ESB-2005.0732 -- APPLE-SA-2005-09-22 -- Security Update 2005-008

Date: 23 September 2005

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                   ESB-2005.0732 -- APPLE-SA-2005-09-22
                         Security Update 2005-008
                             23 September 2005

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ImageIO
                   Mail.app
                   QuickDraw Manager
                   QuickTime
                   Ruby
                   Safari
                   SecurityAgent
Publisher:         Apple
Operating System:  Mac OS X
Impact:            Execute Arbitrary Code/Commands
                   Increased Privileges
                   Access Confidential Data
                   Modify Arbitrary Files
                   Inappropriate Access
                   Cross-site Scripting
Access:            Remote/Unauthenticated
CVE Names:         CAN-2005-2748 CAN-2005-2747 CAN-2005-2746
                   CAN-2005-2745 CAN-2005-2744 CAN-2005-2743
                   CAN-2005-2742 CAN-2005-2741 CAN-2005-2524
                   CAN-2005-1992

Original Bulletin: http://docs.info.apple.com/article.html?artnum=302413

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2005-09-22 Security Update 2005-008

Security Update 2005-008 is now available and delivers the following
security enhancements:

ImageIO
CVE-ID: CAN-2005-2747
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Viewing a maliciously-crafted GIF image may result in
arbitrary code execution.
Description: By carefully crafting a corrupt GIF image, an attacker
can trigger a buffer overflow in ImageIO which may result in
arbitrary code execution. Several components of Mac OS X utilize
ImageIO including WebCore and Safari. This update addresses the issue
by performing additional validation of images.

Mail
CVE-ID: CAN-2005-2746
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.2, Mac OS X Server v10.4.2
Impact: When using auto-reply rules, Mail.app may expose the contents
of encrypted messages.
Description: Mail.app includes the contents of messages when
processing auto-reply rules. If a message being processed was
encrypted, the automatically generated response will include the
decrypted message contents. This could allow an attacker to intercept
the message. This update addresses the issue by ensuring that
unencrypted responses to encrypted messages are not generated. Credit
to Norbert Rittel of Rittel Consulting for reporting this issue.

Mail
CVE-ID: CAN-2005-2745
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: When using Kerberos Version 5 for SMTP authentication, Mail.app
may disclose sensitive information.
Description: When using SMTP authentication with Kerberos Version 5,
Mail.app may append uninitialized memory to a message. This update
addresses the issue by updating Mail.app. Credit to the MIT Kerberos
team for reporting this issue. This issue was resolved in Mac OS X
v10.4.2 by Security Update 2005-007.

malloc
CVE-ID: CAN-2005-2748
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.2, Mac OS X Server v10.4.2
Impact: Insecure file handling may result in local privilege
escalation.
Description: When certain environment variables are set to enable
debugging of application memory allocation, files with diagnostic
information are created insecurely. This could allow a malicious
local user to alter arbitrary files. This update addresses the issue
by disallowing malloc debugging in privileged programs. Credit to
Ilja van Sprundel of Suresec LTD for reporting this issue.

QuickDraw Manager
CVE-ID: CAN-2005-2744
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.2, Mac OS X Server v10.4.2
Impact: Viewing a maliciously-crafted PICT image may result in
arbitrary code execution.
Description: By carefully crafting a corrupt PICT image, an attacker
can trigger a buffer overflow in QuickDraw Manager which may result
in arbitrary code execution. Several components of Mac OS X utilize
QuickDraw Manager, including Safari, Mail, and Finder. This update
addresses the issue by performing additional validation of images.
Credit to Henrik Dalgaard of Echo One for reporting this issue.

QuickTime for Java
CVE-ID: CAN-2005-2743
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: An untrusted applet may gain elevated privileges.
Description: The Java extensions bundled with QuickTime 6.52 and
earlier allow untrusted applets to call arbitrary functions from
system libraries. This update addresses the issue by limiting these
calls to trusted applets. Systems running QuickTime 7 or later are
not affected by this issue. Systems running Mac OS X v10.4 or later
are also not affected by this issue. Credit to Dino Dai Zovi for
reporting this issue.

Ruby
CVE-ID: CAN-2005-1992
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Ruby applications utilizing the xmlrpc module may be
vulnerable to arbitrary code execution.
Description: The Ruby xmlrpc/utils module utilizes the method
Module#public_instance_methods to determine which methods may be
invoked remotely using XML-RPC. A change between different versions
of Ruby caused this method list to unintentionally include methods
that may be used to execute arbitrary Ruby code. This update
addresses the issue by updating the xmlrpc/utils module. This issue
does not affect systems prior to Mac OS X v10.4.
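The distinction the description draws, shown as an added example (not Apple's or the Ruby project's code): a minimal XML-RPC-style dispatcher that enumerates a handler's callable methods with Module#public_instance_methods. With the default inherit=true the list also contains methods inherited from Object/Kernel such as instance_eval and send; passing false restricts it to the handler's own methods. Calculator, dispatch and the helper names are hypothetical.

```ruby
# Added example: why reflecting on public_instance_methods over-exposes a
# handler, and the narrower enumeration that fixes it.
class Calculator
  def add(a, b)
    a + b
  end
end

# Unsafe: reports every public method, including ones inherited from
# Object/Kernel (instance_eval, send, ...) that can run arbitrary Ruby.
def exposed_methods_unsafe(klass)
  klass.public_instance_methods.map(&:to_s)
end

# Hardened: only the methods klass itself defines (inherit = false).
def exposed_methods_safe(klass)
  klass.public_instance_methods(false).map(&:to_s)
end

# Dispatch a remote call only if the name is in the exposed list;
# anything else is rejected before it reaches the handler.
def dispatch(handler, exposed, name, *args)
  unless exposed.include?(name)
    raise NoMethodError, "method #{name} is not exposed over XML-RPC"
  end
  handler.public_send(name, *args)
end

if __FILE__ == $0
  puts exposed_methods_unsafe(Calculator).include?("instance_eval")       # true
  puts exposed_methods_safe(Calculator).inspect                            # ["add"]
  puts dispatch(Calculator.new, exposed_methods_safe(Calculator), "add", 2, 3) # 5
end
```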

Safari
CVE-ID: CAN-2005-2524
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: Maliciously crafted web archives could potentially allow
cross-site scripting.
Description: Safari can display web archives served from remote
sites. A maliciously crafted web archive may be rendered as content
from a site that did not serve it. This update prevents
remote web archives from being loaded. Safari web archives were
introduced in Safari 2.0. This issue was resolved in Mac OS X v10.4.2
by Security Update 2005-007.

SecurityAgent
CVE-ID: CAN-2005-2742
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: A user with physical access to the system may be able to
bypass the "Require password to wake this computer from sleep or
screen saver" setting.
Description: Under certain situations, the "Switch User..." button
may appear even though the "Enable fast user switching" setting is
disabled. This could cause the currently logged-in user's desktop to
be displayed without authentication. This update prevents the "Switch
User..." button from appearing when inappropriate. This issue does
not affect systems prior to Mac OS X v10.4. Credit to Luke Fowler of
the Indiana University Global Research Network Operations Center for
reporting this issue.

securityd
CVE-ID: CAN-2005-2741
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.2, Mac OS X Server v10.4.2
Impact: Malicious users may grant themselves rights to manipulate
arbitrary files or perform other privileged actions.
Description: Authorization Services allows unprivileged users to
grant certain rights that should be restricted to administrators,
which may lead to privilege escalation. This update addresses the
issue by adding restrictions to which rights unprivileged users can
grant themselves.

Also included in this update are enhancements to LoginWindow for
improved interaction with Parental Controls (Mac OS X v10.3.9),
X509Anchors to include the Wells Fargo root certificate (Mac OS X
v10.3.9), and Safe Download Validation to include Web Archives (Mac
OS X v10.4.2).

Security Update 2005-008 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.2 and Mac OS X Server v10.4.2
The download file is named:  "SecUpd2005-008Ti.dmg"
Its SHA-1 digest is:  9284ab3e3ed19761b74edb1afffba052f606c993

For Mac OS X v10.3.9 and Mac OS X Server v10.3.9
The download file is named:  "SecUpd2005-008Pan.dmg"
Its SHA-1 digest is:  65f4dde09ee46fb9e1d58259f4085d90f420fae0
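A check of a downloaded disk image against the digests above, as an added example (not Apple's or AusCERT's code): the digest table is copied from the bulletin, the file is hashed in chunks, and the result is compared to the published value. The function names are hypothetical.

```ruby
# Added example: verify a Security Update 2005-008 download by SHA-1.
require "digest/sha1"

# Digests as published in the bulletin, keyed by download file name.
EXPECTED_DIGESTS = {
  "SecUpd2005-008Ti.dmg"  => "9284ab3e3ed19761b74edb1afffba052f606c993",
  "SecUpd2005-008Pan.dmg" => "65f4dde09ee46fb9e1d58259f4085d90f420fae0",
}.freeze

# Hash the file in 1 MiB chunks so a large disk image is not read into memory.
def sha1_of_file(path)
  digest = Digest::SHA1.new
  File.open(path, "rb") do |f|
    while (chunk = f.read(1 << 20))
      digest.update(chunk)
    end
  end
  digest.hexdigest
end

# Case-insensitive comparison of two hex digests.
def digests_match?(actual, expected)
  actual.downcase == expected.downcase
end

# True only if the file name is one of the published images and its
# digest matches; an unknown name or a mismatch both return false.
def verify_update(path)
  expected = EXPECTED_DIGESTS[File.basename(path)]
  return false if expected.nil?
  digests_match?(sha1_of_file(path), expected)
end

if __FILE__ == $0 && ARGV[0]
  puts(verify_update(ARGV[0]) ? "digest OK" : "digest MISMATCH or unknown file")
end
```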

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.2 (Build 2425)

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----