-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.0536
                Security Update 2010-004 / Mac OS X v10.6.4
                               16 June 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mac OS X
Publisher:         Apple
Operating System:  Mac OS X
Impact/Access:     Denial of Service               -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote/Unauthenticated      
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Create Arbitrary Files          -- Remote with User Interaction
                   Read-only Data Access           -- Existing Account            
                   Reduced Security                -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-1748 CVE-2010-1411 CVE-2010-1382
                   CVE-2010-1381 CVE-2010-1380 CVE-2010-1379
                   CVE-2010-1377 CVE-2010-1376 CVE-2010-1375
                   CVE-2010-1374 CVE-2010-1373 CVE-2010-1320
                   CVE-2010-0734 CVE-2010-0546 CVE-2010-0545
                   CVE-2010-0543 CVE-2010-0541 CVE-2010-0540
                   CVE-2010-0302 CVE-2010-0283 CVE-2010-0187
                   CVE-2010-0186 CVE-2009-4212 CVE-2009-2964
                   CVE-2009-1581 CVE-2009-1580 CVE-2009-1579
                   CVE-2009-1578  

Reference:         ASB-2010.0149
                   ESB-2010.0386
                   ESB-2010.0263
                   ESB-2010.0164
                   ESB-2010.0159.2
                   ESB-2010.0150
                   ESB-2009.0467

Original Bulletin: 
   http://support.apple.com/kb/HT4188

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2010-06-15-1 Security Update 2010-004 / Mac OS X v10.6.4

Security Update 2010-004 / Mac OS X v10.6.4 is now available and
addresses the following:

CUPS
CVE-ID:  CVE-2010-0540
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  Visiting a maliciously crafted website while logged into the
CUPS web interface as an administrator may allow CUPS settings to be
changed
Description:  A cross-site request forgery issue exists in the CUPS
web interface. Visiting a maliciously crafted website while logged
into the CUPS web interface as an administrator may allow CUPS
settings to be changed. This issue is addressed by requiring web form
submissions to include a randomized session token. Credit to Adrian
'pagvac' Pastor of GNUCITIZEN, and Tim Starling for reporting this
issue.
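The fix described above, a randomized per-session token that every form submission must carry, as an added Ruby example (not CUPS's own code; the CsrfGuard class, its in-memory session store and the handle_settings_post handler are assumptions made for illustration):

```ruby
require 'securerandom'

# Per-session anti-CSRF tokens: every administrative form carries a random
# token bound to the session, and a submission without the matching token
# is rejected. A page on another origin cannot read the token, so it cannot
# forge a valid submission. (Assumed class; not from CUPS.)
class CsrfGuard
  TOKEN_BYTES = 16

  def initialize
    @tokens = {} # session id => token (in-memory store, assumption for the example)
  end

  # Called when rendering a form: returns the token to embed as a hidden field.
  def issue(session_id)
    @tokens[session_id] ||= SecureRandom.hex(TOKEN_BYTES)
  end

  # Called on form submission: true only if the submitted token equals the
  # session's token. The comparison is constant-time so timing leaks nothing.
  def valid?(session_id, submitted)
    expected = @tokens[session_id]
    return false if expected.nil? || submitted.nil?
    constant_time_equal?(expected, submitted.to_s)
  end

  # Hidden input to place inside each administrative form.
  def hidden_field(session_id)
    %(<input type="hidden" name="csrf_token" value="#{issue(session_id)}">)
  end

  private

  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Simulated settings handler: a POST that changes settings is honoured only
# when it carries the session's token. Returns [status, message].
def handle_settings_post(guard, session_id, params)
  unless guard.valid?(session_id, params["csrf_token"])
    return [403, "forbidden: missing or invalid csrf token"]
  end
  [200, "settings updated"]
end
```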

CUPS
CVE-ID:  CVE-2010-0302
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  A remote attacker may cause an unexpected application
termination of cupsd
Description:  A use after free issue exists in cupsd. By issuing a
maliciously crafted get-printer-jobs request, an attacker may cause a
remote denial of service. This is mitigated through the automatic
restart of cupsd after its termination. This issue is addressed
through improved connection use tracking. Credit to Tim Waugh for
reporting this issue.

CUPS
CVE-ID:  CVE-2010-1748
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  An attacker with access to the CUPS web interface may be
able to read a limited amount of memory from the cupsd process
Description:  An uninitialized memory read issue exists in the CUPS
web interface's handling of form variables. An attacker with access
to the CUPS web interface may be able to read a limited amount of
memory from the cupsd process. By default, only local users may
access the web interface. Remote users may access it as well when
Printer Sharing is enabled. This issue is addressed through improved
handling of form variables. Credit to Luca Carettoni for reporting
this issue.

DesktopServices
CVE-ID:  CVE-2010-0545
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  A Finder operation may result in files or folders with
unexpected permissions
Description:  When "Apply to enclosed items..." is selected in the
"Get Info" window in the Finder, the ownership of the enclosed items
is not changed. This may cause the enclosed files and folders to have
unexpected permissions. This issue is addressed by applying the
correct ownership. Credit to Michi Ruepp of pianobakery.com for
reporting this issue.

Flash Player plug-in
CVE-ID:  CVE-2010-0186, CVE-2010-0187
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  Multiple vulnerabilities in Adobe Flash Player plug-in
Description:  Multiple issues exist in the Adobe Flash Player plug-in,
the most serious of which may lead to unauthorized cross-domain
requests. The issues are addressed by updating the Flash Player plug-in
to version 10.0.45.2. Further information is available via the
Adobe web site at http://www.adobe.com/support/security/

Folder Manager
CVE-ID:  CVE-2010-0546
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  Unmounting a maliciously crafted disk image or remote share
may lead to data loss
Description:  A symlink following issue exists in Folder Manager. A
folder named "Cleanup At Startup" is removed upon unmount. A
maliciously crafted volume may use a symlink to cause the deletion of
an arbitrary folder with the permissions of the current user. This
issue is addressed through improved handling of symlinks. Credit:
Apple.
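An added Ruby example, not Apple's Folder Manager code, of doing the unmount-time removal without following symlinks: the folder name comes from the text above, while remove_without_following, cleanup_at_unmount and the constructed temporary volume are assumptions made for the demonstration.

```ruby
require 'tmpdir'

CLEANUP_NAME = "Cleanup At Startup"

# Delete a tree without ever following a symbolic link: lstat inspects the
# entry itself, a link is unlinked in place, and only real directories recurse.
def remove_without_following(path)
  st = File.lstat(path)
  if st.symlink?
    File.unlink(path)
  elsif st.directory?
    Dir.each_child(path) { |child| remove_without_following(File.join(path, child)) }
    Dir.rmdir(path)
  else
    File.unlink(path)
  end
end

# The unmount-time cleanup, done safely. A volume whose "Cleanup At Startup"
# entry is a symlink only loses the link itself; whatever it points at survives.
def cleanup_at_unmount(volume_root)
  target = File.join(volume_root, CLEANUP_NAME)
  if File.symlink?(target)
    File.unlink(target)
    return :refused_symlink
  end
  return :absent unless File.exist?(target)
  remove_without_following(target)
  :removed
end

# Constructed scenario (assumption, not a real volume): first the cleanup
# entry is a link to a folder the user owns elsewhere, then it is a real
# folder that contains such a link. Both times the user's folder must remain.
def demo_crafted_volume
  Dir.mktmpdir do |tmp|
    victim = File.join(tmp, "Documents")
    Dir.mkdir(victim)
    File.write(File.join(victim, "thesis.txt"), "irreplaceable")
    vol = File.join(tmp, "CraftedVolume")
    Dir.mkdir(vol)
    File.symlink(victim, File.join(vol, CLEANUP_NAME))
    first = cleanup_at_unmount(vol)

    real = File.join(vol, CLEANUP_NAME)
    Dir.mkdir(real)
    File.write(File.join(real, "scratch.tmp"), "junk")
    File.symlink(victim, File.join(real, "docs"))
    second = cleanup_at_unmount(vol)

    { first: first, second: second,
      victim_intact: File.exist?(File.join(victim, "thesis.txt")),
      cleanup_gone: !File.exist?(real) && !File.symlink?(real) }
  end
end

puts demo_crafted_volume.inspect if __FILE__ == $0
```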

Help Viewer
CVE-ID:  CVE-2010-1373
Available for:  Mac OS X v10.6 through v10.6.3,
Mac OS X Server v10.6 through v10.6.3
Impact:  Visiting a maliciously crafted website may lead to the
execution of JavaScript in the local domain
Description:  A cross-site scripting issue exists in Help Viewer's
handling of help: URLs. Visiting a maliciously crafted website may
lead to the execution of JavaScript in the local domain. This may
lead to information disclosure or arbitrary code execution. This
issue is addressed through improved escaping of URL parameters in
HTML content. This issue does not affect systems prior to Mac OS X
v10.6. Credit to Clint Ruoho of Laconic Security for reporting this
issue.

iChat
CVE-ID:  CVE-2010-1374
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  A remote user may upload files to arbitrary locations on the
filesystem of a user currently using AIM in iChat
Description:  A directory traversal issue exists in iChat's handling
of inline image transfers. A remote user may upload files to
arbitrary locations on the filesystem of a user currently using AIM
in iChat. This issue is addressed through improved handling of file
paths. Credit: Apple.

ImageIO
CVE-ID:  CVE-2010-1411
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  Opening a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple integer overflows in the handling of TIFF
files may result in a heap buffer overflow. Opening a maliciously
crafted TIFF file may lead to an unexpected application termination
or arbitrary code execution. The issues are addressed through
improved bounds checking. Credit to Kevin Finisterre of
digitalmunition.com for reporting these issues.

ImageIO
CVE-ID:  CVE-2010-0543
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in the handling of MPEG2
encoded movie files. Viewing a maliciously crafted movie file may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed by performing additional
validation of MPEG2 encoded movie files. For Mac OS X v10.6 systems
this issue is addressed in Mac OS X v10.6.2. Credit: Apple.

Kerberos
CVE-ID:  CVE-2009-4212
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  An unauthenticated remote user may cause an unexpected
termination of the KDC process, or arbitrary code execution
Description:  An integer overflow exists in AES and RC4 decryption
operations of the crypto library in the KDC server. Sending a
maliciously crafted encrypted message to the KDC server may lead to
an unexpected termination of the KDC process, or arbitrary code
execution. This issue is addressed through improved bounds checking.
Credit to the MIT Kerberos Team for reporting this issue.

Kerberos
CVE-ID:  CVE-2010-1320
Available for:  Mac OS X v10.6 through v10.6.3,
Mac OS X Server v10.6 through v10.6.3
Impact:  A remote user may cause an unexpected termination of the KDC
process, or arbitrary code execution
Description:  A double free issue exists in the renewal or validation
of existing tickets in the KDC process. A remote user may cause an
unexpected termination of the KDC process, or arbitrary code
execution. This issue is addressed through improved ticket handling.
This issue does not affect systems prior to Mac OS X v10.6. Credit to
Joel Johnson for reporting this issue to Debian, and Brian Almeida
working with the MIT Kerberos Security Team.

Kerberos
CVE-ID:  CVE-2010-0283
Available for:  Mac OS X v10.6 through v10.6.3,
Mac OS X Server v10.6 through v10.6.3
Impact:  An unauthenticated remote user may cause an unexpected
termination of the KDC process
Description:  A logic issue in the handling of KDC requests may cause
an assertion to be triggered. Sending a maliciously crafted message
to the KDC server, a remote attacker may be able to interrupt the
Kerberos service by triggering an assertion. This issue is addressed
through improved validation of KDC requests. This issue does not
affect systems prior to Mac OS X v10.6. Credit to Emmanuel Bouillon
of NATO C3 Agency working with the MIT Kerberos Security Team for
reporting this issue.

libcurl
CVE-ID:  CVE-2010-0734
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  Using libcurl to download files from a maliciously crafted
website may lead to an unexpected application termination or
arbitrary code execution
Description:  A buffer overflow exists in libcurl's handling of gzip-
compressed web content. When processing compressed content, libcurl
may return an unexpectedly large amount of data to the calling
application. This may lead to an unexpected application termination
or arbitrary code execution. The issue is addressed by ensuring that
the size of data blocks returned to the calling application by
libcurl adheres to documented limits.

Network Authorization
CVE-ID:  CVE-2010-1375
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  A local user may obtain system privileges
Description:  NetAuthSysAgent does not require authorization for
certain operations. This may allow a local user to obtain system
privileges. This issue is addressed by requiring authorization for
additional operations. This issue does not affect Mac OS X v10.6
systems. Credit: Apple.

Network Authorization
CVE-ID:  CVE-2010-1376
Available for:  Mac OS X v10.6 through v10.6.3,
Mac OS X Server v10.6 through v10.6.3
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A format string issue exists in the handling of afp:,
cifs:, and smb: URLs. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution.
This issue is addressed through improved validation of afp:, cifs:,
and smb: URLs. This issue does not affect systems prior to Mac OS X
v10.6. Credit to Ilja van Sprundel of IOActive, and Chris Ries of
Carnegie Mellon University Computing Services for reporting this
issue.

Open Directory
CVE-ID:  CVE-2010-1377
Available for:  Mac OS X v10.6 through v10.6.3,
Mac OS X Server v10.6 through v10.6.3
Impact:  A man-in-the-middle attacker may be able to impersonate a
network account server
Description:  When binding to a network account server via System
Preferences, Open Directory will automatically negotiate an
unprotected connection to the server if it is not possible to connect
to the server with Secure Sockets Layer (SSL). A man-in-the-middle
attacker may be able to impersonate the network account server, which
may lead to arbitrary code execution with system privileges. This
issue is addressed by providing an option to require a secure
connection. This issue does not affect systems prior to Mac OS X
v10.6.

Printer Setup
CVE-ID:  CVE-2010-1379
Available for:  Mac OS X v10.6 through v10.6.3,
Mac OS X Server v10.6 through v10.6.3
Impact:  Network devices may disable printing in certain applications
Description:  A character encoding issue exists in Printer Setup's
handling of nearby printers. If a device on the local network
advertises a printing service with a Unicode character in its service
name, printing may fail in certain applications. The issue is
addressed through improved handling of shared printers. This issue
does not affect systems prior to Mac OS X v10.6. Credit to Filipp
Lepalaan of mcare Oy for reporting this issue.

Printing
CVE-ID:  CVE-2010-1380
Available for:  Mac OS X v10.6 through v10.6.3,
Mac OS X Server v10.6 through v10.6.3
Impact:  A user with access to the printer may cause an unexpected
application termination or arbitrary code execution
Description:  An integer overflow issue exists in the calculation of
page sizes in the cgtexttops CUPS filter. A local or remote user with
access to the printer may cause an unexpected application termination
or arbitrary code execution. This issue is addressed through improved
bounds checking. This issue does not affect systems prior to Mac OS X
v10.6. Credit to regenrecht working with iDefense for reporting this
issue.

Ruby
CVE-ID:  CVE-2010-0541
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  A remote attacker may gain access to accounts served by Ruby
WEBrick
Description:  A cross-site scripting issue exists in the Ruby WEBrick
HTTP server's handling of error pages. Accessing a maliciously
crafted URL in certain web browsers may cause the error page to be
treated as UTF-7, allowing JavaScript injection. The issue is
addressed by setting UTF-8 as the default character set in HTTP error
responses. Credit: Apple.

SMB File Server
CVE-ID:  CVE-2010-1381
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  A remote user may obtain unauthorized access to arbitrary
files
Description:  A configuration issue exists in Apple's distribution of
Samba, the server used for SMB file sharing. Using symbolic links, a
remote user with access to an SMB share may obtain unauthorized
access to arbitrary files. This issue is addressed by disabling
support for wide links in the Samba configuration file.
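A configuration check for the setting the fix above changes, as an added Ruby example (not Apple's or Samba's code): it parses an smb.conf and lists the shares where wide links remain in effect. The sample configuration is constructed, and treating a value that is set nowhere as "not disabled" is an assumption made so that only an explicit setting passes.

```ruby
# Minimal smb.conf parser: section name => {key => value}, keys and values
# lower-cased, comments (# or ;) and blank lines skipped. Assumed helper.
def parse_smb_conf(text)
  sections = Hash.new { |h, k| h[k] = {} }
  current = "global"
  text.each_line do |line|
    l = line.strip
    next if l.empty? || l.start_with?("#", ";")
    if (m = l.match(/\A\[(.+)\]\z/))
      current = m[1].strip.downcase
      sections[current] # create the section even if it has no keys
      next
    end
    key, value = l.split("=", 2)
    next if value.nil?
    sections[current][key.strip.downcase.squeeze(" ")] = value.strip.downcase
  end
  sections
end

TRUE_WORDS = %w[yes true 1 on].freeze

# Shares (excluding [global]) where "wide links" is effectively on: the share's
# own value wins, otherwise the [global] value; a value set nowhere is reported
# too, since the hardening only counts when it is written down.
def shares_with_wide_links(sections)
  global = sections["global"]["wide links"]
  sections.keys.reject { |s| s == "global" }.select do |share|
    value = sections[share].fetch("wide links", global)
    value.nil? || TRUE_WORDS.include?(value)
  end
end

# Constructed sample: one share overrides the global setting, two inherit it.
SAMPLE_SMB_CONF = <<~CONF
  [global]
     workgroup = WORKGROUP
     wide links = yes

  [public]
     path = /srv/public
     wide links = no

  [home]
     path = /Users
     ; inherits the global value

  [scratch]
     path = /srv/scratch
CONF

# The same file with wide links disabled globally, as the fix describes.
HARDENED_SMB_CONF = SAMPLE_SMB_CONF.sub("wide links = yes", "wide links = no")

if __FILE__ == $0
  puts "before: #{shares_with_wide_links(parse_smb_conf(SAMPLE_SMB_CONF)).inspect}"
  puts "after:  #{shares_with_wide_links(parse_smb_conf(HARDENED_SMB_CONF)).inspect}"
end
```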

SquirrelMail
CVE-ID:  CVE-2009-1578, CVE-2009-1579, CVE-2009-1580, CVE-2009-1581,
CVE-2009-2964
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  Multiple vulnerabilities in SquirrelMail
Description:  SquirrelMail is updated to version 1.4.20 to address
several vulnerabilities, the most serious of which is a cross-site
scripting issue. Further information is available via the
SquirrelMail web site at http://www.SquirrelMail.org/

Wiki Server
CVE-ID:  CVE-2010-1382
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.3, Mac OS X Server v10.6 through v10.6.3
Impact:  Viewing maliciously crafted Wiki content may result in a
cross-site scripting attack
Description:  The Wiki Server does not specify an explicit character
set when serving HTML documents in response to user requests. An
attacker with the ability to post or comment on Wiki Server hosted
content may include scripts encoded in an alternate character set.
This may lead to a cross-site scripting attack against users of the
Wiki Server. The issue is addressed by specifying a character set for
the document in HTTP responses.
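The Ruby WEBrick item and the Wiki Server item above share one root cause, HTML served without an explicit character set, and one fix, declaring it. The following added Ruby example (not WEBrick's or Wiki Server's code) audits constructed HTTP responses for that condition and builds a WEBrick-style error page with the charset pinned; parse_headers, html_without_charset?, error_response and the sample responses are assumptions made for the demonstration.

```ruby
require 'cgi'

# Parse the head of a raw HTTP response into [status_line, headers]; header
# names are lower-cased so lookups are case-insensitive.
def parse_headers(raw)
  head = raw.split(/\r?\n\r?\n/, 2).first
  lines = head.lines.map(&:chomp)
  status_line = lines.shift
  headers = lines.each_with_object({}) do |line, h|
    name, value = line.split(":", 2)
    next if value.nil?
    h[name.strip.downcase] = value.strip
  end
  [status_line, headers]
end

# True when the response is HTML and its Content-Type carries no charset,
# the condition both fixes remove: without it the browser is free to guess
# the encoding of the page.
def html_without_charset?(headers)
  type, *params = headers["content-type"].to_s.split(";").map(&:strip)
  return false unless type&.casecmp?("text/html")
  params.none? { |p| p =~ /\Acharset=\S+/i }
end

# A WEBrick-style error page with the charset pinned to UTF-8 and the echoed
# request path HTML-escaped.
def error_response(status, reason, request_uri)
  body = "<html><head><title>#{status} #{reason}</title></head>" \
         "<body><h1>#{reason}</h1><p>#{CGI.escapeHTML(request_uri)}</p></body></html>"
  "HTTP/1.1 #{status} #{reason}\r\n" \
    "Content-Type: text/html; charset=UTF-8\r\n" \
    "Content-Length: #{body.bytesize}\r\n\r\n#{body}"
end

# Constructed responses (assumption), e.g. as captured at a reverse proxy.
SAMPLE_RESPONSES = [
  "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html>...</html>",
  "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n<html>...</html>",
  "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}",
  "HTTP/1.1 500 Internal Server Error\r\nContent-Type: Text/HTML;charset=\r\n\r\n<html>...</html>",
].freeze

# Status lines of the responses that need the fix applied.
def audit_responses(raws)
  raws.map { |raw| parse_headers(raw) }
      .select { |_, headers| html_without_charset?(headers) }
      .map(&:first)
end

puts audit_responses(SAMPLE_RESPONSES) if __FILE__ == $0
```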


Security Update 2010-004 / Mac OS X v10.6.4 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Security Update 2010-004 or Mac OS X v10.6.4.

For Mac OS X v10.6.3
The download file is named: MacOSXUpd10.6.4.dmg
Its SHA-1 digest is: e306451e458701dbbc0268bec87239f5490ec832

For Mac OS X v10.6 - v10.6.2
The download file is named: MacOSXUpdCombo10.6.4.dmg
Its SHA-1 digest is: b7ea3ebe1d0a98dfdc4cb107cb7127f5ac2cdb96

For Mac OS X Server v10.6.3
The download file is named: MacOSXServerUpd10.6.4.dmg
Its SHA-1 digest is: 7688a1a3d77b23ce142038ff295d868e37f79872

For Mac OS X Server v10.6 - v10.6.2
The download file is named: MacOSXServUpdCombo10.6.4.dmg
Its SHA-1 digest is: dd38a7d63a4383e608da99ffcf70e6dc213082b3

For Mac OS X v10.5.8
The download file is named: SecUpd2010-004.dmg
Its SHA-1 digest is: 0555958e44a52a447e4fd67469299f0d35286a8a

For Mac OS X Server v10.5.8
The download file is named: SecUpdSrvr2010-004.dmg
Its SHA-1 digest is: 222d512a8c0de61fcb9d9a130d660bb5a52e6402

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFMF/9m/iFOrG6YcBERAocbAKCgKhJPuSiNJZLpwpMBDn2kPKrC8ACgjGLa
if5HnZNIRzSHadYlDHdOKAw=
=aDg0
-----END PGP SIGNATURE-----