Security-announce
November 2007
- 1 participants
- 5 discussions
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2007-11-15 Mac OS X v10.5.1 Update
Mac OS X v10.5.1 Update is now available and addresses the following
issues:
Application Firewall
CVE-ID: CVE-2007-4702
Available for: Mac OS X v10.5, Mac OS X Server v10.5
Impact: The "Block all incoming connections" setting for the
firewall is misleading
Description: The "Block all incoming connections" setting for the
Application Firewall allows any process running as user "root" (UID
0) to receive incoming connections, and also allows mDNSResponder to
receive connections. This could result in the unexpected exposure of
network services. This update addresses the issue by more accurately
describing the option as "Allow only essential services", and by
limiting the processes permitted to receive incoming connections
under this setting to a small fixed set of system services: configd
(for DHCP and other network configuration protocols), mDNSResponder
(for Bonjour), and racoon (for IPSec). The "Help" content for the
Application Firewall is also updated to provide further information.
This issue does not affect systems prior to Mac OS X v10.5.
Application Firewall
CVE-ID: CVE-2007-4703
Available for: Mac OS X v10.5, Mac OS X Server v10.5
Impact: Processes running as user "root" (UID 0) cannot be blocked
when the firewall is set to "Set access for specific services and
applications"
Description: The "Set access for specific services and applications"
setting for the Application Firewall allows any process running as
user "root" (UID 0) to receive incoming connections, even if its
executable is specifically added to the list of programs and its
entry in the list is marked as "Block incoming connections". This
could result in the unexpected exposure of network services. This
update corrects the issue so that any executable so marked is
blocked. This issue does not affect systems prior to Mac OS X v10.5.
Application Firewall
CVE-ID: CVE-2007-4704
Available for: Mac OS X v10.5, Mac OS X Server v10.5
Impact: Changes to Application Firewall settings do not affect
processes started by launchd until they are restarted
Description: When the Application Firewall settings are changed, a
running process started by launchd will not be affected until it is
restarted. A user might expect changes to take effect immediately and
so leave their system exposed to network access. This update corrects
the issue so that changes take effect immediately. This issue does
not affect systems prior to Mac OS X v10.5.
Mac OS X v10.5.1 may be obtained from the Software Update pane in
System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.5
The download file is named: "MacOSXUpd10.5.1.dmg"
Its SHA-1 digest is: fb4ba4e5a0a7db7e04b3c93bb10115017cbea986
For Mac OS X Server v10.5
The download file is named: "MacOSXServerUpd10.5.1.dmg"
Its SHA-1 digest is: 9ccfe856eae029b70b7f465d85041a96738eaeab
Information will also be posted to the Apple Security Updates
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce(a)lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/security-announce/site_archiver%40li…
This email sent to site_archiver(a)lists.apple.com
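The Application Firewall entries above turn on which root-owned (UID 0) processes can receive incoming connections. The following is an added example, not part of Apple's advisory: a shell audit that lists root-owned network listeners falling outside the three essential services the advisory names. The function names, the `lsof +c 0 -nP -i` column layout it expects, and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): report root-owned listeners that are
# outside the "Allow only essential services" set named in APPLE-SA-2007-11-15.

# The three system services the advisory lists as still permitted.
ESSENTIAL="configd mDNSResponder racoon"

# Constructed sample in the column layout of `lsof +c 0 -nP -i`.
# These rows are illustrative, not captured from a real system.
sample_lsof() {
cat <<'EOF'
COMMAND         PID USER            FD  TYPE DEVICE SIZE/OFF NODE NAME
configd          14 root            8u  IPv4 0x1a2b      0t0  UDP *:68
mDNSResponder    21 _mdnsresponder  7u  IPv4 0x1a2c      0t0  UDP *:5353
racoon          102 root            5u  IPv4 0x1a2d      0t0  UDP *:500
sshd            230 root            4u  IPv4 0x1a2e      0t0  TCP *:22 (LISTEN)
cupsd           245 root            6u  IPv4 0x1a2f      0t0  TCP 127.0.0.1:631 (LISTEN)
httpd           301 www             3u  IPv4 0x1a30      0t0  TCP *:80 (LISTEN)
ntpd            310 root           20u  IPv4 0x1a31      0t0  UDP *:123
Safari          412 alice          12u  IPv4 0x1a32      0t0  TCP 10.0.0.5:49152->192.0.2.10:80 (ESTABLISHED)
EOF
}

# Reads an lsof listing on stdin and prints "command pid proto address" for
# every socket that is (a) owned by root, (b) a TCP listener or an unconnected
# UDP socket, (c) not bound to loopback only, and (d) not an essential service.
# Assumes command names contain no spaces.
root_listeners_outside_essential() {
  awk -v allow="$ESSENTIAL" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "COMMAND"                   { next }  # header row
    $3 != "root"                      { next }  # the advisory concerns UID 0
    $8 != "TCP" && $8 != "UDP"        { next }  # not an internet socket row
    $8 == "TCP" && $10 != "(LISTEN)"  { next }  # TCP: listeners only
    $9 ~ /->/                         { next }  # connected, not listening
    $9 ~ /^127\./ || index($9, "[::1]") == 1 { next }  # loopback only
    ($1 in ok)                        { next }  # essential service
    { print $1, $2, $8, $9 }
  '
}

# Demonstration on the constructed sample; on a live system the input would be
# the output of: lsof +c 0 -nP -i
sample_lsof | root_listeners_outside_essential
```

Any process this reports could receive incoming connections under the pre-10.5.1 behaviour regardless of the firewall setting, so the list is a starting point for deciding which services to disable or restart after updating.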
14 Nov '07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2007-11-14 Safari 3 Beta Update 3.0.4 (Windows)
Safari 3 Beta Update 3.0.4 (Windows) is now available and addresses
the following issues:
Safari
CVE-ID: CVE-2007-4692
Available for: Windows XP or Vista
Impact: An issue in Safari Tabbed browsing may lead to the
disclosure of user credentials
Description: An implementation issue exists in the Tabbed browsing
feature of Safari. If HTTP authentication is used by a site being
loaded in a tab other than the active tab, an authentication sheet
may be displayed although the tab and its corresponding page are not
visible. The user may consider the sheet to come from the currently
active page, which may lead to the disclosure of user credentials.
This update addresses the issue through improved handling of
authentication sheets. Credit to Michael Roitzsch of Technical
University Dresden for reporting this issue.
Safari
CVE-ID: CVE-2007-1351, CVE-2007-1352, CVE-2007-2754
Available for: Windows XP or Vista
Impact: Multiple vulnerabilities in FreeType v2.2.1
Description: Multiple vulnerabilities exist in FreeType v2.2.1, the
most serious of which may lead to arbitrary code execution. This
update addresses the issue by updating FreeType to version 2.3.5.
Further information is available via the FreeType site at
http://www.freetype.org/
WebCore
CVE-ID: CVE-2007-3758
Available for: Windows XP or Vista
Impact: Visiting a malicious website may lead to cross-site
scripting
Description: A cross-site scripting issue in Safari allows malicious
websites to set JavaScript window properties of websites served from
a different domain. By enticing a user to visit a maliciously crafted
web page, an attacker may be able to get or set the window status and
location of pages served from other websites. This update addresses
the issue by providing improved access controls on these properties.
Credit to Michal Zalewski of Google Inc. for reporting this issue.
WebCore
CVE-ID: CVE-2007-3760
Available for: Windows XP or Vista
Impact: Visiting a malicious website may lead to cross-site
scripting
Description: A cross-site scripting issue in Safari allows a
malicious website to bypass the same origin policy by hosting
embedded objects with javascript URLs. By enticing a user to visit a
maliciously crafted web page, an attacker may cause the execution of
JavaScript in the context of another site. This update addresses the
issue by restricting the use of the javascript URL scheme and adding
additional origin validation for these URLs. Credit to Michal
Zalewski of Google Inc. and Secunia Research for reporting this
issue.
WebCore
CVE-ID: CVE-2007-3756
Available for: Windows XP or Vista
Impact: Visiting a malicious website may lead to the disclosure of
URL contents
Description: Safari may allow a web page to read the URL that is
currently being viewed in its parent window. By enticing a user to
visit a maliciously crafted web page, an attacker may be able to
obtain the URL of an unrelated page. This update addresses the issue
through an improved cross-domain security check. Credit to Michal
Zalewski of Google Inc. and Secunia Research for reporting this
issue.
WebKit
CVE-ID: CVE-2007-4671
Available for: Windows XP or Vista
Impact: JavaScript on websites may access or manipulate the contents
of documents served over HTTPS
Description: An issue in Safari allows content served over HTTP to
alter or access content served over HTTPS in the same domain. By
enticing a user to visit a maliciously crafted web page, an attacker
may cause the execution of JavaScript in the context of HTTPS web
pages in that domain. This update addresses the issue by preventing
JavaScript access from HTTP to HTTPS frames. Credit to Keigo Yamazaki
of LAC Co., Ltd. (Little eArth Corporation Co., Ltd.) for reporting
this issue.
WebKit
CVE-ID: CVE-2007-4698
Available for: Windows XP or Vista
Impact: Visiting a malicious website may lead to cross-site
scripting
Description: Safari allows JavaScript events to be associated with
the wrong frame. By enticing a user to visit a maliciously crafted
web page, an attacker may cause the execution of JavaScript in the
context of another site. This update addresses the issue by
associating JavaScript events with the correct source frame.
WebKit
CVE-ID: CVE-2007-4812
Available for: Windows XP or Vista
Impact: Visiting a malicious website may lead to arbitrary code
execution
Description: A buffer overflow exists in Safari's handling of the
status bar. By enticing a user to visit a maliciously crafted web
page, an attacker may cause arbitrary code execution. This update
addresses the issue by re-implementing the status bar handling.
Safari 3 Beta Update 3.0.4 (Windows) is available via the Apple
Software Update application, or Apple's Safari download site at:
http://www.apple.com/safari/download/
Safari for Windows XP or Vista
The download file is named: "SafariSetup.exe"
Its SHA-1 digest is: 54f68120298fd628255474d13e10562fcdbf2a14
Safari+QuickTime for Windows XP or Vista
The download file is named: "SafariQuickTimeSetup.exe"
Its SHA-1 digest is: a8afe488e2afcc8ccc9425792d5fc74ac9e25d10
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
APPLE-SA-2007-11-14 Mac OS X v10.4.11 and Security Update 2007-008
by Apple Product Security 14 Nov '07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2007-11-14 Mac OS X v10.4.11 and Security Update 2007-008
Mac OS X v10.4.11 and Security Update 2007-008 are now available and
provide fixes for the following security issues. Mac OS X v10.4.11
also provides additional functionality changes, and information is
available in its release note.
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Mac OS X v10.4.11 or Security Update 2007-008.
AppleRAID
CVE-ID: CVE-2007-4678
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Opening a maliciously crafted disk image may lead to an
unexpected system shutdown
Description: A null pointer dereference issue in AppleRAID may be
triggered when mounting a striped disk image. This may lead to an
unexpected system shutdown. Note that Safari will automatically mount
disk images when "Open `safe' files after downloading" is enabled.
This update addresses the issue by performing additional validation
of disk images. Credit to Mark Tull of SSAM1 at University of
Hertfordshire, and Joel Vink of Zetera Corporation for reporting this
issue.
BIND
CVE-ID: CVE-2007-2926
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: An attacker may be able to control the content provided by a
DNS server
Description: ISC BIND 9 through 9.5.0a5 uses a weak random number
generator during the creation of DNS query IDs when answering
resolver questions or sending NOTIFY messages to slave name servers.
This makes it easier for remote attackers to guess the next query ID
and perform DNS cache poisoning. This update addresses the issue by
improving the random number generator.
bzip2
CVE-ID: CVE-2005-0953, CVE-2005-1260
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Multiple vulnerabilities in bzip2
Description: bzip2 has been updated to version 1.0.4 to address a
remote denial of service, and a race condition which occurs during
modification of file permissions. Further information is available
via the bzip2 web site at http://bzip.org/
CFFTP
CVE-ID: CVE-2007-4679
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A user's FTP client could be remotely controlled to connect to other
hosts
Description: An implementation issue exists in the File Transfer
Protocol (FTP) portion of CFNetwork. By sending maliciously crafted
replies to FTP PASV (passive) commands, FTP servers are able to cause
clients to connect to other hosts. This update addresses the issue by
performing additional validation of IP addresses. This issue does not
affect systems prior to Mac OS X v10.4. Credit to Dr Bob Lopez PhD
for reporting this issue.
CFNetwork
CVE-ID: CVE-2007-4680
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A remote attacker may be able to cause an untrusted
certificate to appear trusted
Description: An issue exists in the validation of certificates. A
man-in-the-middle attacker may be able to direct the user to a
legitimate site with a valid SSL certificate, then re-direct the user
to a spoofed web site that incorrectly appears to be trusted. This
could allow user credentials or other information to be collected.
This update addresses the issue through improved validation of
certificates. Credit to Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C for reporting this issue.
CFNetwork
CVE-ID: CVE-2007-0464
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Parsing HTTP replies using the CFNetwork framework may result
in an unexpected application termination
Description: A null pointer dereference issue exists in the CFNetwork
framework. By enticing a user to use a vulnerable application to
connect to a malicious server, an attacker may cause an unexpected
application termination. There are no known vulnerable applications.
This issue does not lead to arbitrary code execution. This has been
described on the Month of Apple Bugs web site (MOAB-25-01-2007). This
update addresses the issue by performing additional validation of
HTTP replies. This issue does not affect systems prior to
Mac OS X v10.4.
CoreFoundation
CVE-ID: CVE-2007-4681
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Reading a directory hierarchy may lead to an unexpected
application termination or arbitrary code execution
Description: A one byte buffer overflow may occur in CoreFoundation
when listing the contents of a directory. By enticing a user to read
a maliciously crafted directory hierarchy, an attacker may cause an
unexpected application termination or arbitrary code execution. This
update addresses the issue by ensuring that the destination buffer is
sized to contain the data.
CoreText
CVE-ID: CVE-2007-4682
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Viewing maliciously crafted text content may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized object pointer vulnerability exists in
the handling of text content. By enticing a user to view maliciously
crafted text content, an attacker may cause an unexpected application
termination or arbitrary code execution. This update addresses the
issue by performing additional validation of object pointers. Credit
to Will Dormann of the CERT/CC for reporting this issue.
Flash Player Plug-in
CVE-ID: CVE-2007-3456
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Opening maliciously crafted Flash content may lead to
arbitrary code execution
Description: An input validation issue exists in Adobe Flash Player.
By enticing a user to open maliciously crafted Flash content, an
attacker may cause arbitrary code execution. This update addresses
the issue by updating Adobe Flash Player to version 9.0.47.0. Further
information is available via the Adobe web site at
http://www.adobe.com/support/security/bulletins/apsb07-12.html
Kerberos
CVE-ID: CVE-2007-3999, CVE-2007-4743
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A remote attacker may be able to cause a denial of service or
arbitrary code execution if the Kerberos administration daemon is
enabled
Description: A stack buffer overflow exists in the MIT Kerberos
administration daemon (kadmind), which may lead to an unexpected
application termination or arbitrary code execution with system
privileges. Further information is available via the MIT Kerberos
website at http://web.mit.edu/Kerberos/ This issue does not affect
systems prior to Mac OS X v10.4.
Kernel
CVE-ID: CVE-2007-3749
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: When executing a privileged binary, the kernel does not
reset the current Mach thread port or thread exception port. As a
result, a local user may be able to write arbitrary data into the
address space of the process running as system, which could lead to
arbitrary code execution with system privileges. This update
addresses the issue by resetting all the special ports that need to
be reset. Credit to an anonymous researcher working with the VeriSign
iDefense VCP for reporting this issue.
Kernel
CVE-ID: CVE-2007-4683
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Processes restricted via the chroot system call may access
arbitrary files
Description: The chroot mechanism is intended to restrict the set of
files that a process can access. By changing the working directory
using a relative path, an attacker may bypass this restriction. This
update addresses the issue through improved access checks. Credit
to Johan Henselmans and Jesper Skov for reporting this issue.
Kernel
CVE-ID: CVE-2007-4684
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A local user may obtain system privileges
Description: An integer overflow exists within the i386_set_ldt
system call, which may allow a local user to execute arbitrary code
with elevated privileges. This update addresses the issue through
improved validation of input arguments. Credit to RISE Security for
reporting this issue.
Kernel
CVE-ID: CVE-2007-4685
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A local user may obtain system privileges
Description: An issue exists in the handling of standard file
descriptors while executing setuid and setgid programs. This could
allow a local user to obtain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
This update addresses the issue by initializing standard file
descriptors to a known state when executing setuid or setgid
programs. Credit to Ilja van Sprundel formerly of Suresec Inc. for
reporting this issue.
Kernel
CVE-ID: CVE-2006-6127
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A local user may be able to cause an unexpected system
shutdown
Description: An implementation issue exists in kevent() when
registering a NOTE_TRACK kernel event with a kernel event queue
created by a parent process. This could allow a local user to cause
an unexpected system shutdown. This issue has been described on the
Month of Kernel Bugs web site (MOKB-24-11-2006). This update
addresses the issue by removing support for the NOTE_TRACK event.
Kernel
CVE-ID: CVE-2007-4686
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Maliciously crafted ioctl requests may lead to an unexpected
system shutdown or arbitrary code execution with system privileges
Description: An integer overflow exists in the handling of an ioctl
request. By sending a maliciously crafted ioctl request, a local user
may cause an unexpected system shutdown or arbitrary code execution
with system privileges. This update addresses the issue by performing
additional validation of ioctl requests. Credit to Tobias Klein of
www.trapkit.de for reporting this issue.
Networking
CVE-ID: CVE-2007-4688
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A remote user may obtain all addresses of a host
Description: An implementation issue exists in the Node Information
Query mechanism, which may allow a remote user to query for all
addresses of a host, including link-local addresses. This update
addresses the issue by dropping node information queries from systems
not on the local network. Credit to Arnaud Ebalard of EADS Innovation
Works for reporting this issue.
Networking
CVE-ID: CVE-2007-4269
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: If AppleTalk is enabled, a local user may cause an unexpected
system shutdown or arbitrary code execution with system privileges
Description: An integer overflow exists in the handling of ASP
messages with AppleTalk. By sending a maliciously crafted ASP message
on an AppleTalk socket, a local user may cause an unexpected system
shutdown or arbitrary code execution with system privileges. This
update addresses the issue by performing additional validation of ASP
messages. Credit to Sean Larsson of VeriSign iDefense Labs for
reporting this issue.
Networking
CVE-ID: CVE-2007-4689
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Certain IPV6 packets may cause an unexpected system shutdown
or arbitrary code execution
Description: A double-free issue exists in the handling of certain
IPV6 packets, which may lead to an unexpected system shutdown or
arbitrary code execution with system privileges. This update
addresses the issue through improved handling of IPV6 packets. This
issue does not affect systems with Intel processors. Credit to
Bhavesh Davda of VMware, and Brian "chort" Keefer of Tumbleweed
Communications for reporting this issue.
Networking
CVE-ID: CVE-2007-4267
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: If AppleTalk is enabled and in routing mode, a local user may
cause an unexpected system shutdown or arbitrary code execution
Description: Adding a new AppleTalk zone could trigger a stack buffer
overflow issue. By sending a maliciously crafted ioctl request to an
AppleTalk socket, a local user may cause an unexpected system
shutdown or arbitrary code execution with system privileges. This
update addresses the issue in AppleTalk through improved bounds
checking on ioctl requests. Credit to an anonymous researcher working
with the VeriSign iDefense VCP for reporting this issue.
Networking
CVE-ID: CVE-2007-4268
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: If AppleTalk is enabled, a local user may cause an unexpected
system shutdown or arbitrary code execution with system privileges
Description: An arithmetic error exists in AppleTalk when handling
memory allocations, which may lead to a heap buffer overflow. By
sending a maliciously crafted AppleTalk message, a local user may
cause an unexpected system shutdown or arbitrary code execution with
system privileges. This update addresses the issue through improved
bounds checking on AppleTalk messages. Credit to Sean Larsson of
VeriSign iDefense Labs for reporting this issue.
NFS
CVE-ID: CVE-2007-4690
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A maliciously crafted AUTH_UNIX RPC call may lead to an
unexpected system shutdown or arbitrary code execution
Description: A double free issue in NFS may be triggered when
processing an AUTH_UNIX RPC call. By sending a maliciously crafted
AUTH_UNIX RPC call via TCP or UDP, a remote attacker may cause an
unexpected system shutdown or arbitrary code execution. This update
addresses the issue through improved validation of AUTH_UNIX RPC
packets. Credit to Alan Newson of NGSSoftware, and Renaud Deraison of
Tenable Network Security, Inc. for reporting this issue.
NSURL
CVE-ID: CVE-2007-4691
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Visiting a malicious web site may result in arbitrary code
execution
Description: A case-sensitivity issue exists in NSURL when
determining if a URL references the local file system. This may cause
a caller of the API to make incorrect security decisions, potentially
leading to the execution of files on the local system or network
volumes without appropriate warnings. This update addresses the issue
by using a case insensitive comparison.
remote_cmds
CVE-ID: CVE-2007-4687
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: If tftpd is enabled, the default configuration allows clients
to access any path on the system
Description: By default, the /private/tftpboot/private directory
contains a symbolic link to the root directory, which allows clients
to access any path on the system. This update addresses the issue by
removing the /private/tftpboot/private directory. Credit to James P.
Javery of Stratus Data Systems, Inc. for reporting this issue.
Safari
CVE-ID: CVE-2007-0646
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Opening a .download file with a maliciously crafted name may
lead to an unexpected application termination or arbitrary code
execution
Description: A format string vulnerability exists in Safari. By
enticing a user to open a .download file with a maliciously crafted
name, an attacker may cause an unexpected application termination or
arbitrary code execution. This has been described on the Month of
Apple Bugs web site (MOAB-30-01-2007). This update addresses the
issue through improved handling of format strings.
Safari
CVE-ID: CVE-2007-4692
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: An issue in Safari Tabbed browsing may lead to the disclosure
of user credentials
Description: An implementation issue exists in the Tabbed browsing
feature of Safari. If HTTP authentication is used by a site being
loaded in a tab other than the active tab, an authentication sheet
may be displayed although the tab and its corresponding page are not
visible. The user may consider the sheet to come from the currently
active page, which may lead to the disclosure of user credentials.
This update addresses the issue through improved handling of
authentication sheets. Credit to Michael Roitzsch of Technical
University Dresden for reporting this issue.
SecurityAgent
CVE-ID: CVE-2007-4693
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A person with physical access to a system may be able to
bypass the screen saver authentication dialog
Description: When waking a computer from sleep or screen saver, a
person with physical access may be able to send keystrokes to a
process running behind the screen saver authentication dialog. This
update addresses the issue through improved handling of keyboard
focus between secure text fields. Credit to Faisal N. Jawdat for
reporting this issue.
WebCore
CVE-ID: CVE-2007-4694
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Local files may be loaded from remote content
Description: Safari does not block file:// URLs when loading
resources. By enticing a user to visit a maliciously crafted website,
a remote attacker may view the content of local files, which may lead
to the disclosure of sensitive information. This update addresses the
issue by preventing local files from being loaded from remote
content. Credit to lixlpixel for reporting this issue.
WebCore
CVE-ID: CVE-2007-4695
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Uploading a maliciously crafted file may allow the tampering
of form data
Description: An input validation issue exists in the handling of HTML
forms. By enticing a user to upload a maliciously crafted file, an
attacker may alter the values of form fields, which may lead to
unexpected behavior when the form is processed by the server. This
update addresses the issue through improved handling of file uploads.
Credit to Bodo Ruskamp of Itchigo Communications GmbH for reporting
this issue.
WebCore
CVE-ID: CVE-2007-4696
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Visiting a malicious website may lead to the disclosure of
sensitive information
Description: A race condition exists in Safari's handling of page
transitions. By enticing a user to visit a malicious web page, an
attacker may be able to obtain information entered in forms on other
web sites, which may lead to the disclosure of sensitive information.
This update addresses the issue by properly clearing form data during
page transitions. Credit to Ryan Grisso of NetSuite for reporting
this issue.
WebCore
CVE-ID: CVE-2007-4697
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of the
browser's history. By enticing a user to visit a maliciously crafted
web page, an attacker may cause an unexpected application termination
or arbitrary code execution. Credit to David Bloom for reporting this
issue.
WebCore
CVE-ID: CVE-2007-4698
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Visiting a malicious website may result in cross-site
scripting
Description: Safari allows JavaScript events to be associated with
the wrong frame. By enticing a user to visit a maliciously crafted
web page, an attacker may cause the execution of JavaScript in the
context of another site. This update addresses the issue by
associating JavaScript events with the correct source frame.
WebCore
CVE-ID: CVE-2007-3758
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Visiting a malicious website may lead to cross-site scripting
Description: A cross-site scripting issue in Safari allows malicious
websites to set JavaScript window properties of websites served from
a different domain. By enticing a user to visit a maliciously crafted
web page, an attacker may be able to get or set the window status and
location of pages served from other websites. This update addresses
the issue by providing improved access controls on these properties.
Credit to Michal Zalewski of Google Inc. for reporting this issue.
WebCore
CVE-ID: CVE-2007-3760
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Visiting a malicious website may result in cross-site
scripting
Description: A cross-site scripting issue in Safari allows a
malicious website to bypass the same origin policy by hosting
embedded objects with javascript URLs. By enticing a user to visit a
maliciously crafted web page, an attacker may cause the execution of
JavaScript in the context of another site. This update addresses the
issue by restricting the use of the javascript URL scheme and adding
additional origin validation for these URLs. Credit to Michal
Zalewski of Google Inc. and Secunia Research for reporting this
issue.
WebCore
CVE-ID: CVE-2007-4671
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: JavaScript on websites may access or manipulate the contents
of documents served over HTTPS
Description: An issue in Safari allows content served over HTTP to
alter or access content served over HTTPS in the same domain. By
enticing a user to visit a maliciously crafted web page, an attacker
may cause the execution of JavaScript in the context of HTTPS web
pages in that domain. This update addresses the issue by preventing
JavaScript access from HTTP to HTTPS frames. Credit to Keigo Yamazaki
of LAC Co., Ltd. (Little eArth Corporation Co., Ltd.) for reporting
this issue.
WebCore
CVE-ID: CVE-2007-3756
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Visiting a malicious website may lead to the disclosure of
URL contents
Description: Safari may allow a web page to read the URL that is
currently being viewed in its parent window. By enticing a user to
visit a maliciously crafted web page, an attacker may be able to
obtain the URL of an unrelated page. This update addresses the issue
through an improved cross-domain security check. Credit to Michal
Zalewski of Google Inc. and Secunia Research for reporting this
issue.
WebKit
CVE-ID: CVE-2007-4699
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: Unauthorized applications may access private keys added to
the keychain by Safari
Description: By default, when Safari adds a private key to the
keychain, it allows all applications to access the key without
warning. This update addresses the issue by asking the user for
permission when applications other than Safari attempt to use the
key.
WebKit
CVE-ID: CVE-2007-4700
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A malicious website may be able to cause Safari to send
remotely specified data to arbitrary TCP ports
Description: Safari may allow a malicious website to send remotely
specified data to arbitrary TCP ports. This update addresses the
issue by blocking access to certain ports. Credit to Kostas G.
Anagnostakis of Institute for Infocomm Research, Singapore, and
Spiros Antonatos of FORTH-ICS, Greece for reporting this issue.
WebKit
CVE-ID: CVE-2007-4701
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A local user may be able to read the content of opened PDF
files
Description: WebKit/Safari creates temporary files insecurely when
previewing a PDF file, which may allow a local user to access the
file's content. This may lead to the disclosure of sensitive
information. This update addresses the issue by using more
restrictive permissions for temporary files during PDF preview.
Credit to Jean-Luc Giraud, and Moritz Borgmann of ETH Zurich for
reporting this issue.
Mac OS X v10.4.11 and Security Update 2007-008 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Mac OS X v10.4.11 or Security Update 2007-008.
For Mac OS X v10.4.10 (Intel)
The download file is named: "MacOSXUpd10.4.11Intel.dmg"
Its SHA-1 digest is: 4c9103699c7925cc0277cffce4c7419a9d469c31
For Mac OS X v10.4.4 (Intel) through v10.4.9 (Intel)
The download file is named: "MacOSXUpdCombo10.4.11Intel.dmg"
Its SHA-1 digest is: 9a869c44010996bcf1a645f5467dd1bc596924dd
For Mac OS X v10.4.10 (PowerPC)
The download file is named: "MacOSXUpd10.4.11PPC.dmg"
Its SHA-1 digest is: 132d354637604c63d28b57e57e74aed1b21c9894
For Mac OS X v10.4 (PowerPC) through v10.4.9 (PowerPC)
The download file is named: "MacOSXUpdCombo10.4.11PPC.dmg"
Its SHA-1 digest is: 3d403bfa769424c61a3cfac173f8527658f9d4af
For Mac OS X Server v10.4.10 (Universal)
The download file is named: "MacOSXServerUpd10.4.11Univ.dmg"
Its SHA-1 digest is: 37bf2f081d773756472205146a037d1c8c52d45e
For Mac OS X Server v10.4.7 through v10.4.9 (Universal)
The download file is named: "MacOSXSrvrCombo10.4.11Univ.dmg"
Its SHA-1 digest is: 94a87bb6f7c73b68c2a8654a5c2642d7c5e82d56
For Mac OS X Server v10.4.10 (PowerPC)
The download file is named: "MacOSXServerUpd10.4.11PPC.dmg"
Its SHA-1 digest is: 6dde722314da1eaf00f881f026cfe770044f6cda
For Mac OS X Server v10.4 through v10.4.9 (PowerPC)
The download file is named: "MacOSXSrvrCombo10.4.11PPC.dmg"
Its SHA-1 digest is: 3aeb0fae441957c7a831365ad5af1b79b0d87720
For Mac OS X v10.3.9
The download file is named: "SecUpd2007-008Pan.dmg"
Its SHA-1 digest is: 7049852014bb8d31fe8a3b2706e59c1e7d3aebcd
For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2007-008Pan.dmg"
Its SHA-1 digest is: d085bfc4bc59ca3c81495e9b7029381c3fa9b082
Information will also be posted to the Apple Security Updates
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce(a)lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/security-announce/site_archiver%40li…
This email sent to site_archiver(a)lists.apple.com
12 Nov '07
site_archiver(a)lists.apple.com
Delivered-To: security-announce(a)lists.apple.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2007-11-12 iPhone v1.1.2 and iPod Touch v1.1.2
iPhone v1.1.2 and iPod Touch v1.1.2 updates are now available and
address the following issue:
ImageIO
CVE-ID: CVE-2006-3459, CVE-2006-3461, CVE-2006-3462, CVE-2006-3465
Available for: iPhone v1.0 through v1.1.1,
iPod Touch v1.1 and v1.1.1
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: ImageIO contains a version of libtiff that is
vulnerable to multiple buffer overflows. By enticing a user to view a
maliciously crafted TIFF image, an attacker may cause an unexpected
application termination or arbitrary code execution. This update
addresses the issues by performing additional validation of TIFF
images. These issues do not affect Mac OS X v10.3.9 systems with
Security Update 2006-004, Mac OS X v10.4.7 systems with Security
Update 2006-004, or systems running Mac OS X v10.4.8 or later. Credit
to Tavis Ormandy, Google Security Team for reporting this issue.
Installation note:
This update is only available through iTunes, and will not appear in
your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/
iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone or iPod Touch is docked, iTunes will present the user with
the option to install the update. We recommend applying the update
immediately if possible. Selecting "don't install" will present the
option the next time you connect your iPhone or iPod Touch.
The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the "Check for Update" button within iTunes. After doing
this, the update can be applied when your iPhone or iPod Touch is
docked to your computer.
To check that the iPhone or iPod Touch has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
"1.1.2 (3B49)" or later
Information will also be posted to the Apple Product Security
web site: http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
site_archiver(a)lists.apple.com
Delivered-To: security-announce(a)lists.apple.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2007-11-05 QuickTime 7.3
QuickTime 7.3 is now available and addresses the following issues:
QuickTime
CVE-ID: CVE-2007-2395
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's
handling of image description atoms. By enticing a user to open a
maliciously crafted movie file, an attacker may cause an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of QuickTime
image descriptions. Credit to Dylan Ashe of Adobe Systems
Incorporated for reporting this issue.
QuickTime
CVE-ID: CVE-2007-3750
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime Player's
handling of Sample Table Sample Descriptor (STSD) atoms. By enticing
a user to open a maliciously crafted movie file, an attacker may
cause an unexpected application termination or arbitrary code
execution. This update addresses the issue by performing additional
validation of STSD atoms. Credit to Tobias Klein of www.trapkit.de
for reporting this issue.
QuickTime
CVE-ID: CVE-2007-3751
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5, Windows Vista, XP SP2
Impact: Untrusted Java applets may obtain elevated privileges
Description: Multiple vulnerabilities exist in QuickTime for Java,
which may allow untrusted Java applets to obtain elevated privileges.
By enticing a user to visit a web page containing a maliciously
crafted Java applet, an attacker may cause the disclosure of
sensitive information and arbitrary code execution with elevated
privileges. This update addresses the issues by making QuickTime for
Java no longer accessible to untrusted Java applets. Credit to Adam
Gowdiak for reporting this issue.
QuickTime
CVE-ID: CVE-2007-4672
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5, Windows Vista, XP SP2
Impact: Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description: A stack buffer overflow exists in PICT image
processing. By enticing a user to open a maliciously crafted image,
an attacker may cause an unexpected application termination or
arbitrary code execution. This update addresses the issue by
performing additional validation of PICT files. Credit to Ruben
Santamarta of reversemode.com working with TippingPoint and the Zero
Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2007-4676
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5, Windows Vista, XP SP2
Impact: Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in PICT image processing.
By enticing a user to open a maliciously crafted image, an attacker
may cause an unexpected application termination or arbitrary code
execution. This update addresses the issue by performing additional
validation of PICT files. Credit to Ruben Santamarta of
reversemode.com working with TippingPoint and the Zero Day Initiative
for reporting this issue.
QuickTime
CVE-ID: CVE-2007-4675
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted QTVR movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling
of panorama sample atoms in QTVR (QuickTime Virtual Reality) movie
files. By enticing a user to view a maliciously crafted QTVR file, an
attacker may cause an unexpected application termination or arbitrary
code execution. This update addresses the issue by performing bounds
checking on panorama sample atoms. Credit to Mario Ballano from
48bits.com working with the VeriSign iDefense VCP for reporting this
issue.
QuickTime
CVE-ID: CVE-2007-4677
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the parsing of the
color table atom when opening a movie file. By enticing a user to
open a maliciously crafted movie file, an attacker may cause an
unexpected application termination or arbitrary code execution. This
update addresses the issue by performing additional validation of
color table atoms. Credit to Ruben Santamarta of reversemode.com and
Mario Ballano of 48bits.com working with TippingPoint and the Zero
Day Initiative for reporting this issue.
QuickTime 7.3 may be obtained from the Software Update
application, or from the Apple Downloads site:
http://www.apple.com/support/downloads/
For Mac OS X v10.5
The download file is named: "QuickTime730_Leopard.dmg"
Its SHA-1 digest is: 581a470ce7b98b3c7e515fd8d610502a94214933
For Mac OS X v10.4.9 or later
The download file is named: "QuickTime730_Tiger.dmg"
Its SHA-1 digest is: 191e9789a9207921424185db1dc37792c7ec78e
For Mac OS X v10.3.9
The download file is named: "QuickTime730_Panther.dmg"
Its SHA-1 digest is: 969324ae94afe82173f155d7db31dbce8c02dd0
QuickTime 7.3 for Windows Vista, XP SP2
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 14788da58ad4e1cc219d4a92b833ca49b9d99e59
QuickTime 7.3 with iTunes for Windows Vista, XP SP2
The download file is named: "iTunes75Setup.exe"
Its SHA-1 digest is: b38005b53e608dcd2b4fe18b44cc419fefbc9411
Information will also be posted to the Apple Product Security
web site: http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
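The download lists in the notices above pair each file name with a SHA-1 digest. The Python below is an added example, not part of Apple's advisories: it parses that two-line layout and checks a downloaded file, reporting a printed digest that is not 40 hex characters (as with the "QuickTime730_Tiger.dmg" entry) separately from a real mismatch. The function names and the "Example.dmg" entry are assumptions made for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

NAME_RE = re.compile(r'The download file is named:\s*"([^"]+)"')
DIGEST_RE = re.compile(r"Its SHA-1 digest is:\s*(\S+)")
SHA1_HEX_RE = re.compile(r"[0-9a-fA-F]{40}")

# Sample input. The first entry is constructed (SHA-1 of the bytes b"abc");
# the second is copied from the QuickTime 7.3 notice, where the printed
# digest has only 39 hex characters.
SAMPLE_ADVISORY = '''\
For the constructed test image
The download file is named: "Example.dmg"
Its SHA-1 digest is: a9993e364706816aba3e25717850c26c9cd0d89d
For Mac OS X v10.4.9 or later
The download file is named: "QuickTime730_Tiger.dmg"
Its SHA-1 digest is: 191e9789a9207921424185db1dc37792c7ec78e
'''


def parse_digests(advisory_text):
    """Map each download file name to the digest string printed after it."""
    digests, pending = {}, None
    for line in advisory_text.splitlines():
        name = NAME_RE.search(line)
        if name:
            pending = name.group(1)
            continue
        digest = DIGEST_RE.search(line)
        if digest and pending:
            digests[pending] = digest.group(1)
            pending = None
    return digests


def sha1_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so large disk images are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_download(path, digests):
    """Return 'ok', 'mismatch', 'malformed-digest' or 'not-listed'."""
    expected = digests.get(Path(path).name)
    if expected is None:
        return "not-listed"
    if not SHA1_HEX_RE.fullmatch(expected):
        # A truncated or garbled digest can never match; report it as such
        # instead of as a bad download.
        return "malformed-digest"
    return "ok" if sha1_of(path) == expected.lower() else "mismatch"


def demo():
    """Exercise every outcome with constructed files in a temporary directory."""
    digests = parse_digests(SAMPLE_ADVISORY)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp, "Example.dmg")
        image.write_bytes(b"abc")
        results["intact"] = check_download(image, digests)
        image.write_bytes(b"abc tampered")
        results["altered"] = check_download(image, digests)
        for name in ("QuickTime730_Tiger.dmg", "Unlisted.dmg"):
            Path(tmp, name).write_bytes(b"placeholder")
            results[name] = check_download(Path(tmp, name), digests)
    return results


if __name__ == "__main__":
    print(demo())
```

A match only ties the file to the copy of the advisory text the digests were read from, so the list is worth trusting only when the advisory's PGP signature has been verified on the original message.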