CPNI - Centre for the Protection of National Infrastructure

CSIRTUK advisories

3673 - APPLE-SA-2008-07-31 Security Update 2008-005

ID: 3673
Date: 01/08/2008

Title: 3673 - APPLE-SA-2008-07-31 Security Update 2008-005
Platform level affected: Operating System
Hardware components affected: Apple MAC
Specific operating systems components affected: Apple Mac OS
Net-enabled software: Other
Security software: Other
Other software: Other
Remediation Summary: Update your copy of the software with the download available from the supplier.
Vendors affected: Apple
Applications affected: Mac OS X
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Unknown
Potential Damage: Remote execution/modification
Possible Duration: Open Ended
Availability of fix: Available
Type of fix: Patch
Source: Apple
Reliability of source: Trusted
Source URL: www.apple.com
CVE: CVE-2008-2830, CVE-2008-1447, CVE-2008-2320, CVE-2008-2321, CVE-2008-2322, CVE-2008-2323, CVE-2008-2324, CVE-2008-2952, CVE-2007-5135, CVE-2008-2051, CVE-2008-2050, CVE-2007-4850, CVE-2008-0599, CVE-2008-0674, CVE-2008-2325, CVE-2007-6199, CVE-2007-6200
Abstract: Apple have released Security Update 2008-005 which addresses a number of issues.

APPLE-SA-2008-07-31 Security Update 2008-005

Security Update 2008-005 is now available and addresses the following issues:

Open Scripting Architecture

CVE-ID: CVE-2008-2830

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4

Impact: A local user may execute commands with elevated privileges

Description: A design issue exists in the Open Scripting Architecture libraries when determining whether to load scripting addition plugins into applications running with elevated privileges. Sending scripting addition commands to a privileged application may allow the execution of arbitrary code with those privileges. This update addresses the issue by not loading scripting addition plugins into applications running with system privileges. The recently reported ARDAgent and SecurityAgent issues are addressed by this update. Credit to Charles Srstka for reporting this issue.

BIND

CVE-ID: CVE-2008-1447

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4

Impact: BIND is susceptible to DNS cache poisoning and may return forged information

Description: The Berkeley Internet Name Domain (BIND) server is distributed with Mac OS X, and is not enabled by default. When enabled, the BIND server provides translation between host names and IP addresses. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, systems that rely on the BIND server for DNS may receive forged information. This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1. Credit to Dan Kaminsky of IOActive for reporting this issue.
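A post-update check for the source port randomization described above, as an added example that is not part of Apple's or CPNI's advisory. It classifies the UDP source ports seen on a resolver's outgoing queries; the thresholds, the function name and the sample port lists are assumptions constructed for illustration.

```python
from statistics import pstdev

# Thresholds are assumptions for this example, not values from BIND or Apple.
MIN_SAMPLES = 10    # fewer observations than this says nothing useful
MAX_STEP = 16       # port-to-port increments this small look like a counter
MIN_STDEV = 3000    # a uniform pick over ports 1024-65535 gives roughly 18600


def assess_source_ports(ports):
    """Classify source ports of outgoing DNS queries, given in the order seen."""
    if len(ports) < MIN_SAMPLES:
        return "insufficient-data"
    distinct = len(set(ports))
    if distinct == 1:
        return "fixed"          # no randomization at all
    steps = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    counter_like = sum(1 for s in steps if 0 < s <= MAX_STEP)
    if counter_like >= 0.9 * len(steps):
        return "sequential"     # ports differ but the next one is predictable
    if distinct < 0.8 * len(ports) or pstdev(ports) < MIN_STDEV:
        return "weak"           # small pool of ports or a narrow range
    return "randomized"


# Constructed samples standing in for ports read from a packet capture.
SAMPLES = {
    "fixed": [53] * 12,
    "sequential": list(range(32768, 32780)),
    "weak": [50000, 50004, 50001, 50007, 50002, 50000,
             50005, 50003, 50006, 50001, 50004, 50002],
    "randomized": [49213, 1187, 60022, 23871, 35516, 8841,
                   57102, 14409, 41975, 29330, 63018, 5276],
}

if __name__ == "__main__":
    for label, ports in SAMPLES.items():
        print(f"{label:11} -> {assess_source_ports(ports)}")
```

Ports should be captured at the point where queries leave the network, since an address-translating device in front of the resolver can rewrite them.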

CarbonCore

CVE-ID: CVE-2008-2320

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4

Impact: Processing long filenames may lead to an unexpected application termination or arbitrary code execution

Description: A stack buffer overflow exists in the handling of long filenames. Processing long filenames may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Thomas Raffetseder of the International Secure Systems Lab and Sergio 'shadown' Alvarez of n.runs AG for reporting this issue.

CoreGraphics

CVE-ID: CVE-2008-2321

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: CoreGraphics contains memory corruption issues in the processing of arguments. Passing untrusted input to CoreGraphics via an application, such as a web browser, may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Michal Zalewski of Google for reporting this issue.

CoreGraphics

CVE-ID: CVE-2008-2322

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4

Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: An integer overflow in the handling of PDF files may result in a heap buffer overflow. Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through additional validation of PDF files. Credit to Pariente Kobi working with the iDefense VCP for reporting this issue.

Data Detectors Engine

CVE-ID: CVE-2008-2323

Available for: Mac OS X v10.5.4, Mac OS X Server v10.5.4

Impact: Viewing maliciously crafted messages with Data Detectors may lead to an unexpected application termination

Description: Data Detectors are used to extract reference information from textual content or archives. A resource consumption issue exists in Data Detectors' handling of textual content. Viewing maliciously crafted content in an application that uses Data Detectors may lead to a denial of service, but not arbitrary code execution. This issue does not affect systems prior to Mac OS X v10.5.

Disk Utility

CVE-ID: CVE-2008-2324

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: A local user may obtain system privileges

Description: The "Repair Permissions" tool in Disk Utility makes /usr/bin/emacs setuid. After the Repair Permissions tool has been run, a local user may use emacs to run commands with system privileges. This update addresses the issue by correcting the permissions applied to emacs in the Repair Permissions tool. This issue does not affect systems running Mac OS X v10.5 and later. Credit to Anton Rang and Brian Timares for reporting this issue.

OpenLDAP

CVE-ID: CVE-2008-2952

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4

Impact: A remote attacker may be able to cause an unexpected application termination

Description: An issue exists in OpenLDAP's ASN.1 BER decoding. Processing a maliciously crafted LDAP message may trigger an assertion and lead to an unexpected application termination of the OpenLDAP daemon, slapd. This update addresses the issue by performing additional validation of LDAP messages.

OpenSSL

CVE-ID: CVE-2007-5135

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4

Impact: A remote attacker may be able to cause an unexpected application termination or arbitrary code execution

Description: A range checking issue exists in the SSL_get_shared_ciphers() utility function within OpenSSL. In an application using this function, processing maliciously crafted packets may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

PHP

CVE-ID: CVE-2008-2051, CVE-2008-2050, CVE-2007-4850, CVE-2008-0599, CVE-2008-0674

Available for: Mac OS X v10.5.4, Mac OS X Server v10.5.4

Impact: Multiple vulnerabilities in PHP 5.2.5

Description: PHP is updated to version 5.2.6 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/. PHP version 5.2.x is only provided with Mac OS X v10.5 systems.

QuickLook

CVE-ID: CVE-2008-2325

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4

Impact: Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues exist in QuickLook's handling of Microsoft Office files. Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.5.

rsync

CVE-ID: CVE-2007-6199, CVE-2007-6200

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4

Impact: Files outside the module root may be accessed or overwritten remotely

Description: Path validation issues exist in rsync's handling of symbolic links when running in daemon mode. Placing symbolic links in an rsync module may allow files outside of the module root to be accessed or overwritten. This update addresses the issue through improved handling of symbolic links. Further information on the patches applied is available via the rsync web site at http://rsync.samba.org/
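The class of path validation issue described above, as an added example that is not rsync's code or the patch Apple applied. It contrasts a lexical containment check, which a symbolic link inside the module defeats, with one that resolves links before comparing against the module root; the function names and the directory tree are constructed for illustration.

```python
import os
import tempfile


def naive_inside(root, requested):
    """Lexical check only: normalises '..' but never looks at symlinks."""
    candidate = os.path.normpath(os.path.join(root, requested))
    return candidate.startswith(os.path.normpath(root) + os.sep)


def resolved_inside(root, requested):
    """Resolve every symlink first, then compare against the resolved root."""
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, requested))
    return os.path.commonpath([real_root, candidate]) == real_root


def demo():
    """Build a constructed module tree and return both verdicts per request."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "module")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(root, "docs"))
        os.makedirs(outside)
        open(os.path.join(root, "docs", "readme.txt"), "w").close()
        open(os.path.join(outside, "secret.txt"), "w").close()
        # Symlink placed inside the module that points out of it.
        os.symlink(outside, os.path.join(root, "link"))
        requests = ["docs/readme.txt", "../outside/secret.txt", "link/secret.txt"]
        return {r: (naive_inside(root, r), resolved_inside(root, r))
                for r in requests}


if __name__ == "__main__":
    for request, (naive, resolved) in demo().items():
        print(f"{request:24} naive={naive!s:5} resolved={resolved}")
```

A resolve-then-compare check still leaves a window between the check and the later open, so a server also needs to open the file in a way that refuses to follow links swapped in afterwards.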

Security Update 2008-005 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:

http://www.apple.com/support/downloads/

For Mac OS X v10.5.4 and Mac OS X Server 10.5.4

The download file is named: "SecUpd2008-005.dmg"

Its SHA-1 digest is: 9c4fd4ee59965819427445f6de172c42b223e6e1

For Mac OS X v10.4.11 (Intel)

The download file is named: "SecUpd2008-005Intel.dmg"

Its SHA-1 digest is: 1ff3242935c98325769b33148a2a8b1e72db567c

For Mac OS X v10.4.11 (PPC)

The download file is named: "SecUpd2008-005PPC.dmg"

Its SHA-1 digest is: 2f56ea4311d5b85de3c494f6fee46360e5b7317e

For Mac OS X Server v10.4.11 (Universal)

The download file is named: "SecUpdSrvr2008-005Univ.dmg"

Its SHA-1 digest is: 256401659308a634cee06b00d1a6ae9dc20b5467

For Mac OS X Server v10.4.11 (PPC)

The download file is named: "SecUpdSrvr2008-005PPC.dmg"

Its SHA-1 digest is: d310d471bd39df92cb5580e18f356a222824d7d2

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at:

http://www.apple.com/support/security/pgp/

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.

Fri, 01 Aug 2008 10:00:00 GMT
Domain affected: Technical