Focus on Apple
Apple today released Mac OS X v10.4.11 and Security Update 2007-008 Nov 15 2007 05:07PM
Todd Woodward (todd_woodward symantec com)
Apple today released Mac OS X v10.4.11 and Security Update 2007-008
which resolves a large number of interesting security issues. In brief:

AppleRAID:
Resolves a "null pointer dereference" issue which may lead to an
unexpected system shutdown. Apple gave credit for reporting to Mark Tull
of SSAM1 at University of Hertfordshire, and Joel Vink of Zetera
Corporation.

BIND:
Updates known vulnerable versions of ISC BIND 9 to resolve a weak random
number generator issue which may allow malicious DNS cache poisoning.

bzip2:
Updates bzip2 to version 1.0.4 to address a remote DOS and race
condition.

CFFTP:
Resolves an "implementation" issue in the FTP portion of the CFNetwork
framework that could cause clients to connect to unintended hosts in
response to maliciously crafted replies to FTP PASV commands. Apple
gives credit for reporting to Dr. Bob Lopez PhD.

CFNetwork: Two issues...

Resolves a certificate validation issue that could allow
man-in-the-middle redirections to a spoofed site. Apple gives credit
for reporting to Marko Karppinen, Petteri Kamppuri, and Nikita Zhuk of
MK&C.

Also an HTTP parsing issue in the CFNetwork framework that could
maliciously allow unexpected application termination. Apple cites this
issue as being described in the Month of Apple Bugs web site
(MOAB-25-01-2007).

CoreFoundation:
Resolves a buffer overflow that could lead to "unexpected application
termination or arbitrary code execution."

CoreText:
Resolves an "uninitialized object pointer" vulnerability that could lead
to "unexpected application termination or arbitrary code execution."
Apple gives credit for reporting to Will Dormann of the CERT/CC.

Flash Player Plug-in:
Resolves an issue with maliciously crafted Flash content that could lead
to "arbitrary code execution" by updating Flash Player to 9.0.47.0.

Kerberos:
Resolves a stack buffer overflow that could lead to DOS or "arbitrary
code execution."

Kernel: Resolves six issues...

* Elevation of privileges
* Unexpected system shutdown
* Arbitrary code execution
* chroot bypass
* Integer overflow in a system call
* setuid and setgid issues
* ioctl vulnerability
* Month of Kernel Bugs (MOKB-24-11-2006)

Apple gives specific credit for reporting these various issues to
VeriSign iDefense VCP, Johan Henselmans and Jesper Skov, RISE Security,
Ilja van Sprundel formerly of Suresec Inc., and Tobias Klein of
www.trapkit.de

Networking: Resolves five issues...

* An "implementation issue" in the Node Information Query mechanism
which "may allow a remote user to query for all addresses of a host,
including link-local addresses"
* Elevation of privileges, stack buffer overflow and memory allocation
vulnerabilities in AppleTalk
* Arithmetic error exists in AppleTalk when handling
* A "double-free" issue in the handling of certain IPV6 packets
(PowerPC only)

Apple gives specific credit for reporting these various issues to
Bhavesh Davda of VMware, and Brian "chort" Keefer of Tumbleweed
Communications, anonymous and Sean Larsson of VeriSign iDefense Labs.

NFS:
Resolves a "double free" issue triggered by a maliciously crafted
AUTH_UNIX RPC call. Apple gives credit for reporting to Alan Newson of
NGSSoftware, and Renaud Deraison of Tenable Network Security, Inc.

NSURL:
Resolves a case-sensitivity issue in local file system URL references.

remote_cmds:
Resolves a tftpd issue (if enabled) that allows access to any path on a
file system. Apple gives credit for reporting to James P. Javery of
Stratus Data Systems, Inc.

Safari: Resolves two issues...

* A format string vulnerability (MOAB-30-01-2007)
* "Implementation issue" in HTTP authentication in Tabbed browsing,
which Apple gives credit for reporting to Michael Roitzsch of Technical
University Dresden

SecurityAgent:
Resolves a screensaver vulnerability that allows keystrokes to be sent
to a backend process. Apple gives credit for reporting to Faisal N.
Jawdat.

WebCore: Resolves nine issues...

* Vulnerability in how Safari handles file:// URLs
* An HTML forms input validation vulnerability
* Race condition in Safari's handling of page transitions
* A memory corruption issue
* JavaScript cross-site scripting and cross-frame vulnerabilities
* A cross-domain vulnerability

Apple gives specific credit for reporting these various issues to
lixlpixel, Bodo Ruskamp of Itchigo Communications GmbH, Ryan Grisso of
NetSuite, David Bloom, Michal Zalewski of Google Inc., Secunia Research,
and Keigo Yamazaki of LAC Co., Ltd. (Little eArth Corporation Co.,
Ltd.).

WebKit: Resolves three issues...

* Keychain access vulnerability
* Arbitrary open TCP ports (Credit to Kostas G. Anagnostakis of
Institute for Infocomm Research, Singapore, and Spiros Antonatos of
FORTH-ICS, Greece)
* Local user temporary file insecurity during PDF preview in Safari

For specific details, refer to the following Apple Knowledge Base
article:

http://docs.info.apple.com/article.html?artnum=307041

###

Security Response Researcher
Focus-Apple Moderator

________________________________________
Todd D. Woodward
Technical Support Engineer
NetBackup Support
Symantec Corporation
www.symantec.com
Springfield, Oregon
________________________________________
Office: 541-335-7441
________________________________________
