ID

VAR-200909-0760

CVE

CVE-2009-2804

TITLE

Apple Mac OS of ColorSync Vulnerable to arbitrary code execution

DESCRIPTION

Integer overflow in ColorSync in Apple Mac OS X 10.4.11 and 10.5.8, and Safari before 4.0.4 on Windows, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted ColorSync profile embedded in an image, leading to a heap-based buffer overflow. Apple Mac OS X is prone to a heap-based buffer-overflow vulnerability that affects the ColorSync component. Successfully exploiting this issue may allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will likely result in a denial-of-service condition. The following versions are affected: Mac OS X 10.4.11 and prior Mac OS X Server 10.4.11 and prior Mac OS X 10.5.8 and prior Mac OS X Server 10.5.8 and prior NOTE: This issue was previously covered in BID 36349 (Apple Mac OS X 2009-005 Multiple Security Vulnerabilities), but has been assigned its own record to better document it. Integer overflow vulnerabilities exist in Mac OS X and Safari systems running on Windows platforms. For more information see vulnerability #4 in: SA36701 2) An error exists when handling an "Open Image in New Tab", "Open Image in New Window", or "Open Link in New Tab" shortcut menu action performed on a link to a local file. This can be exploited to load a local HTML file and disclose sensitive information by tricking a user into performing the affected actions within a specially crafted webpage. 3) An error exists in WebKit when sending "preflight" requests originating from a page in a different origin. This can be exploited to facilitate cross-site request forgery attacks by injecting custom HTTP headers. 5) An error in WebKit when handling an HTML 5 Media Element on Mac OS X can be exploited to bypass remote image loading restrictions via e.g. HTML-formatted emails. NOTE: Some errors leading to crashes, caused by the included libxml2 library, have also been reported. SOLUTION: Update to version 4.0.4. PROVIDED AND/OR DISCOVERED BY: 1-3, 5) Reported by the vendor. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA36701 VERIFY ADVISORY: http://secunia.com/advisories/36701/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error in Alias Manager when processing alias files can be exploited to cause a buffer overflow and potentially execute arbitrary code. 2) An error in Resource Manager when processing resource forks can be exploited to corrupt memory and potentially execute arbitrary code. 3) Multiple vulnerabilities in ClamAV can be exploited to bypass certain security restrictions, cause a DoS, and potentially compromise a vulnerable system. For more information: SA34566 SA34612 4) An integer overflow error exists when processing ColorSync profiles embedded in images. 5) An integer overflow error exists in CoreGraphics when processing JBIG2 streams embedded in PDF files. 6) An error in CoreGraphics can be exploited to cause a heap-based buffer overflow potentially execute arbitrary code when drawing long text strings. This is related to vulnerability #1 in: SA36269 7) A NULL-pointer dereference error in CUPS can be exploited to cause a crash. For more information see vulnerability #4 in: SA34481 8) An error in the CUPS USB backend can be exploited to cause a heap-based buffer overflow and execute arbitrary code with escalated privileges. 9) Multiple vulnerabilities in Adobe Flash Player can be exploited by malicious people to bypass security features, gain knowledge of sensitive information, or compromise a user's system. For more information: SA35948 10) Multiple errors exist in ImageIO when processing PixarFilm encoded TIFF images. These can be exploited to trigger memory corruptions and potentially execute arbitrary code via specially crafted TIFF files. 11) An error exists in Launch Services when handling files having a ".fileloc" extension. 12) An error exists in Launch Services when handling exported document types presented when an application is downloaded. This can be exploited to associate a safe file extension with an unsafe Uniform Type Identifier (UTI) and execute arbitrary code. 13) An error in MySQL can be exploited by malicious, local users to bypass certain security restrictions. For more information: SA30134 14) Multiple vulnerabilities in PHP have an unknown impact or can potentially be exploited by malicious people to disclose sensitive information or cause a DoS (Denial of Service). For more information: SA34081 15) An error exists in Samba when handling error conditions. This can be exploited by a user without a configured home directory to access the contents of the file system by connecting to the Windows File Sharing service. 16) Input passed in search requests containing non UTF-8 encoded data to Wiki Server is not properly sanitised before being returned to the user. Security Update 2009-005 (Tiger PPC): http://support.apple.com/downloads/DL931/en_US/SecUpd2009-005PPC.dmg Security Update 2009-005 (Tiger Intel): http://support.apple.com/downloads/DL932/en_US/SecUpd2009-005Intel.dmg Security Update 2009-005 Server (Tiger Univ): http://support.apple.com/downloads/DL933/en_US/SecUpdSrvr2009-005Univ.dmg Security Update 2009-005 Server (Tiger PPC): http://support.apple.com/downloads/DL934/en_US/SecUpdSrvr2009-005PPC.dmg Mac OS X Server v10.6.1 Update: http://support.apple.com/downloads/DL929/en_US/MacOSXServerUpd10.6.1.dmg Security Update 2009-005 Server (Leopard): http://support.apple.com/downloads/DL936/en_US/SecUpdSrvr2009-005.dmg Security Update 2009-005 (Leopard): http://support.apple.com/downloads/DL935/en_US/SecUpd2009-005.dmg Mac OS X v10.6.1 Update: http://support.apple.com/downloads/DL930/en_US/MacOSXUpd10.6.1.dmg PROVIDED AND/OR DISCOVERED BY: 1, 2, 4, 8, 10-12, 16) Reported by the vendor. 5) The vendor credits Will Dormann of CERT/CC. 6) The vendor credits Will Drewry of Google. 15) The vendor credits J. David Hester of LCG Systems National Institutes of Health. ORIGINAL ADVISORY: http://support.apple.com/kb/HT3864 http://support.apple.com/kb/HT3865 OTHER REFERENCES: SA30134: http://secunia.com/advisories/30134/ SA34081: http://secunia.com/advisories/34081/ SA34481: http://secunia.com/advisories/34481/ SA34566: http://secunia.com/advisories/34566/ SA34612: http://secunia.com/advisories/34612/ SA35948: http://secunia.com/advisories/35948/ SA36269: http://secunia.com/advisories/36269/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

digital error

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

J. David Hester

SOURCES

LAST UPDATE DATE

2025-04-10T22:05:41.213000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE