Apple Mega Patch Covers 88 Mac OS X Vulnerabilities
Apple today released one of its biggest Mac OS X security updates in recent memory, covering a whopping 88 documented vulnerabilities.
The Mac OS X v10.6.3 update, which is considered “critical,” covers flaws that could lead to remote code execution, information disclosure and denial-of-service attacks.
Security Update 2010-002 / Mac OS X v10.6.3 is now available and addresses the following:
AppKit
CVE-ID: CVE-2010-0056
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Spell checking a maliciously crafted document may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in the spell checking feature
used by Cocoa applications. Spell checking a maliciously crafted
document may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through improved
bounds checking. This issue does not affect Mac OS X v10.6 systems.
Credit: Apple.
Application Firewall
CVE-ID: CVE-2009-2801
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Certain rules in the Application Firewall may become
inactive after restart
Description: A timing issue in the Application Firewall may cause
certain rules to become inactive after reboot. The issue is addressed
through improved handling of Firewall rules. This issue does not
affect Mac OS X v10.6 systems. Credit to Michael Kisor of
OrganicOrb.com for reporting this issue.
AFP Server
CVE-ID: CVE-2010-0057
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: When guest access is disabled, a remote user may be able to
mount AFP shares as a guest
Description: An access control issue in AFP Server may allow a
remote user to mount AFP shares as a guest, even if guest access is
disabled. This issue is addressed through improved access control
checks. Credit: Apple.
AFP Server
CVE-ID: CVE-2010-0533
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A remote user with guest access to an AFP share may access
the contents of world-readable files outside the Public share
Description: A directory traversal issue exists in the path
validation for AFP shares. A remote user may enumerate the parent
directory of the share root, and read or write files within that
directory that are accessible to the ‘nobody’ user. This issue is
addressed through improved handling of file paths. Credit to Patrik
Karlsson of cqure.net for reporting this issue.
Apache
CVE-ID: CVE-2009-3095
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A remote attacker may be able to bypass access control
restrictions
Description: An input validation issue exists in Apache’s handling
of proxied FTP requests. A remote attacker with the ability to issue
requests through the proxy may be able to bypass access control
restrictions specified in the Apache configuration. This issue is
addressed by updating Apache to version 2.2.14.
ClamAV
CVE-ID: CVE-2010-0058
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: ClamAV virus definitions may not receive updates
Description: A configuration issue introduced in Security Update
2009-005 prevents freshclam from running. This may prevent virus
definitions from being updated. This issue is addressed by updating
freshclam’s launchd plist ProgramArguments key values. This issue
does not affect Mac OS X v10.6 systems. Credit to Bayard Bell, Wil
Shipley of Delicious Monster, and David Ferrero of Zion Software, LLC
for reporting this issue.
CoreAudio
CVE-ID: CVE-2010-0059
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: Playing maliciously crafted audio content may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of
QDM2 encoded audio content. Playing maliciously crafted audio content
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved bounds checking.
Credit to an anonymous researcher working with TippingPoint’s Zero
Day Initiative for reporting this issue.
CoreAudio
CVE-ID: CVE-2010-0060
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: Playing maliciously crafted audio content may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of
QDMC encoded audio content. Playing maliciously crafted audio content
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved bounds checking.
Credit to an anonymous researcher working with TippingPoint’s Zero
Day Initiative for reporting this issue.
CoreMedia
CVE-ID: CVE-2010-0062
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in CoreMedia’s handling
of H.263 encoded movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue is addressed by performing additional
validation of H.263 encoded movie files. Credit to Damian Put working
with TippingPoint’s Zero Day Initiative for reporting this issue.
CoreTypes
CVE-ID: CVE-2010-0063
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Users are not warned before opening certain potentially
unsafe content types
Description: This update adds .ibplugin and .url to the system’s
list of content types that will be flagged as potentially unsafe
under certain circumstances, such as when they are downloaded from a
web page. While these content types are not automatically launched,
if manually opened they could lead to the execution of a malicious
JavaScript payload or arbitrary code execution. This update improves
the system’s ability to notify users before handling content types
used by Safari. Credit to Clint Ruoho of Laconic Security for
reporting this issue.
CUPS
CVE-ID: CVE-2010-0393
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A local user may be able to obtain system privileges
Description: A format string issue exists in the lppasswd CUPS
utility. This may allow a local user to obtain system privileges. Mac
OS X v10.6 systems are only affected if the setuid bit has been set
on the binary. This issue is addressed by using default directories
when running as a setuid process. Credit to Ronald Volgers for
reporting this issue.
curl
CVE-ID: CVE-2009-2417
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A man-in-the-middle attacker may be able to impersonate a
trusted server
Description: A canonicalization issue exists in curl’s handling of
NULL characters in the subject’s Common Name (CN) field of X.509
certificates. This may lead to man-in-the-middle attacks against
users of the curl command line tool, or applications using libcurl.
This issue is addressed through improved handling of NULL characters.
curl
CVE-ID: CVE-2009-0037
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Using curl with -L may allow a remote attacker to read or
write local files
Description: curl will follow HTTP and HTTPS redirects when used
with the -L option. When curl follows a redirect, it allows file://
URLs. This may allow a remote attacker to access local files. This
issue is addressed through improved validation of redirects. This
issue does not affect Mac OS X v10.6 systems. Credit to Daniel
Stenberg of Haxx AB for reporting this issue.
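The curl -L issue above comes down to one missing decision: before a redirect is followed, the resolved target's scheme has to be vetted. The block below is an added illustration, not curl's code or Apple's fix; it resolves a Location header the way a client would, allows only http and https, caps the chain length, and walks constructed (not captured) redirect chains to show each outcome.

```python
from urllib.parse import urljoin, urlsplit

# Only network schemes may be reached by following a redirect; file:// and
# any other local-access scheme is refused.
ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def next_location(current_url, location):
    """Resolve a Location header against the current URL and vet its scheme.

    Returns (target_url, None) when the redirect is acceptable, or
    (None, reason) when it must not be followed.
    """
    # Relative Locations ("/v2/start") resolve against the current URL;
    # absolute ones with a different scheme are returned unchanged by urljoin,
    # which is exactly why the scheme must be checked after resolution.
    target = urljoin(current_url, location)
    scheme = urlsplit(target).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None, f"refused redirect to {scheme!r} URL: {target}"
    return target, None


def follow(start_url, responses):
    """Walk a redirect chain the way a -L style client would.

    `responses` is a constructed table mapping URL -> (status, location)
    standing in for real HTTP responses. Returns (final_url, None) on
    success or (None, reason) when the chain is refused or too long.
    """
    url = start_url
    for _ in range(MAX_REDIRECTS + 1):
        status, location = responses[url]
        if status not in REDIRECT_STATUSES or location is None:
            return url, None
        url, reason = next_location(url, location)
        if url is None:
            return None, reason
    return None, f"more than {MAX_REDIRECTS} redirects from {start_url}"


# Constructed chains (hostnames under the reserved .test TLD, not real sites).
CHAIN_OK = {
    "http://www.example.test/start": (302, "/v2/start"),
    "http://www.example.test/v2/start": (301, "https://www.example.test/v2/start"),
    "https://www.example.test/v2/start": (200, None),
}
CHAIN_LOCAL_FILE = {
    "http://www.example.test/leak": (302, "file:///tmp/constructed-local-file.txt"),
}
CHAIN_LOOP = {
    "http://www.example.test/a": (302, "/b"),
    "http://www.example.test/b": (302, "/a"),
}

if __name__ == "__main__":
    for name, chain in (("ok", CHAIN_OK), ("local-file", CHAIN_LOCAL_FILE), ("loop", CHAIN_LOOP)):
        print(name, follow(next(iter(chain)), chain))
```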
Cyrus IMAP
CVE-ID: CVE-2009-2632
Available for: Mac OS X Server v10.5.8
Impact: A local user may be able to obtain the privileges of the
Cyrus user
Description: A buffer overflow exists in the handling of sieve
scripts. By running a maliciously crafted sieve script, a local user
may be able to obtain the privileges of the Cyrus user. This issue is
addressed through improved bounds checking. This issue does not
affect Mac OS X v10.6 systems.
Cyrus SASL
CVE-ID: CVE-2009-0688
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: An unauthenticated remote attacker may cause unexpected
application termination or arbitrary code execution
Description: A buffer overflow exists in the Cyrus SASL
authentication module. Using Cyrus SASL authentication may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. This issue does
not affect Mac OS X v10.6 systems.
DesktopServices
CVE-ID: CVE-2010-0064
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: Items copied in the Finder may be assigned an unexpected
file owner
Description: When performing an authenticated copy in the Finder,
original file ownership may be unexpectedly copied. This update
addresses the issue by ensuring that copied files are owned by the
user performing the copy. This issue does not affect systems prior to
Mac OS X v10.6. Credit to Gerrit DeWitt of Auburn University (Auburn,
AL) for reporting this issue.
DesktopServices
CVE-ID: CVE-2010-0537
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: A remote attacker may gain access to user data via a multi-stage attack
Description: A path resolution issue in DesktopServices is
vulnerable to a multi-stage attack. A remote attacker must first
entice the user to mount an arbitrarily named share, which may be
done via a URL scheme. When saving a file using the default save
panel in any application, and using “Go to folder” or dragging
folders to the save panel, the data may be unexpectedly saved to the
malicious share. This issue is addressed through improved path
resolution. This issue does not affect systems prior to Mac OS X
v10.6. Credit to Sidney San Martin working with DeepTech, Inc. for
reporting this issue.
Disk Images
CVE-ID: CVE-2010-0065
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Mounting a maliciously crafted disk image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of
bzip2 compressed disk images. Mounting a maliciously crafted disk
image may lead to an unexpected application termination or arbitrary
code execution. This issue is addressed through improved bounds
checking. Credit: Apple.
Disk Images
CVE-ID: CVE-2010-0497
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Mounting a maliciously crafted disk image may lead to
arbitrary code execution
Description: A design issue exists in the handling of internet
enabled disk images. Mounting an internet enabled disk image
containing a package file type will open it rather than revealing it
in the Finder. This file quarantine feature helps to mitigate this
issue by providing a warning dialog for unsafe file types. This issue
is addressed through improved handling of package file types on
internet enabled disk images. Credit to Brian Mastenbrook working
with TippingPoint’s Zero Day Initiative for reporting this issue.
Directory Services
CVE-ID: CVE-2010-0498
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A local user may obtain system privileges
Description: An authorization issue in Directory Services’ handling
of record names may allow a local user to obtain system privileges.
This issue is addressed through improved authorization checks.
Credit: Apple.
Dovecot
CVE-ID: CVE-2010-0535
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: An authenticated user may be able to send and receive mail
even if the user is not on the SACL of users who are permitted to do
so
Description: An access control issue exists in Dovecot when Kerberos
authentication is enabled. This may allow an authenticated user to
send and receive mail even if the user is not on the service access
control list (SACL) of users who are permitted to do so. This issue
is addressed through improved access control checks. This issue does
not affect systems prior to Mac OS X v10.6.
Event Monitor
CVE-ID: CVE-2010-0500
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A remote attacker may cause arbitrary systems to be added to
the firewall blacklist
Description: A reverse DNS lookup is performed on remote ssh clients
that fail to authenticate. A plist injection issue exists in the
handling of resolved DNS names. This may allow a remote attacker to
cause arbitrary systems to be added to the firewall blacklist. This
issue is addressed by properly escaping resolved DNS names. Credit:
Apple.
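The Event Monitor entry is a textbook injection: an untrusted reverse-DNS name is pasted into a property list, so a name carrying plist markup can add entries the resolver never returned. The block below is an added illustration (not Apple's code or fix) contrasting a string-formatted plist with one built by Python's plistlib, which escapes the markup, plus a hostname syntax check a consumer can use to flag such entries; the resolved names are constructed samples.

```python
import plistlib
import re

# Constructed sample data: the second entry is a reverse-DNS name carrying
# plist markup, standing in for the untrusted PTR data the advisory describes.
RESOLVED_NAMES = [
    "badclient.example.net",
    "attacker.example</string><string>10.0.0.1",
]

# RFC 1123 label: letters, digits and hyphens, 1-63 chars, no leading or
# trailing hyphen. A full name is dot-separated labels, at most 253 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name):
    """True only for a syntactically valid hostname."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def suspicious_entries(names):
    """Names that fail the syntax check and deserve logging rather than trust."""
    return [n for n in names if not is_valid_hostname(n)]


def build_blacklist_unsafe(hosts):
    """Vulnerable pattern: untrusted names concatenated into XML unescaped."""
    items = "".join(f"<string>{h}</string>" for h in hosts)
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<plist version="1.0"><dict><key>Hosts</key>'
        f"<array>{items}</array></dict></plist>"
    )
    return xml.encode("utf-8")


def build_blacklist_safe(hosts):
    """Hardened pattern: plistlib serializes and escapes <, > and & for us."""
    return plistlib.dumps({"Hosts": list(hosts)})


def load_hosts(data):
    """Read the list back the way a consumer of the plist would."""
    return list(plistlib.loads(data)["Hosts"])


if __name__ == "__main__":
    # The unsafe build yields three entries, one of which no resolver returned.
    print("unsafe:    ", load_hosts(build_blacklist_unsafe(RESOLVED_NAMES)))
    # The safe build keeps exactly the two names, markup preserved as text.
    print("safe:      ", load_hosts(build_blacklist_safe(RESOLVED_NAMES)))
    print("suspicious:", suspicious_entries(RESOLVED_NAMES))
```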
FreeRADIUS
CVE-ID: CVE-2010-0524
Available for: Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact: A remote attacker may obtain access to a network via RADIUS
authentication
Description: A certificate authentication issue exists in the
default Mac OS X configuration of the FreeRADIUS server. A remote
attacker may use EAP-TLS with an arbitrary valid certificate to
authenticate and connect to a network configured to use FreeRADIUS
for authentication. This issue is addressed by disabling support for
EAP-TLS in the configuration. RADIUS clients should use EAP-TTLS
instead. This issue only affects Mac OS X Server systems. Credit to
Chris Linstruth of Qnet for reporting this issue.
FTP Server
CVE-ID: CVE-2010-0501
Available for: Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact: Users may be able to retrieve files outside the FTP root
directory
Description: A directory traversal issue exists in FTP Server. This
may allow a user to retrieve files outside the FTP root directory.
This issue is addressed through improved handling of file names. This
issue only affects Mac OS X Server systems. Credit: Apple.
iChat Server
CVE-ID: CVE-2006-1329
Available for: Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact: A remote attacker may be able to cause a denial of service
Description: An implementation issue exists in jabberd’s handling of
SASL negotiation. A remote attacker may be able to terminate the
operation of jabberd. This issue is addressed through improved
handling of SASL negotiation. This issue only affects Mac OS X Server
systems.
iChat Server
CVE-ID: CVE-2010-0502
Available for: Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact: Chat messages may not be logged
Description: A design issue exists in iChat Server’s support for
configurable group chat logging. iChat Server only logs messages with
certain message types. This may allow a remote user to send a message
through the server without it being logged. The issue is addressed by
removing the capability to disable group chat logs, and logging all
messages that are sent through the server. This issue only affects
Mac OS X Server systems. Credit: Apple.
iChat Server
CVE-ID: CVE-2010-0503
Available for: Mac OS X Server v10.5.8
Impact: An authenticated user may be able to cause an unexpected
application termination or arbitrary code execution
Description: A use-after-free issue exists in iChat Server. An
authenticated user may be able to cause an unexpected application
termination or arbitrary code execution. This issue is addressed
through improved memory reference tracking. This issue only affects
Mac OS X Server systems, and does not affect versions 10.6 or later.
iChat Server
CVE-ID: CVE-2010-0504
Available for: Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact: An authenticated user may be able to cause an unexpected
application termination or arbitrary code execution
Description: Multiple stack buffer overflow issues exist in iChat
Server. An authenticated user may be able to cause an unexpected
application termination or arbitrary code execution. These issues are
addressed through improved memory management. These issues only
affect Mac OS X Server systems. Credit: Apple.
ImageIO
CVE-ID: CVE-2010-0505
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted JP2 image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of JP2
images. Viewing a maliciously crafted JP2 image may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. Credit to Chris
Ries of Carnegie Mellon University Computing Services, and researcher
“85319bb6e6ab398b334509c50afce5259d42756e” working with
TippingPoint’s Zero Day Initiative for reporting this issue.
ImageIO
CVE-ID: CVE-2010-0041
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Visiting a maliciously crafted website may result in sending
data from Safari’s memory to the website
Description: An uninitialized memory access issue exists in
ImageIO’s handling of BMP images. Visiting a maliciously crafted
website may result in sending data from Safari’s memory to the
website. This issue is addressed through improved memory
initialization and additional validation of BMP images. Credit to
Matthew ‘j00ru’ Jurczyk of Hispasec for reporting this issue.
ImageIO
CVE-ID: CVE-2010-0042
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Visiting a maliciously crafted website may result in sending
data from Safari’s memory to the website
Description: An uninitialized memory access issue exists in
ImageIO’s handling of TIFF images. Visiting a maliciously crafted
website may result in sending data from Safari’s memory to the
website. This issue is addressed through improved memory
initialization and additional validation of TIFF images. Credit to
Matthew ‘j00ru’ Jurczyk of Hispasec for reporting this issue.
ImageIO
CVE-ID: CVE-2010-0043
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: Processing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of
TIFF images. Processing a maliciously crafted TIFF image may lead to
an unexpected application termination or arbitrary code execution.
This issue is addressed through improved memory handling. This issue
does not affect systems prior to Mac OS X v10.6. Credit to Gus
Mueller of Flying Meat for reporting this issue.
Image RAW
CVE-ID: CVE-2010-0506
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Viewing a maliciously crafted NEF image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in Image RAW’s handling of NEF
images. Viewing a maliciously crafted NEF image may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. This issue does
not affect Mac OS X v10.6 systems. Credit: Apple.
Image RAW
CVE-ID: CVE-2010-0507
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted PEF image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in Image RAW’s handling of PEF
images. Viewing a maliciously crafted PEF image may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. Credit to Chris
Ries of Carnegie Mellon University Computing Services for reporting
this issue.
Libsystem
CVE-ID: CVE-2009-0689
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Applications that convert untrusted data between binary
floating point and text may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A buffer overflow exists in the floating point binary
to text conversion code within Libsystem. An attacker who can cause
an application to convert a floating point value into a long string,
or to parse a maliciously crafted string as a floating point value,
may be able to cause an unexpected application termination or
arbitrary code execution. This issue is addressed through improved
bounds checking. Credit to Maksymilian Arciemowicz of
SecurityReason.com for reporting this issue.
Mail
CVE-ID: CVE-2010-0508
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Rules associated with a deleted mail account remain in
effect
Description: When a mail account is deleted, user-defined filter
rules associated with that account remain active. This may result in
unexpected actions. This issue is addressed by disabling associated
rules when a mail account is deleted.
Mail
CVE-ID: CVE-2010-0525
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Mail may use a weaker encryption key for outgoing email
Description: A logic issue exists in Mail’s handling of encryption
certificates. When multiple certificates for the recipient exist in
the keychain, Mail may select an encryption key that is not intended
for encipherment. This may lead to a security issue if the chosen key
is weaker than expected. This issue is addressed by ensuring that the
key usage extension within certificates is evaluated when selecting a
mail encryption key. Credit to Paul Suh of ps Enable, Inc. for
reporting this issue.
Mailman
CVE-ID: CVE-2008-0564
Available for: Mac OS X Server v10.5.8
Impact: Multiple vulnerabilities in Mailman 2.1.9
Description: Multiple cross-site scripting issues exist in Mailman
2.1.9. These issues are addressed by updating Mailman to version
2.1.13. Further information is available via the Mailman site at
http://mail.python.org/pipermail/mailman-announce/2009-January/000128.html
These issues only affect Mac OS X Server systems, and do not affect
versions 10.6 or later.
MySQL
CVE-ID: CVE-2008-4456, CVE-2008-7247, CVE-2009-2446, CVE-2009-4019,
CVE-2009-4030
Available for: Mac OS X Server v10.6 through v10.6.2
Impact: Multiple vulnerabilities in MySQL 5.0.82
Description: MySQL is updated to version 5.0.88 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. These issues only affect Mac OS X Server systems. Further
information is available via the MySQL web site at
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-88.html
OS Services
CVE-ID: CVE-2010-0509
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A local user may be able to obtain elevated privileges
Description: A privilege escalation issue exists in SFLServer, as it
runs as group ‘wheel’ and accesses files in users’ home directories.
This issue is addressed through improved privilege management. Credit
to Kevin Finisterre of DigitalMunition for reporting this issue.
Password Server
CVE-ID: CVE-2010-0510
Available for: Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact: A remote attacker may be able to log in with an outdated
password
Description: An implementation issue in Password Server’s handling
of replication may cause passwords to not be replicated. A remote
attacker may be able to log in to a system using an outdated
password. This issue is addressed through improved handling of
password replication. This issue only affects Mac OS X Server
systems. Credit to Jack Johnson of Anchorage School District for
reporting this issue.
perl
CVE-ID: CVE-2008-5302, CVE-2008-5303
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: A local user may cause arbitrary files to be deleted
Description: Multiple race condition issues exist in the rmtree
function of the perl module File::Path. A local user with write
access to a directory that is being deleted may cause arbitrary files
to be removed with the privileges of the perl process. This issue is
addressed through improved handling of symbolic links. This issue
does not affect Mac OS X v10.6 systems.
PHP
CVE-ID: CVE-2009-3557, CVE-2009-3558, CVE-2009-3559, CVE-2009-4017
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: Multiple vulnerabilities in PHP 5.3.0
Description: PHP is updated to version 5.3.1 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the PHP website at
PHP
CVE-ID: CVE-2009-3557, CVE-2009-3558, CVE-2009-3559, CVE-2009-4142,
CVE-2009-4143
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Multiple vulnerabilities in PHP 5.2.11
Description: PHP is updated to version 5.2.12 to address multiple
vulnerabilities, the most serious of which may lead to cross-site
scripting. Further information is available via the PHP website at
Podcast Producer
CVE-ID: CVE-2010-0511
Available for: Mac OS X Server v10.6 through v10.6.2
Impact: An unauthorized user may be able to access a Podcast
Composer workflow
Description: When a Podcast Composer workflow is overwritten, the
access restrictions are removed. This may allow an unauthorized user
to access a Podcast Composer workflow. This issue is addressed
through improved handling of workflow access restrictions. Podcast
Composer was introduced in Mac OS X Server v10.6.
Preferences
CVE-ID: CVE-2010-0512
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: A network user may be able to bypass system login
restrictions
Description: An implementation issue exists in the handling of
system login restrictions for network accounts. If the network
accounts allowed to log in to the system at the Login Window are
identified by group membership only, the restriction will not be
enforced, and all network users will be allowed to log in to the
system. The issue is addressed through improved group restriction
management in the Accounts preference pane. This issue only affects
systems configured to use a network account server, and does not
affect systems prior to Mac OS X v10.6. Credit to Christopher D.
Grieb of University of Michigan MSIS for reporting this issue.
PS Normalizer
CVE-ID: CVE-2010-0513
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted PostScript file may lead to an
unexpected application termination or arbitrary code execution
Description: A stack buffer overflow exists in the handling of
PostScript files. Viewing a maliciously crafted PostScript file may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed by performing additional
validation of PostScript files. On Mac OS X v10.6 systems this issue
is mitigated by the -fstack-protector compiler flag. Credit: Apple.
QuickTime
CVE-ID: CVE-2010-0062
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime’s handling
of H.263 encoded movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue is addressed by performing additional
validation of H.263 encoded movie files. Credit to Damian Put working
with TippingPoint’s Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0514
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of H.261
encoded movie files. Viewing a maliciously crafted movie file may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed by performing additional
validation of H.261 encoded movie files. Credit to Will Dormann of
the CERT/CC for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0515
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption in the handling of H.264 encoded
movie files. Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed by performing additional validation of H.264
encoded movie files.
QuickTime
CVE-ID: CVE-2010-0516
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow in the handling of RLE encoded
movie files. Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed by performing additional validation of RLE encoded
movie files. Credit to an anonymous researcher working with
TippingPoint’s Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0517
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow in the handling of M-JPEG
encoded movie files. Viewing a maliciously crafted movie file may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed by performing additional
validation of M-JPEG encoded movie files. Credit to Damian Put
working with TippingPoint’s Zero Day Initiative for reporting this
issue.
QuickTime
CVE-ID: CVE-2010-0518
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of
Sorenson encoded movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue is addressed by performing additional
validation of Sorenson encoded movie files. Credit to Will Dormann of
the CERT/CC for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0519
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow exists in the handling of FlashPix
encoded movie files. Viewing a maliciously crafted movie file may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved bounds checking.
Credit to an anonymous researcher working with TippingPoint’s Zero
Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0520
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of FLC
encoded movie files. Viewing a maliciously crafted movie file may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed by performing additional
validation of FLC encoded movie files. Credit to Moritz Jodeit of
n.runs AG, working with TippingPoint’s Zero Day Initiative, and
Nicolas Joly of VUPEN Security for reporting this issue.
QuickTime
CVE-ID: CVE-2010-0526
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted MPEG file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of MPEG
encoded movie files. Viewing a maliciously crafted movie file may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed by performing additional
validation of MPEG encoded movie files. Credit to an anonymous
researcher working with TippingPoint’s Zero Day Initiative for
reporting this issue.
Ruby
CVE-ID: CVE-2009-2422, CVE-2009-3009, CVE-2009-4214
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Multiple issues in Ruby on Rails
Description: Multiple vulnerabilities exist in Ruby on Rails, the
most serious of which may lead to cross-site scripting. On Mac OS X
v10.6 systems, these issues are addressed by updating Ruby on Rails
to version 2.3.5. Mac OS X v10.5 systems are affected only by
CVE-2009-4214, and this issue is addressed through improved
validation of arguments to strip_tags.
Ruby
CVE-ID: CVE-2009-1904
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Running a Ruby script that uses untrusted input to
initialize a BigDecimal object may lead to an unexpected application
termination
Description: A stack exhaustion issue exists in Ruby’s handling of
BigDecimal objects with very large values. Running a Ruby script that
uses untrusted input to initialize a BigDecimal object may lead to an
unexpected application termination. For Mac OS X v10.6 systems, this
issue is addressed by updating Ruby to version 1.8.7-p173. For Mac OS X
v10.5 systems, this issue is addressed by updating Ruby to version
1.8.6-p369.
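The practical lesson of this entry is that untrusted input should be size-checked before it reaches BigDecimal at all, rather than relying on the library to cope with arbitrarily large values. The following Ruby helper is an added example, not code from Apple's advisory or from Ruby itself; the function names, the literal regex and the limits (max_length, max_digits, max_exponent) are assumptions chosen for illustration.

```ruby
require 'bigdecimal'

# Added example (not Apple's or Ruby's code; names and limits are assumptions):
# accept a decimal literal from untrusted input only when its size is bounded,
# so a caller cannot hand BigDecimal an arbitrarily large value.
DECIMAL_LITERAL = /\A[+-]?(\d+)(?:\.(\d+))?(?:[eE]([+-]?\d+))?\z/

def bounded_bigdecimal(input, max_length: 64, max_digits: 40, max_exponent: 100)
  str = input.to_s.strip
  # Cheapest check first: cap the raw length before any parsing happens.
  raise ArgumentError, "input too long (#{str.length} > #{max_length})" if str.length > max_length

  m = DECIMAL_LITERAL.match(str)
  # Reject anything that is not a plain decimal literal: "Infinity", "NaN",
  # underscores, hex, embedded whitespace or NULs, and so on.
  raise ArgumentError, "not a plain decimal literal: #{str.inspect}" unless m

  int_part, frac_part, exp_part = m[1], m[2], m[3]
  digits = int_part.length + (frac_part ? frac_part.length : 0)
  raise ArgumentError, "too many digits (#{digits} > #{max_digits})" if digits > max_digits

  # A huge exponent is what makes the value itself huge; bound its magnitude.
  if exp_part && exp_part.to_i.abs > max_exponent
    raise ArgumentError, "exponent out of range (|#{exp_part}| > #{max_exponent})"
  end

  BigDecimal(str)
end

# Boolean convenience wrapper for callers that only need accept/reject.
def decimal_accepted?(input, **limits)
  bounded_bigdecimal(input, **limits)
  true
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  puts bounded_bigdecimal("123.45").to_s("F")
  puts decimal_accepted?("1e100000000")   # rejected: exponent out of range
end
```

The regex is linear in the input and the length cap runs before it, so the validator itself cannot be turned into a resource sink; only literals that pass every bound are ever converted.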
Server Admin
CVE-ID: CVE-2010-0521
Available for: Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact: A remote attacker may extract information from Open
Directory
Description: A design issue exists in the handling of authenticated
directory binding. A remote attacker may be able to anonymously
extract information from Open Directory, even if the “Require
authenticated binding between directory and clients” option is
enabled. The issue is addressed by removing this configuration
option. This issue only affects Mac OS X Server systems. Credit to
Scott Gruby of Gruby Solutions, and Mathias Haack of GRAVIS
Computervertriebsgesellschaft mbH for reporting this issue.
Server Admin
CVE-ID: CVE-2010-0522
Available for: Mac OS X Server v10.5.8
Impact: A former administrator may have unauthorized access to
screen sharing
Description: A user who is removed from the ‘admin’ group may still
connect to the server using screen sharing. This issue is addressed
through improved handling of administrator privileges. This issue
only affects Mac OS X Server systems, and does not affect version
10.6 or later. Credit: Apple.
SMB
CVE-ID: CVE-2009-2906
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A remote attacker may be able to cause a denial of service
Description: An infinite loop issue exists in Samba’s handling of
SMB ‘oplock’ break notifications. A remote attacker may be able to
trigger an infinite loop in smbd, causing it to consume excessive CPU
resources. The issue is addressed through improved handling of
‘oplock’ break notifications.
Tomcat
CVE-ID: CVE-2009-0580, CVE-2009-0033, CVE-2009-0783, CVE-2008-5515,
CVE-2009-0781, CVE-2009-2901, CVE-2009-2902, CVE-2009-2693
Available for: Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact: Multiple vulnerabilities in Tomcat 6.0.18
Description: Tomcat is updated to version 6.0.24 to address multiple
vulnerabilities, the most serious of which may lead to a cross site
scripting attack. Tomcat is only provided on Mac OS X Server systems.
Further information is available via the Tomcat site at
unzip
CVE-ID: CVE-2008-0888
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Extracting maliciously crafted zip files using the unzip
command tool may lead to an unexpected application termination or
code execution
Description: An uninitialized pointer issue exists in the handling
of zip files. Extracting maliciously crafted zip files using the
unzip command tool may lead to an unexpected application termination
or arbitrary code execution. This issue is addressed by performing
additional validation of zip files. This issue does not affect Mac OS
X v10.6 systems.
vim
CVE-ID: CVE-2008-2712, CVE-2008-4101, CVE-2009-0316
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Multiple vulnerabilities in vim 7.0
Description: Multiple vulnerabilities exist in vim 7.0, the most
serious of which may lead to arbitrary code execution when working
with maliciously crafted files. These issues are addressed by
updating to vim 7.2.102. These issues do not affect Mac OS X v10.6
systems. Further information is available via the vim website at
Wiki Server
CVE-ID: CVE-2010-0523
Available for: Mac OS X Server v10.5.8
Impact: Uploading a maliciously crafted applet may lead to the
disclosure of sensitive information
Description: Wiki Server allows users to upload active content such
as Java applets. A remote attacker may obtain sensitive information
by uploading a maliciously crafted applet and directing a Wiki Server
user to view it. The issue is addressed by restricting the file types
that may be uploaded to the Wiki Server. This issue only affects Mac
OS X Server systems, and does not affect versions 10.6 or later.
Wiki Server
CVE-ID: CVE-2010-0534
Available for: Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact: An authenticated user may bypass weblog creation
restrictions
Description: Wiki Server supports service access control lists
(SACLs), allowing an administrator to control the publication of
content. Wiki Server fails to consult the weblog SACL during the
creation of a user’s weblog. This may allow an authenticated user to
publish content to the Wiki Server, even though publication should be
disallowed by the service ACL. This issue does not affect systems
prior to Mac OS X v10.6.
X11
CVE-ID: CVE-2009-2042
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted image may lead to the
disclosure of sensitive information
Description: libpng is updated to version 1.2.37 to address an issue
that may result in the disclosure of sensitive information. Further
information is available via the libpng site at
http://www.libpng.org/pub/png/libpng.html
X11
CVE-ID: CVE-2003-0063
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Displaying maliciously crafted data within an xterm terminal
may lead to arbitrary code execution
Description: The xterm program supports a command sequence to change
the window title, and to print the window title to the terminal. The
information returned is provided to the terminal as though it were
keyboard input from the user. Within an xterm terminal, displaying
maliciously crafted data containing such sequences may result in
command injection. The issue is addressed by disabling the affected
command sequence.
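The mechanism described above (data shown in a terminal being interpreted as control sequences, with the title report coming back as though typed) is why untrusted text such as log lines or file names should be neutralised before it is written to a terminal. The Ruby helper below is an added example, not Apple's or xterm's code; the function names are hypothetical, the sample log line is constructed, and the detector matches xterm's documented title-set (OSC 0/1/2) and title-report (CSI 21 t) sequences.

```ruby
# Added example (not Apple's or xterm's code; helper names are hypothetical):
# strip terminal control sequences from untrusted text before writing it to a
# terminal, and flag text that carries xterm's title-set / title-report
# sequences so such data can be logged and investigated instead of displayed.

# ESC ] ... BEL  or  ESC ] ... ESC \   (OSC: operating-system commands, e.g. set title)
OSC_SEQ = /\e\][^\a\e]*(?:\a|\e\\)/
# ESC [ params intermediates final   (CSI: cursor movement, colours, window ops)
CSI_SEQ = /\e\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]/
# Any other two-byte ESC sequence, including an OSC left without its terminator
OTHER_ESC = /\e[\x40-\x5f]/
# Remaining C0 control bytes and DEL; tab, newline and carriage return are kept
C0_CONTROL = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/

def sanitize_for_terminal(text)
  text.scrub                 # replace invalid byte sequences so gsub cannot raise
      .gsub(OSC_SEQ, '')
      .gsub(CSI_SEQ, '')
      .gsub(OTHER_ESC, '')
      .gsub(C0_CONTROL, '')
end

TITLE_SET    = /\e\][012];/   # OSC 0/1/2: set icon name and/or window title
TITLE_REPORT = /\e\[21t/      # CSI 21 t: ask xterm to echo the title back as input

# Detection: true when the text carries either half of the title round-trip.
def title_sequence?(text)
  text = text.scrub
  text.match?(TITLE_SET) || text.match?(TITLE_REPORT)
end

# Constructed sample: a web-server log line whose request path carries a
# title-set sequence, a title-report request and ordinary colour codes.
UNTRUSTED_LOG_LINE = "GET /index.html 200 \e]0;example-title\a\e[21t\e[31mred\e[0m done\n"

if __FILE__ == $PROGRAM_NAME
  puts "title sequence present: #{title_sequence?(UNTRUSTED_LOG_LINE)}"
  print sanitize_for_terminal(UNTRUSTED_LOG_LINE)
end
```

The three gsub passes run in order for a reason: OSC bodies may contain the ESC-backslash terminator, so they are removed before CSI and bare ESC pairs are; whatever ESC bytes survive are dropped by the final C0 pass, so no escape sequence prefix reaches the terminal. Colour codes are stripped along with everything else, which is the safe default when the source of the text is not trusted.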
xar
CVE-ID: CVE-2010-0055
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: A modified package may appear as validly signed
Description: A design issue exists in xar when validating a package
signature. This may allow a modified package to appear as validly
signed. This issue is fixed through improved package signature
validation. This issue does not affect Mac OS X v10.6 systems.
Credit: Apple.
Security Update 2010-002 / Mac OS X v10.6.3 may be obtained from
the Software Update pane in System Preferences, or Apple’s Software
Downloads web site:
http://www.apple.com/support/downloads/
In some scenarios, a malicious hacker could take complete control of a Mac-powered machine if a user simply views a malicious image or movie file.
The update covers critical vulnerabilities in AppKit, QuickTime, CoreMedia, CoreTypes, DiskImages, ImageIO and Image RAW.
It also covers holes in several open-source components, including Apache, ClamAV, MySQL and PHP.
Here’s the full list of the patched vulnerabilities.