site_archiver@lists.apple.com Delivered-To: security-announce@lists.apple.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2005-09-22 Security Update 2005-008 Security Update 2005-008 is now available and delivers the following security enhancements: ImageIO CVE-ID: CAN-2005-2747 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Viewing a maliciously-crafted GIF image may result in arbitrary code execution. Description: By carefully crafting a corrupt GIF image, an attacker can trigger a buffer overflow in ImageIO which may result in arbitrary code execution. Several components of Mac OS X utilize ImageIO including WebCore and Safari. This update addresses the issue by performing additional validation of images. Mail CVE-ID: CAN-2005-2746 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: When using auto-reply rules, Mail.app may expose the contents of encrypted messages. Description: Mail.app includes the contents of messages when processing auto-reply rules. If a message being processed was encrypted, the automatically generated response will include the decrypted message contents. This could allow an attacker to intercept the message. This update addresses the issue by ensuring that unencrypted responses to encrypted messages are not generated. Credit to Norbert Rittel of Rittel Consulting for reporting this issue. Mail CVE-ID: CAN-2005-2745 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9 Impact: Using Kerberos Version 5 for SMTP authentication Mail.app may disclose sensitive information. Description: When using SMTP authentication with Kerberos Version 5, Mail.app may append un-initialized memory to a message. This update addresses the issue by updating Mail.app. Credit to the MIT Kerberos team for reporting this issue. This issue was resolved in Mac OS X v10.4.2 by Security Update 2005-007. malloc CVE-ID: CAN-2005-2748 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Insecure file handling may result in local privilege escalation. Description: When certain environmental variables are set to enable debugging of application memory allocation, files with diagnostic information are created insecurely. This could allow a malicious local user to alter arbitrary files. This update addresses the issue by disallowing malloc debugging in privileged programs. Credit to Ilja van Sprundel of Suresec LTD for reporting this issue. QuickDraw Manager CVE-ID: CAN-2005-2744 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Viewing a maliciously-crafted PICT image may result in arbitrary code execution. Description: By carefully crafting a corrupt PICT image, an attacker can trigger a buffer overflow in QuickDraw Manager which may result in arbitrary code execution. Several components of Mac OS X utilize QuickDraw Manager, including Safari, Mail, and Finder. This update addresses the issue by performing additional validation of images. Credit to Henrik Dalgaard of Echo One for reporting this issue. QuickTime for Java CVE-ID: CAN-2005-2743 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9 Impact: An untrusted applet may gain elevated privileges. Description: The Java extensions bundled with QuickTime 6.52 and earlier allow untrusted applets to call arbitrary functions from system libraries. This update addresses the issue by limiting these calls to trusted applets. Systems running QuickTime 7 or later are not affected by this issue. Systems running Mac OS X v10.4 or later are also not affected by this issue. Credit to Dino Dai Zovi for reporting this issue. Ruby CVE-ID: CAN-2005-1992 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Ruby applications utilizing the xmlrpc module may be vulnerable to arbitrary code execution. Description: The Ruby xmlrpc/utils module utilizes the method Module#public_instance_methods to determine which methods may be invoked remotely using XML-RPC. A change between different versions of Ruby caused this method list to unintentionally include methods that may be used to execute arbitrary Ruby code. This update addresses the issue by updating the xmlrpc/utils module. This issue does not affect systems prior to Mac OS X v10.4. Safari CVE-ID: CAN-2005-2524 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9 Impact: Maliciously crafted web archives could potentially allow cross-site scripting. Description: It is possible to view web archives served from remote sites in Safari. Maliciously crafted web archives may be rendered as content from sites they did not server them. This update prevents remote web archives from being loaded. Safari web archives were introduced in Safari 2.0. This issue was resolved in Mac OS X v10.4.2 by Security Update 2005-007. SecurityAgent CVE-ID: CAN-2005-2742 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: A user with physical access to the system may be able to bypass the "Require password to wake this computer from sleep or screen saver" setting. Description: Under certain situations, the "Switch User..." button may appear even though the "Enable fast user switching" setting is disabled. This could cause the currently logged-in user's desktop to be displayed without authentication. This update prevents the "Switch User..." button from appearing when inappropriate. This issue does not affect systems prior to Mac OS X v10.4. Credit to Luke Fowler of the Indiana University Global Research Network Operations Center for reporting this issue. securityd CVE-ID: CAN-2005-2741 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Malicious users may grant themselves rights to manipulate arbitrary files or perform other privileged actions. Description: Authorization Services allows unprivileged users to grant certain rights that should be restricted to administrators, which may lead to privilege escalation. This update addresses the issue by adding restrictions to which rights unprivileged users can grant themselves. Also included in this update are enhancements to LoginWindow for improved interaction with Parental Controls (Mac OS X v10.3.9), X509Anchors to include the Wells Fargo root certificate (Mac OS X v10.3.9), and Safe Download Validation to include Web Archives (Mac OS X v10.4.2). Security Update 2005-008 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ For Mac OS X v10.4.2 and Mac OS X Server v10.4.2 The download file is named: "SecUpd2005-008Ti.dmg" Its SHA-1 digest is: 9284ab3e3ed19761b74edb1afffba052f606c993 For Mac OS X v10.3.9 and Mac OS X Server v10.3.9 The download file is named: "SecUpd2005-008Pan.dmg" Its SHA-1 digest is: 65f4dde09ee46fb9e1d58259f4085d90f420fae0 Information will also be posted to the Apple Product Security web site: http://docs.info.apple.com/article.html?artnum=61798 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.0.2 (Build 2425) iQEVAwUBQzH2WYHaV5ucd/HdAQLg/Qf/dNM4ogTKflJB+9t4XRuL5SMb+oIFRflY k1umPl9xnVokCr6zBEXK0lPgCYpj72472leVYrqheqdS9SUu3TAs3EHIwp2Yv3nj PPuwVGl2KWiqp+xn4bvct1q+keXGZvExQHq3TjU1aK/Qvp/8OrUPXmFHfdUv6egU 9b9QOOlmWUqdJpJKcaep2Qt+nHsHnpxHziDek12sDE+57AKcUlDcx71TauXi1jWY nspdGVvSTfjuZlFXBm5kceIz2J7RARVOp7jaY+P7CjAIlp3G2qirST1C8RFGC7Tv bSfzCwuwKOfyyQQDI91+pvx7+MprggXmfIytvBl1L8YKkA3gUemBMQ== =1W57 -----END PGP SIGNATURE----- _______________________________________________ Do not post admin requests to the list. They will be ignored. Security-announce mailing list (Security-announce@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/security-announce/site_archiver%40lis... This email sent to site_archiver@lists.apple.com