VARIoT IoT vulnerabilities database

The Repair Permissions tool in Disk Utility in Apple Mac OS X 10.4.11 adds the setuid bit to the emacs executable file, which allows local users to gain privileges by executing commands within emacs. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-005. The security update addresses a total of six new vulnerabilities that affect the CarbonCore, CoreGraphics, Data Detectors Engine, Disk Utility, OpenLDAP, and QuickLook components of Mac OS X. The advisory also contains security updates for 11 previously reported issues. NOTE: This BID is being retired; the following individual records have been created to better document these issues: 30487 Apple Mac OS X CarbonCore Stack Based Buffer Overflow 30488 Apple Mac OS X CoreGraphics Multiple Memory Corruption Vulnerabilities 30489 Apple Mac OS X CoreGraphics Heap Based Buffer Overflow Vulnerability 30490 Apple Mac OS X Data Detectors Engine Denial Of Service Vulnerability 30492 Apple Mac OS X Disk Utility Privilege Escalation Vulnerability 30493 Apple Mac OS X QuickLook Multiple Memory Corruption Vulnerabilities. An unprivileged local user may exploit this issue to run commands with system-level privileges. The following versions are affected: Mac OS X v10.4.11 and prior Mac OS X Server v10.4.11 and prior This issue does not affect systems running Mac OS X v10.5 and later. 1) A vulnerability in BIND can be exploited to poison the DNS cache. For more information: SA30973 2) A boundary error exists in CarbonCore when handling filenames. This can be exploited to cause a stack-based buffer overflow via overly long filenames. Successful exploitation of the vulnerability may allow execution of arbitrary code. 3) Multiple errors exist in CoreGraphics when processing received arguments. These can be exploited to trigger a memory corruption by e.g. tricking a user into visiting a specially crafted website. Successful exploitation of the vulnerability may allow execution of arbitrary code. 4) An integer overflow error exists in CoreGraphics when handling PDF files. This can be exploited to cause a heap-based buffer overflow via a specially crafted PDF file. Successful exploitation of the vulnerability may allow execution of arbitrary code. 5) Multiple errors in QuickLook when downloading Microsoft Office files can be exploited to cause a memory corruption. Successful exploitation of the vulnerability may allow execution of arbitrary code. 6) An error exists in the Data Detectors engine when viewing a specially crafted message. This can be exploited to consume overly large resources and trigger an application using the engine to terminate. 7) The problem is that the "Repair Permissions" tool included in Disk Utility sets the "setuid" bit on "/usr/bin/emacs". This can be exploited to execute arbitrary commands with system privileges. 8) An error in OpenLDAP when parsing ASN.1 BER encoded packets can be exploited to cause a DoS. For more information: SA30853 9) A boundary error exists in the OpenSSL "SSL_get_shared_ciphers()" function. For more information see vulnerability #4 in: SA22130 10) Some vulnerabilities in PHP can be exploited malicious users to bypass certain security restrictions, and potentially by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. For more information: SA30048 11) Two vulnerabilities in rsync can be exploited by malicious users to bypass certain security restrictions. For more information: SA27863 SOLUTION: Apply Security Update 2008-005. Security Update 2008-005 Server (PPC): http://www.apple.com/support/downloads/securityupdate2008005serverppc.html Security Update 2008-005 Server (Intel): http://www.apple.com/support/downloads/securityupdate2008005serverintel.html Security Update 2008-005 (PPC): http://www.apple.com/support/downloads/securityupdate2008005ppc.html Security Update 2008-005 (Intel): http://www.apple.com/support/downloads/securityupdate2008005intel.html Security Update 2008-005 (Leopard): http://www.apple.com/support/downloads/securityupdate2008005leopard.html PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Dan Kaminsky of IOActive 2) Thomas Raffetseder of the International Secure Systems Lab and Sergio 'shadown' Alvarez of n.runs AG. 3) Michal Zalewski, Google 4) Pariente Kobi, reported via iDefense 7) Anton Rang and Brian Timares ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT2647 OTHER REFERENCES: SA22130: http://secunia.com/advisories/22130/ SA27863: http://secunia.com/advisories/27863/ SA30048: http://secunia.com/advisories/30048/ SA30973: http://secunia.com/advisories/30973/ SA30853: http://secunia.com/advisories/30853/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

QuickLook in Apple Mac OS X 10.4.11 and 10.5.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Microsoft Office file, related to insufficient "bounds checking.". Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-005. The security update addresses a total of six new vulnerabilities that affect the CarbonCore, CoreGraphics, Data Detectors Engine, Disk Utility, OpenLDAP, and QuickLook components of Mac OS X. The advisory also contains security updates for 11 previously reported issues. NOTE: This BID is being retired; the following individual records have been created to better document these issues: 30487 Apple Mac OS X CarbonCore Stack Based Buffer Overflow 30488 Apple Mac OS X CoreGraphics Multiple Memory Corruption Vulnerabilities 30489 Apple Mac OS X CoreGraphics Heap Based Buffer Overflow Vulnerability 30490 Apple Mac OS X Data Detectors Engine Denial Of Service Vulnerability 30492 Apple Mac OS X Disk Utility Privilege Escalation Vulnerability 30493 Apple Mac OS X QuickLook Multiple Memory Corruption Vulnerabilities. Attackers can exploit these issues to execute arbitrary code in the context of the affected application or cause denial-of-service conditions. The following versions are affected: Mac OS X v10.5.4 and prior Mac OS X Server v10.5.4 and prior This issue does not affect systems prior to Mac OS X v10.5. 1) A vulnerability in BIND can be exploited to poison the DNS cache. For more information: SA30973 2) A boundary error exists in CarbonCore when handling filenames. This can be exploited to cause a stack-based buffer overflow via overly long filenames. Successful exploitation of the vulnerability may allow execution of arbitrary code. 3) Multiple errors exist in CoreGraphics when processing received arguments. These can be exploited to trigger a memory corruption by e.g. tricking a user into visiting a specially crafted website. Successful exploitation of the vulnerability may allow execution of arbitrary code. 4) An integer overflow error exists in CoreGraphics when handling PDF files. This can be exploited to cause a heap-based buffer overflow via a specially crafted PDF file. Successful exploitation of the vulnerability may allow execution of arbitrary code. 5) Multiple errors in QuickLook when downloading Microsoft Office files can be exploited to cause a memory corruption. Successful exploitation of the vulnerability may allow execution of arbitrary code. 6) An error exists in the Data Detectors engine when viewing a specially crafted message. This can be exploited to consume overly large resources and trigger an application using the engine to terminate. 7) The problem is that the "Repair Permissions" tool included in Disk Utility sets the "setuid" bit on "/usr/bin/emacs". This can be exploited to execute arbitrary commands with system privileges. 8) An error in OpenLDAP when parsing ASN.1 BER encoded packets can be exploited to cause a DoS. For more information: SA30853 9) A boundary error exists in the OpenSSL "SSL_get_shared_ciphers()" function. For more information see vulnerability #4 in: SA22130 10) Some vulnerabilities in PHP can be exploited malicious users to bypass certain security restrictions, and potentially by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. For more information: SA30048 11) Two vulnerabilities in rsync can be exploited by malicious users to bypass certain security restrictions. For more information: SA27863 SOLUTION: Apply Security Update 2008-005. Security Update 2008-005 Server (PPC): http://www.apple.com/support/downloads/securityupdate2008005serverppc.html Security Update 2008-005 Server (Intel): http://www.apple.com/support/downloads/securityupdate2008005serverintel.html Security Update 2008-005 (PPC): http://www.apple.com/support/downloads/securityupdate2008005ppc.html Security Update 2008-005 (Intel): http://www.apple.com/support/downloads/securityupdate2008005intel.html Security Update 2008-005 (Leopard): http://www.apple.com/support/downloads/securityupdate2008005leopard.html PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Dan Kaminsky of IOActive 2) Thomas Raffetseder of the International Secure Systems Lab and Sergio 'shadown' Alvarez of n.runs AG. 3) Michal Zalewski, Google 4) Pariente Kobi, reported via iDefense 7) Anton Rang and Brian Timares ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT2647 OTHER REFERENCES: SA22130: http://secunia.com/advisories/22130/ SA27863: http://secunia.com/advisories/27863/ SA30048: http://secunia.com/advisories/30048/ SA30973: http://secunia.com/advisories/30973/ SA30853: http://secunia.com/advisories/30853/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Data Detectors Engine in Apple Mac OS X 10.5.4 allows attackers to cause a denial of service (resource consumption) via crafted textual content in messages. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-005. The advisory also contains security updates for 11 previously reported issues. Attackers can exploit this issue to cause denial-of-service conditions in applications using Data Detectors. The following versions are affected: Mac OS X v10.5.4 and prior Mac OS X Server v10.5.4 and prior This issue does not affect systems prior to Mac OS X v10.5. 1) A vulnerability in BIND can be exploited to poison the DNS cache. For more information: SA30973 2) A boundary error exists in CarbonCore when handling filenames. This can be exploited to cause a stack-based buffer overflow via overly long filenames. Successful exploitation of the vulnerability may allow execution of arbitrary code. 3) Multiple errors exist in CoreGraphics when processing received arguments. These can be exploited to trigger a memory corruption by e.g. tricking a user into visiting a specially crafted website. Successful exploitation of the vulnerability may allow execution of arbitrary code. 4) An integer overflow error exists in CoreGraphics when handling PDF files. This can be exploited to cause a heap-based buffer overflow via a specially crafted PDF file. Successful exploitation of the vulnerability may allow execution of arbitrary code. 5) Multiple errors in QuickLook when downloading Microsoft Office files can be exploited to cause a memory corruption. Successful exploitation of the vulnerability may allow execution of arbitrary code. 6) An error exists in the Data Detectors engine when viewing a specially crafted message. This can be exploited to consume overly large resources and trigger an application using the engine to terminate. 7) The problem is that the "Repair Permissions" tool included in Disk Utility sets the "setuid" bit on "/usr/bin/emacs". This can be exploited to execute arbitrary commands with system privileges. 8) An error in OpenLDAP when parsing ASN.1 BER encoded packets can be exploited to cause a DoS. For more information: SA30853 9) A boundary error exists in the OpenSSL "SSL_get_shared_ciphers()" function. For more information see vulnerability #4 in: SA22130 10) Some vulnerabilities in PHP can be exploited malicious users to bypass certain security restrictions, and potentially by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. For more information: SA30048 11) Two vulnerabilities in rsync can be exploited by malicious users to bypass certain security restrictions. For more information: SA27863 SOLUTION: Apply Security Update 2008-005. Security Update 2008-005 Server (PPC): http://www.apple.com/support/downloads/securityupdate2008005serverppc.html Security Update 2008-005 Server (Intel): http://www.apple.com/support/downloads/securityupdate2008005serverintel.html Security Update 2008-005 (PPC): http://www.apple.com/support/downloads/securityupdate2008005ppc.html Security Update 2008-005 (Intel): http://www.apple.com/support/downloads/securityupdate2008005intel.html Security Update 2008-005 (Leopard): http://www.apple.com/support/downloads/securityupdate2008005leopard.html PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Dan Kaminsky of IOActive 2) Thomas Raffetseder of the International Secure Systems Lab and Sergio 'shadown' Alvarez of n.runs AG. 3) Michal Zalewski, Google 4) Pariente Kobi, reported via iDefense 7) Anton Rang and Brian Timares ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT2647 OTHER REFERENCES: SA22130: http://secunia.com/advisories/22130/ SA27863: http://secunia.com/advisories/27863/ SA30048: http://secunia.com/advisories/30048/ SA30973: http://secunia.com/advisories/30973/ SA30853: http://secunia.com/advisories/30853/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Integer overflow in CoreGraphics in Apple Mac OS X 10.4.11, 10.5.2, and 10.5.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF file with a long Type 1 font, which triggers a heap-based buffer overflow. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-005. The security update addresses a total of six new vulnerabilities that affect the CarbonCore, CoreGraphics, Data Detectors Engine, Disk Utility, OpenLDAP, and QuickLook components of Mac OS X. The advisory also contains security updates for 11 previously reported issues. NOTE: This BID is being retired; the following individual records have been created to better document these issues: 30487 Apple Mac OS X CarbonCore Stack Based Buffer Overflow 30488 Apple Mac OS X CoreGraphics Multiple Memory Corruption Vulnerabilities 30489 Apple Mac OS X CoreGraphics Heap Based Buffer Overflow Vulnerability 30490 Apple Mac OS X Data Detectors Engine Denial Of Service Vulnerability 30492 Apple Mac OS X Disk Utility Privilege Escalation Vulnerability 30493 Apple Mac OS X QuickLook Multiple Memory Corruption Vulnerabilities. Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed attempts will likely cause denial-of-service conditions. 1) A vulnerability in BIND can be exploited to poison the DNS cache. For more information: SA30973 2) A boundary error exists in CarbonCore when handling filenames. This can be exploited to cause a stack-based buffer overflow via overly long filenames. 3) Multiple errors exist in CoreGraphics when processing received arguments. These can be exploited to trigger a memory corruption by e.g. tricking a user into visiting a specially crafted website. This can be exploited to cause a heap-based buffer overflow via a specially crafted PDF file. 5) Multiple errors in QuickLook when downloading Microsoft Office files can be exploited to cause a memory corruption. 6) An error exists in the Data Detectors engine when viewing a specially crafted message. This can be exploited to consume overly large resources and trigger an application using the engine to terminate. 7) The problem is that the "Repair Permissions" tool included in Disk Utility sets the "setuid" bit on "/usr/bin/emacs". This can be exploited to execute arbitrary commands with system privileges. 8) An error in OpenLDAP when parsing ASN.1 BER encoded packets can be exploited to cause a DoS. For more information: SA30853 9) A boundary error exists in the OpenSSL "SSL_get_shared_ciphers()" function. For more information see vulnerability #4 in: SA22130 10) Some vulnerabilities in PHP can be exploited malicious users to bypass certain security restrictions, and potentially by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. For more information: SA30048 11) Two vulnerabilities in rsync can be exploited by malicious users to bypass certain security restrictions. For more information: SA27863 SOLUTION: Apply Security Update 2008-005. Security Update 2008-005 Server (PPC): http://www.apple.com/support/downloads/securityupdate2008005serverppc.html Security Update 2008-005 Server (Intel): http://www.apple.com/support/downloads/securityupdate2008005serverintel.html Security Update 2008-005 (PPC): http://www.apple.com/support/downloads/securityupdate2008005ppc.html Security Update 2008-005 (Intel): http://www.apple.com/support/downloads/securityupdate2008005intel.html Security Update 2008-005 (Leopard): http://www.apple.com/support/downloads/securityupdate2008005leopard.html PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Dan Kaminsky of IOActive 2) Thomas Raffetseder of the International Secure Systems Lab and Sergio 'shadown' Alvarez of n.runs AG. 3) Michal Zalewski, Google 4) Pariente Kobi, reported via iDefense 7) Anton Rang and Brian Timares ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT2647 OTHER REFERENCES: SA22130: http://secunia.com/advisories/22130/ SA27863: http://secunia.com/advisories/27863/ SA30048: http://secunia.com/advisories/30048/ SA30973: http://secunia.com/advisories/30973/ SA30853: http://secunia.com/advisories/30853/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. iDefense Security Advisory 07.31.08 http://labs.idefense.com/intelligence/vulnerabilities/ Jul 31, 2008 I. For more information, see the vendor's site found at the following link URL. http://www.apple.com/macosx/ II. This vulnerability exists due to the way PDF files containing Type 1 fonts are handled. When processing a font with an overly large length, integer overflow could occur. III. An attacker could exploit this issue via multiple attack vectors. The most appealing vector for attack is Safari. An attacker could host a malformed PDF file on a website and entice a targeted user to open a URL. Upon opening the URL in Safari the PDF file will be automatically parsed and exploitation will occur. While this is the most appealing attack vector, the file can also be attached to an e-mail. Any application which uses the Apple libraries for file open dialogs will crash upon previewing the malformed PDF document. IV. Previous versions may also be affected. V. WORKAROUND iDefense is currently unaware of any workarounds for this issue. VI. More information is available at the following URL. http://support.apple.com/kb/HT2647 VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-2322 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 07/09/2008 Initial vendor notification 07/10/2008 Initial vendor response 07/31/2008 Public disclosure IX. CREDIT This vulnerability was reported to iDefense by Pariente Kobi. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright \xa9 2008 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information

Stack-based buffer overflow in CarbonCore in Apple Mac OS X 10.4.11 and 10.5.4, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long filename to the file management API. Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed attempts will likely cause denial-of-service conditions. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-005. The security update addresses a total of six new vulnerabilities that affect the CarbonCore, CoreGraphics, Data Detectors Engine, Disk Utility, OpenLDAP, and QuickLook components of Mac OS X. The advisory also contains security updates for 11 previously reported issues. 1) A vulnerability in BIND can be exploited to poison the DNS cache. For more information: SA30973 2) A boundary error exists in CarbonCore when handling filenames. This can be exploited to cause a stack-based buffer overflow via overly long filenames. Successful exploitation of the vulnerability may allow execution of arbitrary code. 3) Multiple errors exist in CoreGraphics when processing received arguments. These can be exploited to trigger a memory corruption by e.g. tricking a user into visiting a specially crafted website. Successful exploitation of the vulnerability may allow execution of arbitrary code. 4) An integer overflow error exists in CoreGraphics when handling PDF files. This can be exploited to cause a heap-based buffer overflow via a specially crafted PDF file. Successful exploitation of the vulnerability may allow execution of arbitrary code. 5) Multiple errors in QuickLook when downloading Microsoft Office files can be exploited to cause a memory corruption. Successful exploitation of the vulnerability may allow execution of arbitrary code. 6) An error exists in the Data Detectors engine when viewing a specially crafted message. This can be exploited to consume overly large resources and trigger an application using the engine to terminate. 7) The problem is that the "Repair Permissions" tool included in Disk Utility sets the "setuid" bit on "/usr/bin/emacs". This can be exploited to execute arbitrary commands with system privileges. 8) An error in OpenLDAP when parsing ASN.1 BER encoded packets can be exploited to cause a DoS. For more information: SA30853 9) A boundary error exists in the OpenSSL "SSL_get_shared_ciphers()" function. For more information see vulnerability #4 in: SA22130 10) Some vulnerabilities in PHP can be exploited malicious users to bypass certain security restrictions, and potentially by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. For more information: SA30048 11) Two vulnerabilities in rsync can be exploited by malicious users to bypass certain security restrictions. For more information: SA27863 SOLUTION: Apply Security Update 2008-005. Security Update 2008-005 Server (PPC): http://www.apple.com/support/downloads/securityupdate2008005serverppc.html Security Update 2008-005 Server (Intel): http://www.apple.com/support/downloads/securityupdate2008005serverintel.html Security Update 2008-005 (PPC): http://www.apple.com/support/downloads/securityupdate2008005ppc.html Security Update 2008-005 (Intel): http://www.apple.com/support/downloads/securityupdate2008005intel.html Security Update 2008-005 (Leopard): http://www.apple.com/support/downloads/securityupdate2008005leopard.html PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Dan Kaminsky of IOActive 2) Thomas Raffetseder of the International Secure Systems Lab and Sergio 'shadown' Alvarez of n.runs AG. 3) Michal Zalewski, Google 4) Pariente Kobi, reported via iDefense 7) Anton Rang and Brian Timares ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT2647 OTHER REFERENCES: SA22130: http://secunia.com/advisories/22130/ SA27863: http://secunia.com/advisories/27863/ SA30048: http://secunia.com/advisories/30048/ SA30973: http://secunia.com/advisories/30973/ SA30853: http://secunia.com/advisories/30853/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Apple Safari Multiple Vulnerabilities SECUNIA ADVISORY ID: SA35379 VERIFY ADVISORY: http://secunia.com/advisories/35379/ DESCRIPTION: Some vulnerabilities have been reported in Apple Safari, which can be exploited by malicious people to disclose sensitive information or compromise a user's system. 1) An error in the handling of TrueType fonts can be exploited to corrupt memory when a user visits a web site embedding a specially crafted font. 2) Some vulnerabilities in FreeType can potentially be exploited to compromise a user's system. For more information: SA33970 4) An error in the processing of external entities in XML files can be exploited to read files from the user's system when a users visits a specially crafted web page. Other vulnerabilities have also been reported of which some may also affect Safari version 3.x. SOLUTION: Upgrade to Safari version 4, which fixes the vulnerabilities. PROVIDED AND/OR DISCOVERED BY: 1-3) Tavis Ormandy 4) Chris Evans of Google Inc

Unspecified vulnerability in CoreGraphics in Apple Mac OS X 10.4.11 and 10.5.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unknown vectors involving "processing of arguments.". Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-005. The security update addresses a total of six new vulnerabilities that affect the CarbonCore, CoreGraphics, Data Detectors Engine, Disk Utility, OpenLDAP, and QuickLook components of Mac OS X. The advisory also contains security updates for 11 previously reported issues. NOTE: This BID is being retired; the following individual records have been created to better document these issues: 30487 Apple Mac OS X CarbonCore Stack Based Buffer Overflow 30488 Apple Mac OS X CoreGraphics Multiple Memory Corruption Vulnerabilities 30489 Apple Mac OS X CoreGraphics Heap Based Buffer Overflow Vulnerability 30490 Apple Mac OS X Data Detectors Engine Denial Of Service Vulnerability 30492 Apple Mac OS X Disk Utility Privilege Escalation Vulnerability 30493 Apple Mac OS X QuickLook Multiple Memory Corruption Vulnerabilities. Attackers can exploit these issues to execute arbitrary code in the context of the affected application or cause denial-of-service conditions. 1) A vulnerability in BIND can be exploited to poison the DNS cache. For more information: SA30973 2) A boundary error exists in CarbonCore when handling filenames. This can be exploited to cause a stack-based buffer overflow via overly long filenames. Successful exploitation of the vulnerability may allow execution of arbitrary code. 3) Multiple errors exist in CoreGraphics when processing received arguments. These can be exploited to trigger a memory corruption by e.g. tricking a user into visiting a specially crafted website. Successful exploitation of the vulnerability may allow execution of arbitrary code. 4) An integer overflow error exists in CoreGraphics when handling PDF files. This can be exploited to cause a heap-based buffer overflow via a specially crafted PDF file. Successful exploitation of the vulnerability may allow execution of arbitrary code. 5) Multiple errors in QuickLook when downloading Microsoft Office files can be exploited to cause a memory corruption. Successful exploitation of the vulnerability may allow execution of arbitrary code. 6) An error exists in the Data Detectors engine when viewing a specially crafted message. This can be exploited to consume overly large resources and trigger an application using the engine to terminate. 7) The problem is that the "Repair Permissions" tool included in Disk Utility sets the "setuid" bit on "/usr/bin/emacs". This can be exploited to execute arbitrary commands with system privileges. 8) An error in OpenLDAP when parsing ASN.1 BER encoded packets can be exploited to cause a DoS. For more information: SA30853 9) A boundary error exists in the OpenSSL "SSL_get_shared_ciphers()" function. For more information see vulnerability #4 in: SA22130 10) Some vulnerabilities in PHP can be exploited malicious users to bypass certain security restrictions, and potentially by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. For more information: SA30048 11) Two vulnerabilities in rsync can be exploited by malicious users to bypass certain security restrictions. For more information: SA27863 SOLUTION: Apply Security Update 2008-005. Security Update 2008-005 Server (PPC): http://www.apple.com/support/downloads/securityupdate2008005serverppc.html Security Update 2008-005 Server (Intel): http://www.apple.com/support/downloads/securityupdate2008005serverintel.html Security Update 2008-005 (PPC): http://www.apple.com/support/downloads/securityupdate2008005ppc.html Security Update 2008-005 (Intel): http://www.apple.com/support/downloads/securityupdate2008005intel.html Security Update 2008-005 (Leopard): http://www.apple.com/support/downloads/securityupdate2008005leopard.html PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Dan Kaminsky of IOActive 2) Thomas Raffetseder of the International Secure Systems Lab and Sergio 'shadown' Alvarez of n.runs AG. 3) Michal Zalewski, Google 4) Pariente Kobi, reported via iDefense 7) Anton Rang and Brian Timares ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT2647 OTHER REFERENCES: SA22130: http://secunia.com/advisories/22130/ SA27863: http://secunia.com/advisories/27863/ SA30048: http://secunia.com/advisories/30048/ SA30973: http://secunia.com/advisories/30973/ SA30853: http://secunia.com/advisories/30853/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Hi all, I am way behind on this, so I wanted to drop a quick note regarding some of my vulnerabilities recently addressed by browser vendors - and provide some possibly interesting PoCs / fuzzers to go with them: Summary : MSIE same-origin bypass race condition (CVE-2007-3091) Impact : security bypass, possibly more Reported : June 2007 (publicly) PoC URL : http://lcamtuf.coredump.cx/ierace/ Bulletin : http://www.microsoft.com/technet/security/bulletin/MS09-019.mspx Notes : additional credit to David Bloom for developing an improved proof-of-concept exploit Summary : MSIE memory corruption on page transitions Impact : memory corruption, potential code execution Reported : April 2008 (privately) PoC URL : http://lcamtuf.coredump.cx/stest/ (fuzzers) Bulletin : http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx Notes : - Summary : multiple browsers <CANVAS> implementation crashes (CVE-2008-2321, ???) Impact : memory corruption, potential code execution Reported : February 2008 (privately) PoC URL : http://lcamtuf.coredump.cx/canvas/ (fuzzer) Bulletin : http://lists.apple.com/archives/security-announce/2009/Jun/msg00002.html Bulletin : http://www.opera.com/support/kb/view/882/ Notes : also some DoS issues in Firefox Summary : Safari page transition tailgating (CVE-2009-1684) Impact : page spoofing, navigation target disclosure Reported : February 2008 (privately) PoC URL : http://lcamtuf.coredump.cx/sftrap2/ Bulletin : http://lists.apple.com/archives/security-announce/2009/Jun/msg00002.html Notes : - Cheers, /mz . 1) A vulnerability in CoreGraphics can potentially be exploited to compromise a vulnerable system. For more information: SA31610 3) An error in the processing of TIFF images can cause a device reset. 4) An unspecified error can result in the encryption level for PPTP VPN connections to be lower than expected. 5) A signedness error in the Office Viewer component can potentially be exploited to execute arbitrary code via a specially crafted Microsoft Excel file. This is related to vulnerability #10 in: SA32222 6) A weakness exists in the handling of emergency calls, which can be exploited to bypass the Passcode lock and call arbitrary numbers when physical access to the device is provided. 7) A weakness causes the Passcode lock not to be restored properly. 8) A security issue can result in the content of an SMS message being displayed when the message arrives while the emergency call screen is shown. 9) An error in Safari when handling HTML table elements can be exploited to cause a memory corruption and potentially execute arbitrary code when a user visits a specially crafted web site. 10) An error in Safari when handling embedded iframe elements can be exploited to spoof the user interface via content being displayed outside its boundaries. 11) An error exists in Safari when launching an application while a call approval dialog is shown. It is also possible to block the user's ability to cancel the call. 12) An error in Webkit can be exploited to disclose potentially sensitive data from form fields, although the "Autocomplete" feature is disabled. This is related to vulnerability #8 in: SA32706 SOLUTION: Update to iPhone OS 2.2 or iPhone OS for iPod touch 2.2 (downloadable and installable via iTunes). ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. Other vulnerabilities have also been reported of which some may also affect Safari version 3.x. SOLUTION: Upgrade to Safari version 4, which fixes the vulnerabilities. PROVIDED AND/OR DISCOVERED BY: 1-3) Tavis Ormandy 4) Chris Evans of Google Inc

Unspecified vulnerability in Serv-U File Server 7.0.0.1, and other versions before 7.2.0.1, allows remote authenticated users to cause a denial of service (daemon crash) via an SSH session with SFTP commands for directory creation and logging. RhinoSoft Serv-U is prone to a remote denial-of-service vulnerability when handling certain SFTP commands. Exploiting this issue can cause the server to crash and deny service to legitimate users. Versions prior to Serv-U 7.2.0.1 are vulnerable. The vulnerability is caused due to an error within the logging functionality when creating directories via SFTP. This can be exploited to crash the service. Successful exploitation requires a valid account with write permissions. SOLUTION: Update to version 7.2.0.1. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.serv-u.com/releasenotes/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

A cross-site scripting vulnerability has been found in Hitachi Collaboration - Online Community Management.An attacker could execute a cross-site scripting attack.

Multiple cross-site scripting (XSS) vulnerabilities in Camera Life 2.6.2b8 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.php and (2) rss.php; the query string after the image name in (3) photos/photo; the path parameter to (4) folder.php; page parameter and REQUEST_URI to (5) login.php; ver parameter to (6) media.php; theme parameter to (7) modules/iconset/iconset-debug.php; and the REQUEST_URI to (8) index.php. Camera Life Contains a cross-site scripting vulnerability.By any third party, via Web Script or HTML May be inserted. Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials. Camera Life 2.6.2b8 is vulnerable to these issues; earlier versions may also be affected. Camera Life is an open source PHP-based photo management and organization plugin. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Camera Life "id" SQL Injection Vulnerability SECUNIA ADVISORY ID: SA31234 VERIFY ADVISORY: http://secunia.com/advisories/31234/ CRITICAL: Moderately critical IMPACT: Manipulation of data WHERE: >From remote SOFTWARE: Camera Life 2.x http://secunia.com/product/15165/ DESCRIPTION: nuclear has discovered a vulnerability in Camera Life, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "id" parameter in sitemap.xml.php is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerability is confirmed in version 2.6. Other versions may also be affected. SOLUTION: Edit the source code to ensure that input is properly sanitised. PROVIDED AND/OR DISCOVERED BY: nuclear ORIGINAL ADVISORY: http://milw0rm.com/exploits/6132 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Apple iTunes before 10.5.1 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning. Apple From iTunes An update for has been released.Man-in-the-middle attacks (man-in-the-middle attack) Any software iTunes May appear to be an update. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Successful exploits will compromise the affected application and possibly the underlying computer. iTunes is a free application for iPod and iPhone media file management. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2011-11-14-1 iTunes 10.5.1 iTunes 10.5.1 is now available and addresses the following: iTunes Available for: Mac OS X v10.5 or later, Windows 7, Vista, XP SP2 or later Impact: A man-in-the-middle attacker may offer software that appears to originate from Apple Description: iTunes periodically checks for software updates using an HTTP request to Apple. If Apple Software Update for Windows is not installed, clicking the Download iTunes button may open the URL from the HTTP response in the user's default browser. This issue has been mitigated by using a secured connection when checking for available updates. For OS X systems, the user's default browser is not used because Apple Software Update is included with OS X, however this change adds additional defense-in-depth. CVE-ID CVE-2008-3434 : Francisco Amato of Infobyte Security Research iTunes 10.5.1 may be obtained from: http://www.apple.com/itunes/download/ For Mac OS X: The download file is named: "iTunes10.5.1.dmg" Its SHA-1 digest is: 08f8ebe3f75d7b98a215750c08b7d6eff7c9ceb9 For Windows XP / Vista / Windows 7: The download file is named: "iTunesSetup.exe" Its SHA-1 digest is: bbe7ed41e62ef1eb345a12a68c1a81d351057952 For 64-bit Windows XP / Vista / Windows 7: The download file is named: "iTunes64Setup.exe" Its SHA-1 digest is: c3e70eb77ab400470ef9451803c0e411eed6a689 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJOwLKNAAoJEGnF2JsdZQeecIgH/3TTYRa3C8GPQMDZJgdD0Wgh sktAAH3DWj3HbEluuieTyLkoIzXLluVrJCaLOIt0G79gF0wkW7fB6eXU3i2MFtS2 QYy6dKzZHEKSWlez+pPDnvBLD7KWFg74rz0MBDhhgmpxqHOfJ6CU0xFuojoIYvtP 7WpLtqRpEc1R2dR/y4ACwZWfhpdatZ+mv7Gjq++Nem3/+1MU3M88eGGmX/95qGTv F6dwxf0c2jhL/5mRqC7A0ybn6VQm0oeTxEN8lgr+NQ+BQdXpH4wNzxmhtRP0AmZ6 A8sENF6QBXf4J3+fCX6NqwvAwhTNUav7ApC4TMvN6fcAHzoTECvUIdpOBSKUD3E= =7US+ -----END PGP SIGNATURE-----

SQL injection vulnerability in sitemap.xml.php in Camera Life 2.6.2 allows remote attackers to execute arbitrary SQL commands via the id parameter in a photos action. Camera Life is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Camera Life 2.6.2 is vulnerable; other versions may also be affected. Camera Life is a photo album management system developed in PHP. Input passed to the "id" parameter in sitemap.xml.php is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerability is confirmed in version 2.6. SOLUTION: Edit the source code to ensure that input is properly sanitised. PROVIDED AND/OR DISCOVERED BY: nuclear ORIGINAL ADVISORY: http://milw0rm.com/exploits/6132 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

SQL injection vulnerability in phpHoo3.php in phpHoo3 4.3.9, 4.3.10, 4.4.8, and 5.2.6 allows remote attackers to execute arbitrary SQL commands via the viewCat parameter. phpHoo3 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. phpHoo3 is a yahoo-like link management software. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: phpHoo3 "viewCat" SQL Injection Vulnerability SECUNIA ADVISORY ID: SA31130 VERIFY ADVISORY: http://secunia.com/advisories/31130/ CRITICAL: Moderately critical IMPACT: Manipulation of data WHERE: >From remote SOFTWARE: phpHoo3 http://secunia.com/product/19341/ DESCRIPTION: Mr.SQL has discovered a vulnerability in phpHoo3, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "viewCat" parameter in phpHoo3.php is not properly sanitised before being used in SQL queries. SOLUTION: Edit the source code to ensure that input is properly sanitised. PROVIDED AND/OR DISCOVERED BY: Mr.SQL ORIGINAL ADVISORY: http://milw0rm.com/exploits/6091 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Apple Safari sends Referer headers containing https URLs to different https web sites, which allows remote attackers to obtain potentially sensitive information by reading Referer log data. Information gathered by an attacker who exploits this vulnerability can aid in further attacks. Safari 3.1.2 is vulnerable; other versions may also be affected. Apple Safari is the world's fastest, most innovative web browser for Mac and PC

Apple Safari allows web sites to set cookies for country-specific top-level domains, such as co.uk and com.au, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session, aka "Cross-Site Cooking," a related issue to CVE-2004-0746, CVE-2004-0866, and CVE-2004-0867. Apple Safari is prone to a vulnerability that allows attackers to set cookies for certain domain extensions. The browser does not have any security provisions to prevent cookies from being set for extensions with embedded dots. Attackers can leverage this issue to set cookies in a manner that could aid in other web-based attacks. Safari 3.1.2 is vulnerable; other versions may also be affected. Safari is the web browser bundled by default in the Apple family machine operating system. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Apple Safari Cross-Domain Cookie Injection Vulnerability SECUNIA ADVISORY ID: SA31128 VERIFY ADVISORY: http://secunia.com/advisories/31128/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From remote SOFTWARE: Safari 3.x http://secunia.com/product/17989/ Safari for Windows 3.x http://secunia.com/product/17978/ DESCRIPTION: A vulnerability has been discovered in Apple Safari, which can be exploited by malicious people to bypass certain security restrictions. This can e.g. be exploited to fix a session by setting a known session ID in a cookie, which the browser sends to all web sites operating under an affected domain (e.g. co.uk, com.au). The vulnerability is confirmed in Apple Safari for Windows 3.1.2. SOLUTION: Do not browse untrusted web sites or follow untrusted links. PROVIDED AND/OR DISCOVERED BY: kuza55 ORIGINAL ADVISORY: http://kuza55.blogspot.com/2008/07/some-random-safari-notes.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA08-350A Apple Updates for Multiple Vulnerabilities Original release date: December 15, 2008 Last revised: -- Source: US-CERT Systems Affected * Apple Mac OS X versions prior to and including 10.4.11 (Tiger) and 10.5.5 (Leopard) * Apple Mac OS X Server versions prior to and including 10.4.11 (Tiger) and 10.5.5 (Leopard) Overview Apple has released Security Update 2008-008 and Mac OS X version 10.5.6 to correct multiple vulnerabilities affecting Apple Mac OS X and Mac OS X Server. Attackers could exploit these vulnerabilities to execute arbitrary code, gain access to sensitive information, or cause a denial of service. I. Description Apple Security Update 2008-008 and Apple Mac OS X version 10.5.6 address a number of vulnerabilities affecting Apple Mac OS X and Mac OS X Server versions prior to and including 10.4.11 and 10.5.5. The update also addresses vulnerabilities in other vendors' products that ship with Apple Mac OS X or Mac OS X Server. II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, denial of service, or privilege escalation. III. Solution Install Apple Security Update 2008-008 or Apple Mac OS X version 10.5.6. These and other updates are available via Software Update or via Apple Downloads. IV. References * Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/> * About the security content of Security Update 2008-008 / Mac OS X v10.5.6 - <https://support.apple.com/kb/HT3338> * Mac OS X: Updating your software - <https://support.apple.com/kb/HT1338?viewlocale=en_US> * Apple Downloads - <http://support.apple.com/downloads/> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA08-350A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA08-350A Feedback VU#901332" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History December 15, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSUbT5nIHljM+H4irAQLfMggAvH7VNoR3th5dBLhuq/f43ka1G5cecyAK g4gucF6+frxTfsVz2FGbawFdD/sAxAb/CnASFIkbuHItPwI526uy8MjXOmi/kYm2 ESZgD8U0OBtb2mqQRfhURz9sF97yVFhvHAZS3VOOCH85d1R6dr4ncxIWMGn2cgon Cjlll1WTx2BuMZO/AFn2UM7OooV9VVXtMht9D48X7i9bCWoU2W0mFSCHr+bJPE3d fI8v9+kyCQnjB3R9J+eGxmFClXl9PeMxOvsjPh/bQ8PpmAYMCH1Qp7vaSjjqSlVE ljRuyK8e6TIirse/RoK0YOwqBWudpgyJZvsV89ft9v55+a0l+2UlJw== =yvkk -----END PGP SIGNATURE-----

The WOHyperlink implementation in WebObjects in Apple Xcode tools before 3.1 appends local session IDs to generated non-local URLs, which allows remote attackers to obtain potentially sensitive information by reading the requests for these URLs. Apple WebObjects is prone to an information-disclosure vulnerability when generating URIs for HTML documents. To exploit this issue an affected application would have to contain a URI to an arbitrary website that an attacker has control of or on which the attacker can view activity logs. Harvested session ID data can aid in attacks. Versions of WebObjects that are affected are currently unspecified, however those included in Xcode versions prior to 3.1 are affected. Xcode is the development tool used on Apple machines. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Apple Xcode tools Vulnerability and Security Issue SECUNIA ADVISORY ID: SA31060 VERIFY ADVISORY: http://secunia.com/advisories/31060/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: Apple Xcode 2.x http://secunia.com/product/10144/ Apple Xcode 3.x http://secunia.com/product/19297/ DESCRIPTION: A vulnerability and a security issue have been reported in Xcode tools, which can be exploited by malicious people to disclose sensitive information or to compromise a user's system. 1) A boundary error in the handling of .funhouse files in CoreImage Examples can be exploited to cause a buffer overflow when a user is tricked into opening a specially crafted .funhouse file. Successful exploitation allows execution of arbitrary code. 2) An error in WebObjects exists within the handling of session IDs where the session ID is always appended to the URL generated by WOHyperlink. This may lead to the disclosure of session IDs when generating URLs to other web sites. SOLUTION: Update to version 3.1. PROVIDED AND/OR DISCOVERED BY: 1) Kevin Finisterre, Netragard 2) Reported by the vendor. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT2352 Netragard: http://www.netragard.com/pdfs/research/NETRAGARD-20080630-FUNHOUSE.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Integer signedness error in Apple Safari allows remote attackers to read the contents of arbitrary memory locations, cause a denial of service (application crash), and probably have unspecified other impact via the array index of the arguments array in a JavaScript function, possibly a related issue to CVE-2008-2307. This vulnerability is CVE-2008-2307 Vulnerability related to. Apple iPhone and iPod touch are prone to multiple remote vulnerabilities: 1. A vulnerability that may allow users to spoof websites. 2. 3. 4. Successfully exploiting these issues may allow attackers to execute arbitrary code, crash the affected application, obtain sensitive information, or direct unsuspecting victims to a spoofed site; other attacks are also possible. These issues affect iPhone 1.0 through 1.1.4 and iPod touch 1.1 through 1.1.4. Apple Safari has an integer symbol type error vulnerability

Safari on Apple iPhone before 2.0 and iPod touch before 2.0 allows remote attackers to spoof the address bar via Unicode ideographic spaces in the URL. A vulnerability that may allow users to spoof websites. 2. An information-disclosure vulnerability. 3. A buffer-overflow vulnerability. 4. Two memory-corruption vulnerabilities. Successfully exploiting these issues may allow attackers to execute arbitrary code, crash the affected application, obtain sensitive information, or direct unsuspecting victims to a spoofed site; other attacks are also possible. These issues affect iPhone 1.0 through 1.1.4 and iPod touch 1.1 through 1.1.4. The Safari browser is embedded in both the iPhone and iPod Touch, and remote attackers can exploit multiple security holes in the browser to cause denial of service, read sensitive information, or execute arbitrary code. CVE-2008-2317 There is a memory corruption vulnerability in WebCore's processing of style sheet units. If a malicious site is visited, the browser may terminate unexpectedly or execute arbitrary code. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Apple Safari Multiple Vulnerabilities SECUNIA ADVISORY ID: SA35379 VERIFY ADVISORY: http://secunia.com/advisories/35379/ DESCRIPTION: Some vulnerabilities have been reported in Apple Safari, which can be exploited by malicious people to disclose sensitive information or compromise a user's system. PROVIDED AND/OR DISCOVERED BY: 1-3) Tavis Ormandy 4) Chris Evans of Google Inc. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Apple iPhone / iPod touch Multiple Vulnerabilities SECUNIA ADVISORY ID: SA31074 VERIFY ADVISORY: http://secunia.com/advisories/31074/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Spoofing, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple iPhone http://secunia.com/product/15128/ Apple iPod touch http://secunia.com/product/16074/ DESCRIPTION: Some vulnerabilities have been reported in Apple iPhone and iPod touch, which can be exploited by malicious people to conduct spoofing and cross-site scripting attacks, cause a DoS (Denial of Service), bypass certain security restrictions, or compromise a user's system. 1) An error in CFNetwork can be exploited to spoof secure websites via 502 Bad Gateway errors from a malicious HTTPS proxy server. 2) A vulnerability in the handling of packets with an IPComp header can be exploited to cause a DoS. 4) An error exists in Safari within the handling of self-signed or invalid certificates. If a user clicks on the menu button while being prompted to accept or reject such a certificate, Safari automatically accepts the certificate on the next visit. 5) A signedness error in Safari when handling Javascript array indices can be exploited to trigger an out-of-bounds memory access and may allow execution of arbitrary code. 6) A vulnerability due to Safari ignoring Unicode Byte-order-Mark (BOM) sequences when parsing web pages can be exploited to bypass certain HTML and Javascript filtering mechanisms. This is related to vulnerability #8 in: SA20376 7) A vulnerability Safari can be exploited by malicious people to compromise a vulnerable system. For more information see vulnerability #3 in: SA30775 8) An unspecified error exists in WebKit in the processing of style-sheet elements. This can be exploited to cause a memory corruption and may allow execution of arbitrary code when a user visits a specially crafted web page. 9) An error in Safari when handling xml documents can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA28444 10) An error in Safari when processing xml documents can potentially be exploited by malicious people to compromise a user's system. For more information: SA30315 11) An unspecified error exists in JavaScriptCore's handling of runtime garbage collection. This can be exploited to cause a memory corruption and may allow execution of arbitrary code when a user visits a specially crafted web page. 12) Some vulnerabilities in Safari can be exploited by malicious people to conduct cross-site scripting attacks or potentially to compromise a user's system. SOLUTION: Upgrade to version 2.0 (downloadable and installable via iTunes). PROVIDED AND/OR DISCOVERED BY: The vendor credits: 4) Hiromitsu Takagi 5) SkyLined, Google 6) Chris Weber, Casaba Security, LLC 7) James Urquhart 8) Peter Vreudegnhil, working with the TippingPoint Zero Day Initiative 10) Anthony de Almeida Lopes of Outpost24 AB, and Chris Evans of Google Security Team 11) Itzik Kotler and Jonathan Rom of Radware 12) Robert Swiecki of the Google Security Team, David Bloom, and Charlie Miller of Independent Security Evaluators ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT2351 JVN: http://jvn.jp/jp/JVN88676089/index.html Chris Evans: http://scary.beasts.org/security/CESA-2008-004.html OTHER REFERENCES: SA20376: http://secunia.com/advisories/20376/ SA28444: http://secunia.com/advisories/28444/ SA29130: http://secunia.com/advisories/29130/ SA29846: http://secunia.com/advisories/29846/ SA30315: http://secunia.com/advisories/30315/ SA30775: http://secunia.com/advisories/30775/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in Apple Core Image Fun House 2.0 and earlier in CoreImage Examples in Xcode tools before 3.1 allows user-assisted attackers to execute arbitrary code or cause a denial of service (application crash) via a .funhouse file with a string XML element that contains many characters. Apple Xcode Core Image Fun House is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue by enticing an unsuspecting victim to open a malicious '.funhouse' file. Successfully exploiting this issue will allow the attacker to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition. Apple Xcode 2.0 through 3.0 are vulnerable. Xcode is the development tool used on Apple machines. The Xcode tools include a sample app called Core Image Fun House for working with content with the .funhouse extension. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Apple Xcode tools Vulnerability and Security Issue SECUNIA ADVISORY ID: SA31060 VERIFY ADVISORY: http://secunia.com/advisories/31060/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: Apple Xcode 2.x http://secunia.com/product/10144/ Apple Xcode 3.x http://secunia.com/product/19297/ DESCRIPTION: A vulnerability and a security issue have been reported in Xcode tools, which can be exploited by malicious people to disclose sensitive information or to compromise a user's system. 1) A boundary error in the handling of .funhouse files in CoreImage Examples can be exploited to cause a buffer overflow when a user is tricked into opening a specially crafted .funhouse file. Successful exploitation allows execution of arbitrary code. 2) An error in WebObjects exists within the handling of session IDs where the session ID is always appended to the URL generated by WOHyperlink. This may lead to the disclosure of session IDs when generating URLs to other web sites. The vulnerability and security issue is reported in versions prior to 3.1. SOLUTION: Update to version 3.1. PROVIDED AND/OR DISCOVERED BY: 1) Kevin Finisterre, Netragard 2) Reported by the vendor. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT2352 Netragard: http://www.netragard.com/pdfs/research/NETRAGARD-20080630-FUNHOUSE.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

ipnat in IP Filter in Sun Solaris 10 and OpenSolaris before snv_96, when running on a DNS server with Network Address Translation (NAT) configured, improperly changes the source port of a packet when the destination port is the DNS port, which allows remote attackers to bypass an intended CVE-2008-1447 protection mechanism and spoof the responses to DNS queries sent by named. Deficiencies in the DNS protocol and common DNS implementations facilitate DNS cache poisoning attacks. Multiple vendors' implementations of the DNS protocol are prone to a DNS-spoofing vulnerability because the software fails to securely implement random values when performing DNS queries. Successfully exploiting this issue allows remote attackers to spoof DNS replies, allowing them to redirect network traffic and to launch man-in-the-middle attacks. This issue affects Microsoft Windows DNS Clients and Servers, ISC BIND 8 and 9, and multiple Cisco IOS releases; other DNS implementations may also be vulnerable. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Nixu Secure Name Server BIND Query Port DNS Cache Poisoning SECUNIA ADVISORY ID: SA31031 VERIFY ADVISORY: http://secunia.com/advisories/31031/ CRITICAL: Moderately critical IMPACT: Spoofing WHERE: >From remote OPERATING SYSTEM: Nixu Secure Name Server 1.x http://secunia.com/product/19287/ DESCRIPTION: A vulnerability has been reported in Nixu Secure Name Server, which can be exploited by malicious people to poison the DNS cache. For more information: SA30973 SOLUTION: Reportedly, a patched version of BIND has been made available via automated software updates. ORIGINAL ADVISORY: http://www.kb.cert.org/vuls/id/MAPG-7G7NUC ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The SNMP daemon in the F5 FirePass 1200 6.0.2 hotfix 3 allows remote attackers to cause a denial of service (daemon crash) by walking the hrSWInstalled OID branch in HOST-RESOURCES-MIB. FirePass is prone to a denial-of-service vulnerability in the SNMP daemon. An attacker can exploit this issue to cause the affected application to crash, resulting in a denial-of-service condition. F5 FirePass SSL VPN devices allow users to securely connect to critical business applications. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: F5 FirePass 1200 SSL VPN SNMP Denial of Service SECUNIA ADVISORY ID: SA30965 VERIFY ADVISORY: http://secunia.com/advisories/30965/ CRITICAL: Less critical IMPACT: DoS WHERE: >From local network OPERATING SYSTEM: FirePass 5.x http://secunia.com/product/4695/ FirePass 6.x http://secunia.com/product/13146/ DESCRIPTION: nnposter has reported a vulnerability in F5 FirePass 1200 SSL VPN, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error when traversing certain OID branches (e.g. hrSWInstalled in HOST-RESOURCES-MIB / OID 1.3.6.1.2.1.25.6) and can be exploited to crash the daemon. The vulnerability is reported in version 6.0.2 hotfix 3. Other versions may also be affected. PROVIDED AND/OR DISCOVERED BY: nnposter ORIGINAL ADVISORY: http://archives.neohapsis.com/archives/bugtraq/2008-07/0037.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------