VARIoT IoT vulnerabilities database
| VAR-200711-0140 | CVE-2007-6093 | Ingate Firewall Such as SRTP Service disruption in implementation (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The SRTP implementation in Ingate Firewall before 4.6.0 and SIParator before 4.6.0 allows remote attackers to cause a denial of service (kernel crash) via an RTCP index that is "much more than expected.". Ingate Firewall and SIParator products are prone to multiple vulnerabilities that include buffer-overflow, information-disclosure, and denial-of-service issues.
An attacker may access sensitive information, cause denial-of-service conditions, or potentially execute arbitrary code.
Versions prior to Ingate Firewall 4.6.0 and Ingate SIParator 4.6.0 are vulnerable. Both Ingate Firewall and SIParator are enterprise-level hardware firewall devices.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
Get a free trial of the Secunia Vulnerability Intelligence Solutions:
http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv
----------------------------------------------------------------------
TITLE:
Ingate Firewall and SIParator Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA27688
VERIFY ADVISORY:
http://secunia.com/advisories/27688/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Ingate Firewall 4.x
http://secunia.com/product/4050/
Ingate SIParator 4.x
http://secunia.com/product/5687/
DESCRIPTION:
Some vulnerabilities and security issues have been reported in Ingate
Firewall and SIParator, which potentially can be exploited by
malicious people or users to cause a DoS (Denial of Service) or gain
knowledge of sensitive information, or by malicious people to
compromise a vulnerable system.
1) A boundary error in libsrtp can be exploited to cause a buffer
overflow.
3) An error when processing IPsec phase two proposals without PFS
could cause the IPSec module to crash.
4) An error in the SIP component when using Remote NAT Traversal
could allow user's registrations to conflict and messages to be sent
to the wrong user.
5) Passwords of administrators with less privileges are stored in
clear text.
Other issues have also been reported, which may have security
impacts.
SOLUTION:
Update to version 4.6.0.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.ingate.com/relnote-460.php
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200711-0141 | CVE-2007-6094 | Ingate Firewall Such as VPN Service disruption in components (DoS) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The IPsec module in the VPN component in Ingate Firewall before 4.6.0 and SIParator before 4.6.0 allows remote attackers to cause a denial of service (module crash) via an IPsec Phase 2 proposal that lacks Perfect Forward Secrecy (PFS). Ingate Firewall and SIParator products are prone to multiple vulnerabilities that include buffer-overflow, information-disclosure, and denial-of-service issues.
An attacker may access sensitive information, cause denial-of-service conditions, or potentially execute arbitrary code.
Versions prior to Ingate Firewall 4.6.0 and Ingate SIParator 4.6.0 are vulnerable. Both Ingate Firewall and SIParator are enterprise-level hardware firewall devices.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
Get a free trial of the Secunia Vulnerability Intelligence Solutions:
http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv
----------------------------------------------------------------------
TITLE:
Ingate Firewall and SIParator Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA27688
VERIFY ADVISORY:
http://secunia.com/advisories/27688/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Ingate Firewall 4.x
http://secunia.com/product/4050/
Ingate SIParator 4.x
http://secunia.com/product/5687/
DESCRIPTION:
Some vulnerabilities and security issues have been reported in Ingate
Firewall and SIParator, which potentially can be exploited by
malicious people or users to cause a DoS (Denial of Service) or gain
knowledge of sensitive information, or by malicious people to
compromise a vulnerable system.
1) A boundary error in libsrtp can be exploited to cause a buffer
overflow.
2) An error in the SRTP component when processing an overly large
RTCP index could cause a kernel crash.
4) An error in the SIP component when using Remote NAT Traversal
could allow user's registrations to conflict and messages to be sent
to the wrong user.
5) Passwords of administrators with less privileges are stored in
clear text.
Other issues have also been reported, which may have security
impacts.
SOLUTION:
Update to version 4.6.0.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.ingate.com/relnote-460.php
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200711-0142 | CVE-2007-6095 | Ingate Firewall Such as SIP Vulnerability in receiving messages addressed to other users in components |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
The SIP component in Ingate Firewall before 4.6.0 and SIParator before 4.6.0, when Remote NAT Traversal is employed, does not properly perform user registration and message distribution, which might allow remote authenticated users to receive messages intended for other users. Ingate Firewall and SIParator products are prone to multiple vulnerabilities that include buffer-overflow, information-disclosure, and denial-of-service issues.
An attacker may access sensitive information, cause denial-of-service conditions, or potentially execute arbitrary code.
Versions prior to Ingate Firewall 4.6.0 and Ingate SIParator 4.6.0 are vulnerable. Both Ingate Firewall and SIParator are enterprise-level hardware firewall devices.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
Get a free trial of the Secunia Vulnerability Intelligence Solutions:
http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv
----------------------------------------------------------------------
TITLE:
Ingate Firewall and SIParator Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA27688
VERIFY ADVISORY:
http://secunia.com/advisories/27688/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Ingate Firewall 4.x
http://secunia.com/product/4050/
Ingate SIParator 4.x
http://secunia.com/product/5687/
DESCRIPTION:
Some vulnerabilities and security issues have been reported in Ingate
Firewall and SIParator, which potentially can be exploited by
malicious people or users to cause a DoS (Denial of Service) or gain
knowledge of sensitive information, or by malicious people to
compromise a vulnerable system.
1) A boundary error in libsrtp can be exploited to cause a buffer
overflow.
2) An error in the SRTP component when processing an overly large
RTCP index could cause a kernel crash.
3) An error when processing IPsec phase two proposals without PFS
could cause the IPSec module to crash.
5) Passwords of administrators with less privileges are stored in
clear text.
Other issues have also been reported, which may have security
impacts.
SOLUTION:
Update to version 4.6.0.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.ingate.com/relnote-460.php
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200711-0143 | CVE-2007-6096 | Ingate Firewall and SIParator Vulnerable to reading plaintext passwords |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Ingate Firewall before 4.6.0 and SIParator before 4.6.0 use cleartext storage for passwords of "administrators with less privileges," which might allow attackers to read these passwords via unknown vectors. Ingate Firewall and SIParator products are prone to multiple vulnerabilities that include buffer-overflow, information-disclosure, and denial-of-service issues.
An attacker may access sensitive information, cause denial-of-service conditions, or potentially execute arbitrary code.
Versions prior to Ingate Firewall 4.6.0 and Ingate SIParator 4.6.0 are vulnerable. Both Ingate Firewall and SIParator are enterprise-level hardware firewall devices. Sensitive information disclosure vulnerabilities exist in Ingate Firewall and SIParator. The password of the administrator \"administration\" account is stored in plain text, which may cause malicious attackers to obtain the password information of the management account through unknown means.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
Get a free trial of the Secunia Vulnerability Intelligence Solutions:
http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv
----------------------------------------------------------------------
TITLE:
Ingate Firewall and SIParator Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA27688
VERIFY ADVISORY:
http://secunia.com/advisories/27688/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Ingate Firewall 4.x
http://secunia.com/product/4050/
Ingate SIParator 4.x
http://secunia.com/product/5687/
DESCRIPTION:
Some vulnerabilities and security issues have been reported in Ingate
Firewall and SIParator, which potentially can be exploited by
malicious people or users to cause a DoS (Denial of Service) or gain
knowledge of sensitive information, or by malicious people to
compromise a vulnerable system.
1) A boundary error in libsrtp can be exploited to cause a buffer
overflow.
2) An error in the SRTP component when processing an overly large
RTCP index could cause a kernel crash.
3) An error when processing IPsec phase two proposals without PFS
could cause the IPSec module to crash.
4) An error in the SIP component when using Remote NAT Traversal
could allow user's registrations to conflict and messages to be sent
to the wrong user.
Other issues have also been reported, which may have security
impacts.
SOLUTION:
Update to version 4.6.0.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.ingate.com/relnote-460.php
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200711-0144 | CVE-2007-6097 | Ingate Firewall and SIParator of ICMP Vulnerability in implementation |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the ICMP implementation in Ingate Firewall before 4.6.0 and SIParator before 4.6.0 has unknown impact and remote attack vectors, related to ICMP packets that are "incorrectly accepted.". Ingate Firewall and SIParator products are prone to multiple vulnerabilities that include buffer-overflow, information-disclosure, and denial-of-service issues.
An attacker may access sensitive information, cause denial-of-service conditions, or potentially execute arbitrary code.
Versions prior to Ingate Firewall 4.6.0 and Ingate SIParator 4.6.0 are vulnerable. Both Ingate Firewall and SIParator are enterprise-level hardware firewall devices
| VAR-200711-0145 | CVE-2007-6098 | Ingate Firewall and SIParator Vulnerable to guessing valid login credentials |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Ingate Firewall before 4.6.0 and SIParator before 4.6.0 do not log truncated (1) ICMP, (2) UDP, and (3) TCP packets, which has unknown impact and remote attack vectors; and do not log (4) serial-console login attempts with nonexistent usernames, which might make it easier for attackers with physical access to guess valid login credentials while avoiding detection. Ingate Firewall and SIParator products are prone to multiple vulnerabilities that include buffer-overflow, information-disclosure, and denial-of-service issues.
An attacker may access sensitive information, cause denial-of-service conditions, or potentially execute arbitrary code.
Versions prior to Ingate Firewall 4.6.0 and Ingate SIParator 4.6.0 are vulnerable. Both Ingate Firewall and SIParator are enterprise-level hardware firewall devices
| VAR-200711-0231 | CVE-2007-6054 | Aruba 800 Mobility Controller Management interface cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the login page in the management interface in the Aruba 800 Mobility Controller 2.5.4.18 and earlier, and 2.4.8.6-FIPS and earlier, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the /screens URI, related to the url variable. The problem is url Related to variables.By a third party /screens URI To PATH_INFO Through any Web Script or HTML May be inserted.
Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible
| VAR-200711-0205 | CVE-2007-6028 |
ComponentOne FlexGrid of VSFlexGrid.VSFlexGridL ActiveX Stack-based buffer overflow vulnerability in Control
Related entries in the VARIoT exploits database: VAR-E-200711-0135, VAR-E-200711-0136 |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple stack-based buffer overflows in the VSFlexGrid.VSFlexGridL ActiveX control in ComponentOne FlexGrid 7.1 Light allow remote attackers to cause a denial of service and possibly execute arbitrary code via a long string in the (1) Text, (2) EditSelText, (3) EditText, and (4) CellFontName property values. ComponentOne FlexGrid ActiveX Control is prone to multiple stack-based buffer-overflow vulnerabilities because the application fails to adequately check boundaries on user-supplied input.
ComponentOne FlexGrid 7.1 Light is vulnerable; other versions may also be affected
| VAR-200711-0321 | CVE-2007-4704 | Apple Mac OS X Of bypassing application firewall restrictions on Windows |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The Application Firewall in Apple Mac OS X 10.5 does not apply changed settings to processes that are started by launchd until the processes are restarted, which might allow attackers to bypass intended access restrictions.
This issue may result in a false sense of security and leave certain processes vulnerable to external attack.
This issue affects Mac OS X 10.5 and Mac OS X Server 10.5; earlier versions are not affected.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
Get a free trial of the Secunia Vulnerability Intelligence Solutions:
http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Application Firewall Weaknesses and Security Issue
SECUNIA ADVISORY ID:
SA27695
VERIFY ADVISORY:
http://secunia.com/advisories/27695/
CRITICAL:
Less critical
IMPACT:
Security Bypass
WHERE:
>From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
Some weaknesses and a security issue have been reported in Apple Mac
OS X, which can lead to exposure of certain services.
1) The Application Firewall allows any process running as user "root"
(UID 0) to receive incoming connections even though the option "Block
all incoming connections" is set.
NOTE: The update changes the name of the option and updates the
documentation.
2) The Application Firewall allows any process running as user "root"
(UID 0) to receive incoming connections even though the executable has
been added to the list of blocked applications via the "Set access for
specific services and applications" option. This may lead to
exposure of certain services.
Mac OS X 10.5.1 Update:
http://www.apple.com/support/downloads/macosx1051update.html
Mac OS X Server 10.5.1 Update
http://www.apple.com/support/downloads/macosxserver1051update.html
PROVIDED AND/OR DISCOVERED BY:
J\xfcrgen Schmidt
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307004
heise Security:
http://www.heise-security.co.uk/articles/98120
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200711-0320 | CVE-2007-4703 | Apple Mac OS X In root Process application firewall limit bypass issue |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The Application Firewall in Apple Mac OS X 10.5 does not prevent a root process from accepting incoming connections, even when "Block incoming connections" has been set for its associated executable, which might allow remote attackers or local root processes to bypass intended access restrictions. Apple Mac OS X is prone to a weakness that results in unauthorized network access to certain applications.
This issue affects the Application Firewall when the 'Set access for specific services and applications' setting is enabled for certain applications.
This weakness exposes the computer to unauthorized remote access and can lead to a false sense of security.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
NOTE: The update changes the name of the option and updates the
documentation.
3) Changes to Application Firewall settings do not affect processes
started by launchd until they are restarted. This may lead to
exposure of certain services.
The weaknesses and the security issue have been reported in Mac OS X
10.5 (Leopard).
SOLUTION:
Update to Mac OS X 10.5.1.
Mac OS X 10.5.1 Update:
http://www.apple.com/support/downloads/macosx1051update.html
Mac OS X Server 10.5.1 Update
http://www.apple.com/support/downloads/macosxserver1051update.html
PROVIDED AND/OR DISCOVERED BY:
J\xfcrgen Schmidt
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307004
heise Security:
http://www.heise-security.co.uk/articles/98120
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200711-0319 | CVE-2007-4702 | Apple Mac OS X In bypassing application firewall restrictions in Windows |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The Application Firewall in Apple Mac OS X 10.5, when "Block all incoming connections" is enabled, does not prevent root processes or mDNSResponder from accepting connections, which might allow remote attackers or local root processes to bypass intended access restrictions. Apple Mac OS X 10.5's Application Firewall is prone to a misleading configuration weakness because of a flaw in the application's configuration dialog and documentation.
This issue may lead to a false sense of security, potentially aiding in network-based attacks.
Apple Mac OS X 10.5 is vulnerable to this issue.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
NOTE: The update changes the name of the option and updates the
documentation.
3) Changes to Application Firewall settings do not affect processes
started by launchd until they are restarted. This may lead to
exposure of certain services.
Mac OS X 10.5.1 Update:
http://www.apple.com/support/downloads/macosx1051update.html
Mac OS X Server 10.5.1 Update
http://www.apple.com/support/downloads/macosxserver1051update.html
PROVIDED AND/OR DISCOVERED BY:
J\xfcrgen Schmidt
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307004
heise Security:
http://www.heise-security.co.uk/articles/98120
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200711-0248 | CVE-2007-4267 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the Networking component in Apple Mac OS X 10.4 through 10.4.10 allows local users to execute arbitrary code via a crafted IOCTL request that adds an AppleTalk zone to a routing table. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk.
20) A boundary error exists when adding a new AppleTalk zone.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service. This and
other updates are available via Apple Update or via Apple Downloads. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
. BACKGROUND
AppleTalk, a set of networking protocols developed by Apple, was
originally implemented on early Mac operating systems. AppleTalk is compiled into the default kernel, but must be turned on
in order to be used. More information can be found at the following URL.
http://docs.info.apple.com/article.html?artnum=50039
II. A zone can be thought
of as something similar to a Windows Domain.
When copying the user provided zone information into a fixed size stack
buffer, the kernel uses a user provided length as the number of bytes
to copy into the destination buffer. This results in an exploitable
stack buffer overflow in the kernel.
III. Unsuccessful attempts
will likely crash the system.
In order to exploit this vulnerability, the system needs to have
AppleTalk configured in routing mode. This is not enabled by default.
It would likely be enabled on a Mac system running on a network with
legacy Mac hosts.
IV. Previous versions may also be
affected.
To determine if AppleTalk is running, the following command can be
executed on the command line.
$ appletalk -s
V. WORKAROUND
Disabling AppleTalk will prevent exploitation of this vulnerability.
Executing the following command will disable AppleTalk if it is
enabled.
# appletalk -d
VI. More information is available at the following URL.
http://docs.info.apple.com/article.html?artnum=307041
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-4267 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
08/08/2007 Initial vendor notification
08/09/2007 Initial vendor response
11/14/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright \xa9 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-200711-0112 | CVE-2007-5993 | VTLS vtls.web.gateway of Visionary Technology Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Visionary Technology in Library Solutions (VTLS) vtls.web.gateway before 48.1.1 allows remote attackers to inject arbitrary web script or HTML via the searchtype parameter. Web Gateway is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker to steal cookie-based authentication credentials and to launch other attacks.
This issue affects versions prior to Web Gateway 48.1.1.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
Input passed to the "searchtype" parameter in vtls.web.gateway is not
properly sanitised before being returned to the user.
The vulnerability is reported in version 48.1.0.
SOLUTION:
Update to version 48.1.1.
PROVIDED AND/OR DISCOVERED BY:
Jesus Olmos Gonzalez, Internet Security Auditors, S.L.
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200711-0099 | CVE-2007-5979 | F5 FirePass 4100 SSL VPN Download_Plugin.PHP3 Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in download_plugin.php3 in F5 Firepass 4100 SSL VPN 5.4 through 5.5.2 and 6.0 through 6.0.1 allows remote attackers to inject arbitrary web script or HTML via the backurl parameter.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker to steal cookie-based authentication credentials and to launch other attacks.
F5 FirePass 4100 SSL VPNs running these firmware versions are vulnerable:
5.4 through 5.5.2
6.0
6.0.1.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
Input passed to the "backurl" parameter in download_plugin.php3 isn't
properly sanitised before being returned to the user.
The vulnerability reportedly affects versions 5.4 to 5.5.2 and 6.0 to
6.0.1.
SOLUTION:
The vendor has issued a solution at:
https://support.f5.com/kb/en-us/solutions/public/7000/400/sol7498.html
PROVIDED AND/OR DISCOVERED BY:
Jan Fry and Adrian Pastor, Procheckup Ltd
ORIGINAL ADVISORY:
F5:
https://support.f5.com/kb/en-us/solutions/public/7000/400/sol7498.html
Procheckup Ltd:
http://www.procheckup.com/Vulnerability_PR07-13.php
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200903-0004 | CVE-2007-6723 | Windows and Mac OS X Run on TorK Vulnerabilities whose settings are changed |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
TorK before 0.22, when running on Windows and Mac OS X, installs Privoxy with a configuration file (config.txt or config) that contains insecure (1) enable-remote-toggle and (2) enable-edit-actions settings, which allows remote attackers to bypass intended access restrictions and modify configuration. TorK is prone to multiple insecure-configuration vulnerabilities because of several default configuration options used by the Privoxy web proxy server.
Attackers can exploit these issues to bypass proxy filter rules or modify user-defined configuration values.
These issues affect versions prior to TorK 0.22. TorK is a powerful KDE desktop anonymous management tool. It is possible to browse the web anonymously through a browser and send anonymous emails from the MixMinion network. You can use ssh, IRC chat tools and IM instant messaging tools anonymously. And can control and monitor anonymous traffic on the Tor network through TorK. This configuration file contains insecure (1) enable-remote-toggle and (2) enable-edit-actions settings
| VAR-200903-0003 | CVE-2007-6722 | Vidalia bundle Access restriction bypass vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Vidalia bundle before 0.1.2.18, when running on Windows and Mac OS X, installs Privoxy with a configuration file (config.txt or config) that contains insecure (1) enable-remote-toggle and (2) enable-edit-actions settings, which allows remote attackers to bypass intended access restrictions and modify configuration. TorK is prone to multiple insecure-configuration vulnerabilities because of several default configuration options used by the Privoxy web proxy server.
Attackers can exploit these issues to bypass proxy filter rules or modify user-defined configuration values.
These issues affect versions prior to TorK 0.22. TorK is a powerful KDE desktop anonymous management tool. It is possible to browse the web anonymously through a browser and send anonymous emails from the MixMinion network. You can use ssh, IRC chat tools and IM instant messaging tools anonymously. And can control and monitor anonymous traffic on the Tor network through TorK. This configuration file contains insecure (1) enable-remote-toggle and (2) enable-edit-actions settings
| VAR-200712-0440 | CVE-2007-5857 | Apple Mac OS X of Quick Look In HREFTrack Information disclosure vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Quick Look in Apple Mac OS X 10.5.1 does not prevent a movie from accessing URLs when the movie file is previewed or if an icon is created, which might allow remote attackers to obtain sensitive information via HREFTrack. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including Address Book, CFNetwork, ColorSync, CoreFoundation, CUPS, Desktop Services, iChat, IO Storage Family, Launch Services, Mail, Quick Look, Safari, Safari RSS, SMB, Software Update, Spin Tracer, Spotlight, tcpdump, and XQuery.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues.
I.
Further details are available in the related vulnerability notes. These products include:
* Adobe Flash
* Adobe Shockwave
* GNU Tar
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
surreptitious video conference initiation, and denial of service.
III. This and other updates are
available via Software Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the
subject.
_________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
December 18, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ
7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz
Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG
IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs
Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0
h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q==
=Y1jd
-----END PGP SIGNATURE-----
.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
Get a free trial of the Secunia Vulnerability Intelligence Solutions:
http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA28136
VERIFY ADVISORY:
http://secunia.com/advisories/28136/
CRITICAL:
Highly critical
IMPACT:
Hijacking, Security Bypass, Cross Site Scripting, Exposure of system
information, Exposure of sensitive information, Privilege escalation,
DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) A format string error in the URL handler of Address Book can be
exploited to execute arbitrary code when a user views a specially
crafted web page.
2) An error in the handling of downloaded files in CFNetwork can be
exploited via directory traversal attacks to automatically download
files to arbitrary folders when a user is enticed to visit a
specially crafted web page.
3) An unspecified error exists in ColorSync when processing images
with an embedded ColorSync profile, which can be exploited to cause a
memory corruption.
Successful exploitation may allow execution of arbitrary code.
4) A race condition exists in the
"CFURLWriteDataAndPropertiesToResource" API, which can lead to files
being created with insecure permissions.
5) A boundary error exists in the printer driver for CUPS. This can
be exploited to cause a buffer overflow and allows an admin user to
execute arbitrary code with system privileges by passing a specially
crafted URI to the CUPS service.
6) A boundary error in CUPS can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA27233
7) An integer underflow error in the CUPS backend in the handling of
SNMP responses can be exploited to cause a stack-based buffer
overflow by sending a specially crafted SNMP response.
Successful exploitation allows execution of arbitrary code, but
requires that SNMP is enabled.
8) A boundary error in Desktop Services can be exploited to cause a
heap-based buffer overflow when a user opens a directory containing a
specially crafted .DS_Store file.
Successful exploitation may allow execution of arbitrary code.
9) An input validation error in tar can be exploited by malicious
people to compromise a user's system.
For more information:
SA26573
10) An unspecified error in iChat can be exploited by malicious
people on the local network to initiate a video connection without
the user's approval.
11) An unspecified error exists within IO Storage Family when
handling GUID partition maps within a disk image. This can be
exploited to execute arbitrary code when a user is enticed to open a
specially crafted disk image.
12) Launch Services does not handle HTML files as potentially unsafe
content. This can be exploited to disclose sensitive information or
conduct cross-site scripting attacks by enticing a user to open a
specially crafted HTML file.
13) A vulnerability in Mail in the handling of unsafe file types can
be exploited to compromise a user's system.
For more information:
SA27785
14) An error in Mail can cause the application to default to SMTP
plaintext authentication if the server supports only MD5
Challenge-Response authentication and plaintext authentication.
15) Some vulnerabilities in perl can be exploited by malicious people
to compromise a vulnerable system.
For more information:
SA27546
16) A security issue in python can be exploited by malicious people
to cause a DoS (Denial of Service) and potentially compromise a
vulnerable system.
For more information:
SA26837
17) Plug-ins in Quick Look are not restricted from making network
requests. This may lead to the disclosure of sensitive information
when previewing an HTML file.
18) URLs contained in movie files may be accessed when creating an
icon for a movie file or previewing a movie file using QuickLook.
19) Some security issues in ruby can be exploited by malicious people
to conduct spoofing attacks.
For more information:
SA26985
20) Some vulnerabilities and a security issue in Ruby on Rails can be
exploited by malicious people to disclose sensitive information or to
conduct session fixation attacks.
For more information:
SA25699
SA27781
21) An error in Safari allows a page to navigate the subframes of any
other page. This can be exploited to conduct cross-site scripting
attacks and to disclose sensitive information when a user visits a
specially crafted web page.
22) An unspecified error in Safari in the handling of RSS feeds can
be exploited to cause a memory corruption and may allow execution of
arbitrary code when a user accesses a specially crafted URL.
23) Some boundary errors in Samba can be exploited by malicious
people to compromise a vulnerable system.
For more information:
SA27450
24) Some boundary errors in the Shockwave Plug-in can be exploited by
malicious people to compromise a user's system.
For more information:
SA19218
25) A boundary error in the processing of command line arguments to
"mount_smbfs" and "smbutil" can be exploited to cause a stack-based
buffer overflow and execute arbitrary code with system privileges.
26) The distribution definition file used in Software Update is
received by using HTTP without any authentication and allows
execution of arbitrary commands.
Successful exploitation requires a MitM (Man-in-the-Middle) attack.
27) An error due to an insecure file operation exists in the handling
of output files in SpinTracer. This may allow a malicious, local user
to execute arbitrary code with system privileges.
28) An unspecified error exists in the Microsoft Office Spotlight
Importer, which can be exploited to cause a memory corruption when a
user downloads a specially crafted .xls file.
Successful exploitation may allow execution of arbitrary code.
29) Some vulnerabilities in tcpdump can be exploited by malicious
people to cause a DoS or to compromise a user's system.
For more information:
SA24318
SA26135
30) Some vulnerabilities exist the Perl Compatible Regular
Expressions (PCRE) library used by XQuery, which can potentially be
exploited to compromise a vulnerable system.
For more information:
SA27543
SOLUTION:
Apply Security Update 2007-009.
Security Update 2007-009 (10.4.11 Universal):
http://www.apple.com/support/downloads/securityupdate200700910411universal.html
Security Update 2007-009 (10.4.11 PPC):
http://www.apple.com/support/downloads/securityupdate200700910411ppc.html
Security Update 2007-009 (10.5.1):
http://www.apple.com/support/downloads/securityupdate20070091051.html
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits Sean Harding.
3) The vendor credits Tom Ferris, Adobe Secure Software Engineering
Team (ASSET).
5) The vendor credits Dave Camp, Critical Path Software.
7) The vendor credits Wei Wang, McAfee Avert Labs.
12) The vendor credits Michal Zalewski, Google Inc.
15) The vendor credits Tavis Ormandy and Will Drewry, Google Security
Team.
18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc.
26) Moritz Jodeit.
27) The vendor credits Kevin Finisterre, DigitalMunition
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307179
OTHER REFERENCES:
SA19218:
http://secunia.com/advisories/19218/
SA24318:
http://secunia.com/advisories/24318/
SA25699:
http://secunia.com/advisories/25699/
SA26135:
http://secunia.com/advisories/26135/
SA26573:
http://secunia.com/advisories/26573/
SA26837:
http://secunia.com/advisories/26837/
SA26985:
http://secunia.com/advisories/26985/
SA27233:
http://secunia.com/advisories/27233/
SA27450:
http://secunia.com/advisories/27450/
SA27543:
http://secunia.com/advisories/27543/
SA27546:
http://secunia.com/advisories/27546/
SA27781:
http://secunia.com/advisories/27781/
SA27785:
http://secunia.com/advisories/27785/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200712-0443 | CVE-2007-5860 | Apple Mac OS X of Spin Tracer Vulnerable to arbitrary code execution related to output files |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Spin Tracer in Apple Mac OS X 10.5.1 allows local users to execute arbitrary code via unspecified output files, involving an "insecure file operation.". Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including Address Book, CFNetwork, ColorSync, CoreFoundation, CUPS, Desktop Services, iChat, IO Storage Family, Launch Services, Mail, Quick Look, Safari, Safari RSS, SMB, Software Update, Spin Tracer, Spotlight, tcpdump, and XQuery.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues.
I.
Further details are available in the related vulnerability notes. These products include:
* Adobe Flash
* Adobe Shockwave
* GNU Tar
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
surreptitious video conference initiation, and denial of service.
III. This and other updates are
available via Software Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the
subject.
_________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
December 18, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ
7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz
Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG
IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs
Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0
h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q==
=Y1jd
-----END PGP SIGNATURE-----
.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
Get a free trial of the Secunia Vulnerability Intelligence Solutions:
http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA28136
VERIFY ADVISORY:
http://secunia.com/advisories/28136/
CRITICAL:
Highly critical
IMPACT:
Hijacking, Security Bypass, Cross Site Scripting, Exposure of system
information, Exposure of sensitive information, Privilege escalation,
DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) A format string error in the URL handler of Address Book can be
exploited to execute arbitrary code when a user views a specially
crafted web page.
2) An error in the handling of downloaded files in CFNetwork can be
exploited via directory traversal attacks to automatically download
files to arbitrary folders when a user is enticed to visit a
specially crafted web page.
3) An unspecified error exists in ColorSync when processing images
with an embedded ColorSync profile, which can be exploited to cause a
memory corruption.
Successful exploitation may allow execution of arbitrary code.
4) A race condition exists in the
"CFURLWriteDataAndPropertiesToResource" API, which can lead to files
being created with insecure permissions.
5) A boundary error exists in the printer driver for CUPS. This can
be exploited to cause a buffer overflow and allows an admin user to
execute arbitrary code with system privileges by passing a specially
crafted URI to the CUPS service.
6) A boundary error in CUPS can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA27233
7) An integer underflow error in the CUPS backend in the handling of
SNMP responses can be exploited to cause a stack-based buffer
overflow by sending a specially crafted SNMP response.
Successful exploitation allows execution of arbitrary code, but
requires that SNMP is enabled.
8) A boundary error in Desktop Services can be exploited to cause a
heap-based buffer overflow when a user opens a directory containing a
specially crafted .DS_Store file.
Successful exploitation may allow execution of arbitrary code.
9) An input validation error in tar can be exploited by malicious
people to compromise a user's system.
For more information:
SA26573
10) An unspecified error in iChat can be exploited by malicious
people on the local network to initiate a video connection without
the user's approval.
11) An unspecified error exists within IO Storage Family when
handling GUID partition maps within a disk image. This can be
exploited to execute arbitrary code when a user is enticed to open a
specially crafted disk image.
12) Launch Services does not handle HTML files as potentially unsafe
content. This can be exploited to disclose sensitive information or
conduct cross-site scripting attacks by enticing a user to open a
specially crafted HTML file.
13) A vulnerability in Mail in the handling of unsafe file types can
be exploited to compromise a user's system.
For more information:
SA27785
14) An error in Mail can cause the application to default to SMTP
plaintext authentication if the server supports only MD5
Challenge-Response authentication and plaintext authentication.
15) Some vulnerabilities in perl can be exploited by malicious people
to compromise a vulnerable system.
For more information:
SA27546
16) A security issue in python can be exploited by malicious people
to cause a DoS (Denial of Service) and potentially compromise a
vulnerable system.
For more information:
SA26837
17) Plug-ins in Quick Look are not restricted from making network
requests. This may lead to the disclosure of sensitive information
when previewing an HTML file.
18) URLs contained in movie files may be accessed when creating an
icon for a movie file or previewing a movie file using QuickLook.
19) Some security issues in ruby can be exploited by malicious people
to conduct spoofing attacks.
For more information:
SA26985
20) Some vulnerabilities and a security issue in Ruby on Rails can be
exploited by malicious people to disclose sensitive information or to
conduct session fixation attacks.
For more information:
SA25699
SA27781
21) An error in Safari allows a page to navigate the subframes of any
other page. This can be exploited to conduct cross-site scripting
attacks and to disclose sensitive information when a user visits a
specially crafted web page.
22) An unspecified error in Safari in the handling of RSS feeds can
be exploited to cause a memory corruption and may allow execution of
arbitrary code when a user accesses a specially crafted URL.
23) Some boundary errors in Samba can be exploited by malicious
people to compromise a vulnerable system.
For more information:
SA27450
24) Some boundary errors in the Shockwave Plug-in can be exploited by
malicious people to compromise a user's system.
For more information:
SA19218
25) A boundary error in the processing of command line arguments to
"mount_smbfs" and "smbutil" can be exploited to cause a stack-based
buffer overflow and execute arbitrary code with system privileges.
26) The distribution definition file used in Software Update is
received by using HTTP without any authentication and allows
execution of arbitrary commands.
Successful exploitation requires a MitM (Man-in-the-Middle) attack.
27) An error due to an insecure file operation exists in the handling
of output files in SpinTracer.
28) An unspecified error exists in the Microsoft Office Spotlight
Importer, which can be exploited to cause a memory corruption when a
user downloads a specially crafted .xls file.
Successful exploitation may allow execution of arbitrary code.
29) Some vulnerabilities in tcpdump can be exploited by malicious
people to cause a DoS or to compromise a user's system.
For more information:
SA24318
SA26135
30) Some vulnerabilities exist the Perl Compatible Regular
Expressions (PCRE) library used by XQuery, which can potentially be
exploited to compromise a vulnerable system.
For more information:
SA27543
SOLUTION:
Apply Security Update 2007-009.
Security Update 2007-009 (10.4.11 Universal):
http://www.apple.com/support/downloads/securityupdate200700910411universal.html
Security Update 2007-009 (10.4.11 PPC):
http://www.apple.com/support/downloads/securityupdate200700910411ppc.html
Security Update 2007-009 (10.5.1):
http://www.apple.com/support/downloads/securityupdate20070091051.html
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits Sean Harding.
3) The vendor credits Tom Ferris, Adobe Secure Software Engineering
Team (ASSET).
5) The vendor credits Dave Camp, Critical Path Software.
7) The vendor credits Wei Wang, McAfee Avert Labs.
12) The vendor credits Michal Zalewski, Google Inc.
15) The vendor credits Tavis Ormandy and Will Drewry, Google Security
Team.
18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc.
26) Moritz Jodeit.
27) The vendor credits Kevin Finisterre, DigitalMunition
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307179
OTHER REFERENCES:
SA19218:
http://secunia.com/advisories/19218/
SA24318:
http://secunia.com/advisories/24318/
SA25699:
http://secunia.com/advisories/25699/
SA26135:
http://secunia.com/advisories/26135/
SA26573:
http://secunia.com/advisories/26573/
SA26837:
http://secunia.com/advisories/26837/
SA26985:
http://secunia.com/advisories/26985/
SA27233:
http://secunia.com/advisories/27233/
SA27450:
http://secunia.com/advisories/27450/
SA27543:
http://secunia.com/advisories/27543/
SA27546:
http://secunia.com/advisories/27546/
SA27781:
http://secunia.com/advisories/27781/
SA27785:
http://secunia.com/advisories/27785/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200712-0444 | CVE-2007-5861 | Apple Mac OS X of Microsoft Office Spotlight Importer Memory corruption vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Spotlight in Apple Mac OS X 10.4.11 allows user-assisted attackers to cause a denial of service (application termination) or execute arbitrary code via a crafted .XLS file that triggers memory corruption in the Microsoft Office Spotlight Importer. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including Address Book, CFNetwork, ColorSync, CoreFoundation, CUPS, Desktop Services, iChat, IO Storage Family, Launch Services, Mail, Quick Look, Safari, Safari RSS, SMB, Software Update, Spin Tracer, Spotlight, tcpdump, and XQuery.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. If a user is tricked into downloading a malicious .xls file, an attacker could cause the application to terminate unexpectedly or execute arbitrary commands.
I.
Further details are available in the related vulnerability notes. These products include:
* Adobe Flash
* Adobe Shockwave
* GNU Tar
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
surreptitious video conference initiation, and denial of service.
III. This and other updates are
available via Software Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the
subject.
_________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
December 18, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ
7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz
Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG
IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs
Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0
h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q==
=Y1jd
-----END PGP SIGNATURE-----
.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
Get a free trial of the Secunia Vulnerability Intelligence Solutions:
http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA28136
VERIFY ADVISORY:
http://secunia.com/advisories/28136/
CRITICAL:
Highly critical
IMPACT:
Hijacking, Security Bypass, Cross Site Scripting, Exposure of system
information, Exposure of sensitive information, Privilege escalation,
DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) A format string error in the URL handler of Address Book can be
exploited to execute arbitrary code when a user views a specially
crafted web page.
2) An error in the handling of downloaded files in CFNetwork can be
exploited via directory traversal attacks to automatically download
files to arbitrary folders when a user is enticed to visit a
specially crafted web page.
3) An unspecified error exists in ColorSync when processing images
with an embedded ColorSync profile, which can be exploited to cause a
memory corruption.
Successful exploitation may allow execution of arbitrary code.
4) A race condition exists in the
"CFURLWriteDataAndPropertiesToResource" API, which can lead to files
being created with insecure permissions.
5) A boundary error exists in the printer driver for CUPS. This can
be exploited to cause a buffer overflow and allows an admin user to
execute arbitrary code with system privileges by passing a specially
crafted URI to the CUPS service.
6) A boundary error in CUPS can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA27233
7) An integer underflow error in the CUPS backend in the handling of
SNMP responses can be exploited to cause a stack-based buffer
overflow by sending a specially crafted SNMP response.
Successful exploitation allows execution of arbitrary code, but
requires that SNMP is enabled.
8) A boundary error in Desktop Services can be exploited to cause a
heap-based buffer overflow when a user opens a directory containing a
specially crafted .DS_Store file.
Successful exploitation may allow execution of arbitrary code.
9) An input validation error in tar can be exploited by malicious
people to compromise a user's system.
For more information:
SA26573
10) An unspecified error in iChat can be exploited by malicious
people on the local network to initiate a video connection without
the user's approval.
11) An unspecified error exists within IO Storage Family when
handling GUID partition maps within a disk image. This can be
exploited to execute arbitrary code when a user is enticed to open a
specially crafted disk image.
12) Launch Services does not handle HTML files as potentially unsafe
content. This can be exploited to disclose sensitive information or
conduct cross-site scripting attacks by enticing a user to open a
specially crafted HTML file.
13) A vulnerability in Mail in the handling of unsafe file types can
be exploited to compromise a user's system.
For more information:
SA27785
14) An error in Mail can cause the application to default to SMTP
plaintext authentication if the server supports only MD5
Challenge-Response authentication and plaintext authentication.
15) Some vulnerabilities in perl can be exploited by malicious people
to compromise a vulnerable system.
For more information:
SA27546
16) A security issue in python can be exploited by malicious people
to cause a DoS (Denial of Service) and potentially compromise a
vulnerable system.
For more information:
SA26837
17) Plug-ins in Quick Look are not restricted from making network
requests. This may lead to the disclosure of sensitive information
when previewing an HTML file.
18) URLs contained in movie files may be accessed when creating an
icon for a movie file or previewing a movie file using QuickLook.
19) Some security issues in ruby can be exploited by malicious people
to conduct spoofing attacks.
For more information:
SA26985
20) Some vulnerabilities and a security issue in Ruby on Rails can be
exploited by malicious people to disclose sensitive information or to
conduct session fixation attacks.
For more information:
SA25699
SA27781
21) An error in Safari allows a page to navigate the subframes of any
other page. This can be exploited to conduct cross-site scripting
attacks and to disclose sensitive information when a user visits a
specially crafted web page.
22) An unspecified error in Safari in the handling of RSS feeds can
be exploited to cause a memory corruption and may allow execution of
arbitrary code when a user accesses a specially crafted URL.
23) Some boundary errors in Samba can be exploited by malicious
people to compromise a vulnerable system.
For more information:
SA27450
24) Some boundary errors in the Shockwave Plug-in can be exploited by
malicious people to compromise a user's system.
For more information:
SA19218
25) A boundary error in the processing of command line arguments to
"mount_smbfs" and "smbutil" can be exploited to cause a stack-based
buffer overflow and execute arbitrary code with system privileges.
26) The distribution definition file used in Software Update is
received by using HTTP without any authentication and allows
execution of arbitrary commands.
Successful exploitation requires a MitM (Man-in-the-Middle) attack.
27) An error due to an insecure file operation exists in the handling
of output files in SpinTracer. This may allow a malicious, local user
to execute arbitrary code with system privileges.
Successful exploitation may allow execution of arbitrary code.
29) Some vulnerabilities in tcpdump can be exploited by malicious
people to cause a DoS or to compromise a user's system.
For more information:
SA24318
SA26135
30) Some vulnerabilities exist the Perl Compatible Regular
Expressions (PCRE) library used by XQuery, which can potentially be
exploited to compromise a vulnerable system.
For more information:
SA27543
SOLUTION:
Apply Security Update 2007-009.
Security Update 2007-009 (10.4.11 Universal):
http://www.apple.com/support/downloads/securityupdate200700910411universal.html
Security Update 2007-009 (10.4.11 PPC):
http://www.apple.com/support/downloads/securityupdate200700910411ppc.html
Security Update 2007-009 (10.5.1):
http://www.apple.com/support/downloads/securityupdate20070091051.html
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits Sean Harding.
3) The vendor credits Tom Ferris, Adobe Secure Software Engineering
Team (ASSET).
5) The vendor credits Dave Camp, Critical Path Software.
7) The vendor credits Wei Wang, McAfee Avert Labs.
12) The vendor credits Michal Zalewski, Google Inc.
15) The vendor credits Tavis Ormandy and Will Drewry, Google Security
Team.
18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc.
26) Moritz Jodeit.
27) The vendor credits Kevin Finisterre, DigitalMunition
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307179
OTHER REFERENCES:
SA19218:
http://secunia.com/advisories/19218/
SA24318:
http://secunia.com/advisories/24318/
SA25699:
http://secunia.com/advisories/25699/
SA26135:
http://secunia.com/advisories/26135/
SA26573:
http://secunia.com/advisories/26573/
SA26837:
http://secunia.com/advisories/26837/
SA26985:
http://secunia.com/advisories/26985/
SA27233:
http://secunia.com/advisories/27233/
SA27450:
http://secunia.com/advisories/27450/
SA27543:
http://secunia.com/advisories/27543/
SA27546:
http://secunia.com/advisories/27546/
SA27781:
http://secunia.com/advisories/27781/
SA27785:
http://secunia.com/advisories/27785/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200712-0439 | CVE-2007-5856 | Apple Mac OS X of Quick Look Information disclosure vulnerability |
CVSS V2: 9.4 CVSS V3: - Severity: HIGH |
Quick Look Apple Mac OS X 10.5.1, when previewing an HTML file, does not prevent plug-ins from making network requests, which might allow remote attackers to obtain sensitive information. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including Address Book, CFNetwork, ColorSync, CoreFoundation, CUPS, Desktop Services, iChat, IO Storage Family, Launch Services, Mail, Quick Look, Safari, Safari RSS, SMB, Software Update, Spin Tracer, Spotlight, tcpdump, and XQuery.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues.
I.
Further details are available in the related vulnerability notes. These products include:
* Adobe Flash
* Adobe Shockwave
* GNU Tar
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
surreptitious video conference initiation, and denial of service.
III. This and other updates are
available via Software Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the
subject.
_________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
December 18, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBR2hR0fRFkHkM87XOAQL7Egf+NvQEwnN2IGDdDwMEb9C2RDw58FXq0EMZ
7SRO8qbrM0c+G3apLFlmCCivWpGHqms2hzrSeon/Ym1YstHQOQeoJANmsHA3SyKz
Wx8TIG10jEiAgytMuyrYjf0w3alXBEsDgXcu8FRc5Z4dg7osMPe7Lco7vVfMvoZG
IpEEQu98zxh2p+Vhf1XKr9UfUnkD4O88rRAs+M1oDZd46GH+JvkYLgLCmkMSwIcs
Vi4M7J+KHUBBkaMZYjnp+YqRwNDq9sGskVEOVDMk9OXw7VhAR7Kf8/zo9Tt1h3P0
h9JeMBHHb0M0MEtYHx/7JxpleXS3LtyiL0kDb9cbMjxU0kKK9SKb/Q==
=Y1jd
-----END PGP SIGNATURE-----
.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
Get a free trial of the Secunia Vulnerability Intelligence Solutions:
http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA28136
VERIFY ADVISORY:
http://secunia.com/advisories/28136/
CRITICAL:
Highly critical
IMPACT:
Hijacking, Security Bypass, Cross Site Scripting, Exposure of system
information, Exposure of sensitive information, Privilege escalation,
DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) A format string error in the URL handler of Address Book can be
exploited to execute arbitrary code when a user views a specially
crafted web page.
2) An error in the handling of downloaded files in CFNetwork can be
exploited via directory traversal attacks to automatically download
files to arbitrary folders when a user is enticed to visit a
specially crafted web page.
3) An unspecified error exists in ColorSync when processing images
with an embedded ColorSync profile, which can be exploited to cause a
memory corruption.
Successful exploitation may allow execution of arbitrary code.
4) A race condition exists in the
"CFURLWriteDataAndPropertiesToResource" API, which can lead to files
being created with insecure permissions.
5) A boundary error exists in the printer driver for CUPS. This can
be exploited to cause a buffer overflow and allows an admin user to
execute arbitrary code with system privileges by passing a specially
crafted URI to the CUPS service.
6) A boundary error in CUPS can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA27233
7) An integer underflow error in the CUPS backend in the handling of
SNMP responses can be exploited to cause a stack-based buffer
overflow by sending a specially crafted SNMP response.
Successful exploitation allows execution of arbitrary code, but
requires that SNMP is enabled.
8) A boundary error in Desktop Services can be exploited to cause a
heap-based buffer overflow when a user opens a directory containing a
specially crafted .DS_Store file.
Successful exploitation may allow execution of arbitrary code.
9) An input validation error in tar can be exploited by malicious
people to compromise a user's system.
For more information:
SA26573
10) An unspecified error in iChat can be exploited by malicious
people on the local network to initiate a video connection without
the user's approval.
11) An unspecified error exists within IO Storage Family when
handling GUID partition maps within a disk image. This can be
exploited to execute arbitrary code when a user is enticed to open a
specially crafted disk image.
12) Launch Services does not handle HTML files as potentially unsafe
content. This can be exploited to disclose sensitive information or
conduct cross-site scripting attacks by enticing a user to open a
specially crafted HTML file.
13) A vulnerability in Mail in the handling of unsafe file types can
be exploited to compromise a user's system.
For more information:
SA27785
14) An error in Mail can cause the application to default to SMTP
plaintext authentication if the server supports only MD5
Challenge-Response authentication and plaintext authentication.
15) Some vulnerabilities in perl can be exploited by malicious people
to compromise a vulnerable system.
For more information:
SA27546
16) A security issue in python can be exploited by malicious people
to cause a DoS (Denial of Service) and potentially compromise a
vulnerable system. This may lead to the disclosure of sensitive information
when previewing an HTML file.
18) URLs contained in movie files may be accessed when creating an
icon for a movie file or previewing a movie file using QuickLook.
19) Some security issues in ruby can be exploited by malicious people
to conduct spoofing attacks.
For more information:
SA26985
20) Some vulnerabilities and a security issue in Ruby on Rails can be
exploited by malicious people to disclose sensitive information or to
conduct session fixation attacks.
For more information:
SA25699
SA27781
21) An error in Safari allows a page to navigate the subframes of any
other page. This can be exploited to conduct cross-site scripting
attacks and to disclose sensitive information when a user visits a
specially crafted web page.
22) An unspecified error in Safari in the handling of RSS feeds can
be exploited to cause a memory corruption and may allow execution of
arbitrary code when a user accesses a specially crafted URL.
23) Some boundary errors in Samba can be exploited by malicious
people to compromise a vulnerable system.
For more information:
SA27450
24) Some boundary errors in the Shockwave Plug-in can be exploited by
malicious people to compromise a user's system.
For more information:
SA19218
25) A boundary error in the processing of command line arguments to
"mount_smbfs" and "smbutil" can be exploited to cause a stack-based
buffer overflow and execute arbitrary code with system privileges.
26) The distribution definition file used in Software Update is
received by using HTTP without any authentication and allows
execution of arbitrary commands.
Successful exploitation requires a MitM (Man-in-the-Middle) attack.
27) An error due to an insecure file operation exists in the handling
of output files in SpinTracer. This may allow a malicious, local user
to execute arbitrary code with system privileges.
28) An unspecified error exists in the Microsoft Office Spotlight
Importer, which can be exploited to cause a memory corruption when a
user downloads a specially crafted .xls file.
Successful exploitation may allow execution of arbitrary code.
29) Some vulnerabilities in tcpdump can be exploited by malicious
people to cause a DoS or to compromise a user's system.
For more information:
SA24318
SA26135
30) Some vulnerabilities exist the Perl Compatible Regular
Expressions (PCRE) library used by XQuery, which can potentially be
exploited to compromise a vulnerable system.
For more information:
SA27543
SOLUTION:
Apply Security Update 2007-009.
Security Update 2007-009 (10.4.11 Universal):
http://www.apple.com/support/downloads/securityupdate200700910411universal.html
Security Update 2007-009 (10.4.11 PPC):
http://www.apple.com/support/downloads/securityupdate200700910411ppc.html
Security Update 2007-009 (10.5.1):
http://www.apple.com/support/downloads/securityupdate20070091051.html
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits Sean Harding.
3) The vendor credits Tom Ferris, Adobe Secure Software Engineering
Team (ASSET).
5) The vendor credits Dave Camp, Critical Path Software.
7) The vendor credits Wei Wang, McAfee Avert Labs.
12) The vendor credits Michal Zalewski, Google Inc.
15) The vendor credits Tavis Ormandy and Will Drewry, Google Security
Team.
18) The vendor credits Lukhnos D. Liu, Lithoglyph Inc.
26) Moritz Jodeit.
27) The vendor credits Kevin Finisterre, DigitalMunition
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307179
OTHER REFERENCES:
SA19218:
http://secunia.com/advisories/19218/
SA24318:
http://secunia.com/advisories/24318/
SA25699:
http://secunia.com/advisories/25699/
SA26135:
http://secunia.com/advisories/26135/
SA26573:
http://secunia.com/advisories/26573/
SA26837:
http://secunia.com/advisories/26837/
SA26985:
http://secunia.com/advisories/26985/
SA27233:
http://secunia.com/advisories/27233/
SA27450:
http://secunia.com/advisories/27450/
SA27543:
http://secunia.com/advisories/27543/
SA27546:
http://secunia.com/advisories/27546/
SA27781:
http://secunia.com/advisories/27781/
SA27785:
http://secunia.com/advisories/27785/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------