Mike Matz of
Wyomissing Area School District for reporting this issue.

SquirrelMail
CVE-ID:  CVE-2005-3128, CVE-2006-2842, CVE-2006-3174, CVE-2006-4019,
CVE-2006-6142, CVE-2007-1262, CVE-2007-2589
Available for:  Mac OS X Server v10.3.9, Mac OS X Server v10.4.10
Impact:  Multiple vulnerabilities in SquirrelMail 1.4.5
Description:  SquirrelMail is updated to version 1.4.10 to address
several vulnerabilities, the most serious of which is cross-site
scripting triggered by viewing HTML mail. Further information is
available via the SquirrelMail web site at http://www.SquirrelMail.org/

Tomcat
CVE-ID:  CVE-2005-2090, CVE-2007-0450, CVE-2007-1358, CVE-2007-1860
Available for:  Mac OS X Server v10.4.10
Impact:  Multiple vulnerabilities in Tomcat
Description:  Tomcat is updated to version 4.1.36 to address several
vulnerabilities, the most serious of which are cross-site scripting
and information disclosure. Further information is available via the
Tomcat site at http://tomcat.apache.org/ These issues do not affect
systems prior to Mac OS X v10.4.

WebCore
CVE-ID:  CVE-2007-2408
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  Visiting a malicious website may allow Java applets to load
and run even when Java is disabled
Description:  Safari provides an "Enable Java" preference, which when
unchecked should prevent the loading of Java applets. By default, Java
applets are allowed to be loaded. Navigating to a maliciously crafted
web page may allow a Java applet to be loaded without checking the
preference. This update addresses the issue through a stricter check
of the "Enable Java" preference. Credit to Rhys Kidd and Scott Wilde
for reporting this issue.

WebCore
CVE-ID:  CVE-2007-0478
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  Content may be injected into HTML comments leading to
cross-site scripting attacks
Description:  An issue exists in WebCore when parsing comments inside
an HTML title element. This can allow an attacker to insert scripts
into a web page on sites which allow the page owner to enter HTML, but
not scripts. This update addresses the issue by correctly parsing
comments in title elements.

WebCore
CVE-ID:  CVE-2007-2409
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  Visiting a malicious website may lead to the disclosure of
URL contents
Description:  A design issue in WebCore allows a popup window to read
the URL that is currently being viewed in the parent window. By
enticing a user to visit a maliciously crafted web page, an attacker
can trigger the issue, which may lead to the disclosure of information
via the URL contents. This update addresses the issue through an
improved cross-domain security check. Credit to Secunia Research for
reporting this issue.

WebCore
CVE-ID:  CVE-2007-2410
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  Visiting a malicious website may allow cross-site scripting
Description:  In Safari, properties of certain global objects are not
cleared when navigating to a new URL within the same window. By
enticing a user to visit a maliciously crafted web page, an attacker
may trigger the issue which may lead to cross-site scripting. This
update addresses the issue by properly clearing global objects.

WebKit
CVE-ID:  CVE-2007-3742
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  Look-alike characters in a URL could be used to masquerade a
website
Description:  The International Domain Name (IDN) support and Unicode
fonts embedded in Safari could be used to create a URL which contains
look-alike characters. These could be used in a malicious web site to
direct the user to a spoofed site that visually appears to be a
legitimate domain. This update addresses the issue through an improved
domain name validity check. Credit to Tomohito Yoshino of Business
Architects Inc. for reporting this issue.

WebKit
CVE-ID:  CVE-2007-3944
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact:  Viewing a maliciously crafted web page may lead to arbitrary
code execution
Description:  Heap buffer overflows exist in the Perl Compatible
Regular Expressions (PCRE) library used by the JavaScript engine in
Safari. By enticing a user to visit a maliciously crafted web page, an
attacker may trigger the issues, which may lead to arbitrary code
execution. This update addresses the issues by performing additional
validation of JavaScript regular expressions. Credit to Charlie Miller
and Jake Honoroff of Independent Security Evaluators for reporting
these issues.
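The WebKit IDN entry above (CVE-2007-3742) describes the fix only as "an improved domain name validity check". The block below is an added example of the two checks such a validity test usually combines, written for this page rather than taken from WebKit: a label that mixes scripts (Latin letters next to Cyrillic ones) is flagged, and a single-script label made of characters that are glyph-twins of Latin letters is flagged together with the Latin string it imitates. The confusable table is a small constructed subset of the Unicode confusables data, and the sample hostnames are constructed.

```python
"""Flag hostnames whose labels mix scripts or consist of characters that
look like Latin letters (the check class behind CVE-2007-3742's fix).

Added example, not WebKit's code. CONFUSABLE_TO_LATIN is a constructed
subset of Unicode confusables.txt; a real deployment loads the full table."""
import unicodedata

# Constructed subset: Cyrillic lowercase letters whose glyphs are near-identical
# to Latin ones in common fonts, mapped to the Latin letter they imitate.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def script_of(ch: str) -> str:
    """Script family from the Unicode name: 'LATIN SMALL LETTER A' -> 'LATIN'."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def label_findings(label: str) -> list:
    """Reasons a single DNS label is suspicious; an empty list means clean."""
    findings = []
    letters = [ch for ch in label if ch.isalpha()]   # digits and '-' are neutral
    scripts = {script_of(ch) for ch in letters}
    if len(scripts) > 1:
        findings.append("mixed scripts: " + "+".join(sorted(scripts)))
    if any(ch in CONFUSABLE_TO_LATIN for ch in letters):
        skeleton = "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in label)
        findings.append("look-alike of Latin label %r" % skeleton)
    return findings


def classify_hostname(host: str) -> dict:
    """Normalise, IDNA-encode and inspect every label of a hostname.

    Returns {'host', 'ascii', 'findings'}; 'findings' maps each suspicious
    label to its reasons, so an empty dict means nothing was flagged.
    """
    host = unicodedata.normalize("NFC", host.rstrip(".")).lower()
    result = {"host": host, "ascii": None, "findings": {}}
    try:
        result["ascii"] = host.encode("idna").decode("ascii")
    except UnicodeError as exc:
        result["findings"]["*"] = ["not encodable as IDNA: %s" % exc]
        return result
    for label in host.split("."):
        reasons = label_findings(label)
        if reasons:
            result["findings"][label] = reasons
    return result


def is_lookalike_hostname(host: str) -> bool:
    """True when any label of the hostname was flagged."""
    return bool(classify_hostname(host)["findings"])


# Constructed samples: a clean name; one with CYRILLIC SMALL LETTER A (U+0430)
# in place of Latin 'a'; one that is entirely Cyrillic but renders as "copy".
SAMPLES = ["www.apple.com", "www.p\u0430ypal.com",
           "\u0441\u043e\u0440\u0443.example"]

if __name__ == "__main__":
    for h in SAMPLES:
        r = classify_hostname(h)
        print(r["ascii"], "->", r["findings"] or "clean")
```

A browser that applies this kind of check typically falls back to displaying the punycode form (the `xn--` label) for a flagged name, so the user sees that the domain is not the ASCII one it resembles.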
Security Update 2007-007 may be obtained from the Software Update pane
in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.10 (Universal)
The download file is named:  "SecUpd2007-007Univ.dmg"
Its SHA-1 digest is:  8ef20aa2fbeb81716a20565e7b0b5116f79f4ab5

For Mac OS X v10.4.10 (PowerPC)
The download file is named:  "SecUpd2007-007Ti.dmg"
Its SHA-1 digest is:  43e774881f314ed0feb1302da30a14a72fdfa740

For Mac OS X v10.3.9
The download file is named:  "SecUpd2007-007Pan.dmg"
Its SHA-1 digest is:  8576955e1a4574d5cb2eb0721b130a22919e6b62

For Mac OS X Server v10.4.10 (Universal)
The download file is named:  "SecUpdSrvr2007-007Universal.dmg"
Its SHA-1 digest is:  6a07dd5c4af3e7c371600e1759a98f5bb8b76b33

For Mac OS X Server v10.4.10 (PowerPC)
The download file is named:  "SecUpdSrvr2007-007Ti.dmg"
Its SHA-1 digest is:  9bc897a174f2aeddfa21603bb15366c883162d48

For Mac OS X Server v10.3.9
The download file is named:  "SecUpdSrvr2007-007Pan.dmg"
Its SHA-1 digest is:  e27cdd6b78309cffdbf6f88ad2c0ff4ad0cfaf21

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)

iQEVAwUBRq+7gcgAoqu4Rp5tAQhq1Af/Q4SkLMs6qSutEZZn+2oGrW/iBwHhU+ZL
1Zh57Q1+9l3VZrROmxdJ0/JkhmO9zpQ4rdZGWtVY08SV/v0kIFqTu8I31GnfBCq7
mvobg7z3ej680vtBCvmTgSfitlVa0+2KhnaNAsGGo0lOiCZuV9KQd6lPhSVor/Gq
mqZ3a8y9D6RhfREbMzG7GOJ/BwmBeRTrnNVaI5mJP0KXUygsn3Gf5O++SwuOJzG2
qK11KGIx/dxCbR7Dbz9KEmoF8PQbeuyUBb9ZrYAfvSwa4riveCbvvLLWo9Aszl5U
BEW09G3aIYWe4HXogCtz9XIksqswajmudS707j6tNw0oa4JoYcYNjA==
=odx6
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRq/yXSh9+71yA2DNAQLPugP/V74/29gCD97zePInLtacsfV9Ol2UidOb
WnJOEx9p3KP2ohJ7krY6gVR1jaRl3zmzwFa/rTQ/YzbaM/SaT57/LzB2U5Pe9qhZ
jJMOQjolkycKGE6G2lYeQTsndoVKJIFWlb+R2dCbGL+1l5vpwie/srAp0oD8cB0g
whRwcP8Xnqw=
=5Ztm
-----END PGP SIGNATURE-----
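The Apple bulletin above publishes a file name and a SHA-1 digest for each of the six update images. The following added example, written for this page and not part of Apple's or AusCERT's material, turns that list into a verification step an administrator can run on a downloaded image before installing it manually: it matches on the file's basename so that a renamed download is reported as unknown rather than silently accepted, and compares digests in constant time. The helper `constructed_download` only exists to create a sample file for the demonstration.

```python
"""Verify a downloaded Security Update 2007-007 image against the SHA-1
digests published in the Apple bulletin above.

Added example, not Apple's or AusCERT's code. EXPECTED_SHA1 copies the
bulletin's digests verbatim; constructed_download() builds demo files only."""
import hashlib
import hmac
import os
import tempfile

# File names and digests exactly as published in APPLE-SA-2007-07-31.
EXPECTED_SHA1 = {
    "SecUpd2007-007Univ.dmg":          "8ef20aa2fbeb81716a20565e7b0b5116f79f4ab5",
    "SecUpd2007-007Ti.dmg":            "43e774881f314ed0feb1302da30a14a72fdfa740",
    "SecUpd2007-007Pan.dmg":           "8576955e1a4574d5cb2eb0721b130a22919e6b62",
    "SecUpdSrvr2007-007Universal.dmg": "6a07dd5c4af3e7c371600e1759a98f5bb8b76b33",
    "SecUpdSrvr2007-007Ti.dmg":        "9bc897a174f2aeddfa21603bb15366c883162d48",
    "SecUpdSrvr2007-007Pan.dmg":       "e27cdd6b78309cffdbf6f88ad2c0ff4ad0cfaf21",
}


def sha1_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Hex SHA-1 of a file, streamed so large .dmg images are not read at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_update_image(path: str, expected: dict = EXPECTED_SHA1):
    """Return (ok, reason) for one downloaded image.

    The expected digest is looked up by basename, so a file that is not one
    of the published names fails closed instead of being passed through.
    """
    name = os.path.basename(path)
    if name not in expected:
        return False, "%s: no published digest for this file name" % name
    actual = sha1_of_file(path)
    if hmac.compare_digest(actual, expected[name].lower()):
        return True, "%s: SHA-1 matches the published digest" % name
    return False, "%s: SHA-1 mismatch (computed %s)" % (name, actual)


def constructed_download(name: str, data: bytes) -> str:
    """Demo helper: write constructed bytes under `name` in a fresh temp dir."""
    directory = tempfile.mkdtemp(prefix="secupd-demo-")
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    import sys
    # Usage: python verify_secupd.py /path/to/SecUpd2007-007Univ.dmg [...]
    for p in sys.argv[1:]:
        ok, msg = verify_update_image(p)
        print(("PASS " if ok else "FAIL ") + msg)
```

Two caveats apply when reusing this pattern. The digest only proves the download matches what Apple published; the PGP signature on the bulletin is what ties the digest table itself to Apple, so verify the signature before trusting the table. And SHA-1 is no longer collision resistant, so for current software prefer a vendor-published SHA-256 or a signature over the image where one is offered.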