VARIoT IoT vulnerabilities database

The Application Firewall in Apple Mac OS X 10.5, when "Block all incoming connections" is enabled, does not prevent root processes or mDNSResponder from accepting connections, which might allow remote attackers or local root processes to bypass intended access restrictions. Apple Mac OS X 10.5's Application Firewall is prone to a misleading configuration weakness because of a flaw in the application's configuration dialog and documentation. This issue may lead to a false sense of security, potentially aiding in network-based attacks. Apple Mac OS X 10.5 is vulnerable to this issue. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. NOTE: The update changes the name of the option and updates the documentation. 3) Changes to Application Firewall settings do not affect processes started by launchd until they are restarted. This may lead to exposure of certain services. Mac OS X 10.5.1 Update: http://www.apple.com/support/downloads/macosx1051update.html Mac OS X Server 10.5.1 Update http://www.apple.com/support/downloads/macosxserver1051update.html PROVIDED AND/OR DISCOVERED BY: J\xfcrgen Schmidt ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307004 heise Security: http://www.heise-security.co.uk/articles/98120 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack-based buffer overflow in the Networking component in Apple Mac OS X 10.4 through 10.4.10 allows local users to execute arbitrary code via a crafted IOCTL request that adds an AppleTalk zone to a routing table. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. 1) Multiple errors within the Adobe Flash Player plug-in can be exploited by malicious people to gain knowledge of sensitive information or compromise a user's system. For more information: SA26027 2) A null-pointer dereference error exists within AppleRAID when handling disk images. This can be exploited to cause a system shutdown when a specially crafted disk image is mounted e.g. automatically via Safari if the option "Open 'safe' files after downloading" is enabled. 3) An error in BIND can be exploited by malicious people to poison the DNS cache. For more information: SA26152 4) An error in bzip2 can be exploited to cause a DoS (Denial of Service). For more information: SA15447 This also fixes a race condition when setting file permissions. 5) An unspecified error in the implementation of FTP of CFNetwork can be exploited by a malicious FTP server to cause the client to connect to other hosts by sending specially crafted replies to FTP PASV (passive) commands. 6) An unspecified error exists in the validation of certificates within CFNetwork. This can be exploited via a Man-in-the-Middle (MitM) attack to spoof a web site with a trusted certificate. 7) A null pointer dereference error in the CFNetwork framework can lead to an unexpected application termination when a vulnerable application connects to a malicious server. 8) A boundary error in CoreFoundation can be exploited to cause a one-byte buffer overflow when a user is enticed to read a specially crafted directory hierarchy. Successful exploitation allows execution of arbitrary code. 9) An error exists in CoreText due to the use of an uninitialised pointer and can be exploited to execute arbitrary code when a user is tricked into reading a specially crafted text. 10) Some vulnerabilities in Kerberos can be exploited by malicious users and malicious people to compromise a vulnerable system. For more information: SA26676 11) An error in the handling of the current Mach thread port or thread exception port in the Kernel can be exploited by a malicious, local user to execute arbitrary code with root privileges. Successful exploitation requires permission to execute a setuid binary. 12) An unspecified error in the Kernel can be exploited to bypass the chroot mechanism by changing the working directory using a relative path. 14) An error exists in the handling of standard file descriptors while executing setuid and setgid programs. This can be exploited by malicious, local users to gain system privileges by executing setuid programs with the standard file descriptors in an unexpected state. 15) An integer overflow exists in the Kernel when handling ioctl requests. This can be exploited to execute arbitrary code with system privileges by sending a specially crafted ioctl request. 16) The default configuration of tftpd allows clients to access any path on the system. 17) An error in the Node Information Query mechanism may allow a remote user to query for all addresses of a host, including link-local addresses. 18) An integer overflow exists in the handling of ASP messages with AppleTalk. 20) A boundary error exists when adding a new AppleTalk zone. 21) An arithmetic error exists in AppleTalk when handling memory allocations. 22) A double free error in NFS exists when processing an AUTH_UNIX RPC call. This can be exploited by malicious people to execute arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call via TCP or UDP. 23) An unspecified case-sensitivity error exists in NSURL when determining if a URL references the local file system. 24) A format string error in Safari can be exploited by malicious people to execute arbitrary code when a user is tricked into opening a .download file with a specially crafted name. 25) An implementation error exists in the tabbed browsing feature of Safari. If HTTP authentication is used by a site being loaded in a tab other than the active tab, an authentication sheet may be displayed although the tab and its corresponding page are not visible. 26) A person with physical access to a system may be able to bypass the screen saver authentication dialog by sending keystrokes to a process running behind the screen saver authentication dialog. 27) Safari does not block "file://" URLs when loading resources. This can be exploited to view the content of local files by enticing a user to visit a specially crafted web page. 28) An input validation error exists in WebCore when handling HTML forms. This can be exploited to alter the values of form fields by enticing a user to upload a specially crafted file. 29) A race condition error exists in Safari when handling page transitions. This can be exploited to obtain information entered in forms on other web sites by enticing a user to visit a malicious web page. 30) An unspecified error exists in the handling of the browser's history. This can be exploited to execute arbitrary code by enticing a user to visit a specially crafted web page. 31) An error in Safari allows malicious websites to set Javascript window properties of websites served from a different domain. This can be exploited to get or set the window status and location of pages served from other websites by enticing a user to visit a specially crafted web page. 32) An error in Safari allows a malicious website to bypass the same origin policy by hosting embedded objects with javascript URLs. This can be exploited to execute arbitrary HTML and script code in context of another site by enticing a user to visit a specially crafted web page. 33) An error in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. This can be exploited to execute Javascript code in context of HTTPS web pages in that domain when a user visits a malicious web page. 34) An error in Safari in the handling of new browser windows can be exploited to disclose the URL of an unrelated page. For more information see vulnerability #2 in: SA23893 35) An error in WebKit may allow unauthorised applications to access private keys added to the keychain by Safari. 36) An unspecified error in Safari may allow a malicious website to send remotely specified data to arbitrary TCP ports. 37) WebKit/Safari creates temporary files insecurely when previewing a PDF file, which may allow a local user to access the file's content. 5) The vendor credits Dr Bob Lopez PhD. 6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita Zhuk of MK&C. 9) Will Dormann, CERT/CC 11) An anonymous person, reported via iDefense Labs. 12) The vendor credits Johan Henselmans and Jesper Skov. 13) The vendor credits RISE Security. 14) The vendor credits Ilja van Sprundel. 15) The vendor credits Tobias Klein, www.trapkit.de 16) The vendor credits James P. Javery, Stratus Data Systems 17) The vendor credits Arnaud Ebalard, EADS Innovation Works. 18, 21) Sean Larsson, iDefense Labs 19) The vendor credits Bhavesh Davda of VMware and Brian "chort" Keefer of Tumbleweed Communications. 20) An anonymous person, reported via iDefense Labs. 22) The vendor credits Alan Newson of NGSSoftware, and Renaud Deraison of Tenable Network Security, Inc. 25) The vendor credits Michael Roitzsch, Technical University Dresden. 26) The vendor credits Faisal N. Jawdat 27) The vendor credits lixlpixel. 28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH. 29) The vendor credits Ryan Grisso, NetSuite. 30) The vendor credits David Bloom. 31, 32) The vendor credits Michal Zalewski, Google Inc. 33) The vendor credits Keigo Yamazaki of LAC Co. 36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm Research and Spiros Antonatos, FORTH-ICS 37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH Zurich. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307041 US-CERT VU#498105: http://www.kb.cert.org/vuls/id/498105 iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628 OTHER REFERENCES: SA15447: http://secunia.com/advisories/15447/ SA23893: http://secunia.com/advisories/23893/ SA26027: http://secunia.com/advisories/26027/ SA26152: http://secunia.com/advisories/26152/ SA26676: http://secunia.com/advisories/26676/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . I. Further details are available in the related vulnerability notes. Impact The impacts of these vulnerabilities vary. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service. This and other updates are available via Apple Update or via Apple Downloads. Please send email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History November 15, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9 OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F 4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2 LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ== =AgEr -----END PGP SIGNATURE----- . BACKGROUND AppleTalk, a set of networking protocols developed by Apple, was originally implemented on early Mac operating systems. AppleTalk is compiled into the default kernel, but must be turned on in order to be used. More information can be found at the following URL. http://docs.info.apple.com/article.html?artnum=50039 II. A zone can be thought of as something similar to a Windows Domain. When copying the user provided zone information into a fixed size stack buffer, the kernel uses a user provided length as the number of bytes to copy into the destination buffer. This results in an exploitable stack buffer overflow in the kernel. III. Unsuccessful attempts will likely crash the system. In order to exploit this vulnerability, the system needs to have AppleTalk configured in routing mode. This is not enabled by default. It would likely be enabled on a Mac system running on a network with legacy Mac hosts. IV. Previous versions may also be affected. To determine if AppleTalk is running, the following command can be executed on the command line. $ appletalk -s V. WORKAROUND Disabling AppleTalk will prevent exploitation of this vulnerability. Executing the following command will disable AppleTalk if it is enabled. # appletalk -d VI. More information is available at the following URL. http://docs.info.apple.com/article.html?artnum=307041 VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4267 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 08/08/2007 Initial vendor notification 08/09/2007 Initial vendor response 11/14/2007 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright \xa9 2007 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Cross-site scripting (XSS) vulnerability in Visionary Technology in Library Solutions (VTLS) vtls.web.gateway before 48.1.1 allows remote attackers to inject arbitrary web script or HTML via the searchtype parameter. Web Gateway is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker to steal cookie-based authentication credentials and to launch other attacks. This issue affects versions prior to Web Gateway 48.1.1. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Input passed to the "searchtype" parameter in vtls.web.gateway is not properly sanitised before being returned to the user. The vulnerability is reported in version 48.1.0. SOLUTION: Update to version 48.1.1. PROVIDED AND/OR DISCOVERED BY: Jesus Olmos Gonzalez, Internet Security Auditors, S.L. ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug.". The Microsoft Windows DNS Server is vulnerable to cache poisoning, which may allow a remote, unauthenticated attacker to cause a Windows DNS server to provide incorrect responses to DNS queries. Deficiencies in the DNS protocol and common DNS implementations facilitate DNS cache poisoning attacks. This could be used to misdirect users and services; i.e. This update provides the latest stable BIND releases for all platforms except Corporate Server/Desktop 3.0 and MNF2, which have been patched to correct the issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 _______________________________________________________________________ Updated Packages: Mandriva Linux 2007.1: 73cc24fc9586b7ab290d755012c16a79 2007.1/i586/bind-9.4.2-0.1mdv2007.1.i586.rpm 70867c50cfd64b4406aa002d627d740b 2007.1/i586/bind-devel-9.4.2-0.1mdv2007.1.i586.rpm 3603e9d9115466753397a1f472011703 2007.1/i586/bind-utils-9.4.2-0.1mdv2007.1.i586.rpm cf5e4100ecb21a4eb603831e5a6ec23d 2007.1/SRPMS/bind-9.4.2-0.1mdv2007.1.src.rpm Mandriva Linux 2007.1/X86_64: 4eb7ce0984d3ce3befff667392e3bf3e 2007.1/x86_64/bind-9.4.2-0.1mdv2007.1.x86_64.rpm d7b9a9e7d4c52a5b0c54f59ca20bf2d5 2007.1/x86_64/bind-devel-9.4.2-0.1mdv2007.1.x86_64.rpm c5c66c9609615029d2f07f7b09a63118 2007.1/x86_64/bind-utils-9.4.2-0.1mdv2007.1.x86_64.rpm cf5e4100ecb21a4eb603831e5a6ec23d 2007.1/SRPMS/bind-9.4.2-0.1mdv2007.1.src.rpm Mandriva Linux 2008.0: 52dfe3970fcd9495b2bb9379a9312b25 2008.0/i586/bind-9.4.2-1mdv2008.0.i586.rpm 97d20d35b6814aa2f9fab549ca6237c0 2008.0/i586/bind-devel-9.4.2-1mdv2008.0.i586.rpm 87a7bb3dd25abd8cd882a8f2fdc2398e 2008.0/i586/bind-utils-9.4.2-1mdv2008.0.i586.rpm da4444a8074e6ede39dfa557fb258db7 2008.0/SRPMS/bind-9.4.2-1mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: b9d0337363bc1e2b14505f25d4ee5f99 2008.0/x86_64/bind-9.4.2-1mdv2008.0.x86_64.rpm 9b75e2a96784c00c2912bc3bf333d089 2008.0/x86_64/bind-devel-9.4.2-1mdv2008.0.x86_64.rpm 0a593b090d9e6bda3666e234056e19ba 2008.0/x86_64/bind-utils-9.4.2-1mdv2008.0.x86_64.rpm da4444a8074e6ede39dfa557fb258db7 2008.0/SRPMS/bind-9.4.2-1mdv2008.0.src.rpm Mandriva Linux 2008.1: 2534ef007262d4ea2d219bab0190466c 2008.1/i586/bind-9.5.0-3mdv2008.1.i586.rpm c3feee5d05aa3aee14cd70a2d295d0b1 2008.1/i586/bind-devel-9.5.0-3mdv2008.1.i586.rpm f306c06665b723a2530258e6d1dbdae2 2008.1/i586/bind-doc-9.5.0-3mdv2008.1.i586.rpm 967ef80628f92160930bc3a3827a216e 2008.1/i586/bind-utils-9.5.0-3mdv2008.1.i586.rpm 70fc7a7964944a2926979710c5148ed1 2008.1/SRPMS/bind-9.5.0-3mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: 3f4d96d7a7f913c141e1f63cdc7e7336 2008.1/x86_64/bind-9.5.0-3mdv2008.1.x86_64.rpm 420db658366763686198f41394aa72b3 2008.1/x86_64/bind-devel-9.5.0-3mdv2008.1.x86_64.rpm 6f3674f68311494c5a9ff0dbce831e82 2008.1/x86_64/bind-doc-9.5.0-3mdv2008.1.x86_64.rpm 4294b3a086b89bf53c5c967c17962447 2008.1/x86_64/bind-utils-9.5.0-3mdv2008.1.x86_64.rpm 70fc7a7964944a2926979710c5148ed1 2008.1/SRPMS/bind-9.5.0-3mdv2008.1.src.rpm Corporate 3.0: de2a4372d1c25d73f343c9fcb044c9dd corporate/3.0/i586/bind-9.2.3-6.5.C30mdk.i586.rpm 1f24f6dbdb6c02e21cbbef99555049cb corporate/3.0/i586/bind-devel-9.2.3-6.5.C30mdk.i586.rpm 00405b98290d5a41f226081baa57e18d corporate/3.0/i586/bind-utils-9.2.3-6.5.C30mdk.i586.rpm 6a237dc290f4f7c463b1996e6a4a4515 corporate/3.0/SRPMS/bind-9.2.3-6.5.C30mdk.src.rpm Corporate 3.0/X86_64: 628162f3d6a414828d2231fefc46842b corporate/3.0/x86_64/bind-9.2.3-6.5.C30mdk.x86_64.rpm dd29ff31a9cffcc1b20fd045869d7013 corporate/3.0/x86_64/bind-devel-9.2.3-6.5.C30mdk.x86_64.rpm c475c1a4d048e04da1fc27dcbb17c3f3 corporate/3.0/x86_64/bind-utils-9.2.3-6.5.C30mdk.x86_64.rpm 6a237dc290f4f7c463b1996e6a4a4515 corporate/3.0/SRPMS/bind-9.2.3-6.5.C30mdk.src.rpm Corporate 4.0: 271ead204904be302d197cd542f5ae23 corporate/4.0/i586/bind-9.3.5-0.4.20060mlcs4.i586.rpm 42413dcc1cf053e735216f767eff4e5d corporate/4.0/i586/bind-devel-9.3.5-0.4.20060mlcs4.i586.rpm 0201afe493a41e1deedc9bf7e9725f4a corporate/4.0/i586/bind-utils-9.3.5-0.4.20060mlcs4.i586.rpm 86bc0cdc9ed1b959b6f56e0660268f2e corporate/4.0/SRPMS/bind-9.3.5-0.4.20060mlcs4.src.rpm Corporate 4.0/X86_64: b1a18a7d0578dab7bd825eda6c682b3d corporate/4.0/x86_64/bind-9.3.5-0.4.20060mlcs4.x86_64.rpm 6a2ebd550feb9147058de05b1a1ef04d corporate/4.0/x86_64/bind-devel-9.3.5-0.4.20060mlcs4.x86_64.rpm 670a1b934ce4974b8505018ab69ade0b corporate/4.0/x86_64/bind-utils-9.3.5-0.4.20060mlcs4.x86_64.rpm 86bc0cdc9ed1b959b6f56e0660268f2e corporate/4.0/SRPMS/bind-9.3.5-0.4.20060mlcs4.src.rpm Multi Network Firewall 2.0: 5b694c24cc2092e38f531dbfdd5c9d41 mnf/2.0/i586/bind-9.2.3-6.5.C30mdk.i586.rpm c08bc805027059c47bed32215f17eacb mnf/2.0/i586/bind-utils-9.2.3-6.5.C30mdk.i586.rpm 39225289516498e1b071c5059306f2b9 mnf/2.0/SRPMS/bind-9.2.3-6.5.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. =========================================================== Ubuntu Security Notice USN-627-1 July 22, 2008 dnsmasq vulnerability CVE-2008-1447 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.04 LTS: dnsmasq-base 2.41-2ubuntu2.1 After a standard system upgrade you need to restart Dnsmasq to effect the necessary changes. Details follow: Dan Kaminsky discovered weaknesses in the DNS protocol as implemented by Dnsmasq. Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq_2.41-2ubuntu2.1.diff.gz Size/MD5: 22023 89c0f060733a11e414ef1fa634b17149 http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq_2.41-2ubuntu2.1.dsc Size/MD5: 698 e44ebdb66be7abcaba3f1558b9379abb http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq_2.41.orig.tar.gz Size/MD5: 357997 8d0acd6656299a800c4d1be5a1193e39 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq_2.41-2ubuntu2.1_all.deb Size/MD5: 11962 fbe42757babf0522e92a48438cdf7d0b amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq-base_2.41-2ubuntu2.1_amd64.deb Size/MD5: 210032 015334862975edd0c6157624b9b4cd6b i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq-base_2.41-2ubuntu2.1_i386.deb Size/MD5: 202466 87bebd172bae955ef2ae8f2de323a737 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/d/dnsmasq/dnsmasq-base_2.41-2ubuntu2.1_lpia.deb Size/MD5: 202996 8938160f148e63de63cad64e2721c6d6 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/d/dnsmasq/dnsmasq-base_2.41-2ubuntu2.1_powerpc.deb Size/MD5: 210320 865aa2d674736978b2b00a8623267fc4 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/d/dnsmasq/dnsmasq-base_2.41-2ubuntu2.1_sparc.deb Size/MD5: 204034 211f90a72d775d1987b6c3179786546f . Background ========== ISC BIND is the Internet Systems Consortium implementation of the Domain Name System (DNS) protocol. Impact ====== An attacker could exploit this weakness to poison the cache of a recursive resolver and thus spoof DNS traffic, which could e.g. lead to the redirection of web or mail traffic to malicious sites. Resolution ========== All BIND users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-dns/bind-9.4.2_p1" Note: In order to utilize the query port randomization to mitigate the weakness, you need to make sure that your network setup allows the DNS server to use random source ports for query and that you have not set a fixed query port via the "query-source port" directive in the BIND configuration. The fix introduced a regression in the library breaking the resolution of UTF-8 encoded record names. An updated release is available which corrects this problem. For reference, the original advisory text follows. Multiple weaknesses have been identified in PyDNS, a DNS client implementation for the Python language. Scott Kitterman noted that python-dns is vulnerable to this predictability, as it randomizes neither its transaction ID nor its source port. Taken together, this lack of entropy leaves applications using python-dns to perform DNS queries highly susceptible to response forgery. The Common Vulnerabilities and Exposures project identifies this class of weakness as CVE-2008-1447. For the stable distribution (etch), these problems have been fixed in version 2.3.0-5.2+etch2. We recommend that you upgrade your python-dns package. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Debian (stable) - --------------- Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/p/python-dns/python-dns_2.3.0-5.2+etch2.diff.gz Size/MD5 checksum: 3807 4c9dceefe0dfc4ee933f3c9298764153 http://security.debian.org/pool/updates/main/p/python-dns/python-dns_2.3.0.orig.tar.gz Size/MD5 checksum: 21084 82d377c6a59181072b30b0da4e9835b8 http://security.debian.org/pool/updates/main/p/python-dns/python-dns_2.3.0-5.2+etch2.dsc Size/MD5 checksum: 695 16b84a9d56bdd4baf5cdf1bf7e413521 Architecture independent packages: http://security.debian.org/pool/updates/main/p/python-dns/python-dns_2.3.0-5.2+etch2_all.deb Size/MD5 checksum: 22972 59775332c3bb11b1408c83cf25b8e253 These files will probably be moved into the stable distribution on its next update. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. The vulnerability is caused due to the DNS service (dns.exe) using predictable transaction values when sending out queries to upstream DNS servers. SOLUTION: Apply patches. Microsoft Windows 2000 Server SP4: http://www.microsoft.com/downloads/details.aspx?FamilyId=c80fcd9b-d0f8-44db-96fc-bf2ead054ff4 Windows Server 2003 SP1/SP2: http://www.microsoft.com/downloads/details.aspx?FamilyId=ed8e2cb4-bcd9-40fc-9ad6-46b364d0656d Windows Server 2003 x64 Edition (optionally with SP2): http://www.microsoft.com/downloads/details.aspx?FamilyId=d1323e14-ffa7-4d03-a2a7-9240c192a75e Windows Server 2003 with SP1/SP2 for Itanium-based systems: http://www.microsoft.com/downloads/details.aspx?FamilyId=f3ad67de-85ad-452d-a1e0-0af3faf969d6 PROVIDED AND/OR DISCOVERED BY: The vendor credits: * Amit Klein, Trusteer. * Alla Berzroutchko, Scanit. CHANGELOG: 2007-11-14: Added link to US-CERT. Added link to Scanit. ORIGINAL ADVISORY: MS07-062 (KB941672): http://www.microsoft.com/technet/security/Bulletin/MS07-062.mspx Scanit: http://www.scanit.be/advisory-2007-11-14.html OTHER REFERENCES: US-CERT VU#484649: http://www.kb.cert.org/vuls/id/484649 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. In IP NAT filtering in Sun Solaris 10 and OpenSolaris series products, when a DNS server runs NAT, it incorrectly changes the original address of the data packet. And spoof the address returned by the DNS response. All customers should test the updates / patch in their environment. HP is investigating changes to reduce the performance issues. This bulletin will be revised when new updates / patch become available. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200812-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Ruby: Multiple vulnerabilities Date: December 16, 2008 Bugs: #225465, #236060 ID: 200812-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been discovered in Ruby that allow for attacks including arbitrary code execution and Denial of Service. Background ========== Ruby is an interpreted object-oriented programming language. The elaborate standard library includes an HTTP server ("WEBRick") and a class for XML parsing ("REXML"). Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-lang/ruby < 1.8.6_p287-r1 >= 1.8.6_p287-r1 Description =========== Multiple vulnerabilities have been discovered in the Ruby interpreter and its standard libraries. Drew Yao of Apple Product Security discovered the following flaws: * Arbitrary code execution or Denial of Service (memory corruption) in the rb_str_buf_append() function (CVE-2008-2662). * Arbitrary code execution or Denial of Service (memory corruption) in the rb_ary_stor() function (CVE-2008-2663). * Memory corruption via alloca in the rb_str_format() function (CVE-2008-2664). * Memory corruption ("REALLOC_N") in the rb_ary_splice() and rb_ary_replace() functions (CVE-2008-2725). * Memory corruption ("beg + rlen") in the rb_ary_splice() and rb_ary_replace() functions (CVE-2008-2726). Furthermore, several other vulnerabilities have been reported: * Tanaka Akira reported an issue with resolv.rb that enables attackers to spoof DNS responses (CVE-2008-1447). * Akira Tagoh of RedHat discovered a Denial of Service (crash) issue in the rb_ary_fill() function in array.c (CVE-2008-2376). * Several safe level bypass vulnerabilities were discovered and reported by Keita Yamaguchi (CVE-2008-3655). * Christian Neukirchen is credited for discovering a Denial of Service (CPU consumption) attack in the WEBRick HTTP server (CVE-2008-3656). * A fault in the dl module allowed the circumvention of taintness checks which could possibly lead to insecure code execution was reported by "sheepman" (CVE-2008-3657). * Tanaka Akira again found a DNS spoofing vulnerability caused by the resolv.rb implementation using poor randomness (CVE-2008-3905). * Luka Treiber and Mitja Kolsek (ACROS Security) disclosed a Denial of Service (CPU consumption) vulnerability in the REXML module when dealing with recursive entity expansion (CVE-2008-3790). Impact ====== These vulnerabilities allow remote attackers to execute arbitrary code, spoof DNS responses, bypass Ruby's built-in security and taintness checks, and cause a Denial of Service via crash or CPU exhaustion. Workaround ========== There is no known workaround at this time. Resolution ========== All Ruby users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.6_p287-r1" References ========== [ 1 ] CVE-2008-1447 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 [ 2 ] CVE-2008-2376 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2376 [ 3 ] CVE-2008-2662 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2662 [ 4 ] CVE-2008-2663 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663 [ 5 ] CVE-2008-2664 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2664 [ 6 ] CVE-2008-2725 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2725 [ 7 ] CVE-2008-2726 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2726 [ 8 ] CVE-2008-3655 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3655 [ 9 ] CVE-2008-3656 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3656 [ 10 ] CVE-2008-3657 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3657 [ 11 ] CVE-2008-3790 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790 [ 12 ] CVE-2008-3905 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3905 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200812-17.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . HP TCP/IP Services for OpenVMS 5.7 ECO5 package is available from the following location: The HP TCP/IP Services for OpenVMS 5.7 ECO5 kits for both Integrity and Alpha platforms have been uploaded to HP Support Center website. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA08-190B Multiple DNS implementations vulnerable to cache poisoning Original release date: July 08, 2008 Last revised: -- Source: US-CERT Systems Affected Systems implementing: * Caching DNS resolvers * DNS stub resolvers Affected systems include both client and server systems, and any other networked systems that include this functionality. Effective attack techniques against these vulnerabilities have been demonstrated. I. Examples of these vulnerabilities can be found in Vulnerability Note VU#800113. Recent research into these and other related vulnerabilities has produced extremely effective exploitation methods to achieve cache poisoning. Tools and techniques have been developed that can reliably poison a domain of the attacker's choosing on most current implementations. As a result, the consensus of DNS software implementers is to implement source port randomization in their resolvers as a mitigation. US-CERT is tracking this issue as VU#800113. This reference number corresponds to CVE-2008-1447. II. Impact An attacker with the ability to conduct a successful cache poisoning attack can cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. Consequently, web traffic, email, and other important network data can be redirected to systems under the attacker's control. III. Solution Apply a patch from your vendor Patches have been released by a number of vendors to implement source port randomization in the nameserver. This change significantly reduces the practicality of cache poisoning attacks. Please see the Systems Affected section of Vulnerability Note VU#800113 for additional details for specific vendors. As mentioned above, stub resolvers are also vulnerable to these attacks. Stub resolvers that will issue queries in response to attacker behavior, and may receive packets from an attacker, should be patched. System administrators should be alert for patches to client operating systems that implement port randomization in the stub resolver. Workarounds Restrict access Administrators, particularly those who are unable to apply a patch, can limit exposure to this vulnerability by restricting sources that can ask for recursion. Note that restricting access will still allow attackers with access to authorized hosts to exploit this vulnerability. Filter traffic at network perimeters Because the ability to spoof IP addresses is necessary to conduct these attacks, administrators should take care to filter spoofed addresses at the network perimeter. IETF Request for Comments (RFC) documents RFC 2827, RFC 3704, and RFC 3013 describe best current practices (BCPs) for implementing this defense. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate. Run a local DNS cache In lieu of strong port randomization characteristics in a stub resolver, administrators can protect their systems by using local caching full-service resolvers, both on the client systems and on servers that are topologically close on the network to the client systems. This should be done in conjunction with the network segmentation and filtering strategies mentioned above. Disable recursion Disable recursion on any nameserver responding to DNS requests made by untrusted systems. Implement source port randomization Vendors that implement DNS software are encouraged to review IETF Internet Draft, "Measures for making DNS more resilient against forged answers," for additional information about implementing mitigations in their products. This document is a work in progress and may change prior to its publication as an RFC, if it is approved. IV. References * US-CERT Vulnerability Note VU#800113 - <http://www.kb.cert.org/vuls/id/800113> * US-CERT Vulnerability Note VU#484649 - <http://www.kb.cert.org/vuls/id/484649> * US-CERT Vulnerability Note VU#252735 - <http://www.kb.cert.org/vuls/id/252735> * US-CERT Vulnerability Note VU#927905 - <http://www.kb.cert.org/vuls/id/927905> * US-CERT Vulnerability Note VU#457875 - <http://www.kb.cert.org/vuls/id/457875> * Internet Draft: Measures for making DNS more resilient against forged answers - <http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience> * RFC 3833 - <http://tools.ietf.org/html/rfc3833> * RFC 2827 - <http://tools.ietf.org/html/rfc2827> * RFC 3704 - <http://tools.ietf.org/html/rfc3704> * RFC 3013 - <http://tools.ietf.org/html/rfc3013> * Microsoft Security Bulletin MS08-037 - <http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx> * Internet Systems Consortium BIND Vulnerabilities - <http://www.isc.org/sw/bind/bind-security.php> ____________________________________________________________________ US-CERT thanks Dan Kaminsky of IOActive and Paul Vixie of Internet Systems Consortium (ISC) for notifying us about this problem and for helping us to construct this advisory. ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA08-190B.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01506861 Version: 6 HPSBUX02351 SSRT080058 rev.6 - HP-UX Running BIND, Remote DNS Cache Poisoning NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2008-07-16 Last Updated: 2010-12-15 ----------------------------------------------------------------------------- Potential Security Impact: Remote DNS cache poisoning Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP-UX running BIND. References: CVE-2008-1447 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.11, B.11.23, B.11.31 running BIND v9.3.2 or BIND v9.2.0, HP-UX B.11.11 running BIND v8.1.2 BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2008-1447 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided the following software updates / patch to resolve the vulnerabilities for BIND v9.2.0 and BIND v9.3.2. Customers running BIND v8.1.2 on HP-UX B.11.11 should upgrade to BIND v9.2.0 or BIND v9.3.2 and apply the updates listed below. A new BIND v9.2.0 depot is available to address an issue encountered on HP-UX B.11.11. The new depot is available by contacting HP Support. The BIND v9.3.2 updates are available for download from: http://software.hp.com The patch PHNE_37865 is available from: http://itrc.hp.com HP-UX Release / Action B.11.11 running v8.1.2 / Upgrade to BIND v9.2.0 or BIND v9.3.2 and apply the updates listed below, remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. HP-UX Release / BIND Depot name / Action B.11.11 running v9.2.0 / BIND920V15.depot / Remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. HP-UX Release / Action B.11.23 running v9.2.0 / Install PHNE_37865 or subsequent; Remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. HP-UX Release / Action B.11.11 running v9.3.2 / Install revision C.9.3.2.7.0 or subsequent; Remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. B.11.23 running v9.3.2 / Install revision C.9.3.2.7.0 or subsequent; Remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. B.11.31 running v9.3.2 / Install revision C.9.3.2.3.0 or subsequent; Remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. Note: Remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. Note: Firewall configurations may need to be adjusted to allow DNS queries from random source ports to pass. In addition, firewalls that forward DNS queries must not replace the random source ports. MANUAL ACTIONS: Yes - NonUpdate Remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. Check firewall settings. For B.11.11 running v8.1.2, upgrade to BIND v9.2.0 or BIND v9.3.2 and apply the updates For B.11.11 running v9.2.0 install BIND920v15.depot PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security Bulletins and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa AFFECTED VERSIONS For BIND v8.1.2 HP-UX B.11.11 ============= InternetSrvcs.INETSVCS-RUN action: upgrade to BIND v9.2.0 or BIND v9.3.2 and apply the updates, remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. For BIND v9.3.2 HP-UX B.11.11 ============= BindUpgrade.BIND-UPGRADE action: install revision C.9.3.2.7.0 or subsequent, remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. URL: http://software.hp.com HP-UX B.11.23 ============= BindUpgrade.BIND-UPGRADE BindUpgrade.BIND2-UPGRADE action: install revision C.9.3.2.7.0 or subsequent, remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. URL: http://software.hp.com HP-UX B.11.31 ============= NameService.BIND-AUX NameService.BIND-RUN action: install revision C.9.3.2.7.0 or subsequent, remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. URL: http://software.hp.com For BIND v9.2.0 HP-UX B.11.11 ============= BINDv920.INETSVCS-BIND action: install revision B.11.11.01.015 or subsequent, remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. URL Contact HP Support for information on where to download depot. HP-UX B.11.23 ============= InternetSrvcs.INETSVCS-INETD InternetSrvcs.INETSVCS-RUN InternetSrvcs.INETSVCS2-RUN action: install patch PHNE_37865 or subsequent, remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. URL: http://itrc.hp.com END AFFECTED VERSIONS HISTORY Version:1 (rev.1) - 16 July 2008 Initial release Version:2 (rev.2) - 19 July 2008 Added BIND v9.2.0 depot information Version:3 (rev.3) - 06 August 2008 Updated patch location, revised BIND v9.2.0 depot information, added BIND v8.1.2 Version:4 (rev.4) - 08 August 2008 Updated manual actions to include named.conf and firewall configuration setings Version:5 (rev.5) - 12 October 2010 Updated version for BIND v9.2.0 depot for B.11.11 Version:6 (rev.6) - 15 December 2010 Reformat v9.2.0 recommendation for clarity. Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches -check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems -verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." Copyright 2009 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk0JQB8ACgkQ4B86/C0qfVmfGwCeOT1oSjH7NZVlEmixFnjM5hWp gtAAnj1pfPTQUHenOf3lzoRYLUEoy6xf =/E+O -----END PGP SIGNATURE----- . Security Advisory (08-AUG-2008) (CVE-2008-3280) =============================================== Ben Laurie of Google's Applied Security team, while working with an external researcher, Dr. Richard Clayton of the Computer Laboratory, Cambridge University, found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and the fact that almost all SSL/TLS implementations do not consult CRLs (currently an untracked issue), this means that it is impossible to rely on these OPs. Attack Description ------------------ In order to mount an attack against a vulnerable OP, the attacker first finds the private key corresponding to the weak TLS certificate. He then sets up a website masquerading as the original OP, both for the OpenID protocol and also for HTTP/HTTPS. There are two cases, one is where the victim is a user trying to identify themselves, in which case, even if they use HTTPS to "ensure" that the site they are visiting is indeed their provider, they will be unable to detect the substitution and will give their login credentials to the attacker. The second case is where the victim is the Relying Party (RP). In this case, even if the RP uses TLS to connect to the OP, as is recommended for higher assurance, he will not be defended, as the vast majority of OpenID implementations do not check CRLs, and will, therefore, accept the malicious site as the true OP. Mitigation ---------- Mitigation is surprisingly hard. In theory the vulnerable site should revoke their weak certificate and issue a new one. However, since the CRLs will almost certainly not be checked, this means the site will still be vulnerable to attack for the lifetime of the certificate (and perhaps beyond, depending on user behaviour). Note that shutting down the site DOES NOT prevent the attack. Therefore mitigation falls to other parties. Until either 1 and 2 or 3 have been done, OpenID cannot be trusted for any OP that cannot demonstrate it has never had a weak certificate. Discussion ---------- Normally, when security problems are encountered with a single piece of software, the responsible thing to do is to is to wait until fixes are available before making any announcement. However, as a number of examples in the past have demonstrated, this approach does not work particularly well when many different pieces of software are involved because it is necessary to coordinate a simultaneous release of the fixes, whilst hoping that the very large number of people involved will cooperate in keeping the vulnerability secret. In the present situation, the fixes will involve considerable development work in adding CRL handling to a great many pieces of openID code. This is a far from trivial amount of work. The fixes will also involve changes to browser preferences to ensure that CRLs are checked by default -- which many vendors have resisted for years. We are extremely pessimistic that a security vulnerability in OpenID will be seen as sufficiently important to change the browser vendors minds. Hence, we see no value in delaying this announcement; and by making the details public as soon as possible, we believe that individuals who rely on OpenID will be better able to take their own individual steps to avoid relying upon the flawed certificates we have identified. OpenID is at heart quite a weak protocol, when used in its most general form[1], and consequently there is very limited reliance upon its security. This means that the consequences of the combination of attacks that are now possible is nothing like as serious as might otherwise have been the case. However, it does give an insight into the type of security disaster that may occur in the future if we do not start to take CRLs seriously, but merely stick them onto "to-do" lists or disable them in the name of tiny performance improvements. Affected Sites -------------- There is no central registry of OpenID systems, and so we cannot be sure that we have identified all of the weak certificates that are currently being served. The list of those we have found so far is: openid.sun.com www.xopenid.net openid.net.nz Notes ----- [1] There are ways of using OpenID that are significantly more secure than the commonly deployed scheme, I shall describe those in a separate article. _______________________________________________ Full-Disclosure - We believe in it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: bind Announcement ID: SUSE-SA:2008:033 Date: Fri, 11 Jul 2008 09:00:00 +0000 Affected Products: openSUSE 10.2 openSUSE 10.3 openSUSE 11.0 SUSE SLES 9 Novell Linux Desktop 9 Open Enterprise Server Novell Linux POS 9 SUSE Linux Enterprise Desktop 10 SP1 SLE SDK 10 SP1 SLE SDK 10 SP2 SUSE Linux Enterprise Server 10 SP1 SUSE Linux Enterprise Desktop 10 SP2 SUSE Linux Enterprise Server 10 SP2 Vulnerability Type: DNS cache poisoning Severity (1-10): 9 SUSE Default Package: no Cross-References: CVE-2008-1447 Content of This Advisory: 1) Security Vulnerability Resolved: DNS cache poisoning 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The bind daemon is responsible for resolving hostnames in IP addresses and vice versa. The new version of bind uses a random transaction-ID (TRXID) and a random UDP source-port for DNS queries to address DNS cache poisoning attacks possible because of the "birthday paradox" and an attack discovered by Dan Kaminsky. Unfortunately we do not have details about Kaminsky's attack and have to trust the statement that a random UDP source-port is sufficient to stop it. Update packages of bind9 for SLES8 will be available soon. The glibc stub resolver is known to be vulnerable too and we will publish updates as soon as possible. Note, a local attacker can always sniff DNS queries and generate spoofed responses easily. One that is authoritative only and accessible from the Internet to resolve queries for your local systems that are available over the Internet. The other system (caching) is not accessible over the Internet and can be used by internal clients to recursively lookup names and addresses. But we encourage you to install the bind update as soon as possible too. If you use the latest update of pdns-recursor you are not vulnerable to this attack. For the glibc stub resolver bug you can install a local secure DNS for- warder on your machine or make a DNS forwarder available for a protected network. 3) Special Instructions and Notes Please restart the bind daemon after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 11.0: http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/bind-9.4.2-39.2.i586.rpm http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/bind-chrootenv-9.4.2-39.2.i586.rpm http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/bind-devel-9.4.2-39.2.i586.rpm http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/bind-doc-9.4.2-39.2.i586.rpm http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/bind-libs-9.4.2-39.2.i586.rpm http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/bind-utils-9.4.2-39.2.i586.rpm openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/bind-9.4.1.P1-12.5.i586.rpm http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/bind-chrootenv-9.4.1.P1-12.5.i586.rpm http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/bind-devel-9.4.1.P1-12.5.i586.rpm http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/bind-doc-9.4.1.P1-12.5.i586.rpm http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/bind-libs-9.4.1.P1-12.5.i586.rpm http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/bind-utils-9.4.1.P1-12.5.i586.rpm openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/bind-9.3.5P1-0.1.i586.rpm ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/bind-chrootenv-9.3.5P1-0.1.i586.rpm ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/bind-devel-9.3.5P1-0.1.i586.rpm ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/bind-doc-9.3.5P1-0.1.i586.rpm ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/bind-libs-9.3.5P1-0.1.i586.rpm ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/bind-utils-9.3.5P1-0.1.i586.rpm x86-64 Platform: openSUSE 11.0: http://download.opensuse.org/pub/opensuse/update/11.0/rpm/x86_64/bind-libs-32bit-9.4.2-39.2.x86_64.rpm openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/bind-libs-32bit-9.4.1.P1-12.5.x86_64.rpm openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/bind-libs-32bit-9.3.5P1-0.1.x86_64.rpm Sources: openSUSE 11.0: http://download.opensuse.org/pub/opensuse/update/11.0/rpm/src/bind-9.4.2-39.2.src.rpm openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/bind-9.4.1.P1-12.5.src.rpm openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/bind-9.3.5P1-0.1.src.rpm Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: Open Enterprise Server http://support.novell.com/techcenter/psdb/aa846ea840c9bf29e6974f3b6913e550.html Novell Linux POS 9 http://support.novell.com/techcenter/psdb/aa846ea840c9bf29e6974f3b6913e550.html Novell Linux Desktop 9 http://support.novell.com/techcenter/psdb/aa846ea840c9bf29e6974f3b6913e550.html SUSE SLES 9 http://support.novell.com/techcenter/psdb/aa846ea840c9bf29e6974f3b6913e550.html SUSE Linux Enterprise Server 10 SP1 http://support.novell.com/techcenter/psdb/555065b7278085ce1ce7a6e84b6f07aa.html SUSE Linux Enterprise Server 10 SP2 http://support.novell.com/techcenter/psdb/555065b7278085ce1ce7a6e84b6f07aa.html SLE SDK 10 SP2 http://support.novell.com/techcenter/psdb/555065b7278085ce1ce7a6e84b6f07aa.html SUSE Linux Enterprise 10 SP2 DEBUGINFO http://support.novell.com/techcenter/psdb/555065b7278085ce1ce7a6e84b6f07aa.html SLE SDK 10 SP1 http://support.novell.com/techcenter/psdb/555065b7278085ce1ce7a6e84b6f07aa.html SUSE Linux Enterprise Desktop 10 SP1 http://support.novell.com/techcenter/psdb/555065b7278085ce1ce7a6e84b6f07aa.html SUSE Linux Enterprise Desktop 10 SP2 http://support.novell.com/techcenter/psdb/555065b7278085ce1ce7a6e84b6f07aa.html ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: none ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security@suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build@suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security@opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe@opensuse.org>. opensuse-security-announce@opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe@opensuse.org>. ===================================================================== SUSE's security contact is <security@suse.com> or <security@suse.de>. The <security@suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Cross-site scripting (XSS) vulnerability in download_plugin.php3 in F5 Firepass 4100 SSL VPN 5.4 through 5.5.2 and 6.0 through 6.0.1 allows remote attackers to inject arbitrary web script or HTML via the backurl parameter. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker to steal cookie-based authentication credentials and to launch other attacks. F5 FirePass 4100 SSL VPNs running these firmware versions are vulnerable: 5.4 through 5.5.2 6.0 6.0.1. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Input passed to the "backurl" parameter in download_plugin.php3 isn't properly sanitised before being returned to the user. The vulnerability reportedly affects versions 5.4 to 5.5.2 and 6.0 to 6.0.1. SOLUTION: The vendor has issued a solution at: https://support.f5.com/kb/en-us/solutions/public/7000/400/sol7498.html PROVIDED AND/OR DISCOVERED BY: Jan Fry and Adrian Pastor, Procheckup Ltd ORIGINAL ADVISORY: F5: https://support.f5.com/kb/en-us/solutions/public/7000/400/sol7498.html Procheckup Ltd: http://www.procheckup.com/Vulnerability_PR07-13.php ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

TorK before 0.22, when running on Windows and Mac OS X, installs Privoxy with a configuration file (config.txt or config) that contains insecure (1) enable-remote-toggle and (2) enable-edit-actions settings, which allows remote attackers to bypass intended access restrictions and modify configuration. TorK is prone to multiple insecure-configuration vulnerabilities because of several default configuration options used by the Privoxy web proxy server. Attackers can exploit these issues to bypass proxy filter rules or modify user-defined configuration values. These issues affect versions prior to TorK 0.22. TorK is a powerful KDE desktop anonymous management tool. It is possible to browse the web anonymously through a browser and send anonymous emails from the MixMinion network. You can use ssh, IRC chat tools and IM instant messaging tools anonymously. And can control and monitor anonymous traffic on the Tor network through TorK. This configuration file contains insecure (1) enable-remote-toggle and (2) enable-edit-actions settings

Vidalia bundle before 0.1.2.18, when running on Windows and Mac OS X, installs Privoxy with a configuration file (config.txt or config) that contains insecure (1) enable-remote-toggle and (2) enable-edit-actions settings, which allows remote attackers to bypass intended access restrictions and modify configuration. TorK is prone to multiple insecure-configuration vulnerabilities because of several default configuration options used by the Privoxy web proxy server. Attackers can exploit these issues to bypass proxy filter rules or modify user-defined configuration values. These issues affect versions prior to TorK 0.22. TorK is a powerful KDE desktop anonymous management tool. It is possible to browse the web anonymously through a browser and send anonymous emails from the MixMinion network. You can use ssh, IRC chat tools and IM instant messaging tools anonymously. And can control and monitor anonymous traffic on the Tor network through TorK. This configuration file contains insecure (1) enable-remote-toggle and (2) enable-edit-actions settings

Quick Look in Apple Mac OS X 10.5.1 does not prevent a movie from accessing URLs when the movie file is previewed or if an icon is created, which might allow remote attackers to obtain sensitive information via HREFTrack. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Address Book, CFNetwork, ColorSync, CoreFoundation, CUPS, Desktop Services, iChat, IO Storage Family, Launch Services, Mail, Quick Look, Safari, Safari RSS, SMB, Software Update, Spin Tracer, Spotlight, tcpdump, and XQuery. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. I. Further details are available in the related vulnerability notes. These products include: * Adobe Flash * Adobe Shockwave * GNU Tar II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, surreptitious video conference initiation, and denial of service. III. This and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History December 18, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ 7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0 h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q== =Y1jd -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA28136 VERIFY ADVISORY: http://secunia.com/advisories/28136/ CRITICAL: Highly critical IMPACT: Hijacking, Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A format string error in the URL handler of Address Book can be exploited to execute arbitrary code when a user views a specially crafted web page. 2) An error in the handling of downloaded files in CFNetwork can be exploited via directory traversal attacks to automatically download files to arbitrary folders when a user is enticed to visit a specially crafted web page. 3) An unspecified error exists in ColorSync when processing images with an embedded ColorSync profile, which can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code. 4) A race condition exists in the "CFURLWriteDataAndPropertiesToResource" API, which can lead to files being created with insecure permissions. 5) A boundary error exists in the printer driver for CUPS. This can be exploited to cause a buffer overflow and allows an admin user to execute arbitrary code with system privileges by passing a specially crafted URI to the CUPS service. 6) A boundary error in CUPS can be exploited by malicious people to compromise a vulnerable system. For more information: SA27233 7) An integer underflow error in the CUPS backend in the handling of SNMP responses can be exploited to cause a stack-based buffer overflow by sending a specially crafted SNMP response. Successful exploitation allows execution of arbitrary code, but requires that SNMP is enabled. 8) A boundary error in Desktop Services can be exploited to cause a heap-based buffer overflow when a user opens a directory containing a specially crafted .DS_Store file. Successful exploitation may allow execution of arbitrary code. 9) An input validation error in tar can be exploited by malicious people to compromise a user's system. For more information: SA26573 10) An unspecified error in iChat can be exploited by malicious people on the local network to initiate a video connection without the user's approval. 11) An unspecified error exists within IO Storage Family when handling GUID partition maps within a disk image. This can be exploited to execute arbitrary code when a user is enticed to open a specially crafted disk image. 12) Launch Services does not handle HTML files as potentially unsafe content. This can be exploited to disclose sensitive information or conduct cross-site scripting attacks by enticing a user to open a specially crafted HTML file. 13) A vulnerability in Mail in the handling of unsafe file types can be exploited to compromise a user's system. For more information: SA27785 14) An error in Mail can cause the application to default to SMTP plaintext authentication if the server supports only MD5 Challenge-Response authentication and plaintext authentication. 15) Some vulnerabilities in perl can be exploited by malicious people to compromise a vulnerable system. For more information: SA27546 16) A security issue in python can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA26837 17) Plug-ins in Quick Look are not restricted from making network requests. This may lead to the disclosure of sensitive information when previewing an HTML file. 18) URLs contained in movie files may be accessed when creating an icon for a movie file or previewing a movie file using QuickLook. 19) Some security issues in ruby can be exploited by malicious people to conduct spoofing attacks. For more information: SA26985 20) Some vulnerabilities and a security issue in Ruby on Rails can be exploited by malicious people to disclose sensitive information or to conduct session fixation attacks. For more information: SA25699 SA27781 21) An error in Safari allows a page to navigate the subframes of any other page. This can be exploited to conduct cross-site scripting attacks and to disclose sensitive information when a user visits a specially crafted web page. 22) An unspecified error in Safari in the handling of RSS feeds can be exploited to cause a memory corruption and may allow execution of arbitrary code when a user accesses a specially crafted URL. 23) Some boundary errors in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27450 24) Some boundary errors in the Shockwave Plug-in can be exploited by malicious people to compromise a user's system. For more information: SA19218 25) A boundary error in the processing of command line arguments to "mount_smbfs" and "smbutil" can be exploited to cause a stack-based buffer overflow and execute arbitrary code with system privileges. 26) The distribution definition file used in Software Update is received by using HTTP without any authentication and allows execution of arbitrary commands. Successful exploitation requires a MitM (Man-in-the-Middle) attack. 27) An error due to an insecure file operation exists in the handling of output files in SpinTracer. This may allow a malicious, local user to execute arbitrary code with system privileges. 28) An unspecified error exists in the Microsoft Office Spotlight Importer, which can be exploited to cause a memory corruption when a user downloads a specially crafted .xls file. Successful exploitation may allow execution of arbitrary code. 29) Some vulnerabilities in tcpdump can be exploited by malicious people to cause a DoS or to compromise a user's system. For more information: SA24318 SA26135 30) Some vulnerabilities exist the Perl Compatible Regular Expressions (PCRE) library used by XQuery, which can potentially be exploited to compromise a vulnerable system. For more information: SA27543 SOLUTION: Apply Security Update 2007-009. Security Update 2007-009 (10.4.11 Universal): http://www.apple.com/support/downloads/securityupdate200700910411universal.html Security Update 2007-009 (10.4.11 PPC): http://www.apple.com/support/downloads/securityupdate200700910411ppc.html Security Update 2007-009 (10.5.1): http://www.apple.com/support/downloads/securityupdate20070091051.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Sean Harding. 3) The vendor credits Tom Ferris, Adobe Secure Software Engineering Team (ASSET). 5) The vendor credits Dave Camp, Critical Path Software. 7) The vendor credits Wei Wang, McAfee Avert Labs. 12) The vendor credits Michal Zalewski, Google Inc. 15) The vendor credits Tavis Ormandy and Will Drewry, Google Security Team. 18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc. 26) Moritz Jodeit. 27) The vendor credits Kevin Finisterre, DigitalMunition ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307179 OTHER REFERENCES: SA19218: http://secunia.com/advisories/19218/ SA24318: http://secunia.com/advisories/24318/ SA25699: http://secunia.com/advisories/25699/ SA26135: http://secunia.com/advisories/26135/ SA26573: http://secunia.com/advisories/26573/ SA26837: http://secunia.com/advisories/26837/ SA26985: http://secunia.com/advisories/26985/ SA27233: http://secunia.com/advisories/27233/ SA27450: http://secunia.com/advisories/27450/ SA27543: http://secunia.com/advisories/27543/ SA27546: http://secunia.com/advisories/27546/ SA27781: http://secunia.com/advisories/27781/ SA27785: http://secunia.com/advisories/27785/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Spin Tracer in Apple Mac OS X 10.5.1 allows local users to execute arbitrary code via unspecified output files, involving an "insecure file operation.". Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Address Book, CFNetwork, ColorSync, CoreFoundation, CUPS, Desktop Services, iChat, IO Storage Family, Launch Services, Mail, Quick Look, Safari, Safari RSS, SMB, Software Update, Spin Tracer, Spotlight, tcpdump, and XQuery. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. I. Further details are available in the related vulnerability notes. These products include: * Adobe Flash * Adobe Shockwave * GNU Tar II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, surreptitious video conference initiation, and denial of service. III. This and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History December 18, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ 7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0 h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q== =Y1jd -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA28136 VERIFY ADVISORY: http://secunia.com/advisories/28136/ CRITICAL: Highly critical IMPACT: Hijacking, Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A format string error in the URL handler of Address Book can be exploited to execute arbitrary code when a user views a specially crafted web page. 2) An error in the handling of downloaded files in CFNetwork can be exploited via directory traversal attacks to automatically download files to arbitrary folders when a user is enticed to visit a specially crafted web page. 3) An unspecified error exists in ColorSync when processing images with an embedded ColorSync profile, which can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code. 4) A race condition exists in the "CFURLWriteDataAndPropertiesToResource" API, which can lead to files being created with insecure permissions. 5) A boundary error exists in the printer driver for CUPS. This can be exploited to cause a buffer overflow and allows an admin user to execute arbitrary code with system privileges by passing a specially crafted URI to the CUPS service. 6) A boundary error in CUPS can be exploited by malicious people to compromise a vulnerable system. For more information: SA27233 7) An integer underflow error in the CUPS backend in the handling of SNMP responses can be exploited to cause a stack-based buffer overflow by sending a specially crafted SNMP response. Successful exploitation allows execution of arbitrary code, but requires that SNMP is enabled. 8) A boundary error in Desktop Services can be exploited to cause a heap-based buffer overflow when a user opens a directory containing a specially crafted .DS_Store file. Successful exploitation may allow execution of arbitrary code. 9) An input validation error in tar can be exploited by malicious people to compromise a user's system. For more information: SA26573 10) An unspecified error in iChat can be exploited by malicious people on the local network to initiate a video connection without the user's approval. 11) An unspecified error exists within IO Storage Family when handling GUID partition maps within a disk image. This can be exploited to execute arbitrary code when a user is enticed to open a specially crafted disk image. 12) Launch Services does not handle HTML files as potentially unsafe content. This can be exploited to disclose sensitive information or conduct cross-site scripting attacks by enticing a user to open a specially crafted HTML file. 13) A vulnerability in Mail in the handling of unsafe file types can be exploited to compromise a user's system. For more information: SA27785 14) An error in Mail can cause the application to default to SMTP plaintext authentication if the server supports only MD5 Challenge-Response authentication and plaintext authentication. 15) Some vulnerabilities in perl can be exploited by malicious people to compromise a vulnerable system. For more information: SA27546 16) A security issue in python can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA26837 17) Plug-ins in Quick Look are not restricted from making network requests. This may lead to the disclosure of sensitive information when previewing an HTML file. 18) URLs contained in movie files may be accessed when creating an icon for a movie file or previewing a movie file using QuickLook. 19) Some security issues in ruby can be exploited by malicious people to conduct spoofing attacks. For more information: SA26985 20) Some vulnerabilities and a security issue in Ruby on Rails can be exploited by malicious people to disclose sensitive information or to conduct session fixation attacks. For more information: SA25699 SA27781 21) An error in Safari allows a page to navigate the subframes of any other page. This can be exploited to conduct cross-site scripting attacks and to disclose sensitive information when a user visits a specially crafted web page. 22) An unspecified error in Safari in the handling of RSS feeds can be exploited to cause a memory corruption and may allow execution of arbitrary code when a user accesses a specially crafted URL. 23) Some boundary errors in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27450 24) Some boundary errors in the Shockwave Plug-in can be exploited by malicious people to compromise a user's system. For more information: SA19218 25) A boundary error in the processing of command line arguments to "mount_smbfs" and "smbutil" can be exploited to cause a stack-based buffer overflow and execute arbitrary code with system privileges. 26) The distribution definition file used in Software Update is received by using HTTP without any authentication and allows execution of arbitrary commands. Successful exploitation requires a MitM (Man-in-the-Middle) attack. 27) An error due to an insecure file operation exists in the handling of output files in SpinTracer. 28) An unspecified error exists in the Microsoft Office Spotlight Importer, which can be exploited to cause a memory corruption when a user downloads a specially crafted .xls file. Successful exploitation may allow execution of arbitrary code. 29) Some vulnerabilities in tcpdump can be exploited by malicious people to cause a DoS or to compromise a user's system. For more information: SA24318 SA26135 30) Some vulnerabilities exist the Perl Compatible Regular Expressions (PCRE) library used by XQuery, which can potentially be exploited to compromise a vulnerable system. For more information: SA27543 SOLUTION: Apply Security Update 2007-009. Security Update 2007-009 (10.4.11 Universal): http://www.apple.com/support/downloads/securityupdate200700910411universal.html Security Update 2007-009 (10.4.11 PPC): http://www.apple.com/support/downloads/securityupdate200700910411ppc.html Security Update 2007-009 (10.5.1): http://www.apple.com/support/downloads/securityupdate20070091051.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Sean Harding. 3) The vendor credits Tom Ferris, Adobe Secure Software Engineering Team (ASSET). 5) The vendor credits Dave Camp, Critical Path Software. 7) The vendor credits Wei Wang, McAfee Avert Labs. 12) The vendor credits Michal Zalewski, Google Inc. 15) The vendor credits Tavis Ormandy and Will Drewry, Google Security Team. 18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc. 26) Moritz Jodeit. 27) The vendor credits Kevin Finisterre, DigitalMunition ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307179 OTHER REFERENCES: SA19218: http://secunia.com/advisories/19218/ SA24318: http://secunia.com/advisories/24318/ SA25699: http://secunia.com/advisories/25699/ SA26135: http://secunia.com/advisories/26135/ SA26573: http://secunia.com/advisories/26573/ SA26837: http://secunia.com/advisories/26837/ SA26985: http://secunia.com/advisories/26985/ SA27233: http://secunia.com/advisories/27233/ SA27450: http://secunia.com/advisories/27450/ SA27543: http://secunia.com/advisories/27543/ SA27546: http://secunia.com/advisories/27546/ SA27781: http://secunia.com/advisories/27781/ SA27785: http://secunia.com/advisories/27785/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Spotlight in Apple Mac OS X 10.4.11 allows user-assisted attackers to cause a denial of service (application termination) or execute arbitrary code via a crafted .XLS file that triggers memory corruption in the Microsoft Office Spotlight Importer. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Address Book, CFNetwork, ColorSync, CoreFoundation, CUPS, Desktop Services, iChat, IO Storage Family, Launch Services, Mail, Quick Look, Safari, Safari RSS, SMB, Software Update, Spin Tracer, Spotlight, tcpdump, and XQuery. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. If a user is tricked into downloading a malicious .xls file, an attacker could cause the application to terminate unexpectedly or execute arbitrary commands. I. Further details are available in the related vulnerability notes. These products include: * Adobe Flash * Adobe Shockwave * GNU Tar II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, surreptitious video conference initiation, and denial of service. III. This and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History December 18, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ 7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0 h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q== =Y1jd -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA28136 VERIFY ADVISORY: http://secunia.com/advisories/28136/ CRITICAL: Highly critical IMPACT: Hijacking, Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A format string error in the URL handler of Address Book can be exploited to execute arbitrary code when a user views a specially crafted web page. 2) An error in the handling of downloaded files in CFNetwork can be exploited via directory traversal attacks to automatically download files to arbitrary folders when a user is enticed to visit a specially crafted web page. 3) An unspecified error exists in ColorSync when processing images with an embedded ColorSync profile, which can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code. 4) A race condition exists in the "CFURLWriteDataAndPropertiesToResource" API, which can lead to files being created with insecure permissions. 5) A boundary error exists in the printer driver for CUPS. This can be exploited to cause a buffer overflow and allows an admin user to execute arbitrary code with system privileges by passing a specially crafted URI to the CUPS service. 6) A boundary error in CUPS can be exploited by malicious people to compromise a vulnerable system. For more information: SA27233 7) An integer underflow error in the CUPS backend in the handling of SNMP responses can be exploited to cause a stack-based buffer overflow by sending a specially crafted SNMP response. Successful exploitation allows execution of arbitrary code, but requires that SNMP is enabled. 8) A boundary error in Desktop Services can be exploited to cause a heap-based buffer overflow when a user opens a directory containing a specially crafted .DS_Store file. Successful exploitation may allow execution of arbitrary code. 9) An input validation error in tar can be exploited by malicious people to compromise a user's system. For more information: SA26573 10) An unspecified error in iChat can be exploited by malicious people on the local network to initiate a video connection without the user's approval. 11) An unspecified error exists within IO Storage Family when handling GUID partition maps within a disk image. This can be exploited to execute arbitrary code when a user is enticed to open a specially crafted disk image. 12) Launch Services does not handle HTML files as potentially unsafe content. This can be exploited to disclose sensitive information or conduct cross-site scripting attacks by enticing a user to open a specially crafted HTML file. 13) A vulnerability in Mail in the handling of unsafe file types can be exploited to compromise a user's system. For more information: SA27785 14) An error in Mail can cause the application to default to SMTP plaintext authentication if the server supports only MD5 Challenge-Response authentication and plaintext authentication. 15) Some vulnerabilities in perl can be exploited by malicious people to compromise a vulnerable system. For more information: SA27546 16) A security issue in python can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA26837 17) Plug-ins in Quick Look are not restricted from making network requests. This may lead to the disclosure of sensitive information when previewing an HTML file. 18) URLs contained in movie files may be accessed when creating an icon for a movie file or previewing a movie file using QuickLook. 19) Some security issues in ruby can be exploited by malicious people to conduct spoofing attacks. For more information: SA26985 20) Some vulnerabilities and a security issue in Ruby on Rails can be exploited by malicious people to disclose sensitive information or to conduct session fixation attacks. For more information: SA25699 SA27781 21) An error in Safari allows a page to navigate the subframes of any other page. This can be exploited to conduct cross-site scripting attacks and to disclose sensitive information when a user visits a specially crafted web page. 22) An unspecified error in Safari in the handling of RSS feeds can be exploited to cause a memory corruption and may allow execution of arbitrary code when a user accesses a specially crafted URL. 23) Some boundary errors in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27450 24) Some boundary errors in the Shockwave Plug-in can be exploited by malicious people to compromise a user's system. For more information: SA19218 25) A boundary error in the processing of command line arguments to "mount_smbfs" and "smbutil" can be exploited to cause a stack-based buffer overflow and execute arbitrary code with system privileges. 26) The distribution definition file used in Software Update is received by using HTTP without any authentication and allows execution of arbitrary commands. Successful exploitation requires a MitM (Man-in-the-Middle) attack. 27) An error due to an insecure file operation exists in the handling of output files in SpinTracer. This may allow a malicious, local user to execute arbitrary code with system privileges. Successful exploitation may allow execution of arbitrary code. 29) Some vulnerabilities in tcpdump can be exploited by malicious people to cause a DoS or to compromise a user's system. For more information: SA24318 SA26135 30) Some vulnerabilities exist the Perl Compatible Regular Expressions (PCRE) library used by XQuery, which can potentially be exploited to compromise a vulnerable system. For more information: SA27543 SOLUTION: Apply Security Update 2007-009. Security Update 2007-009 (10.4.11 Universal): http://www.apple.com/support/downloads/securityupdate200700910411universal.html Security Update 2007-009 (10.4.11 PPC): http://www.apple.com/support/downloads/securityupdate200700910411ppc.html Security Update 2007-009 (10.5.1): http://www.apple.com/support/downloads/securityupdate20070091051.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Sean Harding. 3) The vendor credits Tom Ferris, Adobe Secure Software Engineering Team (ASSET). 5) The vendor credits Dave Camp, Critical Path Software. 7) The vendor credits Wei Wang, McAfee Avert Labs. 12) The vendor credits Michal Zalewski, Google Inc. 15) The vendor credits Tavis Ormandy and Will Drewry, Google Security Team. 18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc. 26) Moritz Jodeit. 27) The vendor credits Kevin Finisterre, DigitalMunition ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307179 OTHER REFERENCES: SA19218: http://secunia.com/advisories/19218/ SA24318: http://secunia.com/advisories/24318/ SA25699: http://secunia.com/advisories/25699/ SA26135: http://secunia.com/advisories/26135/ SA26573: http://secunia.com/advisories/26573/ SA26837: http://secunia.com/advisories/26837/ SA26985: http://secunia.com/advisories/26985/ SA27233: http://secunia.com/advisories/27233/ SA27450: http://secunia.com/advisories/27450/ SA27543: http://secunia.com/advisories/27543/ SA27546: http://secunia.com/advisories/27546/ SA27781: http://secunia.com/advisories/27781/ SA27785: http://secunia.com/advisories/27785/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Quick Look Apple Mac OS X 10.5.1, when previewing an HTML file, does not prevent plug-ins from making network requests, which might allow remote attackers to obtain sensitive information. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Address Book, CFNetwork, ColorSync, CoreFoundation, CUPS, Desktop Services, iChat, IO Storage Family, Launch Services, Mail, Quick Look, Safari, Safari RSS, SMB, Software Update, Spin Tracer, Spotlight, tcpdump, and XQuery. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. I. Further details are available in the related vulnerability notes. These products include: * Adobe Flash * Adobe Shockwave * GNU Tar II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, surreptitious video conference initiation, and denial of service. III. This and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History December 18, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ 7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0 h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q== =Y1jd -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA28136 VERIFY ADVISORY: http://secunia.com/advisories/28136/ CRITICAL: Highly critical IMPACT: Hijacking, Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A format string error in the URL handler of Address Book can be exploited to execute arbitrary code when a user views a specially crafted web page. 2) An error in the handling of downloaded files in CFNetwork can be exploited via directory traversal attacks to automatically download files to arbitrary folders when a user is enticed to visit a specially crafted web page. 3) An unspecified error exists in ColorSync when processing images with an embedded ColorSync profile, which can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code. 4) A race condition exists in the "CFURLWriteDataAndPropertiesToResource" API, which can lead to files being created with insecure permissions. 5) A boundary error exists in the printer driver for CUPS. This can be exploited to cause a buffer overflow and allows an admin user to execute arbitrary code with system privileges by passing a specially crafted URI to the CUPS service. 6) A boundary error in CUPS can be exploited by malicious people to compromise a vulnerable system. For more information: SA27233 7) An integer underflow error in the CUPS backend in the handling of SNMP responses can be exploited to cause a stack-based buffer overflow by sending a specially crafted SNMP response. Successful exploitation allows execution of arbitrary code, but requires that SNMP is enabled. 8) A boundary error in Desktop Services can be exploited to cause a heap-based buffer overflow when a user opens a directory containing a specially crafted .DS_Store file. Successful exploitation may allow execution of arbitrary code. 9) An input validation error in tar can be exploited by malicious people to compromise a user's system. For more information: SA26573 10) An unspecified error in iChat can be exploited by malicious people on the local network to initiate a video connection without the user's approval. 11) An unspecified error exists within IO Storage Family when handling GUID partition maps within a disk image. This can be exploited to execute arbitrary code when a user is enticed to open a specially crafted disk image. 12) Launch Services does not handle HTML files as potentially unsafe content. This can be exploited to disclose sensitive information or conduct cross-site scripting attacks by enticing a user to open a specially crafted HTML file. 13) A vulnerability in Mail in the handling of unsafe file types can be exploited to compromise a user's system. For more information: SA27785 14) An error in Mail can cause the application to default to SMTP plaintext authentication if the server supports only MD5 Challenge-Response authentication and plaintext authentication. 15) Some vulnerabilities in perl can be exploited by malicious people to compromise a vulnerable system. For more information: SA27546 16) A security issue in python can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. This may lead to the disclosure of sensitive information when previewing an HTML file. 18) URLs contained in movie files may be accessed when creating an icon for a movie file or previewing a movie file using QuickLook. 19) Some security issues in ruby can be exploited by malicious people to conduct spoofing attacks. For more information: SA26985 20) Some vulnerabilities and a security issue in Ruby on Rails can be exploited by malicious people to disclose sensitive information or to conduct session fixation attacks. For more information: SA25699 SA27781 21) An error in Safari allows a page to navigate the subframes of any other page. This can be exploited to conduct cross-site scripting attacks and to disclose sensitive information when a user visits a specially crafted web page. 22) An unspecified error in Safari in the handling of RSS feeds can be exploited to cause a memory corruption and may allow execution of arbitrary code when a user accesses a specially crafted URL. 23) Some boundary errors in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27450 24) Some boundary errors in the Shockwave Plug-in can be exploited by malicious people to compromise a user's system. For more information: SA19218 25) A boundary error in the processing of command line arguments to "mount_smbfs" and "smbutil" can be exploited to cause a stack-based buffer overflow and execute arbitrary code with system privileges. 26) The distribution definition file used in Software Update is received by using HTTP without any authentication and allows execution of arbitrary commands. Successful exploitation requires a MitM (Man-in-the-Middle) attack. 27) An error due to an insecure file operation exists in the handling of output files in SpinTracer. This may allow a malicious, local user to execute arbitrary code with system privileges. 28) An unspecified error exists in the Microsoft Office Spotlight Importer, which can be exploited to cause a memory corruption when a user downloads a specially crafted .xls file. Successful exploitation may allow execution of arbitrary code. 29) Some vulnerabilities in tcpdump can be exploited by malicious people to cause a DoS or to compromise a user's system. For more information: SA24318 SA26135 30) Some vulnerabilities exist the Perl Compatible Regular Expressions (PCRE) library used by XQuery, which can potentially be exploited to compromise a vulnerable system. For more information: SA27543 SOLUTION: Apply Security Update 2007-009. Security Update 2007-009 (10.4.11 Universal): http://www.apple.com/support/downloads/securityupdate200700910411universal.html Security Update 2007-009 (10.4.11 PPC): http://www.apple.com/support/downloads/securityupdate200700910411ppc.html Security Update 2007-009 (10.5.1): http://www.apple.com/support/downloads/securityupdate20070091051.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Sean Harding. 3) The vendor credits Tom Ferris, Adobe Secure Software Engineering Team (ASSET). 5) The vendor credits Dave Camp, Critical Path Software. 7) The vendor credits Wei Wang, McAfee Avert Labs. 12) The vendor credits Michal Zalewski, Google Inc. 15) The vendor credits Tavis Ormandy and Will Drewry, Google Security Team. 18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc. 26) Moritz Jodeit. 27) The vendor credits Kevin Finisterre, DigitalMunition ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307179 OTHER REFERENCES: SA19218: http://secunia.com/advisories/19218/ SA24318: http://secunia.com/advisories/24318/ SA25699: http://secunia.com/advisories/25699/ SA26135: http://secunia.com/advisories/26135/ SA26573: http://secunia.com/advisories/26573/ SA26837: http://secunia.com/advisories/26837/ SA26985: http://secunia.com/advisories/26985/ SA27233: http://secunia.com/advisories/27233/ SA27450: http://secunia.com/advisories/27450/ SA27543: http://secunia.com/advisories/27543/ SA27546: http://secunia.com/advisories/27546/ SA27781: http://secunia.com/advisories/27781/ SA27785: http://secunia.com/advisories/27785/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Safari RSS in Apple Mac OS X 10.4.11 allows remote attackers to cause a denial of service (application termination) or execute arbitrary code via a crafted feed: URL that triggers memory corruption. The Apple Safari web browser contains a vulnerability that may allow an attacker to execute arbitrary code. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Address Book, CFNetwork, ColorSync, CoreFoundation, CUPS, Desktop Services, iChat, IO Storage Family, Launch Services, Mail, Quick Look, Safari, Safari RSS, SMB, Software Update, Spin Tracer, Spotlight, tcpdump, and XQuery. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. I. Further details are available in the related vulnerability notes. These products include: * Adobe Flash * Adobe Shockwave * GNU Tar II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, surreptitious video conference initiation, and denial of service. III. This and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History December 18, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ 7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0 h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q== =Y1jd -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA28136 VERIFY ADVISORY: http://secunia.com/advisories/28136/ CRITICAL: Highly critical IMPACT: Hijacking, Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A format string error in the URL handler of Address Book can be exploited to execute arbitrary code when a user views a specially crafted web page. 2) An error in the handling of downloaded files in CFNetwork can be exploited via directory traversal attacks to automatically download files to arbitrary folders when a user is enticed to visit a specially crafted web page. 3) An unspecified error exists in ColorSync when processing images with an embedded ColorSync profile, which can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code. 4) A race condition exists in the "CFURLWriteDataAndPropertiesToResource" API, which can lead to files being created with insecure permissions. 5) A boundary error exists in the printer driver for CUPS. This can be exploited to cause a buffer overflow and allows an admin user to execute arbitrary code with system privileges by passing a specially crafted URI to the CUPS service. 6) A boundary error in CUPS can be exploited by malicious people to compromise a vulnerable system. For more information: SA27233 7) An integer underflow error in the CUPS backend in the handling of SNMP responses can be exploited to cause a stack-based buffer overflow by sending a specially crafted SNMP response. Successful exploitation allows execution of arbitrary code, but requires that SNMP is enabled. 8) A boundary error in Desktop Services can be exploited to cause a heap-based buffer overflow when a user opens a directory containing a specially crafted .DS_Store file. Successful exploitation may allow execution of arbitrary code. 9) An input validation error in tar can be exploited by malicious people to compromise a user's system. For more information: SA26573 10) An unspecified error in iChat can be exploited by malicious people on the local network to initiate a video connection without the user's approval. 11) An unspecified error exists within IO Storage Family when handling GUID partition maps within a disk image. This can be exploited to execute arbitrary code when a user is enticed to open a specially crafted disk image. 12) Launch Services does not handle HTML files as potentially unsafe content. This can be exploited to disclose sensitive information or conduct cross-site scripting attacks by enticing a user to open a specially crafted HTML file. 13) A vulnerability in Mail in the handling of unsafe file types can be exploited to compromise a user's system. For more information: SA27785 14) An error in Mail can cause the application to default to SMTP plaintext authentication if the server supports only MD5 Challenge-Response authentication and plaintext authentication. 15) Some vulnerabilities in perl can be exploited by malicious people to compromise a vulnerable system. For more information: SA27546 16) A security issue in python can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA26837 17) Plug-ins in Quick Look are not restricted from making network requests. This may lead to the disclosure of sensitive information when previewing an HTML file. 18) URLs contained in movie files may be accessed when creating an icon for a movie file or previewing a movie file using QuickLook. 19) Some security issues in ruby can be exploited by malicious people to conduct spoofing attacks. For more information: SA26985 20) Some vulnerabilities and a security issue in Ruby on Rails can be exploited by malicious people to disclose sensitive information or to conduct session fixation attacks. For more information: SA25699 SA27781 21) An error in Safari allows a page to navigate the subframes of any other page. This can be exploited to conduct cross-site scripting attacks and to disclose sensitive information when a user visits a specially crafted web page. 23) Some boundary errors in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27450 24) Some boundary errors in the Shockwave Plug-in can be exploited by malicious people to compromise a user's system. For more information: SA19218 25) A boundary error in the processing of command line arguments to "mount_smbfs" and "smbutil" can be exploited to cause a stack-based buffer overflow and execute arbitrary code with system privileges. 26) The distribution definition file used in Software Update is received by using HTTP without any authentication and allows execution of arbitrary commands. Successful exploitation requires a MitM (Man-in-the-Middle) attack. 27) An error due to an insecure file operation exists in the handling of output files in SpinTracer. 28) An unspecified error exists in the Microsoft Office Spotlight Importer, which can be exploited to cause a memory corruption when a user downloads a specially crafted .xls file. Successful exploitation may allow execution of arbitrary code. 29) Some vulnerabilities in tcpdump can be exploited by malicious people to cause a DoS or to compromise a user's system. For more information: SA24318 SA26135 30) Some vulnerabilities exist the Perl Compatible Regular Expressions (PCRE) library used by XQuery, which can potentially be exploited to compromise a vulnerable system. For more information: SA27543 SOLUTION: Apply Security Update 2007-009. Security Update 2007-009 (10.4.11 Universal): http://www.apple.com/support/downloads/securityupdate200700910411universal.html Security Update 2007-009 (10.4.11 PPC): http://www.apple.com/support/downloads/securityupdate200700910411ppc.html Security Update 2007-009 (10.5.1): http://www.apple.com/support/downloads/securityupdate20070091051.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Sean Harding. 3) The vendor credits Tom Ferris, Adobe Secure Software Engineering Team (ASSET). 5) The vendor credits Dave Camp, Critical Path Software. 7) The vendor credits Wei Wang, McAfee Avert Labs. 12) The vendor credits Michal Zalewski, Google Inc. 15) The vendor credits Tavis Ormandy and Will Drewry, Google Security Team. 18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc. 26) Moritz Jodeit. 27) The vendor credits Kevin Finisterre, DigitalMunition ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307179 OTHER REFERENCES: SA19218: http://secunia.com/advisories/19218/ SA24318: http://secunia.com/advisories/24318/ SA25699: http://secunia.com/advisories/25699/ SA26135: http://secunia.com/advisories/26135/ SA26573: http://secunia.com/advisories/26573/ SA26837: http://secunia.com/advisories/26837/ SA26985: http://secunia.com/advisories/26985/ SA27233: http://secunia.com/advisories/27233/ SA27450: http://secunia.com/advisories/27450/ SA27543: http://secunia.com/advisories/27543/ SA27546: http://secunia.com/advisories/27546/ SA27781: http://secunia.com/advisories/27781/ SA27785: http://secunia.com/advisories/27785/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Mail in Apple Mac OS X 10.4.11 and 10.5.1, when an SMTP account has been set up using Account Assistant, can use plaintext authentication even when MD5 Challenge-Response authentication is available, which makes it easier for remote attackers to sniff account activity. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Address Book, CFNetwork, ColorSync, CoreFoundation, CUPS, Desktop Services, iChat, IO Storage Family, Launch Services, Mail, Quick Look, Safari, Safari RSS, SMB, Software Update, Spin Tracer, Spotlight, tcpdump, and XQuery. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. I. Further details are available in the related vulnerability notes. These products include: * Adobe Flash * Adobe Shockwave * GNU Tar II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, surreptitious video conference initiation, and denial of service. III. This and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History December 18, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ 7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0 h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q== =Y1jd -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA28136 VERIFY ADVISORY: http://secunia.com/advisories/28136/ CRITICAL: Highly critical IMPACT: Hijacking, Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A format string error in the URL handler of Address Book can be exploited to execute arbitrary code when a user views a specially crafted web page. 2) An error in the handling of downloaded files in CFNetwork can be exploited via directory traversal attacks to automatically download files to arbitrary folders when a user is enticed to visit a specially crafted web page. 3) An unspecified error exists in ColorSync when processing images with an embedded ColorSync profile, which can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code. 4) A race condition exists in the "CFURLWriteDataAndPropertiesToResource" API, which can lead to files being created with insecure permissions. 5) A boundary error exists in the printer driver for CUPS. This can be exploited to cause a buffer overflow and allows an admin user to execute arbitrary code with system privileges by passing a specially crafted URI to the CUPS service. 6) A boundary error in CUPS can be exploited by malicious people to compromise a vulnerable system. For more information: SA27233 7) An integer underflow error in the CUPS backend in the handling of SNMP responses can be exploited to cause a stack-based buffer overflow by sending a specially crafted SNMP response. Successful exploitation allows execution of arbitrary code, but requires that SNMP is enabled. 8) A boundary error in Desktop Services can be exploited to cause a heap-based buffer overflow when a user opens a directory containing a specially crafted .DS_Store file. Successful exploitation may allow execution of arbitrary code. 9) An input validation error in tar can be exploited by malicious people to compromise a user's system. For more information: SA26573 10) An unspecified error in iChat can be exploited by malicious people on the local network to initiate a video connection without the user's approval. 11) An unspecified error exists within IO Storage Family when handling GUID partition maps within a disk image. This can be exploited to execute arbitrary code when a user is enticed to open a specially crafted disk image. 12) Launch Services does not handle HTML files as potentially unsafe content. This can be exploited to disclose sensitive information or conduct cross-site scripting attacks by enticing a user to open a specially crafted HTML file. 13) A vulnerability in Mail in the handling of unsafe file types can be exploited to compromise a user's system. 15) Some vulnerabilities in perl can be exploited by malicious people to compromise a vulnerable system. For more information: SA27546 16) A security issue in python can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA26837 17) Plug-ins in Quick Look are not restricted from making network requests. This may lead to the disclosure of sensitive information when previewing an HTML file. 18) URLs contained in movie files may be accessed when creating an icon for a movie file or previewing a movie file using QuickLook. 19) Some security issues in ruby can be exploited by malicious people to conduct spoofing attacks. For more information: SA26985 20) Some vulnerabilities and a security issue in Ruby on Rails can be exploited by malicious people to disclose sensitive information or to conduct session fixation attacks. For more information: SA25699 SA27781 21) An error in Safari allows a page to navigate the subframes of any other page. This can be exploited to conduct cross-site scripting attacks and to disclose sensitive information when a user visits a specially crafted web page. 22) An unspecified error in Safari in the handling of RSS feeds can be exploited to cause a memory corruption and may allow execution of arbitrary code when a user accesses a specially crafted URL. 23) Some boundary errors in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27450 24) Some boundary errors in the Shockwave Plug-in can be exploited by malicious people to compromise a user's system. For more information: SA19218 25) A boundary error in the processing of command line arguments to "mount_smbfs" and "smbutil" can be exploited to cause a stack-based buffer overflow and execute arbitrary code with system privileges. 26) The distribution definition file used in Software Update is received by using HTTP without any authentication and allows execution of arbitrary commands. Successful exploitation requires a MitM (Man-in-the-Middle) attack. 27) An error due to an insecure file operation exists in the handling of output files in SpinTracer. This may allow a malicious, local user to execute arbitrary code with system privileges. 28) An unspecified error exists in the Microsoft Office Spotlight Importer, which can be exploited to cause a memory corruption when a user downloads a specially crafted .xls file. Successful exploitation may allow execution of arbitrary code. 29) Some vulnerabilities in tcpdump can be exploited by malicious people to cause a DoS or to compromise a user's system. For more information: SA24318 SA26135 30) Some vulnerabilities exist the Perl Compatible Regular Expressions (PCRE) library used by XQuery, which can potentially be exploited to compromise a vulnerable system. For more information: SA27543 SOLUTION: Apply Security Update 2007-009. Security Update 2007-009 (10.4.11 Universal): http://www.apple.com/support/downloads/securityupdate200700910411universal.html Security Update 2007-009 (10.4.11 PPC): http://www.apple.com/support/downloads/securityupdate200700910411ppc.html Security Update 2007-009 (10.5.1): http://www.apple.com/support/downloads/securityupdate20070091051.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Sean Harding. 3) The vendor credits Tom Ferris, Adobe Secure Software Engineering Team (ASSET). 5) The vendor credits Dave Camp, Critical Path Software. 7) The vendor credits Wei Wang, McAfee Avert Labs. 12) The vendor credits Michal Zalewski, Google Inc. 15) The vendor credits Tavis Ormandy and Will Drewry, Google Security Team. 18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc. 26) Moritz Jodeit. 27) The vendor credits Kevin Finisterre, DigitalMunition ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307179 OTHER REFERENCES: SA19218: http://secunia.com/advisories/19218/ SA24318: http://secunia.com/advisories/24318/ SA25699: http://secunia.com/advisories/25699/ SA26135: http://secunia.com/advisories/26135/ SA26573: http://secunia.com/advisories/26573/ SA26837: http://secunia.com/advisories/26837/ SA26985: http://secunia.com/advisories/26985/ SA27233: http://secunia.com/advisories/27233/ SA27450: http://secunia.com/advisories/27450/ SA27543: http://secunia.com/advisories/27543/ SA27546: http://secunia.com/advisories/27546/ SA27781: http://secunia.com/advisories/27781/ SA27785: http://secunia.com/advisories/27785/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Launch Services in Apple Mac OS X 10.4.11 and 10.5.1 does not treat HTML files as unsafe content, which allows attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via a crafted HTML file. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Address Book, CFNetwork, ColorSync, CoreFoundation, CUPS, Desktop Services, iChat, IO Storage Family, Launch Services, Mail, Quick Look, Safari, Safari RSS, SMB, Software Update, Spin Tracer, Spotlight, tcpdump, and XQuery. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. I. Further details are available in the related vulnerability notes. These products include: * Adobe Flash * Adobe Shockwave * GNU Tar II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, surreptitious video conference initiation, and denial of service. III. This and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History December 18, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ 7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0 h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q== =Y1jd -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA28136 VERIFY ADVISORY: http://secunia.com/advisories/28136/ CRITICAL: Highly critical IMPACT: Hijacking, Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A format string error in the URL handler of Address Book can be exploited to execute arbitrary code when a user views a specially crafted web page. 2) An error in the handling of downloaded files in CFNetwork can be exploited via directory traversal attacks to automatically download files to arbitrary folders when a user is enticed to visit a specially crafted web page. 3) An unspecified error exists in ColorSync when processing images with an embedded ColorSync profile, which can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code. 4) A race condition exists in the "CFURLWriteDataAndPropertiesToResource" API, which can lead to files being created with insecure permissions. 5) A boundary error exists in the printer driver for CUPS. This can be exploited to cause a buffer overflow and allows an admin user to execute arbitrary code with system privileges by passing a specially crafted URI to the CUPS service. 6) A boundary error in CUPS can be exploited by malicious people to compromise a vulnerable system. For more information: SA27233 7) An integer underflow error in the CUPS backend in the handling of SNMP responses can be exploited to cause a stack-based buffer overflow by sending a specially crafted SNMP response. Successful exploitation allows execution of arbitrary code, but requires that SNMP is enabled. 8) A boundary error in Desktop Services can be exploited to cause a heap-based buffer overflow when a user opens a directory containing a specially crafted .DS_Store file. Successful exploitation may allow execution of arbitrary code. 9) An input validation error in tar can be exploited by malicious people to compromise a user's system. For more information: SA26573 10) An unspecified error in iChat can be exploited by malicious people on the local network to initiate a video connection without the user's approval. 11) An unspecified error exists within IO Storage Family when handling GUID partition maps within a disk image. This can be exploited to execute arbitrary code when a user is enticed to open a specially crafted disk image. 13) A vulnerability in Mail in the handling of unsafe file types can be exploited to compromise a user's system. For more information: SA27785 14) An error in Mail can cause the application to default to SMTP plaintext authentication if the server supports only MD5 Challenge-Response authentication and plaintext authentication. 15) Some vulnerabilities in perl can be exploited by malicious people to compromise a vulnerable system. For more information: SA27546 16) A security issue in python can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA26837 17) Plug-ins in Quick Look are not restricted from making network requests. This may lead to the disclosure of sensitive information when previewing an HTML file. 18) URLs contained in movie files may be accessed when creating an icon for a movie file or previewing a movie file using QuickLook. 19) Some security issues in ruby can be exploited by malicious people to conduct spoofing attacks. For more information: SA26985 20) Some vulnerabilities and a security issue in Ruby on Rails can be exploited by malicious people to disclose sensitive information or to conduct session fixation attacks. For more information: SA25699 SA27781 21) An error in Safari allows a page to navigate the subframes of any other page. 22) An unspecified error in Safari in the handling of RSS feeds can be exploited to cause a memory corruption and may allow execution of arbitrary code when a user accesses a specially crafted URL. 23) Some boundary errors in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27450 24) Some boundary errors in the Shockwave Plug-in can be exploited by malicious people to compromise a user's system. For more information: SA19218 25) A boundary error in the processing of command line arguments to "mount_smbfs" and "smbutil" can be exploited to cause a stack-based buffer overflow and execute arbitrary code with system privileges. 26) The distribution definition file used in Software Update is received by using HTTP without any authentication and allows execution of arbitrary commands. Successful exploitation requires a MitM (Man-in-the-Middle) attack. 27) An error due to an insecure file operation exists in the handling of output files in SpinTracer. This may allow a malicious, local user to execute arbitrary code with system privileges. 28) An unspecified error exists in the Microsoft Office Spotlight Importer, which can be exploited to cause a memory corruption when a user downloads a specially crafted .xls file. Successful exploitation may allow execution of arbitrary code. 29) Some vulnerabilities in tcpdump can be exploited by malicious people to cause a DoS or to compromise a user's system. For more information: SA24318 SA26135 30) Some vulnerabilities exist the Perl Compatible Regular Expressions (PCRE) library used by XQuery, which can potentially be exploited to compromise a vulnerable system. For more information: SA27543 SOLUTION: Apply Security Update 2007-009. Security Update 2007-009 (10.4.11 Universal): http://www.apple.com/support/downloads/securityupdate200700910411universal.html Security Update 2007-009 (10.4.11 PPC): http://www.apple.com/support/downloads/securityupdate200700910411ppc.html Security Update 2007-009 (10.5.1): http://www.apple.com/support/downloads/securityupdate20070091051.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Sean Harding. 3) The vendor credits Tom Ferris, Adobe Secure Software Engineering Team (ASSET). 5) The vendor credits Dave Camp, Critical Path Software. 7) The vendor credits Wei Wang, McAfee Avert Labs. 12) The vendor credits Michal Zalewski, Google Inc. 15) The vendor credits Tavis Ormandy and Will Drewry, Google Security Team. 18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc. 26) Moritz Jodeit. 27) The vendor credits Kevin Finisterre, DigitalMunition ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307179 OTHER REFERENCES: SA19218: http://secunia.com/advisories/19218/ SA24318: http://secunia.com/advisories/24318/ SA25699: http://secunia.com/advisories/25699/ SA26135: http://secunia.com/advisories/26135/ SA26573: http://secunia.com/advisories/26573/ SA26837: http://secunia.com/advisories/26837/ SA26985: http://secunia.com/advisories/26985/ SA27233: http://secunia.com/advisories/27233/ SA27450: http://secunia.com/advisories/27450/ SA27543: http://secunia.com/advisories/27543/ SA27546: http://secunia.com/advisories/27546/ SA27781: http://secunia.com/advisories/27781/ SA27785: http://secunia.com/advisories/27785/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in IO Storage Family in Apple Mac OS X 10.4.11 allows user-assisted attackers to cause a denial of service (system shutdown) or execute arbitrary code via a disk image with crafted GUID partition maps, which triggers memory corruption. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Address Book, CFNetwork, ColorSync, CoreFoundation, CUPS, Desktop Services, iChat, IO Storage Family, Launch Services, Mail, Quick Look, Safari, Safari RSS, SMB, Software Update, Spin Tracer, Spotlight, tcpdump, and XQuery. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. I. Further details are available in the related vulnerability notes. These products include: * Adobe Flash * Adobe Shockwave * GNU Tar II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, surreptitious video conference initiation, and denial of service. III. This and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History December 18, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ 7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0 h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q== =Y1jd -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA28136 VERIFY ADVISORY: http://secunia.com/advisories/28136/ CRITICAL: Highly critical IMPACT: Hijacking, Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A format string error in the URL handler of Address Book can be exploited to execute arbitrary code when a user views a specially crafted web page. 2) An error in the handling of downloaded files in CFNetwork can be exploited via directory traversal attacks to automatically download files to arbitrary folders when a user is enticed to visit a specially crafted web page. 3) An unspecified error exists in ColorSync when processing images with an embedded ColorSync profile, which can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code. 4) A race condition exists in the "CFURLWriteDataAndPropertiesToResource" API, which can lead to files being created with insecure permissions. 5) A boundary error exists in the printer driver for CUPS. This can be exploited to cause a buffer overflow and allows an admin user to execute arbitrary code with system privileges by passing a specially crafted URI to the CUPS service. 6) A boundary error in CUPS can be exploited by malicious people to compromise a vulnerable system. For more information: SA27233 7) An integer underflow error in the CUPS backend in the handling of SNMP responses can be exploited to cause a stack-based buffer overflow by sending a specially crafted SNMP response. Successful exploitation allows execution of arbitrary code, but requires that SNMP is enabled. 8) A boundary error in Desktop Services can be exploited to cause a heap-based buffer overflow when a user opens a directory containing a specially crafted .DS_Store file. Successful exploitation may allow execution of arbitrary code. 9) An input validation error in tar can be exploited by malicious people to compromise a user's system. For more information: SA26573 10) An unspecified error in iChat can be exploited by malicious people on the local network to initiate a video connection without the user's approval. This can be exploited to execute arbitrary code when a user is enticed to open a specially crafted disk image. 12) Launch Services does not handle HTML files as potentially unsafe content. This can be exploited to disclose sensitive information or conduct cross-site scripting attacks by enticing a user to open a specially crafted HTML file. 13) A vulnerability in Mail in the handling of unsafe file types can be exploited to compromise a user's system. For more information: SA27785 14) An error in Mail can cause the application to default to SMTP plaintext authentication if the server supports only MD5 Challenge-Response authentication and plaintext authentication. 15) Some vulnerabilities in perl can be exploited by malicious people to compromise a vulnerable system. For more information: SA27546 16) A security issue in python can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA26837 17) Plug-ins in Quick Look are not restricted from making network requests. This may lead to the disclosure of sensitive information when previewing an HTML file. 18) URLs contained in movie files may be accessed when creating an icon for a movie file or previewing a movie file using QuickLook. 19) Some security issues in ruby can be exploited by malicious people to conduct spoofing attacks. For more information: SA26985 20) Some vulnerabilities and a security issue in Ruby on Rails can be exploited by malicious people to disclose sensitive information or to conduct session fixation attacks. For more information: SA25699 SA27781 21) An error in Safari allows a page to navigate the subframes of any other page. This can be exploited to conduct cross-site scripting attacks and to disclose sensitive information when a user visits a specially crafted web page. 22) An unspecified error in Safari in the handling of RSS feeds can be exploited to cause a memory corruption and may allow execution of arbitrary code when a user accesses a specially crafted URL. 23) Some boundary errors in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27450 24) Some boundary errors in the Shockwave Plug-in can be exploited by malicious people to compromise a user's system. For more information: SA19218 25) A boundary error in the processing of command line arguments to "mount_smbfs" and "smbutil" can be exploited to cause a stack-based buffer overflow and execute arbitrary code with system privileges. 26) The distribution definition file used in Software Update is received by using HTTP without any authentication and allows execution of arbitrary commands. Successful exploitation requires a MitM (Man-in-the-Middle) attack. 27) An error due to an insecure file operation exists in the handling of output files in SpinTracer. This may allow a malicious, local user to execute arbitrary code with system privileges. 28) An unspecified error exists in the Microsoft Office Spotlight Importer, which can be exploited to cause a memory corruption when a user downloads a specially crafted .xls file. Successful exploitation may allow execution of arbitrary code. 29) Some vulnerabilities in tcpdump can be exploited by malicious people to cause a DoS or to compromise a user's system. For more information: SA24318 SA26135 30) Some vulnerabilities exist the Perl Compatible Regular Expressions (PCRE) library used by XQuery, which can potentially be exploited to compromise a vulnerable system. For more information: SA27543 SOLUTION: Apply Security Update 2007-009. Security Update 2007-009 (10.4.11 Universal): http://www.apple.com/support/downloads/securityupdate200700910411universal.html Security Update 2007-009 (10.4.11 PPC): http://www.apple.com/support/downloads/securityupdate200700910411ppc.html Security Update 2007-009 (10.5.1): http://www.apple.com/support/downloads/securityupdate20070091051.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Sean Harding. 3) The vendor credits Tom Ferris, Adobe Secure Software Engineering Team (ASSET). 5) The vendor credits Dave Camp, Critical Path Software. 7) The vendor credits Wei Wang, McAfee Avert Labs. 12) The vendor credits Michal Zalewski, Google Inc. 15) The vendor credits Tavis Ormandy and Will Drewry, Google Security Team. 18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc. 26) Moritz Jodeit. 27) The vendor credits Kevin Finisterre, DigitalMunition ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307179 OTHER REFERENCES: SA19218: http://secunia.com/advisories/19218/ SA24318: http://secunia.com/advisories/24318/ SA25699: http://secunia.com/advisories/25699/ SA26135: http://secunia.com/advisories/26135/ SA26573: http://secunia.com/advisories/26573/ SA26837: http://secunia.com/advisories/26837/ SA26985: http://secunia.com/advisories/26985/ SA27233: http://secunia.com/advisories/27233/ SA27450: http://secunia.com/advisories/27450/ SA27543: http://secunia.com/advisories/27543/ SA27546: http://secunia.com/advisories/27546/ SA27781: http://secunia.com/advisories/27781/ SA27785: http://secunia.com/advisories/27785/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Race condition in the CFURLWriteDataAndPropertiesToResource API in Core Foundation in Apple Mac OS X 10.4.11 creates files with insecure permissions, which might allow local users to obtain sensitive information. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Address Book, CFNetwork, ColorSync, CoreFoundation, CUPS, Desktop Services, iChat, IO Storage Family, Launch Services, Mail, Quick Look, Safari, Safari RSS, SMB, Software Update, Spin Tracer, Spotlight, tcpdump, and XQuery. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. I. Further details are available in the related vulnerability notes. These products include: * Adobe Flash * Adobe Shockwave * GNU Tar II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, surreptitious video conference initiation, and denial of service. III. This and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History December 18, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ 7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0 h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q== =Y1jd -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA28136 VERIFY ADVISORY: http://secunia.com/advisories/28136/ CRITICAL: Highly critical IMPACT: Hijacking, Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A format string error in the URL handler of Address Book can be exploited to execute arbitrary code when a user views a specially crafted web page. 2) An error in the handling of downloaded files in CFNetwork can be exploited via directory traversal attacks to automatically download files to arbitrary folders when a user is enticed to visit a specially crafted web page. 3) An unspecified error exists in ColorSync when processing images with an embedded ColorSync profile, which can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code. 5) A boundary error exists in the printer driver for CUPS. This can be exploited to cause a buffer overflow and allows an admin user to execute arbitrary code with system privileges by passing a specially crafted URI to the CUPS service. 6) A boundary error in CUPS can be exploited by malicious people to compromise a vulnerable system. For more information: SA27233 7) An integer underflow error in the CUPS backend in the handling of SNMP responses can be exploited to cause a stack-based buffer overflow by sending a specially crafted SNMP response. Successful exploitation allows execution of arbitrary code, but requires that SNMP is enabled. 8) A boundary error in Desktop Services can be exploited to cause a heap-based buffer overflow when a user opens a directory containing a specially crafted .DS_Store file. Successful exploitation may allow execution of arbitrary code. 9) An input validation error in tar can be exploited by malicious people to compromise a user's system. For more information: SA26573 10) An unspecified error in iChat can be exploited by malicious people on the local network to initiate a video connection without the user's approval. 11) An unspecified error exists within IO Storage Family when handling GUID partition maps within a disk image. This can be exploited to execute arbitrary code when a user is enticed to open a specially crafted disk image. 12) Launch Services does not handle HTML files as potentially unsafe content. This can be exploited to disclose sensitive information or conduct cross-site scripting attacks by enticing a user to open a specially crafted HTML file. 13) A vulnerability in Mail in the handling of unsafe file types can be exploited to compromise a user's system. For more information: SA27785 14) An error in Mail can cause the application to default to SMTP plaintext authentication if the server supports only MD5 Challenge-Response authentication and plaintext authentication. 15) Some vulnerabilities in perl can be exploited by malicious people to compromise a vulnerable system. For more information: SA27546 16) A security issue in python can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA26837 17) Plug-ins in Quick Look are not restricted from making network requests. This may lead to the disclosure of sensitive information when previewing an HTML file. 18) URLs contained in movie files may be accessed when creating an icon for a movie file or previewing a movie file using QuickLook. 19) Some security issues in ruby can be exploited by malicious people to conduct spoofing attacks. For more information: SA26985 20) Some vulnerabilities and a security issue in Ruby on Rails can be exploited by malicious people to disclose sensitive information or to conduct session fixation attacks. For more information: SA25699 SA27781 21) An error in Safari allows a page to navigate the subframes of any other page. This can be exploited to conduct cross-site scripting attacks and to disclose sensitive information when a user visits a specially crafted web page. 22) An unspecified error in Safari in the handling of RSS feeds can be exploited to cause a memory corruption and may allow execution of arbitrary code when a user accesses a specially crafted URL. 23) Some boundary errors in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27450 24) Some boundary errors in the Shockwave Plug-in can be exploited by malicious people to compromise a user's system. For more information: SA19218 25) A boundary error in the processing of command line arguments to "mount_smbfs" and "smbutil" can be exploited to cause a stack-based buffer overflow and execute arbitrary code with system privileges. 26) The distribution definition file used in Software Update is received by using HTTP without any authentication and allows execution of arbitrary commands. Successful exploitation requires a MitM (Man-in-the-Middle) attack. 27) An error due to an insecure file operation exists in the handling of output files in SpinTracer. This may allow a malicious, local user to execute arbitrary code with system privileges. 28) An unspecified error exists in the Microsoft Office Spotlight Importer, which can be exploited to cause a memory corruption when a user downloads a specially crafted .xls file. Successful exploitation may allow execution of arbitrary code. 29) Some vulnerabilities in tcpdump can be exploited by malicious people to cause a DoS or to compromise a user's system. For more information: SA24318 SA26135 30) Some vulnerabilities exist the Perl Compatible Regular Expressions (PCRE) library used by XQuery, which can potentially be exploited to compromise a vulnerable system. For more information: SA27543 SOLUTION: Apply Security Update 2007-009. Security Update 2007-009 (10.4.11 Universal): http://www.apple.com/support/downloads/securityupdate200700910411universal.html Security Update 2007-009 (10.4.11 PPC): http://www.apple.com/support/downloads/securityupdate200700910411ppc.html Security Update 2007-009 (10.5.1): http://www.apple.com/support/downloads/securityupdate20070091051.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Sean Harding. 3) The vendor credits Tom Ferris, Adobe Secure Software Engineering Team (ASSET). 5) The vendor credits Dave Camp, Critical Path Software. 7) The vendor credits Wei Wang, McAfee Avert Labs. 12) The vendor credits Michal Zalewski, Google Inc. 15) The vendor credits Tavis Ormandy and Will Drewry, Google Security Team. 18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc. 26) Moritz Jodeit. 27) The vendor credits Kevin Finisterre, DigitalMunition ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307179 OTHER REFERENCES: SA19218: http://secunia.com/advisories/19218/ SA24318: http://secunia.com/advisories/24318/ SA25699: http://secunia.com/advisories/25699/ SA26135: http://secunia.com/advisories/26135/ SA26573: http://secunia.com/advisories/26573/ SA26837: http://secunia.com/advisories/26837/ SA26985: http://secunia.com/advisories/26985/ SA27233: http://secunia.com/advisories/27233/ SA27450: http://secunia.com/advisories/27450/ SA27543: http://secunia.com/advisories/27543/ SA27546: http://secunia.com/advisories/27546/ SA27781: http://secunia.com/advisories/27781/ SA27785: http://secunia.com/advisories/27785/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

iChat in Apple Mac OS X 10.4.11 allows network-adjacent remote attackers to automatically initiate a video connection to another user via unknown vectors. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Address Book, CFNetwork, ColorSync, CoreFoundation, CUPS, Desktop Services, iChat, IO Storage Family, Launch Services, Mail, Quick Look, Safari, Safari RSS, SMB, Software Update, Spin Tracer, Spotlight, tcpdump, and XQuery. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. I. Further details are available in the related vulnerability notes. These products include: * Adobe Flash * Adobe Shockwave * GNU Tar II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, surreptitious video conference initiation, and denial of service. III. This and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History December 18, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ 7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0 h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q== =Y1jd -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA28136 VERIFY ADVISORY: http://secunia.com/advisories/28136/ CRITICAL: Highly critical IMPACT: Hijacking, Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A format string error in the URL handler of Address Book can be exploited to execute arbitrary code when a user views a specially crafted web page. 2) An error in the handling of downloaded files in CFNetwork can be exploited via directory traversal attacks to automatically download files to arbitrary folders when a user is enticed to visit a specially crafted web page. 3) An unspecified error exists in ColorSync when processing images with an embedded ColorSync profile, which can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code. 4) A race condition exists in the "CFURLWriteDataAndPropertiesToResource" API, which can lead to files being created with insecure permissions. 5) A boundary error exists in the printer driver for CUPS. This can be exploited to cause a buffer overflow and allows an admin user to execute arbitrary code with system privileges by passing a specially crafted URI to the CUPS service. 6) A boundary error in CUPS can be exploited by malicious people to compromise a vulnerable system. For more information: SA27233 7) An integer underflow error in the CUPS backend in the handling of SNMP responses can be exploited to cause a stack-based buffer overflow by sending a specially crafted SNMP response. Successful exploitation allows execution of arbitrary code, but requires that SNMP is enabled. 8) A boundary error in Desktop Services can be exploited to cause a heap-based buffer overflow when a user opens a directory containing a specially crafted .DS_Store file. Successful exploitation may allow execution of arbitrary code. 9) An input validation error in tar can be exploited by malicious people to compromise a user's system. 11) An unspecified error exists within IO Storage Family when handling GUID partition maps within a disk image. This can be exploited to execute arbitrary code when a user is enticed to open a specially crafted disk image. 12) Launch Services does not handle HTML files as potentially unsafe content. This can be exploited to disclose sensitive information or conduct cross-site scripting attacks by enticing a user to open a specially crafted HTML file. 13) A vulnerability in Mail in the handling of unsafe file types can be exploited to compromise a user's system. For more information: SA27785 14) An error in Mail can cause the application to default to SMTP plaintext authentication if the server supports only MD5 Challenge-Response authentication and plaintext authentication. 15) Some vulnerabilities in perl can be exploited by malicious people to compromise a vulnerable system. For more information: SA27546 16) A security issue in python can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA26837 17) Plug-ins in Quick Look are not restricted from making network requests. This may lead to the disclosure of sensitive information when previewing an HTML file. 18) URLs contained in movie files may be accessed when creating an icon for a movie file or previewing a movie file using QuickLook. 19) Some security issues in ruby can be exploited by malicious people to conduct spoofing attacks. For more information: SA26985 20) Some vulnerabilities and a security issue in Ruby on Rails can be exploited by malicious people to disclose sensitive information or to conduct session fixation attacks. For more information: SA25699 SA27781 21) An error in Safari allows a page to navigate the subframes of any other page. This can be exploited to conduct cross-site scripting attacks and to disclose sensitive information when a user visits a specially crafted web page. 22) An unspecified error in Safari in the handling of RSS feeds can be exploited to cause a memory corruption and may allow execution of arbitrary code when a user accesses a specially crafted URL. 23) Some boundary errors in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27450 24) Some boundary errors in the Shockwave Plug-in can be exploited by malicious people to compromise a user's system. For more information: SA19218 25) A boundary error in the processing of command line arguments to "mount_smbfs" and "smbutil" can be exploited to cause a stack-based buffer overflow and execute arbitrary code with system privileges. 26) The distribution definition file used in Software Update is received by using HTTP without any authentication and allows execution of arbitrary commands. Successful exploitation requires a MitM (Man-in-the-Middle) attack. 27) An error due to an insecure file operation exists in the handling of output files in SpinTracer. This may allow a malicious, local user to execute arbitrary code with system privileges. 28) An unspecified error exists in the Microsoft Office Spotlight Importer, which can be exploited to cause a memory corruption when a user downloads a specially crafted .xls file. Successful exploitation may allow execution of arbitrary code. 29) Some vulnerabilities in tcpdump can be exploited by malicious people to cause a DoS or to compromise a user's system. For more information: SA24318 SA26135 30) Some vulnerabilities exist the Perl Compatible Regular Expressions (PCRE) library used by XQuery, which can potentially be exploited to compromise a vulnerable system. For more information: SA27543 SOLUTION: Apply Security Update 2007-009. Security Update 2007-009 (10.4.11 Universal): http://www.apple.com/support/downloads/securityupdate200700910411universal.html Security Update 2007-009 (10.4.11 PPC): http://www.apple.com/support/downloads/securityupdate200700910411ppc.html Security Update 2007-009 (10.5.1): http://www.apple.com/support/downloads/securityupdate20070091051.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Sean Harding. 3) The vendor credits Tom Ferris, Adobe Secure Software Engineering Team (ASSET). 5) The vendor credits Dave Camp, Critical Path Software. 7) The vendor credits Wei Wang, McAfee Avert Labs. 12) The vendor credits Michal Zalewski, Google Inc. 15) The vendor credits Tavis Ormandy and Will Drewry, Google Security Team. 18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc. 26) Moritz Jodeit. 27) The vendor credits Kevin Finisterre, DigitalMunition ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307179 OTHER REFERENCES: SA19218: http://secunia.com/advisories/19218/ SA24318: http://secunia.com/advisories/24318/ SA25699: http://secunia.com/advisories/25699/ SA26135: http://secunia.com/advisories/26135/ SA26573: http://secunia.com/advisories/26573/ SA26837: http://secunia.com/advisories/26837/ SA26985: http://secunia.com/advisories/26985/ SA27233: http://secunia.com/advisories/27233/ SA27450: http://secunia.com/advisories/27450/ SA27543: http://secunia.com/advisories/27543/ SA27546: http://secunia.com/advisories/27546/ SA27781: http://secunia.com/advisories/27781/ SA27785: http://secunia.com/advisories/27785/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Directory traversal vulnerability in CFNetwork in Apple Mac OS X 10.5.1 allows remote attackers to overwrite arbitrary files via a crafted HTTP response. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Address Book, CFNetwork, ColorSync, CoreFoundation, CUPS, Desktop Services, iChat, IO Storage Family, Launch Services, Mail, Quick Look, Safari, Safari RSS, SMB, Software Update, Spin Tracer, Spotlight, tcpdump, and XQuery. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. If a user is tricked into visiting a malicious site, the attacker could cause the file to be automatically downloaded to any folder to which the user has write permissions. I. Further details are available in the related vulnerability notes. These products include: * Adobe Flash * Adobe Shockwave * GNU Tar II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, surreptitious video conference initiation, and denial of service. III. This and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History December 18, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ 7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0 h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q== =Y1jd -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA28136 VERIFY ADVISORY: http://secunia.com/advisories/28136/ CRITICAL: Highly critical IMPACT: Hijacking, Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A format string error in the URL handler of Address Book can be exploited to execute arbitrary code when a user views a specially crafted web page. 2) An error in the handling of downloaded files in CFNetwork can be exploited via directory traversal attacks to automatically download files to arbitrary folders when a user is enticed to visit a specially crafted web page. 3) An unspecified error exists in ColorSync when processing images with an embedded ColorSync profile, which can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code. 4) A race condition exists in the "CFURLWriteDataAndPropertiesToResource" API, which can lead to files being created with insecure permissions. 5) A boundary error exists in the printer driver for CUPS. This can be exploited to cause a buffer overflow and allows an admin user to execute arbitrary code with system privileges by passing a specially crafted URI to the CUPS service. 6) A boundary error in CUPS can be exploited by malicious people to compromise a vulnerable system. For more information: SA27233 7) An integer underflow error in the CUPS backend in the handling of SNMP responses can be exploited to cause a stack-based buffer overflow by sending a specially crafted SNMP response. Successful exploitation allows execution of arbitrary code, but requires that SNMP is enabled. 8) A boundary error in Desktop Services can be exploited to cause a heap-based buffer overflow when a user opens a directory containing a specially crafted .DS_Store file. Successful exploitation may allow execution of arbitrary code. 9) An input validation error in tar can be exploited by malicious people to compromise a user's system. For more information: SA26573 10) An unspecified error in iChat can be exploited by malicious people on the local network to initiate a video connection without the user's approval. 11) An unspecified error exists within IO Storage Family when handling GUID partition maps within a disk image. This can be exploited to execute arbitrary code when a user is enticed to open a specially crafted disk image. 12) Launch Services does not handle HTML files as potentially unsafe content. This can be exploited to disclose sensitive information or conduct cross-site scripting attacks by enticing a user to open a specially crafted HTML file. 13) A vulnerability in Mail in the handling of unsafe file types can be exploited to compromise a user's system. For more information: SA27785 14) An error in Mail can cause the application to default to SMTP plaintext authentication if the server supports only MD5 Challenge-Response authentication and plaintext authentication. 15) Some vulnerabilities in perl can be exploited by malicious people to compromise a vulnerable system. For more information: SA27546 16) A security issue in python can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA26837 17) Plug-ins in Quick Look are not restricted from making network requests. This may lead to the disclosure of sensitive information when previewing an HTML file. 18) URLs contained in movie files may be accessed when creating an icon for a movie file or previewing a movie file using QuickLook. 19) Some security issues in ruby can be exploited by malicious people to conduct spoofing attacks. For more information: SA26985 20) Some vulnerabilities and a security issue in Ruby on Rails can be exploited by malicious people to disclose sensitive information or to conduct session fixation attacks. For more information: SA25699 SA27781 21) An error in Safari allows a page to navigate the subframes of any other page. This can be exploited to conduct cross-site scripting attacks and to disclose sensitive information when a user visits a specially crafted web page. 22) An unspecified error in Safari in the handling of RSS feeds can be exploited to cause a memory corruption and may allow execution of arbitrary code when a user accesses a specially crafted URL. 23) Some boundary errors in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27450 24) Some boundary errors in the Shockwave Plug-in can be exploited by malicious people to compromise a user's system. For more information: SA19218 25) A boundary error in the processing of command line arguments to "mount_smbfs" and "smbutil" can be exploited to cause a stack-based buffer overflow and execute arbitrary code with system privileges. 26) The distribution definition file used in Software Update is received by using HTTP without any authentication and allows execution of arbitrary commands. Successful exploitation requires a MitM (Man-in-the-Middle) attack. 27) An error due to an insecure file operation exists in the handling of output files in SpinTracer. This may allow a malicious, local user to execute arbitrary code with system privileges. 28) An unspecified error exists in the Microsoft Office Spotlight Importer, which can be exploited to cause a memory corruption when a user downloads a specially crafted .xls file. Successful exploitation may allow execution of arbitrary code. 29) Some vulnerabilities in tcpdump can be exploited by malicious people to cause a DoS or to compromise a user's system. For more information: SA24318 SA26135 30) Some vulnerabilities exist the Perl Compatible Regular Expressions (PCRE) library used by XQuery, which can potentially be exploited to compromise a vulnerable system. For more information: SA27543 SOLUTION: Apply Security Update 2007-009. Security Update 2007-009 (10.4.11 Universal): http://www.apple.com/support/downloads/securityupdate200700910411universal.html Security Update 2007-009 (10.4.11 PPC): http://www.apple.com/support/downloads/securityupdate200700910411ppc.html Security Update 2007-009 (10.5.1): http://www.apple.com/support/downloads/securityupdate20070091051.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Sean Harding. 3) The vendor credits Tom Ferris, Adobe Secure Software Engineering Team (ASSET). 5) The vendor credits Dave Camp, Critical Path Software. 7) The vendor credits Wei Wang, McAfee Avert Labs. 12) The vendor credits Michal Zalewski, Google Inc. 15) The vendor credits Tavis Ormandy and Will Drewry, Google Security Team. 18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc. 26) Moritz Jodeit. 27) The vendor credits Kevin Finisterre, DigitalMunition ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307179 OTHER REFERENCES: SA19218: http://secunia.com/advisories/19218/ SA24318: http://secunia.com/advisories/24318/ SA25699: http://secunia.com/advisories/25699/ SA26135: http://secunia.com/advisories/26135/ SA26573: http://secunia.com/advisories/26573/ SA26837: http://secunia.com/advisories/26837/ SA26985: http://secunia.com/advisories/26985/ SA27233: http://secunia.com/advisories/27233/ SA27450: http://secunia.com/advisories/27450/ SA27543: http://secunia.com/advisories/27543/ SA27546: http://secunia.com/advisories/27546/ SA27781: http://secunia.com/advisories/27781/ SA27785: http://secunia.com/advisories/27785/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Heap-based buffer overflow in Desktop Services in Apple Mac OS X 10.4.11 allows user-assisted attackers to execute arbitrary code via a directory with a crafted .DS_Store file. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Address Book, CFNetwork, ColorSync, CoreFoundation, CUPS, Desktop Services, iChat, IO Storage Family, Launch Services, Mail, Quick Look, Safari, Safari RSS, SMB, Software Update, Spin Tracer, Spotlight, tcpdump, and XQuery. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. A heap overflow vulnerability exists in Desktop Services. I. Further details are available in the related vulnerability notes. These products include: * Adobe Flash * Adobe Shockwave * GNU Tar II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, surreptitious video conference initiation, and denial of service. III. This and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History December 18, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ 7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0 h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q== =Y1jd -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA28136 VERIFY ADVISORY: http://secunia.com/advisories/28136/ CRITICAL: Highly critical IMPACT: Hijacking, Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A format string error in the URL handler of Address Book can be exploited to execute arbitrary code when a user views a specially crafted web page. 2) An error in the handling of downloaded files in CFNetwork can be exploited via directory traversal attacks to automatically download files to arbitrary folders when a user is enticed to visit a specially crafted web page. 3) An unspecified error exists in ColorSync when processing images with an embedded ColorSync profile, which can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code. 4) A race condition exists in the "CFURLWriteDataAndPropertiesToResource" API, which can lead to files being created with insecure permissions. 5) A boundary error exists in the printer driver for CUPS. 6) A boundary error in CUPS can be exploited by malicious people to compromise a vulnerable system. For more information: SA27233 7) An integer underflow error in the CUPS backend in the handling of SNMP responses can be exploited to cause a stack-based buffer overflow by sending a specially crafted SNMP response. Successful exploitation allows execution of arbitrary code, but requires that SNMP is enabled. Successful exploitation may allow execution of arbitrary code. 9) An input validation error in tar can be exploited by malicious people to compromise a user's system. For more information: SA26573 10) An unspecified error in iChat can be exploited by malicious people on the local network to initiate a video connection without the user's approval. 11) An unspecified error exists within IO Storage Family when handling GUID partition maps within a disk image. This can be exploited to execute arbitrary code when a user is enticed to open a specially crafted disk image. 12) Launch Services does not handle HTML files as potentially unsafe content. This can be exploited to disclose sensitive information or conduct cross-site scripting attacks by enticing a user to open a specially crafted HTML file. 13) A vulnerability in Mail in the handling of unsafe file types can be exploited to compromise a user's system. For more information: SA27785 14) An error in Mail can cause the application to default to SMTP plaintext authentication if the server supports only MD5 Challenge-Response authentication and plaintext authentication. 15) Some vulnerabilities in perl can be exploited by malicious people to compromise a vulnerable system. For more information: SA27546 16) A security issue in python can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA26837 17) Plug-ins in Quick Look are not restricted from making network requests. This may lead to the disclosure of sensitive information when previewing an HTML file. 18) URLs contained in movie files may be accessed when creating an icon for a movie file or previewing a movie file using QuickLook. 19) Some security issues in ruby can be exploited by malicious people to conduct spoofing attacks. For more information: SA26985 20) Some vulnerabilities and a security issue in Ruby on Rails can be exploited by malicious people to disclose sensitive information or to conduct session fixation attacks. For more information: SA25699 SA27781 21) An error in Safari allows a page to navigate the subframes of any other page. This can be exploited to conduct cross-site scripting attacks and to disclose sensitive information when a user visits a specially crafted web page. 22) An unspecified error in Safari in the handling of RSS feeds can be exploited to cause a memory corruption and may allow execution of arbitrary code when a user accesses a specially crafted URL. 23) Some boundary errors in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27450 24) Some boundary errors in the Shockwave Plug-in can be exploited by malicious people to compromise a user's system. For more information: SA19218 25) A boundary error in the processing of command line arguments to "mount_smbfs" and "smbutil" can be exploited to cause a stack-based buffer overflow and execute arbitrary code with system privileges. 26) The distribution definition file used in Software Update is received by using HTTP without any authentication and allows execution of arbitrary commands. Successful exploitation requires a MitM (Man-in-the-Middle) attack. 27) An error due to an insecure file operation exists in the handling of output files in SpinTracer. This may allow a malicious, local user to execute arbitrary code with system privileges. 28) An unspecified error exists in the Microsoft Office Spotlight Importer, which can be exploited to cause a memory corruption when a user downloads a specially crafted .xls file. Successful exploitation may allow execution of arbitrary code. 29) Some vulnerabilities in tcpdump can be exploited by malicious people to cause a DoS or to compromise a user's system. For more information: SA24318 SA26135 30) Some vulnerabilities exist the Perl Compatible Regular Expressions (PCRE) library used by XQuery, which can potentially be exploited to compromise a vulnerable system. For more information: SA27543 SOLUTION: Apply Security Update 2007-009. Security Update 2007-009 (10.4.11 Universal): http://www.apple.com/support/downloads/securityupdate200700910411universal.html Security Update 2007-009 (10.4.11 PPC): http://www.apple.com/support/downloads/securityupdate200700910411ppc.html Security Update 2007-009 (10.5.1): http://www.apple.com/support/downloads/securityupdate20070091051.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Sean Harding. 3) The vendor credits Tom Ferris, Adobe Secure Software Engineering Team (ASSET). 5) The vendor credits Dave Camp, Critical Path Software. 7) The vendor credits Wei Wang, McAfee Avert Labs. 12) The vendor credits Michal Zalewski, Google Inc. 15) The vendor credits Tavis Ormandy and Will Drewry, Google Security Team. 18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc. 26) Moritz Jodeit. 27) The vendor credits Kevin Finisterre, DigitalMunition ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307179 OTHER REFERENCES: SA19218: http://secunia.com/advisories/19218/ SA24318: http://secunia.com/advisories/24318/ SA25699: http://secunia.com/advisories/25699/ SA26135: http://secunia.com/advisories/26135/ SA26573: http://secunia.com/advisories/26573/ SA26837: http://secunia.com/advisories/26837/ SA26985: http://secunia.com/advisories/26985/ SA27233: http://secunia.com/advisories/27233/ SA27450: http://secunia.com/advisories/27450/ SA27543: http://secunia.com/advisories/27543/ SA27546: http://secunia.com/advisories/27546/ SA27781: http://secunia.com/advisories/27781/ SA27785: http://secunia.com/advisories/27785/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in ColorSync in Apple Mac OS X 10.4.11 allows remote attackers to cause a denial of service (application termination) or execute arbitrary code via an image with a crafted ColorSync profile, which triggers memory corruption. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Address Book, CFNetwork, ColorSync, CoreFoundation, CUPS, Desktop Services, iChat, IO Storage Family, Launch Services, Mail, Quick Look, Safari, Safari RSS, SMB, Software Update, Spin Tracer, Spotlight, tcpdump, and XQuery. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. I. Further details are available in the related vulnerability notes. These products include: * Adobe Flash * Adobe Shockwave * GNU Tar II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, surreptitious video conference initiation, and denial of service. III. This and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History December 18, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ 7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0 h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q== =Y1jd -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA28136 VERIFY ADVISORY: http://secunia.com/advisories/28136/ CRITICAL: Highly critical IMPACT: Hijacking, Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A format string error in the URL handler of Address Book can be exploited to execute arbitrary code when a user views a specially crafted web page. 2) An error in the handling of downloaded files in CFNetwork can be exploited via directory traversal attacks to automatically download files to arbitrary folders when a user is enticed to visit a specially crafted web page. 3) An unspecified error exists in ColorSync when processing images with an embedded ColorSync profile, which can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code. 4) A race condition exists in the "CFURLWriteDataAndPropertiesToResource" API, which can lead to files being created with insecure permissions. 5) A boundary error exists in the printer driver for CUPS. This can be exploited to cause a buffer overflow and allows an admin user to execute arbitrary code with system privileges by passing a specially crafted URI to the CUPS service. 6) A boundary error in CUPS can be exploited by malicious people to compromise a vulnerable system. For more information: SA27233 7) An integer underflow error in the CUPS backend in the handling of SNMP responses can be exploited to cause a stack-based buffer overflow by sending a specially crafted SNMP response. Successful exploitation allows execution of arbitrary code, but requires that SNMP is enabled. 8) A boundary error in Desktop Services can be exploited to cause a heap-based buffer overflow when a user opens a directory containing a specially crafted .DS_Store file. Successful exploitation may allow execution of arbitrary code. 9) An input validation error in tar can be exploited by malicious people to compromise a user's system. For more information: SA26573 10) An unspecified error in iChat can be exploited by malicious people on the local network to initiate a video connection without the user's approval. 11) An unspecified error exists within IO Storage Family when handling GUID partition maps within a disk image. This can be exploited to execute arbitrary code when a user is enticed to open a specially crafted disk image. 12) Launch Services does not handle HTML files as potentially unsafe content. This can be exploited to disclose sensitive information or conduct cross-site scripting attacks by enticing a user to open a specially crafted HTML file. 13) A vulnerability in Mail in the handling of unsafe file types can be exploited to compromise a user's system. For more information: SA27785 14) An error in Mail can cause the application to default to SMTP plaintext authentication if the server supports only MD5 Challenge-Response authentication and plaintext authentication. 15) Some vulnerabilities in perl can be exploited by malicious people to compromise a vulnerable system. For more information: SA27546 16) A security issue in python can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA26837 17) Plug-ins in Quick Look are not restricted from making network requests. This may lead to the disclosure of sensitive information when previewing an HTML file. 18) URLs contained in movie files may be accessed when creating an icon for a movie file or previewing a movie file using QuickLook. 19) Some security issues in ruby can be exploited by malicious people to conduct spoofing attacks. For more information: SA26985 20) Some vulnerabilities and a security issue in Ruby on Rails can be exploited by malicious people to disclose sensitive information or to conduct session fixation attacks. For more information: SA25699 SA27781 21) An error in Safari allows a page to navigate the subframes of any other page. This can be exploited to conduct cross-site scripting attacks and to disclose sensitive information when a user visits a specially crafted web page. 23) Some boundary errors in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27450 24) Some boundary errors in the Shockwave Plug-in can be exploited by malicious people to compromise a user's system. For more information: SA19218 25) A boundary error in the processing of command line arguments to "mount_smbfs" and "smbutil" can be exploited to cause a stack-based buffer overflow and execute arbitrary code with system privileges. 26) The distribution definition file used in Software Update is received by using HTTP without any authentication and allows execution of arbitrary commands. Successful exploitation requires a MitM (Man-in-the-Middle) attack. 27) An error due to an insecure file operation exists in the handling of output files in SpinTracer. This may allow a malicious, local user to execute arbitrary code with system privileges. 28) An unspecified error exists in the Microsoft Office Spotlight Importer, which can be exploited to cause a memory corruption when a user downloads a specially crafted .xls file. Successful exploitation may allow execution of arbitrary code. 29) Some vulnerabilities in tcpdump can be exploited by malicious people to cause a DoS or to compromise a user's system. For more information: SA24318 SA26135 30) Some vulnerabilities exist the Perl Compatible Regular Expressions (PCRE) library used by XQuery, which can potentially be exploited to compromise a vulnerable system. For more information: SA27543 SOLUTION: Apply Security Update 2007-009. Security Update 2007-009 (10.4.11 Universal): http://www.apple.com/support/downloads/securityupdate200700910411universal.html Security Update 2007-009 (10.4.11 PPC): http://www.apple.com/support/downloads/securityupdate200700910411ppc.html Security Update 2007-009 (10.5.1): http://www.apple.com/support/downloads/securityupdate20070091051.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Sean Harding. 3) The vendor credits Tom Ferris, Adobe Secure Software Engineering Team (ASSET). 5) The vendor credits Dave Camp, Critical Path Software. 7) The vendor credits Wei Wang, McAfee Avert Labs. 12) The vendor credits Michal Zalewski, Google Inc. 15) The vendor credits Tavis Ormandy and Will Drewry, Google Security Team. 18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc. 26) Moritz Jodeit. 27) The vendor credits Kevin Finisterre, DigitalMunition ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307179 OTHER REFERENCES: SA19218: http://secunia.com/advisories/19218/ SA24318: http://secunia.com/advisories/24318/ SA25699: http://secunia.com/advisories/25699/ SA26135: http://secunia.com/advisories/26135/ SA26573: http://secunia.com/advisories/26573/ SA26837: http://secunia.com/advisories/26837/ SA26985: http://secunia.com/advisories/26985/ SA27233: http://secunia.com/advisories/27233/ SA27450: http://secunia.com/advisories/27450/ SA27543: http://secunia.com/advisories/27543/ SA27546: http://secunia.com/advisories/27546/ SA27781: http://secunia.com/advisories/27781/ SA27785: http://secunia.com/advisories/27785/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------