Security-announce
September 2006
- 1 participants
- 3 discussions
APPLE-SA-2006-09-29 Mac OS X v10.4.8 and Security Update 2006-006
by Apple Product Security 29 Sep '06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2006-09-29 Mac OS X v10.4.8 and Security Update 2006-006
Mac OS X v10.4.8 and Security Update 2006-006 are now available and
provide fixes for the following security issues. Mac OS X v10.4.8
also provides additional functionality changes, and information is
available in its release note.
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Mac OS X v10.4.8 or Security Update 2006-006.
CFNetwork
CVE-ID: CVE-2006-4390
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through
Mac OS X Server v10.4.7
Impact: CFNetwork clients such as Safari may allow
unauthenticated SSL sites to appear as authenticated
Description: Connections created using SSL are normally
authenticated and encrypted. When encryption is implemented
without authentication, malicious sites may be able to pose as
trusted sites. In the case of Safari this may lead to the lock
icon being displayed when the identity of a remote site cannot
be trusted. This update addresses the issue by disallowing
anonymous SSL connections by default. Credit to Adam Bryzak of
Queensland University of Technology for reporting this issue.
Flash Player
CVE-ID: CVE-2006-3311, CVE-2006-3587, CVE-2006-3588,
CVE-2006-4640
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through
Mac OS X Server v10.4.7
Impact: Playing Flash content may lead to arbitrary code
execution
Description: Adobe Flash Player contains critical
vulnerabilities that may lead to arbitrary code execution when
handling maliciously-crafted content. This update addresses the
issues by incorporating Flash Player version 9.0.16.0 on Mac OS
X v10.3.9 and Flash Player version 9.0.20.0 on Mac OS X v10.4
systems.
Further information is available via the Adobe web site at:
http://www.adobe.com/support/security/bulletins/apsb06-11.html
ImageIO
CVE-ID: CVE-2006-4391
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X
Server v10.4 through Mac OS X Server v10.4.7
Impact: Viewing a maliciously-crafted JPEG2000 image may lead to
an application crash or arbitrary code execution
Description: By carefully crafting a corrupt JPEG2000 image, an
attacker can trigger a buffer overflow which may lead to an
application crash or arbitrary code execution. This update
addresses the issue by performing additional validation of
JPEG2000 images. This issue does not affect systems prior to Mac
OS X v10.4. Credit to Tom Saxton of Idle Loop Software Design
for reporting this issue.
Kernel
CVE-ID: CVE-2006-4392
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X
Server v10.4 through Mac OS X Server v10.4.7
Impact: Local users may be able to run arbitrary code with
raised privileges
Description: An error handling mechanism in the kernel, known as
Mach exception ports, provides the ability to control programs
when certain types of errors are encountered. Malicious local
users could use this mechanism to execute arbitrary code in
privileged programs if an error is encountered. This update
addresses the issue by restricting access to Mach exception
ports for privileged programs. Credit to Dino Dai Zovi of
Matasano Security for reporting this issue.
LoginWindow
CVE-ID: CVE-2006-4397
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X
Server v10.4 through Mac OS X Server v10.4.7
Impact: After an unsuccessful attempt to log in to a network
account, Kerberos tickets may be accessible to other local users
Description: Due to an unchecked error condition, Kerberos
tickets may not be properly destroyed after unsuccessfully
attempting to log in to a network account via loginwindow. This
could result in unauthorized access by other local users to a
previous user's Kerberos tickets. This update addresses the
issue by clearing the credentials cache after failed logins.
This issue does not affect systems prior to Mac OS X v10.4.
Credit to Patrick Gallagher of Digital Peaks Corporation for
reporting this issue.
LoginWindow
CVE-ID: CVE-2006-4393
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X
Server v10.4 through Mac OS X Server v10.4.7
Impact: Kerberos tickets may be accessible to other local users
if Fast User Switching is enabled
Description: An error in the handling of Fast User Switching may
allow a local user to gain access to the Kerberos tickets of
other local users. Fast User Switching has been updated to
prevent this situation. This issue does not affect systems prior
to Mac OS X v10.4. Credit to Ragnar Sundblad of the Royal
Institute of Technology, Stockholm, Sweden for reporting this
issue.
LoginWindow
CVE-ID: CVE-2006-4394
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X
Server v10.4 through Mac OS X Server v10.4.7
Impact: Network accounts may be able to bypass loginwindow
service access controls
Description: Service access controls can be used to restrict
which users are allowed to log in to a system via loginwindow. A
logic error in loginwindow allows network accounts without GUIDs
to bypass service access controls. This issue only affects
systems that have been configured to use service access controls
for loginwindow and to allow network accounts to authenticate
users without a GUID. The issue has been resolved by properly
handling service access controls in loginwindow. This issue does
not affect systems prior to Mac OS X v10.4.
Preferences
CVE-ID: CVE-2006-4387
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X
Server v10.4 through Mac OS X Server v10.4.7
Impact: After removing an account's Admin privileges, the
account may still manage WebObjects applications
Description: Clearing the "Allow user to administer this
computer" checkbox in System Preferences may fail to remove the
account from the appserveradm or appserverusr groups. These
groups allow an account to manage WebObjects applications. This
update addresses the issue by ensuring the account is removed
from the appropriate groups. This issue does not affect systems
prior to Mac OS X v10.4. Credit to Phillip Tejada of Fruit Bat
Software for reporting this issue.
QuickDraw Manager
CVE-ID: CVE-2006-4395
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through
Mac OS X Server v10.4.7
Impact: Opening a malicious PICT image with certain applications
may lead to an application crash or arbitrary code execution
Description: Certain applications invoke an unsupported
QuickDraw operation to display PICT images. By carefully
crafting a corrupt PICT image, an attacker can trigger memory
corruption in these applications, which may lead to an
application crash or arbitrary code execution. This update
addresses the issue by preventing the unsupported operation.
SASL
CVE-ID: CVE-2006-1721
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through
Mac OS X Server v10.4.7
Impact: Remote attackers may be able to cause an IMAP server
denial of service
Description: An issue in the DIGEST-MD5 negotiation support in
Cyrus SASL can lead to a segmentation fault in the IMAP server
with a maliciously-crafted realm header. This update addresses
the issue through improved handling of realm headers in
authentication attempts.
WebCore
CVE-ID: CVE-2006-3946
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through
Mac OS X Server v10.4.7
Impact: Viewing a maliciously-crafted web page may lead to
arbitrary code execution
Description: A memory management error in WebKit's handling of
certain HTML could allow a malicious web site to cause a crash
or potentially execute arbitrary code as the user viewing the
site. This update addresses the issue by preventing the
condition causing the overflow. Credit to Jens Kutilek of
Netzallee for reporting this issue.
Workgroup Manager
CVE-ID: CVE-2006-4399
Available for: Mac OS X Server v10.4 through Mac OS X Server
v10.4.7
Impact: Accounts in a NetInfo parent that appear to use
ShadowHash passwords may still use crypt
Description: Workgroup Manager appears to allow switching
authentication type from crypt to ShadowHash passwords in a
NetInfo parent, when in actuality it does not. Refreshing the
view of an account in a NetInfo parent will properly indicate
that crypt is still being used. This update addresses the issue
by disallowing administrators from selecting ShadowHash
passwords for accounts in a NetInfo parent. Credit to Chris
Pepper of The Rockefeller University for reporting this issue.
Mac OS X v10.4.8 and Security Update 2006-006 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Mac OS X v10.4.8 or Security Update 2006-006.
For Mac OS X v10.3.9
The download file is named: "SecUpd2006-006Pan.dmg"
Its SHA-1 digest is: fddff89d465bd850bb32573857a1dcc66b415a01
For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2006-006Pan.dmg"
Its SHA-1 digest is: 0be0cb9ef603c6d093d863193aa8c83964c110c3
For Mac OS X v10.4.7 (PowerPC)
The download file is named: "MacOSXUpd10.4.8PPC.dmg"
Its SHA-1 digest is: 982d70a52099297e322ba8e4540ef6d30fa5673a
For Mac OS X v10.4 (PowerPC) through v10.4.6 (PowerPC)
The download file is named: "MacOSXUpdCombo10.4.8PPC.dmg"
Its SHA-1 digest is: dfa38c7d99ba103d4b0460859e03bc8437690bd2
For Mac OS X v10.4.7 (Intel)
The download file is named: "MacOSXUpd10.4.8Intel.dmg"
Its SHA-1 digest is: 540955d0c2c7d4b11a3a6951003f02d6b46e8d2d
For Mac OS X v10.4.4 (Intel) through v10.4.6 (Intel)
The download file is named: "MacOSXUpdCombo10.4.8Intel.dmg"
Its SHA-1 digest is: 46ed3360238415adc1612440dda8f58c1443cb37
For Mac OS X Server v10.4.7 (PowerPC)
The download file is named: "MacOSXServerUpd10.4.8PPC.dmg"
Its SHA-1 digest is: c2e7b6483cc2a873c838aa97e629b07d147aa679
For Mac OS X Server v10.4.7 (Universal)
The download file is named: "MacOSXServerUpd10.4.8Univ.dmg"
Its SHA-1 digest is: fb4abd5d926704f6ed73018189e6ce6e0d8be1fd
For Mac OS X Server v10.4 through v10.4.6 (PowerPC)
The download file is named: "MacOSXSrvrCombo10.4.8PPC.dmg"
Its SHA-1 digest is: c84e2cb0ccf1d71b976026d35266c693d7e71954
Information will also be posted to the Apple Security Updates
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)
iQEVAwUBRRxmrYmzP5/bU5rtAQhhnAf+KYmtVj8SOXUM/tSzJcV8LDm8GezrhU63
/dI60vzR4c/9D6QvCt2sFWaY5JjvYMuzktIHDeqxuvkwvCfXK8WBr/7pMwEVtL79
9KQ/JiBG9FEXb+BxMk9qlFc5Sc6w0X9ZxIE26qYQoXgu0+iEeeskbyTKnmZrOGO6
dm1QJmOH74V8zYonN3MKqAug36nzulu8dUoA1PXgCwFQ55Wdu0YOW/i/IfpURzVj
NDI5tcBprpqxyAx0fkSu4EWdvL9y/FyO/pYpkeJa+FORNXyUD2/XfBwmAw0NvsbX
97z+IBU86ZUT6VJFJk4jvFzrqKIx6gy78i3YnMXLmRj/epS7dWSg8A==
=e06p
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce(a)lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/security-announce/site_archiver%40li…
This email sent to site_archiver(a)lists.apple.com
APPLE-SA-2006-09-21 AirPort Update 2006-001 and Security Update 2006-005
by Apple Product Security 21 Sep '06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2006-09-21 AirPort Update 2006-001 and
Security Update 2006-005
The security fixes described below are available in AirPort Update
2006-001 and Security Update 2006-005. AirPort Update 2006-001
contains an additional non-security fix to address a reliability
issue that occurs on a limited number of MacBook Pro systems.
AirPort
CVE-ID: CVE-2006-3507
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.7, Mac OS X Server v10.4.7
Impact: Attackers on the wireless network may cause arbitrary
code execution
Description: Two separate stack buffer overflows exist in the
AirPort wireless driver's handling of malformed frames. An
attacker in local proximity may be able to trigger an overflow
by injecting a maliciously-crafted frame into a wireless
network. When the AirPort card is on, this could lead to arbitrary
code execution with system privileges. This issue affects Power
Mac, PowerBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac
mini computers equipped with wireless. Intel-based Mac mini,
MacBook, and MacBook Pro computers are not affected. There is no
known exploit for this issue. This update addresses the issues
by performing additional validation of wireless frames.
AirPort
CVE-ID: CVE-2006-3508
Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
Impact: Attackers on the wireless network may cause system
crashes, privilege elevation, or arbitrary code execution
Description: A heap buffer overflow exists in the AirPort
wireless driver's handling of scan cache updates. An attacker in
local proximity may be able to trigger the overflow by injecting
a maliciously-crafted frame into the wireless network. This
could lead to a system crash, privilege elevation, or arbitrary
code execution with system privileges. This issue affects
Intel-based Mac mini, MacBook, and MacBook Pro computers
equipped with wireless. Power Mac, PowerBook, iMac, Mac Pro,
Xserve, and PowerPC-based Mac mini computers are not affected.
This update addresses the issue by performing additional
validation of wireless frames. There is no known exploit for
this issue. This issue does not affect systems prior to Mac OS X
v10.4.
AirPort
CVE-ID: CVE-2006-3509
Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
Impact: Depending upon third-party wireless software in use,
attackers on the wireless network may cause crashes or arbitrary
code execution
Description: An integer overflow exists in the AirPort wireless
driver's API for third-party wireless software. This could lead
to a buffer overflow in such applications dependent upon API
usage. No applications are known to be affected at this time. If
an application is affected, then an attacker in local proximity
may be able to trigger an overflow by injecting a
maliciously-crafted frame into the wireless network. This may
cause crashes or lead to arbitrary code execution with the
privileges of the user running the application. This issue
affects Intel-based Mac mini, MacBook, and MacBook Pro computers
equipped with wireless. Power Mac, PowerBook, iMac, Mac Pro,
Xserve, and PowerPC-based Mac mini computers are not affected.
This update addresses the issues by performing additional
validation of wireless frames. There is no known exploit for
this issue. This issue does not affect systems prior to Mac OS X
v10.4.
AirPort Update 2006-001 and Security Update 2006-005 may be obtained
from the Software Update pane in System Preferences, or Apple's
Software Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies to
your system configuration. Only one is needed, either AirPort Update
2006-001 or Security Update 2006-005.
For Mac OS X v10.4.7 Build 8J2135 or 8J2135a
The download file is named: "AirPortUpdate2006001.dmg"
Its SHA-1 digest is: 94855a341c05344dab4f965c595c7149352d2617
For Mac OS X v10.4.7 Build 8J135
For Mac OS X Server v10.4.7 Build 8J135
The download file is named: "SecUpd2006-005Ti.dmg"
Its SHA-1 digest is: 32877c48193aa070c6e379bdec580b8d4a5c3ccc
For Mac OS X v10.4.7 Build 8K1079, 8K1106, 8K1123, or 8K1124
For Mac OS X Server v10.4.7 Build 8K1079
The download file is named: "SecUpd2006-005Univ.dmg"
Its SHA-1 digest is: fc1de2d328f41b74fa43cdc72af579618a05cc43
For Mac OS X v10.3.9 or Mac OS X Server v10.3.9
The download file is named: "SecUpd2006-005Pan.dmg"
Its SHA-1 digest is: e382c31989061772a7fae7bdab55efdebfdc8e1b
For Mac OS X v10.3.9 and Mac OS X Server v10.3.9 systems, if the
Software Update utility does not present Security Update 2006-005,
the following two updates need to be installed:
AirPort 4.2
http://www.apple.com/support/downloads/airport42formacosx1033.html
AirPort Extreme Driver Update 2005-001
http://www.apple.com/support/downloads/airportextremedriverupdate2005001.html
Information will also be posted to the Apple Security Updates
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)
iQEVAwUBRRLo84mzP5/bU5rtAQiu4wf/WQvis/Vi9dO/4EUjSMpJI/tkCRzLKgKQ
ahMxAL+gni4ysbSNizQ6GhDJbZqVMMglW8kwcNdhPrcitIKfrNzCFjjmDmqU05t8
8r6ZkZeaZdG4y9F8XalSM1wZ2mmGvahDYmROug34e+4CahybJurWalFYYRwvnM09
uRDm7IYu/MItMTs/gi2BSJMIBQZPjyWCaj8FkDazSPOZ26W2Z5lchVy9qgQcV7Cp
+rWDN96ADYUxRwWRNL8bS/OZGmraxrl2MUFUnATTAgFtJN2FMTKAnNMBfxhpCwT9
2sSK5EF+ui8zTEjtDbU+11d+jzqtV0CRbWvsR1wCbXJpFS+5VVW2Xg==
=L77K
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2006-09-12 QuickTime 7.1.3
QuickTime 7.1.3 is now available. Along with functionality
improvements (see release notes), it also provides fixes for the
following security issues:
QuickTime
CVE-ID: CVE-2006-4381, CVE-2006-4386
Available for: Mac OS X v10.3.9 and later, Windows XP/2000
Impact: Viewing a maliciously-crafted H.264 movie may lead to an
application crash or arbitrary code execution
Description: By carefully crafting a corrupt H.264 movie, an
attacker can trigger an integer overflow or buffer overflow
which may lead to an application crash or arbitrary code
execution with the privileges of the user. This update addresses
the issue by performing additional validation of H.264 movies.
Credit to Sowhat of Nevis Labs, Mike Price of McAfee AVERT Labs,
and Piotr Bania of piotrbania.com for reporting these issues.
QuickTime
CVE-ID: CVE-2006-4382
Available for: Mac OS X v10.3.9 and later, Windows XP/2000
Impact: Viewing a maliciously-crafted QuickTime movie may lead
to an application crash or arbitrary code execution
Description: By carefully crafting a corrupt QuickTime movie, an
attacker can trigger a buffer overflow which may lead to an
application crash or arbitrary code execution with the
privileges of the user. This update addresses the issue by
performing additional validation of QuickTime movies. Credit to
Mike Price of McAfee AVERT Labs for reporting this issue.
QuickTime
CVE-ID: CVE-2006-4384
Available for: Mac OS X v10.3.9 and later, Windows XP/2000
Impact: Viewing a maliciously-crafted FLC movie may lead to an
application crash or arbitrary code execution
Description: By carefully crafting a corrupt FLC movie, an
attacker can trigger a heap buffer overflow which may lead to an
application crash or arbitrary code execution with the
privileges of the user. This update addresses the issue by
performing additional validation of FLC movies. Credit to Ruben
Santamarta of reversemode.com working with the iDefense VCP
Program, and Mike Price of McAfee AVERT Labs for reporting this
issue.
QuickTime
CVE-ID: CVE-2006-4388
Available for: Mac OS X v10.3.9 and later, Windows XP/2000
Impact: Viewing a maliciously-crafted FlashPix may lead to an
application crash or arbitrary code execution
Description: By carefully crafting a corrupt FlashPix file, an
attacker can trigger an integer overflow or buffer overflow
which may lead to an application crash or arbitrary code
execution with the privileges of the user. This update addresses
the issue by performing additional validation of FlashPix files.
Credit to Mike Price of McAfee AVERT Labs for reporting this
issue.
QuickTime
CVE-ID: CVE-2006-4389
Available for: Mac OS X v10.3.9 and later, Windows XP/2000
Impact: Viewing a maliciously-crafted FlashPix may lead to an
application crash or arbitrary code execution
Description: By carefully crafting a corrupt FlashPix file, an
attacker can trigger an exception leaving an uninitialized
object. This may lead to an application crash or arbitrary code
execution with the privileges of the user. This update addresses
the issue by performing additional validation of FlashPix files.
Credit to Mike Price of McAfee AVERT Labs for reporting this
issue.
QuickTime
CVE-ID: CVE-2006-4385
Available for: Mac OS X v10.3.9 and later, Windows XP/2000
Impact: Viewing a maliciously-crafted SGI image may lead to an
application crash or arbitrary code execution
Description: By carefully crafting a corrupt SGI image, an
attacker can trigger a buffer overflow which may lead to an
application crash or arbitrary code execution with the
privileges of the user. This update addresses the issue by
performing additional validation of SGI image files. Credit to
Mike Price of McAfee AVERT Labs for reporting this issue.
QuickTime 7.1.3 may be obtained from the Software Update pane in
System Preferences, or from the Download tab in the QuickTime site
http://www.apple.com/quicktime/
For Mac OS X v10.3.9 or later
The download file is named: "QuickTimeInstallerX.dmg"
Its SHA-1 digest is: 55cfeb0d92d8e0a0694267df58d2b53526d24d3d
QuickTime 7.1.3 for Windows 2000/XP
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 047a9f2d88c8a865b4ad5f24c9904b8727ba71e7
QuickTime 7.1.3 with iTunes for Windows 2000/XP
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 5cdc86b2edb1411b9a022f05b1bfbe858fbcf901
Information will also be posted to the Apple Product Security
web site: http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)
iQEVAwUBRQb9HomzP5/bU5rtAQhhbQf+KodANyZEVRfZClyDgqwQxTFmxboBFVsE
Bm7BLUAlD8RrI8Q5wScLkZ1gYez7dx+Uj/UeZer99JMof1OLyzZqcWXx2XFQ+PH6
iPuxYKTvSaDE04oAsyayYtfHOa9J9XMLo8HDVH62ZotbBwOBEg266I1Ux0ZrfJ+T
oN05LgTjNmNxCwDdullYrLDDhPvIqdqIez3jVKn3kfoPErYe/2bazo1vzarQjJcR
NjTyKvpKqHRRXUWcQdF0IocmwCgNxYCC/U8VM9dnBS2O8JLoxQvx1DLFNOLjciTJ
omnxotHNN0HCpzLObROh8CGW1f/2ZWVf1WQNMlzzvWNKVX8fxoro2Q==
=Vavv
-----END PGP SIGNATURE-----
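All three advisories above (APPLE-SA-2006-09-29, APPLE-SA-2006-09-21 and APPLE-SA-2006-09-12) publish a file name and a SHA-1 digest for every download, so the image can be checked before it is opened. The script below is an added example, not part of the advisories and not Apple's own tooling: it computes the digest of a downloaded file with whichever hashing tool the host provides and compares it with the published value. The function names and the one-line-per-file manifest format are this example's own; the digests in the usage comment are copied from the advisory text.

```shell
#!/bin/sh
# Added example, not part of Apple's advisory: check a downloaded update
# image against the SHA-1 digest the advisory publishes before opening it.
# The function names and the manifest format are this example's own;
# the digests in the usage comment are copied from the advisory text.

# Print the lowercase SHA-1 hex digest of the file named in $1, using
# whichever tool the host provides (sha1sum on Linux, shasum on macOS,
# openssl as a last resort).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    fi
}

# verify_download FILE EXPECTED_DIGEST
# Exit status 0 when the file's SHA-1 equals EXPECTED_DIGEST (compared
# case-insensitively), 1 when the file is missing or the digest differs.
# A mismatch means the image is truncated, corrupted or not the file Apple
# published, so it must not be installed.
verify_download() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "MISSING $file" >&2
        return 1
    fi
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK      $file"
        return 0
    fi
    echo "FAIL    $file: expected $expected, got $actual" >&2
    return 1
}

# verify_manifest reads "FILENAME SHA1" lines from standard input (one per
# download listed in the advisory) and checks each file in the current
# directory. Exit status is 0 only if every file is present and matches.
verify_manifest() {
    status=0
    while read -r name digest; do
        [ -n "$name" ] || continue
        verify_download "$name" "$digest" || status=1
    done
    return "$status"
}

# Usage, run in the folder holding the downloaded images, with digests
# taken from the advisories above:
#   verify_manifest <<'EOF'
#   MacOSXUpd10.4.8PPC.dmg 982d70a52099297e322ba8e4540ef6d30fa5673a
#   SecUpd2006-006Pan.dmg fddff89d465bd850bb32573857a1dcc66b415a01
#   QuickTimeInstallerX.dmg 55cfeb0d92d8e0a0694267df58d2b53526d24d3d
#   EOF
```

The comparison is done on the lowercase hex string so that a digest copied from the advisory in either case matches; a file that is absent is reported separately from one whose digest differs, since the two call for different follow-up (re-download versus discard).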