VARIoT IoT vulnerabilities database

CRLF injection vulnerability in phpMyAdmin before 2.6.4-pl4 allows remote attackers to conduct HTTP response splitting attacks via unspecified scripts. phpMyAdmin is prone to an HTTP-response-splitting vulnerability because the application fails to properly sanitize user-supplied input. A remote attacker may exploit this vulnerability to influence or misrepresent web content is served, cached, or interpreted. This could aid in various attacks that attempt to entice client users into a false sense of trust. This issue is reported to affect phpMyAdmin version 2.7.0-beta1; other versions may also be vulnerable. The vulnerability is caused due to an error in the register_globals emulation layer in "grab_globals.php" where the "import_blacklist" variable is not properly protected from being overwritten. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. http://www.phpmyadmin.net/home_page/downloads.php PROVIDED AND/OR DISCOVERED BY: Reported by vendor. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 1207-2 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff November 19th, 2006 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : phpmyadmin Vulnerability : several Problem-Type : remote Debian-specific: no CVE ID : CVE-2006-1678 CVE-2006-2418 CVE-2005-3621 CVE-2005-3665 CVE-2006-5116 Debian Bug : 339437 340438 362567 368082 391090 The phpmyadmin update in DSA 1207 introduced a regression. This update corrects this flaw. For completeness, the original advisory text below: Several remote vulnerabilities have been discovered in phpMyAdmin, a program to administrate MySQL over the web. CVE-2005-3665 Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP_HOST variable and (2) various scripts in the libraries directory that handle header generation. CVE-2006-1678 Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via scripts in the themes directory. CVE-2006-5116 A remote attacker could overwrite internal variables through the _FILES global variable. For the stable distribution (sarge) these problems have been fixed in version 2.6.2-3sarge3. For the upcoming stable release (etch) and unstable distribution (sid) these problems have been fixed in version 2.9.0.3-1. We recommend that you upgrade your phpmyadmin package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.6.2-3sarge3.dsc Size/MD5 checksum: 604 32ee16f4370604bc150d93c5676fface http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.6.2-3sarge3.diff.gz Size/MD5 checksum: 38520 f27c4b99bbdb3dc13fb71aef99749247 http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.6.2.orig.tar.gz Size/MD5 checksum: 2654418 05e33121984824c43d94450af3edf267 Architecture independent components: http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.6.2-3sarge3_all.deb Size/MD5 checksum: 2769182 00f14fb52a14546e92ece84c16cd249f These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFFYFPdXm3vHE4uyloRAgj5AJ4k0NXBlTZgTK+vJTlgPNTEBfeBGgCg61oX s2aDzIfiBIc0hbLjIGOwEcQ= =EQpq -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. For more information: SA17578 SA17895 SA19556 SA20113 SA22126 SOLUTION: Apply updated packages. Some input passed to "libraries/header_http.inc.php" isn't properly sanitised before being returned to the user. This can be exploited to include arbitrary HTTP headers in a response sent to the user. Successful exploitation requires that "register_globals" is enabled. It is also possible to disclose the full path to certain scripts by accessing them directly. http://www.phpmyadmin.net/home_page/downloads.php PROVIDED AND/OR DISCOVERED BY: Toni Koivunen ORIGINAL ADVISORY: Toni Koivunen: http://www.fitsec.com/advisories/FS-05-02.txt phpMyAdmin: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in the Your_Account module in PHP-Nuke 7.8 might allows remote attackers to inject arbitrary HTML and web script via the ublock parameter, which is saved in the user's personal menu. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. In addition, it is unclear whether this issue is a vulnerability, since it is related to the user's personal menu, which presumably is not modifiable by others. PHPNuke is prone to multiple input-validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. The application is prone to HTML- and SQL-injection vulnerabilities. PHPNuke 7.8 is reported to be vulnerable. Other versions may also be affected. The Your_Account module in PHP-Nuke 7.8 has a cross-site scripting vulnerability. TITLE: PHP-Nuke Personal Menu Script Insertion and SQL Injection SECUNIA ADVISORY ID: SA18972 VERIFY ADVISORY: http://secunia.com/advisories/18972/ CRITICAL: Moderately critical IMPACT: Cross Site Scripting, Manipulation of data WHERE: >From remote SOFTWARE: PHP-Nuke 7.x http://secunia.com/product/2385/ DESCRIPTION: Jason Lau has discovered two vulnerabilities in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection and script insertion attacks. Example: <img src=javascript:[code]> (requires the Microsoft Internet Explorer browser) 2) Input passed to the "user_id" parameter in the "Your_Home" functionality of the "Your_Account" module isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation requires that "magic_quotes_gpc" is disabled. The vulnerabilities have been confirmed in version 7.8. SOLUTION: Edit the source code to ensure that input is properly sanitised. PROVIDED AND/OR DISCOVERED BY: Jason Lau ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

SQL injection vulnerability in the Your_Account module in PHP-Nuke 7.8 might allows remote attackers to execute arbitrary SQL commands via the user_id parameter in the Your_Home functionality. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. PHPNuke is prone to multiple input-validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. The application is prone to HTML- and SQL-injection vulnerabilities. PHPNuke 7.8 is reported to be vulnerable. Other versions may also be affected. TITLE: PHP-Nuke Personal Menu Script Insertion and SQL Injection SECUNIA ADVISORY ID: SA18972 VERIFY ADVISORY: http://secunia.com/advisories/18972/ CRITICAL: Moderately critical IMPACT: Cross Site Scripting, Manipulation of data WHERE: >From remote SOFTWARE: PHP-Nuke 7.x http://secunia.com/product/2385/ DESCRIPTION: Jason Lau has discovered two vulnerabilities in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection and script insertion attacks. 1) Input passed to the "ublock" parameter in the "Your_Home" functionality of the "Your_Account" module isn't properly sanitised before being saved as the user's personal menu. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site when the user views his personal menu. Example: <img src=javascript:[code]> (requires the Microsoft Internet Explorer browser) 2) Input passed to the "user_id" parameter in the "Your_Home" functionality of the "Your_Account" module isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This can be further exploited with vulnerability #1 to inject arbitrary HTML and script code into arbitrary user's personal menu. Successful exploitation requires that "magic_quotes_gpc" is disabled. The vulnerabilities have been confirmed in version 7.8. SOLUTION: Edit the source code to ensure that input is properly sanitised. PROVIDED AND/OR DISCOVERED BY: Jason Lau ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

suid.cgi scripts in F-Secure (1) Internet Gatekeeper for Linux before 2.15.484 and (2) Anti-Virus Linux Gateway before 2.16 are installed SUID with world-executable permissions, which allows local users to gain privilege. F-Secure Anti-Virus products are prone to a local privilege-escalation vulnerability because of insecure setuid-superuser binary permissions. Exploiting this vulnerability allows local attackers to gain superuser privileges, leading to a complete compromise of the affected computer. The vulnerability is caused due to several scripts being installed with the SUID bit set and are world executable. e.g. "/opt/f-secure/fsigk/cgi/*suid.cgi" and "/home/virusgw/cgi/*suid.cgi". These scripts can be exploited by malicious users to gain root privileges. * F-Secure Anti-Virus Linux Gateway versions prior to 2.16. SOLUTION: Update to the fixed version or remove SUID bit from affected scripts. -- Updating to fixed version -- F-Secure Internet Gatekeeper for Linux: Update to version 2.15.484. ftp://ftp.f-secure.com/support/hotfix/ http://www.f-secure.com/webclub/ F-Secure Anti-Virus Linux Gateway: Update to version 2.16. ORIGINAL ADVISORY: http://www.f-secure.com/security/fsc-2005-3.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Heap-based buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a crafted BMP file that triggers the overflow in the ReadBMP function. NOTE: this issue was originally included as item 3 in CVE-2006-1983, but it has been given a separate identifier because it is a distinct issue. Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. These issues affect both Mac OS X and Microsoft Windows releases of the software. Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. Apple QuickTime exists based on a stack buffer overflow. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-132B Apple QuickTime Vulnerabilities Original release date: May 12, 2006 Last revised: -- Source: US-CERT Systems Affected Apple QuickTime on systems running * Apple Mac OS X * Microsoft Windows Overview Apple QuickTime contains multiple vulnerabilities. I. Description Apple QuickTime 7.1 resolves multiple vulnerabilities in the way different types of image and media files are handled. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file with a vulnerable version of QuickTime. Since QuickTime configures most web browsers to handle QuickTime media files, an attacker could exploit these vulnerabilities using a web page. For more information, please refer to the Vulnerability Notes. II. Impact The impacts of these vulnerabilities could allow an remote, unauthenticated attacker to execute arbitrary code or commands, and cause a denial-of-service condition. For further information, please see the Vulnerability Notes. III. Disable QuickTime in your web browser An attacker may be able to exploit this vulnerability by persuading a user to access a specially crafted file with a web browser. Disabling QuickTime in your web browser will defend against this attack vector. For more information, refer to the Securing Your Web Browser document. Appendix A. References * Vulnerability Notes for QuickTime 7.1 - <http://www.kb.cert.org/vuls/byid?searchview&query=QuickTime_7.1> * Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/> * About the security content of the QuickTime 7.1 Update - <http://docs.info.apple.com/article.html?artnum=303752> * Apple QuickTime 7.1 - <http://www.apple.com/support/downloads/quicktime71.html> * Standalone Apple QuickTime Player - <http://www.apple.com/quicktime/download/standalone.html> * Mac OS X: Updating your software - <http://docs.info.apple.com/article.html?artnum=106704> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-132B.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 12, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRGT7JH0pj593lg50AQI2Uwf/U3zGDrR8UkWK4ry6AYMS7HPMdbiF6Vmo 9gP9Luc6Kj8zzxCWhnNKNzEq2P0B1oD03WcPFaIPnwvQJGApeUDRimyhQj8RDjME yAUt/reWG7RZ0Z2w/qaiZP7pQ7SjyIUKkN2OCG8LMmGKqsiCdFXoss/Bu0yFMH11 uvgwibfvkOdRLAPmRTVWk+gJEAdw3xFySm9r92qmig6CxKi7GAIpi9Gf7MXcRsKg oG3y5f06Kiq8ACYszPKneHE7WNvLP1ewuaWmf7PHiNebAB+W5hfwA2yEh6e6PSV2 eBi5cpigfXBrsjXk4L7wYrD8UcRl7nN8iqzWpMwYJkSloUmcYL1BBg== =LsFu -----END PGP SIGNATURE----- . TITLE: QuickTime Multiple Code Execution Vulnerabilities SECUNIA ADVISORY ID: SA20069 VERIFY ADVISORY: http://secunia.com/advisories/20069/ CRITICAL: Highly critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: Apple Quicktime 4.x http://secunia.com/product/7923/ Apple Quicktime 5.x http://secunia.com/product/215/ Apple Quicktime 6.x http://secunia.com/product/810/ Apple QuickTime 7.x http://secunia.com/product/5090/ DESCRIPTION: Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious people to compromise a user's system. 3) A boundary error within the processing of Flash movies can be exploited via a specially crafted Flash movie to crash the application and potentially execute arbitrary code. 4) An integer overflow and boundary error within the processing of H.264 movies can be exploited via a specially crafted H.264 movie to crash the application and potentially execute arbitrary code. 5) A boundary error within the processing of MPEG4 movies can be exploited via a specially crafted MPEG4 movie to crash the application and potentially execute arbitrary code. 6) An integer overflow error within the processing of FlashPix images (".fpx") can be exploited via a specially crafted FlashPix image with an overly large value in the field specifying the number of data blocks in the file. 7) A boundary error within the processing of AVI movies can be exploited via a specially crafted AVI movie to crash the application and potentially execute arbitrary code. 8) Two boundary errors within the processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. This can be exploited to crash the application and potentially execute arbitrary code. SOLUTION: Update to version 7.1. http://www.apple.com/support/downloads/quicktime71.html PROVIDED AND/OR DISCOVERED BY: 1) Reported by the vendor. 2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs. 3) Mike Price, McAfee AVERT Labs. 4) Mike Price of McAfee AVERT Labs and ATmaCA. 5) Mike Price, McAfee AVERT Labs. 6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT Labs. 7) Mike Price, McAfee AVERT Labs. 8) Mike Price, McAfee AVERT Labs. 9) Tom Ferris ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303752 eEye Digital Security: http://www.eeye.com/html/research/advisories/AD20060511.html Zero Day Initiative: http://www.zerodayinitiative.com/advisories/ZDI-06-015.html Sowhat: http://secway.org/advisory/AD20060512.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Heap-based buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a H.264 (M4V) video format file with a certain modified size value. The implicit trust of a user-supplied size value during a memory copy loop allows an attacker to create an exploitable memory corruption condition. Exploitation requires that an attacker either coerce the target to open a malformed media file or visit a website embedding the malicious file. Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. These issues affect both Mac OS X and Microsoft Windows releases of the software. Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-132B Apple QuickTime Vulnerabilities Original release date: May 12, 2006 Last revised: -- Source: US-CERT Systems Affected Apple QuickTime on systems running * Apple Mac OS X * Microsoft Windows Overview Apple QuickTime contains multiple vulnerabilities. I. Description Apple QuickTime 7.1 resolves multiple vulnerabilities in the way different types of image and media files are handled. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file with a vulnerable version of QuickTime. Since QuickTime configures most web browsers to handle QuickTime media files, an attacker could exploit these vulnerabilities using a web page. For more information, please refer to the Vulnerability Notes. II. Impact The impacts of these vulnerabilities could allow an remote, unauthenticated attacker to execute arbitrary code or commands, and cause a denial-of-service condition. For further information, please see the Vulnerability Notes. III. Disable QuickTime in your web browser An attacker may be able to exploit this vulnerability by persuading a user to access a specially crafted file with a web browser. Disabling QuickTime in your web browser will defend against this attack vector. For more information, refer to the Securing Your Web Browser document. Appendix A. References * Vulnerability Notes for QuickTime 7.1 - <http://www.kb.cert.org/vuls/byid?searchview&query=QuickTime_7.1> * Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/> * About the security content of the QuickTime 7.1 Update - <http://docs.info.apple.com/article.html?artnum=303752> * Apple QuickTime 7.1 - <http://www.apple.com/support/downloads/quicktime71.html> * Standalone Apple QuickTime Player - <http://www.apple.com/quicktime/download/standalone.html> * Mac OS X: Updating your software - <http://docs.info.apple.com/article.html?artnum=106704> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-132B.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 12, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRGT7JH0pj593lg50AQI2Uwf/U3zGDrR8UkWK4ry6AYMS7HPMdbiF6Vmo 9gP9Luc6Kj8zzxCWhnNKNzEq2P0B1oD03WcPFaIPnwvQJGApeUDRimyhQj8RDjME yAUt/reWG7RZ0Z2w/qaiZP7pQ7SjyIUKkN2OCG8LMmGKqsiCdFXoss/Bu0yFMH11 uvgwibfvkOdRLAPmRTVWk+gJEAdw3xFySm9r92qmig6CxKi7GAIpi9Gf7MXcRsKg oG3y5f06Kiq8ACYszPKneHE7WNvLP1ewuaWmf7PHiNebAB+W5hfwA2yEh6e6PSV2 eBi5cpigfXBrsjXk4L7wYrD8UcRl7nN8iqzWpMwYJkSloUmcYL1BBg== =LsFu -----END PGP SIGNATURE----- . ZDI-06-015: Apple QuickTime H.264 Parsing Heap Overflow Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-06-015.html May 11, 2006 -- CVE ID: CVE-2006-1463 -- Affected Vendor: Apple -- Affected Products: Apple QuickTime versions prior to 7.1 -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability since March 20, 2006 by Digital Vaccine protection filter ID 4183. -- Vendor Response: Apple has identified and corrected this issue in QuickTime 7.1. Customers can obtain the fix from Apple's Software Downloads web site: http://www.apple.com/support/downloads/ For further details see: http://docs.info.apple.com/article.html?artnum=61798 -- Disclosure Timeline: 2006.03.20 - Vulnerability reported to vendor 2006.03.20 - Digital Vaccine released to TippingPoint customers 2006.05.11 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by ATmaCA. -- About the Zero Day Initiative (ZDI): Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. TITLE: QuickTime Multiple Code Execution Vulnerabilities SECUNIA ADVISORY ID: SA20069 VERIFY ADVISORY: http://secunia.com/advisories/20069/ CRITICAL: Highly critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: Apple Quicktime 4.x http://secunia.com/product/7923/ Apple Quicktime 5.x http://secunia.com/product/215/ Apple Quicktime 6.x http://secunia.com/product/810/ Apple QuickTime 7.x http://secunia.com/product/5090/ DESCRIPTION: Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious people to compromise a user's system. 1) An integer overflow error within the processing of JPEG images can be exploited via a specially crafted JPEG image to crash the application and potentially execute arbitrary code. 3) A boundary error within the processing of Flash movies can be exploited via a specially crafted Flash movie to crash the application and potentially execute arbitrary code. 5) A boundary error within the processing of MPEG4 movies can be exploited via a specially crafted MPEG4 movie to crash the application and potentially execute arbitrary code. 6) An integer overflow error within the processing of FlashPix images (".fpx") can be exploited via a specially crafted FlashPix image with an overly large value in the field specifying the number of data blocks in the file. 7) A boundary error within the processing of AVI movies can be exploited via a specially crafted AVI movie to crash the application and potentially execute arbitrary code. 8) Two boundary errors within the processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. This can be exploited to crash the application and potentially execute arbitrary code. 9) A boundary error within the processing of BMP images can be exploited via a specially crafted BMP image to crash the application and potentially execute arbitrary code. SOLUTION: Update to version 7.1. http://www.apple.com/support/downloads/quicktime71.html PROVIDED AND/OR DISCOVERED BY: 1) Reported by the vendor. 2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs. 3) Mike Price, McAfee AVERT Labs. 4) Mike Price of McAfee AVERT Labs and ATmaCA. 5) Mike Price, McAfee AVERT Labs. 6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT Labs. 7) Mike Price, McAfee AVERT Labs. 8) Mike Price, McAfee AVERT Labs. 9) Tom Ferris ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303752 eEye Digital Security: http://www.eeye.com/html/research/advisories/AD20060511.html Zero Day Initiative: http://www.zerodayinitiative.com/advisories/ZDI-06-015.html Sowhat: http://secway.org/advisory/AD20060512.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a crafted QuickTime AVI video format file. Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. These issues affect both Mac OS X and Microsoft Windows releases of the software. Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file with a vulnerable version of QuickTime. Since QuickTime configures most web browsers to handle QuickTime media files, an attacker could exploit these vulnerabilities using a web page. For more information, please refer to the Vulnerability Notes. II. Impact The impacts of these vulnerabilities could allow an remote, unauthenticated attacker to execute arbitrary code or commands, and cause a denial-of-service condition. For further information, please see the Vulnerability Notes. III. Disable QuickTime in your web browser An attacker may be able to exploit this vulnerability by persuading a user to access a specially crafted file with a web browser. Disabling QuickTime in your web browser will defend against this attack vector. For more information, refer to the Securing Your Web Browser document. Appendix A. Please send email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 12, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRGT7JH0pj593lg50AQI2Uwf/U3zGDrR8UkWK4ry6AYMS7HPMdbiF6Vmo 9gP9Luc6Kj8zzxCWhnNKNzEq2P0B1oD03WcPFaIPnwvQJGApeUDRimyhQj8RDjME yAUt/reWG7RZ0Z2w/qaiZP7pQ7SjyIUKkN2OCG8LMmGKqsiCdFXoss/Bu0yFMH11 uvgwibfvkOdRLAPmRTVWk+gJEAdw3xFySm9r92qmig6CxKi7GAIpi9Gf7MXcRsKg oG3y5f06Kiq8ACYszPKneHE7WNvLP1ewuaWmf7PHiNebAB+W5hfwA2yEh6e6PSV2 eBi5cpigfXBrsjXk4L7wYrD8UcRl7nN8iqzWpMwYJkSloUmcYL1BBg== =LsFu -----END PGP SIGNATURE----- . ____________________________________________________________________ McAfee, Inc. McAfee Avert\x99 Labs Security Advisory Public Release Date: 2006-05-11 Apple QuickDraw/QuickTime Multiple Vulnerabilities CVE-2006-1249, CVE-2006-1453, CVE-2006-1454, CVE-2006-1459, CVE-2006-1460, CVE-2006-1461, CVE-2006-1462, CVE-2006-1464, CVE-2006-1465 ______________________________________________________________________ * Synopsis Apple QuickTime and Apple QuickDraw are multimedia technologies used to process image, audio and video data. Two code execution vulnerabilities are present in QuickDraw PICT image format support. Twenty one code execution vulnerabilities are present in QuickTime support for various multimedia formats including: MOV, H.264, MPEG 4, AVI, FPX and SWF. In order for an attack to succeed user interaction is required and therefore the risk factor for these issues is medium. CVE-2006-1461 Two buffer overflow vulnerabilities are present in QuickTime Flash (SWF) support. ______________________________________________________________________ * Legal Notice Copyright (C) 2006 McAfee, Inc. The information contained within this advisory is provided for the convenience of McAfee\x92s customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes. McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners. ______________________________________________________________________ . TITLE: QuickTime Multiple Code Execution Vulnerabilities SECUNIA ADVISORY ID: SA20069 VERIFY ADVISORY: http://secunia.com/advisories/20069/ CRITICAL: Highly critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: Apple Quicktime 4.x http://secunia.com/product/7923/ Apple Quicktime 5.x http://secunia.com/product/215/ Apple Quicktime 6.x http://secunia.com/product/810/ Apple QuickTime 7.x http://secunia.com/product/5090/ DESCRIPTION: Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious people to compromise a user's system. 3) A boundary error within the processing of Flash movies can be exploited via a specially crafted Flash movie to crash the application and potentially execute arbitrary code. 5) A boundary error within the processing of MPEG4 movies can be exploited via a specially crafted MPEG4 movie to crash the application and potentially execute arbitrary code. 6) An integer overflow error within the processing of FlashPix images (".fpx") can be exploited via a specially crafted FlashPix image with an overly large value in the field specifying the number of data blocks in the file. 8) Two boundary errors within the processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. 9) A boundary error within the processing of BMP images can be exploited via a specially crafted BMP image to crash the application and potentially execute arbitrary code. SOLUTION: Update to version 7.1. http://www.apple.com/support/downloads/quicktime71.html PROVIDED AND/OR DISCOVERED BY: 1) Reported by the vendor. 2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs. 3) Mike Price, McAfee AVERT Labs. 4) Mike Price of McAfee AVERT Labs and ATmaCA. 5) Mike Price, McAfee AVERT Labs. 6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT Labs. 7) Mike Price, McAfee AVERT Labs. 8) Mike Price, McAfee AVERT Labs. 9) Tom Ferris ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303752 eEye Digital Security: http://www.eeye.com/html/research/advisories/AD20060511.html Zero Day Initiative: http://www.zerodayinitiative.com/advisories/ZDI-06-015.html Sowhat: http://secway.org/advisory/AD20060512.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple buffer overflows in Apple QuickTime before 7.1 allow remote attackers to execute arbitrary code via a crafted QuickTime Flash (SWF) file. Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. These issues affect both Mac OS X and Microsoft Windows releases of the software. Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file with a vulnerable version of QuickTime. Since QuickTime configures most web browsers to handle QuickTime media files, an attacker could exploit these vulnerabilities using a web page. For more information, please refer to the Vulnerability Notes. II. For further information, please see the Vulnerability Notes. III. Disable QuickTime in your web browser An attacker may be able to exploit this vulnerability by persuading a user to access a specially crafted file with a web browser. Disabling QuickTime in your web browser will defend against this attack vector. For more information, refer to the Securing Your Web Browser document. Appendix A. Please send email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 12, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRGT7JH0pj593lg50AQI2Uwf/U3zGDrR8UkWK4ry6AYMS7HPMdbiF6Vmo 9gP9Luc6Kj8zzxCWhnNKNzEq2P0B1oD03WcPFaIPnwvQJGApeUDRimyhQj8RDjME yAUt/reWG7RZ0Z2w/qaiZP7pQ7SjyIUKkN2OCG8LMmGKqsiCdFXoss/Bu0yFMH11 uvgwibfvkOdRLAPmRTVWk+gJEAdw3xFySm9r92qmig6CxKi7GAIpi9Gf7MXcRsKg oG3y5f06Kiq8ACYszPKneHE7WNvLP1ewuaWmf7PHiNebAB+W5hfwA2yEh6e6PSV2 eBi5cpigfXBrsjXk4L7wYrD8UcRl7nN8iqzWpMwYJkSloUmcYL1BBg== =LsFu -----END PGP SIGNATURE----- . ____________________________________________________________________ McAfee, Inc. McAfee Avert\x99 Labs Security Advisory Public Release Date: 2006-05-11 Apple QuickDraw/QuickTime Multiple Vulnerabilities CVE-2006-1249, CVE-2006-1453, CVE-2006-1454, CVE-2006-1459, CVE-2006-1460, CVE-2006-1461, CVE-2006-1462, CVE-2006-1464, CVE-2006-1465 ______________________________________________________________________ * Synopsis Apple QuickTime and Apple QuickDraw are multimedia technologies used to process image, audio and video data. Two code execution vulnerabilities are present in QuickDraw PICT image format support. Twenty one code execution vulnerabilities are present in QuickTime support for various multimedia formats including: MOV, H.264, MPEG 4, AVI, FPX and SWF. In order for an attack to succeed user interaction is required and therefore the risk factor for these issues is medium. CVE-2006-1459 Seven integer overflow vulnerabilities are present in QuickTime MOV video format support. CVE-2006-1460 Five buffer overflow vulnerabilities are present in QuickTime MOV video format support. CVE-2006-1462 Three integer overflow vulnerabilities are presenting QuickTime H.264 (M4V) video format support. CVE-2006-1464 One buffer overflow vulnerability is present in QuickTime MPEG4 (M4P) video format support. CVE-2006-1465 One buffer overflow vulnerability is present in QuickTime AVI video format support. ______________________________________________________________________ * Legal Notice Copyright (C) 2006 McAfee, Inc. The information contained within this advisory is provided for the convenience of McAfee\x92s customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes. McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners. ______________________________________________________________________ . 1) An integer overflow error within the processing of JPEG images can be exploited via a specially crafted JPEG image to crash the application and potentially execute arbitrary code. 4) An integer overflow and boundary error within the processing of H.264 movies can be exploited via a specially crafted H.264 movie to crash the application and potentially execute arbitrary code. 5) A boundary error within the processing of MPEG4 movies can be exploited via a specially crafted MPEG4 movie to crash the application and potentially execute arbitrary code. 6) An integer overflow error within the processing of FlashPix images (".fpx") can be exploited via a specially crafted FlashPix image with an overly large value in the field specifying the number of data blocks in the file. 7) A boundary error within the processing of AVI movies can be exploited via a specially crafted AVI movie to crash the application and potentially execute arbitrary code. 8) Two boundary errors within the processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. This can be exploited to crash the application and potentially execute arbitrary code. 9) A boundary error within the processing of BMP images can be exploited via a specially crafted BMP image to crash the application and potentially execute arbitrary code. SOLUTION: Update to version 7.1. http://www.apple.com/support/downloads/quicktime71.html PROVIDED AND/OR DISCOVERED BY: 1) Reported by the vendor. 2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs. 3) Mike Price, McAfee AVERT Labs. 4) Mike Price of McAfee AVERT Labs and ATmaCA. 5) Mike Price, McAfee AVERT Labs. 6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT Labs. 7) Mike Price, McAfee AVERT Labs. 8) Mike Price, McAfee AVERT Labs. 9) Tom Ferris ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303752 eEye Digital Security: http://www.eeye.com/html/research/advisories/AD20060511.html Zero Day Initiative: http://www.zerodayinitiative.com/advisories/ZDI-06-015.html Sowhat: http://secway.org/advisory/AD20060512.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Safari on Apple Mac OS X 10.4.6, when "Open `safe' files after downloading" is enabled, will automatically expand archives, which could allow remote attackers to overwrite arbitrary files via an archive that contains a symlink. Apple Mac OS X is reported prone to multiple security vulnerabilities. These issue affect Mac OS X in the following applications or modules: - AppKit - ImageIO - BOM - CFNetwork - ClamAV - CoreFoundation - CoreGraphics - Finder - FTPServer - Flash Player - ImageIO - Keychain - LaunchServices - libcurl - Mail - MySQL Manager - Preview - QuickDraw - QuickTime Streaming Server - Ruby - Safari A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible. Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues. 1) An error in the AppKit framework allows an application to read characters entered into secure text field in the same window session. 2) Errors in the AppKit and ImageIO framework when processing GIF and TIFF images can be exploited to crash an application or potentially execute arbitrary code. For more information: SA19686 3) A boundary error within the BOM component when expanding archives can be exploited to crash an application or potentially execute arbitrary code. For more information: SA19686 4) An input validation error in the BOM component when expanding archives can be exploited to cause files to be written to arbitrary locations outside the specified directory via directory traversal attacks. 5) An integer overflow error in the CFNetwork component when handling chunked transfer encoding may allow execution of arbitrary code if a user is tricked into visiting a malicious web site. 6) Errors in ClamAV when processing specially crafted email messages may allow execution of arbitrary code. For more information: SA19534 7) An error in the CoreFoundation component allows dynamic libraries to load and execute when a bundle is registered. This can be exploited to execute arbitrary code if an untrusted bundle is registered. 8) An integer underflow error within the "CFStringGetFileSystemRepresentation()" API during string conversion may allow execution of arbitrary code. 9) An error in the CoreGraphics component allows an application in the same window session to read characters entered into secure text field when "Enable access for assistive devices" is enabled. 10) An error in Finder within the handling of Internet Location items makes it possible to specify a different Internet Location type than the actual URL scheme used. This may allow execution of arbitrary code when launching an Internet Location item. 11) Boundary errors in the FTPServer component when handling path names can be exploited to malicious users to cause a buffer overflow, which may allow execution of arbitrary code. 12) Various errors in the Flash Player makes it possible to compromise a user's system via specially crafted Flash files. For more information: SA17430 SA19218 13) An integer overflow error in the ImageIO framework when processing JPEG images can be exploited to crash an application or potentially execute arbitrary code. 14) An error in the Keychain component allows an application to use Keychain items even when the Keychain is locked. This requires that the application has obtained a reference to a Keychain item before the Keychain was locked. 15) An error in the LaunchServices component when processing long filename extensions may allow bypassing of the Download Validation functionality. 16) Boundary errors in the libcurl URL handling may allow execution of arbitrary code. For more information: SA17907 17) An integer overflow error in the Mail component may allow execution of arbitrary code when viewing a specially crafted email message with MacMIME encapsulated attachments. 18) An error in the Mail component when handling invalid colour information in enriched text email messages may allow execution of arbitrary code. 19) An design error in MySQL Manager makes it possible to access the MySQL database with an empty password as the MySQL password supplying during initial setup is not used. 20) A boundary error in the Preview component may allow execution of arbitrary code via a stack-based buffer overflow when navigating a specially crafted directory hierarchy. 21) Two boundary errors in the QuickDraw component when processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. This can be exploited to crash an application and potentially execute arbitrary code. 22) A NULL pointer dereference error in QuickTime Streaming Server when processing QuickTime movies with a missing track can be exploited to crash the application. 23) A boundary error in QuickTime Streaming Server when processing RTSP requests can be exploited to crash the application or potentially execute arbitrary code. 24) An error in Ruby can be exploited to bypass safe level restrictions. For more information: SA16904 25) An error in Safari when handling archives with symbolic links may place the symbolic links on a user's desktop. This requires that the "Open 'safe' files after downloading" option is enabled. SOLUTION: Apply Security Update 2006-003. 13) The vendor credits Brent Simmons, NewsGator Technologies. 14) The vendor credits Tobias Hahn, HU Berlin. 19) The vendor credits Ben Low, University of New South Wales. 21) The vendor credits Mike Price, McAfee AVERT Labs. 23) Mu Security research team ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303737 OTHER REFERENCES: SA19686: http://secunia.com/advisories/19686/ SA19534: http://secunia.com/advisories/19534/ SA17430: http://secunia.com/advisories/17430/ SA19218: http://secunia.com/advisories/19218/ SA17907: http://secunia.com/advisories/17907/ SA16904: http://secunia.com/advisories/16904/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Impacts of other vulnerabilities include bypassing security restrictions and denial of service. I. Further details are available in the individual Vulnerability Notes. II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service. III. This and other updates are available via Apple Update. Please see the Vulnerability Notes for individual reporter acknowledgements. ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-132A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 12, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8 WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD +4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A== =cabu -----END PGP SIGNATURE-----

QuickTime Streaming Server in Apple Mac OS X 10.3.9 and 10.4.6 allows remote attackers to cause a denial of service (crash and connection interruption) via a QuickTime movie with a missing track, which triggers a null dereference. Apple Mac OS X is reported prone to multiple security vulnerabilities. These issue affect Mac OS X in the following applications or modules: - AppKit - ImageIO - BOM - CFNetwork - ClamAV - CoreFoundation - CoreGraphics - Finder - FTPServer - Flash Player - ImageIO - Keychain - LaunchServices - libcurl - Mail - MySQL Manager - Preview - QuickDraw - QuickTime Streaming Server - Ruby - Safari A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible. Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. 1) An error in the AppKit framework allows an application to read characters entered into secure text field in the same window session. 2) Errors in the AppKit and ImageIO framework when processing GIF and TIFF images can be exploited to crash an application or potentially execute arbitrary code. For more information: SA19686 3) A boundary error within the BOM component when expanding archives can be exploited to crash an application or potentially execute arbitrary code. For more information: SA19686 4) An input validation error in the BOM component when expanding archives can be exploited to cause files to be written to arbitrary locations outside the specified directory via directory traversal attacks. 5) An integer overflow error in the CFNetwork component when handling chunked transfer encoding may allow execution of arbitrary code if a user is tricked into visiting a malicious web site. 6) Errors in ClamAV when processing specially crafted email messages may allow execution of arbitrary code. For more information: SA19534 7) An error in the CoreFoundation component allows dynamic libraries to load and execute when a bundle is registered. This can be exploited to execute arbitrary code if an untrusted bundle is registered. 8) An integer underflow error within the "CFStringGetFileSystemRepresentation()" API during string conversion may allow execution of arbitrary code. 9) An error in the CoreGraphics component allows an application in the same window session to read characters entered into secure text field when "Enable access for assistive devices" is enabled. 10) An error in Finder within the handling of Internet Location items makes it possible to specify a different Internet Location type than the actual URL scheme used. This may allow execution of arbitrary code when launching an Internet Location item. 11) Boundary errors in the FTPServer component when handling path names can be exploited to malicious users to cause a buffer overflow, which may allow execution of arbitrary code. 12) Various errors in the Flash Player makes it possible to compromise a user's system via specially crafted Flash files. For more information: SA17430 SA19218 13) An integer overflow error in the ImageIO framework when processing JPEG images can be exploited to crash an application or potentially execute arbitrary code. 14) An error in the Keychain component allows an application to use Keychain items even when the Keychain is locked. This requires that the application has obtained a reference to a Keychain item before the Keychain was locked. 15) An error in the LaunchServices component when processing long filename extensions may allow bypassing of the Download Validation functionality. 16) Boundary errors in the libcurl URL handling may allow execution of arbitrary code. For more information: SA17907 17) An integer overflow error in the Mail component may allow execution of arbitrary code when viewing a specially crafted email message with MacMIME encapsulated attachments. 18) An error in the Mail component when handling invalid colour information in enriched text email messages may allow execution of arbitrary code. 19) An design error in MySQL Manager makes it possible to access the MySQL database with an empty password as the MySQL password supplying during initial setup is not used. 20) A boundary error in the Preview component may allow execution of arbitrary code via a stack-based buffer overflow when navigating a specially crafted directory hierarchy. 21) Two boundary errors in the QuickDraw component when processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. This can be exploited to crash an application and potentially execute arbitrary code. 23) A boundary error in QuickTime Streaming Server when processing RTSP requests can be exploited to crash the application or potentially execute arbitrary code. 24) An error in Ruby can be exploited to bypass safe level restrictions. For more information: SA16904 25) An error in Safari when handling archives with symbolic links may place the symbolic links on a user's desktop. This requires that the "Open 'safe' files after downloading" option is enabled. SOLUTION: Apply Security Update 2006-003. 13) The vendor credits Brent Simmons, NewsGator Technologies. 14) The vendor credits Tobias Hahn, HU Berlin. 19) The vendor credits Ben Low, University of New South Wales. 21) The vendor credits Mike Price, McAfee AVERT Labs. 23) Mu Security research team ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303737 OTHER REFERENCES: SA19686: http://secunia.com/advisories/19686/ SA19534: http://secunia.com/advisories/19534/ SA17430: http://secunia.com/advisories/17430/ SA19218: http://secunia.com/advisories/19218/ SA17907: http://secunia.com/advisories/17907/ SA16904: http://secunia.com/advisories/16904/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Impacts of other vulnerabilities include bypassing security restrictions and denial of service. I. Further details are available in the individual Vulnerability Notes. II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service. III. This and other updates are available via Apple Update. Please see the Vulnerability Notes for individual reporter acknowledgements. ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-132A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 12, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8 WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD +4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A== =cabu -----END PGP SIGNATURE-----

Multiple integer overflows in Apple QuickTime before 7.1 allow remote attackers to execute arbitrary code via a crafted QuickTime H.264 (M4V) video format file. Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. These issues affect both Mac OS X and Microsoft Windows releases of the software. Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file with a vulnerable version of QuickTime. Since QuickTime configures most web browsers to handle QuickTime media files, an attacker could exploit these vulnerabilities using a web page. For more information, please refer to the Vulnerability Notes. II. Impact The impacts of these vulnerabilities could allow an remote, unauthenticated attacker to execute arbitrary code or commands, and cause a denial-of-service condition. For further information, please see the Vulnerability Notes. III. Disable QuickTime in your web browser An attacker may be able to exploit this vulnerability by persuading a user to access a specially crafted file with a web browser. Disabling QuickTime in your web browser will defend against this attack vector. For more information, refer to the Securing Your Web Browser document. Appendix A. Please send email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 12, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRGT7JH0pj593lg50AQI2Uwf/U3zGDrR8UkWK4ry6AYMS7HPMdbiF6Vmo 9gP9Luc6Kj8zzxCWhnNKNzEq2P0B1oD03WcPFaIPnwvQJGApeUDRimyhQj8RDjME yAUt/reWG7RZ0Z2w/qaiZP7pQ7SjyIUKkN2OCG8LMmGKqsiCdFXoss/Bu0yFMH11 uvgwibfvkOdRLAPmRTVWk+gJEAdw3xFySm9r92qmig6CxKi7GAIpi9Gf7MXcRsKg oG3y5f06Kiq8ACYszPKneHE7WNvLP1ewuaWmf7PHiNebAB+W5hfwA2yEh6e6PSV2 eBi5cpigfXBrsjXk4L7wYrD8UcRl7nN8iqzWpMwYJkSloUmcYL1BBg== =LsFu -----END PGP SIGNATURE----- . ____________________________________________________________________ McAfee, Inc. McAfee Avert\x99 Labs Security Advisory Public Release Date: 2006-05-11 Apple QuickDraw/QuickTime Multiple Vulnerabilities CVE-2006-1249, CVE-2006-1453, CVE-2006-1454, CVE-2006-1459, CVE-2006-1460, CVE-2006-1461, CVE-2006-1462, CVE-2006-1464, CVE-2006-1465 ______________________________________________________________________ * Synopsis Apple QuickTime and Apple QuickDraw are multimedia technologies used to process image, audio and video data. Two code execution vulnerabilities are present in QuickDraw PICT image format support. Twenty one code execution vulnerabilities are present in QuickTime support for various multimedia formats including: MOV, H.264, MPEG 4, AVI, FPX and SWF. In order for an attack to succeed user interaction is required and therefore the risk factor for these issues is medium. CVE-2006-1460 Five buffer overflow vulnerabilities are present in QuickTime MOV video format support. CVE-2006-1461 Two buffer overflow vulnerabilities are present in QuickTime Flash (SWF) support. CVE-2006-1464 One buffer overflow vulnerability is present in QuickTime MPEG4 (M4P) video format support. CVE-2006-1465 One buffer overflow vulnerability is present in QuickTime AVI video format support. ______________________________________________________________________ * Legal Notice Copyright (C) 2006 McAfee, Inc. The information contained within this advisory is provided for the convenience of McAfee\x92s customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes. McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners. ______________________________________________________________________ . TITLE: QuickTime Multiple Code Execution Vulnerabilities SECUNIA ADVISORY ID: SA20069 VERIFY ADVISORY: http://secunia.com/advisories/20069/ CRITICAL: Highly critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: Apple Quicktime 4.x http://secunia.com/product/7923/ Apple Quicktime 5.x http://secunia.com/product/215/ Apple Quicktime 6.x http://secunia.com/product/810/ Apple QuickTime 7.x http://secunia.com/product/5090/ DESCRIPTION: Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious people to compromise a user's system. 3) A boundary error within the processing of Flash movies can be exploited via a specially crafted Flash movie to crash the application and potentially execute arbitrary code. 5) A boundary error within the processing of MPEG4 movies can be exploited via a specially crafted MPEG4 movie to crash the application and potentially execute arbitrary code. 6) An integer overflow error within the processing of FlashPix images (".fpx") can be exploited via a specially crafted FlashPix image with an overly large value in the field specifying the number of data blocks in the file. 7) A boundary error within the processing of AVI movies can be exploited via a specially crafted AVI movie to crash the application and potentially execute arbitrary code. 8) Two boundary errors within the processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. This can be exploited to crash the application and potentially execute arbitrary code. 9) A boundary error within the processing of BMP images can be exploited via a specially crafted BMP image to crash the application and potentially execute arbitrary code. SOLUTION: Update to version 7.1. http://www.apple.com/support/downloads/quicktime71.html PROVIDED AND/OR DISCOVERED BY: 1) Reported by the vendor. 2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs. 3) Mike Price, McAfee AVERT Labs. 4) Mike Price of McAfee AVERT Labs and ATmaCA. 5) Mike Price, McAfee AVERT Labs. 6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT Labs. 7) Mike Price, McAfee AVERT Labs. 8) Mike Price, McAfee AVERT Labs. 9) Tom Ferris ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303752 eEye Digital Security: http://www.eeye.com/html/research/advisories/AD20060511.html Zero Day Initiative: http://www.zerodayinitiative.com/advisories/ZDI-06-015.html Sowhat: http://secway.org/advisory/AD20060512.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a crafted QuickTime MPEG4 (M4P) video format file. Apple QuickTime fails to properly handle MPEG-4 movie files. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service condition. Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. These issues affect both Mac OS X and Microsoft Windows releases of the software. Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file with a vulnerable version of QuickTime. Since QuickTime configures most web browsers to handle QuickTime media files, an attacker could exploit these vulnerabilities using a web page. For more information, please refer to the Vulnerability Notes. II. For further information, please see the Vulnerability Notes. III. Disable QuickTime in your web browser An attacker may be able to exploit this vulnerability by persuading a user to access a specially crafted file with a web browser. Disabling QuickTime in your web browser will defend against this attack vector. For more information, refer to the Securing Your Web Browser document. Appendix A. Please send email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 12, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRGT7JH0pj593lg50AQI2Uwf/U3zGDrR8UkWK4ry6AYMS7HPMdbiF6Vmo 9gP9Luc6Kj8zzxCWhnNKNzEq2P0B1oD03WcPFaIPnwvQJGApeUDRimyhQj8RDjME yAUt/reWG7RZ0Z2w/qaiZP7pQ7SjyIUKkN2OCG8LMmGKqsiCdFXoss/Bu0yFMH11 uvgwibfvkOdRLAPmRTVWk+gJEAdw3xFySm9r92qmig6CxKi7GAIpi9Gf7MXcRsKg oG3y5f06Kiq8ACYszPKneHE7WNvLP1ewuaWmf7PHiNebAB+W5hfwA2yEh6e6PSV2 eBi5cpigfXBrsjXk4L7wYrD8UcRl7nN8iqzWpMwYJkSloUmcYL1BBg== =LsFu -----END PGP SIGNATURE----- . ____________________________________________________________________ McAfee, Inc. McAfee Avert\x99 Labs Security Advisory Public Release Date: 2006-05-11 Apple QuickDraw/QuickTime Multiple Vulnerabilities CVE-2006-1249, CVE-2006-1453, CVE-2006-1454, CVE-2006-1459, CVE-2006-1460, CVE-2006-1461, CVE-2006-1462, CVE-2006-1464, CVE-2006-1465 ______________________________________________________________________ * Synopsis Apple QuickTime and Apple QuickDraw are multimedia technologies used to process image, audio and video data. Two code execution vulnerabilities are present in QuickDraw PICT image format support. Twenty one code execution vulnerabilities are present in QuickTime support for various multimedia formats including: MOV, H.264, MPEG 4, AVI, FPX and SWF. In order for an attack to succeed user interaction is required and therefore the risk factor for these issues is medium. CVE-2006-1461 Two buffer overflow vulnerabilities are present in QuickTime Flash (SWF) support. ______________________________________________________________________ * Legal Notice Copyright (C) 2006 McAfee, Inc. The information contained within this advisory is provided for the convenience of McAfee\x92s customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes. McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners. ______________________________________________________________________ . TITLE: QuickTime Multiple Code Execution Vulnerabilities SECUNIA ADVISORY ID: SA20069 VERIFY ADVISORY: http://secunia.com/advisories/20069/ CRITICAL: Highly critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: Apple Quicktime 4.x http://secunia.com/product/7923/ Apple Quicktime 5.x http://secunia.com/product/215/ Apple Quicktime 6.x http://secunia.com/product/810/ Apple QuickTime 7.x http://secunia.com/product/5090/ DESCRIPTION: Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious people to compromise a user's system. 3) A boundary error within the processing of Flash movies can be exploited via a specially crafted Flash movie to crash the application and potentially execute arbitrary code. 6) An integer overflow error within the processing of FlashPix images (".fpx") can be exploited via a specially crafted FlashPix image with an overly large value in the field specifying the number of data blocks in the file. 7) A boundary error within the processing of AVI movies can be exploited via a specially crafted AVI movie to crash the application and potentially execute arbitrary code. 8) Two boundary errors within the processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. 9) A boundary error within the processing of BMP images can be exploited via a specially crafted BMP image to crash the application and potentially execute arbitrary code. SOLUTION: Update to version 7.1. http://www.apple.com/support/downloads/quicktime71.html PROVIDED AND/OR DISCOVERED BY: 1) Reported by the vendor. 2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs. 3) Mike Price, McAfee AVERT Labs. 4) Mike Price of McAfee AVERT Labs and ATmaCA. 5) Mike Price, McAfee AVERT Labs. 6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT Labs. 7) Mike Price, McAfee AVERT Labs. 8) Mike Price, McAfee AVERT Labs. 9) Tom Ferris ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303752 eEye Digital Security: http://www.eeye.com/html/research/advisories/AD20060511.html Zero Day Initiative: http://www.zerodayinitiative.com/advisories/ZDI-06-015.html Sowhat: http://secway.org/advisory/AD20060512.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack-based buffer overflow in Preview in Apple Mac OS 10.4 up to 10.4.6 allows local users to execute arbitrary code via a deep directory hierarchy. Apple Mac OS X is reported prone to multiple security vulnerabilities. These issue affect Mac OS X in the following applications or modules: - AppKit - ImageIO - BOM - CFNetwork - ClamAV - CoreFoundation - CoreGraphics - Finder - FTPServer - Flash Player - ImageIO - Keychain - LaunchServices - libcurl - Mail - MySQL Manager - Preview - QuickDraw - QuickTime Streaming Server - Ruby - Safari A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible. Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues. 1) An error in the AppKit framework allows an application to read characters entered into secure text field in the same window session. 2) Errors in the AppKit and ImageIO framework when processing GIF and TIFF images can be exploited to crash an application or potentially execute arbitrary code. For more information: SA19686 3) A boundary error within the BOM component when expanding archives can be exploited to crash an application or potentially execute arbitrary code. For more information: SA19686 4) An input validation error in the BOM component when expanding archives can be exploited to cause files to be written to arbitrary locations outside the specified directory via directory traversal attacks. 5) An integer overflow error in the CFNetwork component when handling chunked transfer encoding may allow execution of arbitrary code if a user is tricked into visiting a malicious web site. 6) Errors in ClamAV when processing specially crafted email messages may allow execution of arbitrary code. For more information: SA19534 7) An error in the CoreFoundation component allows dynamic libraries to load and execute when a bundle is registered. This can be exploited to execute arbitrary code if an untrusted bundle is registered. 8) An integer underflow error within the "CFStringGetFileSystemRepresentation()" API during string conversion may allow execution of arbitrary code. 9) An error in the CoreGraphics component allows an application in the same window session to read characters entered into secure text field when "Enable access for assistive devices" is enabled. 10) An error in Finder within the handling of Internet Location items makes it possible to specify a different Internet Location type than the actual URL scheme used. This may allow execution of arbitrary code when launching an Internet Location item. 12) Various errors in the Flash Player makes it possible to compromise a user's system via specially crafted Flash files. For more information: SA17430 SA19218 13) An integer overflow error in the ImageIO framework when processing JPEG images can be exploited to crash an application or potentially execute arbitrary code. 14) An error in the Keychain component allows an application to use Keychain items even when the Keychain is locked. This requires that the application has obtained a reference to a Keychain item before the Keychain was locked. 15) An error in the LaunchServices component when processing long filename extensions may allow bypassing of the Download Validation functionality. 16) Boundary errors in the libcurl URL handling may allow execution of arbitrary code. For more information: SA17907 17) An integer overflow error in the Mail component may allow execution of arbitrary code when viewing a specially crafted email message with MacMIME encapsulated attachments. 18) An error in the Mail component when handling invalid colour information in enriched text email messages may allow execution of arbitrary code. 19) An design error in MySQL Manager makes it possible to access the MySQL database with an empty password as the MySQL password supplying during initial setup is not used. 21) Two boundary errors in the QuickDraw component when processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. This can be exploited to crash an application and potentially execute arbitrary code. 22) A NULL pointer dereference error in QuickTime Streaming Server when processing QuickTime movies with a missing track can be exploited to crash the application. 23) A boundary error in QuickTime Streaming Server when processing RTSP requests can be exploited to crash the application or potentially execute arbitrary code. 24) An error in Ruby can be exploited to bypass safe level restrictions. For more information: SA16904 25) An error in Safari when handling archives with symbolic links may place the symbolic links on a user's desktop. This requires that the "Open 'safe' files after downloading" option is enabled. SOLUTION: Apply Security Update 2006-003. 13) The vendor credits Brent Simmons, NewsGator Technologies. 14) The vendor credits Tobias Hahn, HU Berlin. 19) The vendor credits Ben Low, University of New South Wales. 21) The vendor credits Mike Price, McAfee AVERT Labs. 23) Mu Security research team ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303737 OTHER REFERENCES: SA19686: http://secunia.com/advisories/19686/ SA19534: http://secunia.com/advisories/19534/ SA17430: http://secunia.com/advisories/17430/ SA19218: http://secunia.com/advisories/19218/ SA17907: http://secunia.com/advisories/17907/ SA16904: http://secunia.com/advisories/16904/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Impacts of other vulnerabilities include bypassing security restrictions and denial of service. I. Further details are available in the individual Vulnerability Notes. II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service. III. This and other updates are available via Apple Update. Please see the Vulnerability Notes for individual reporter acknowledgements. ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-132A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 12, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8 WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD +4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A== =cabu -----END PGP SIGNATURE-----

Buffer overflow in QuickTime Streaming Server in Apple Mac OS X 10.3.9 and 10.4.6 allows remote attackers to execute arbitrary code via a crafted RTSP request, which is not properly handled during message logging. Apple Mac OS X is reported prone to multiple security vulnerabilities. These issue affect Mac OS X in the following applications or modules: - AppKit - ImageIO - BOM - CFNetwork - ClamAV - CoreFoundation - CoreGraphics - Finder - FTPServer - Flash Player - ImageIO - Keychain - LaunchServices - libcurl - Mail - MySQL Manager - Preview - QuickDraw - QuickTime Streaming Server - Ruby - Safari A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible. Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues. 1) An error in the AppKit framework allows an application to read characters entered into secure text field in the same window session. 2) Errors in the AppKit and ImageIO framework when processing GIF and TIFF images can be exploited to crash an application or potentially execute arbitrary code. For more information: SA19686 3) A boundary error within the BOM component when expanding archives can be exploited to crash an application or potentially execute arbitrary code. For more information: SA19686 4) An input validation error in the BOM component when expanding archives can be exploited to cause files to be written to arbitrary locations outside the specified directory via directory traversal attacks. 5) An integer overflow error in the CFNetwork component when handling chunked transfer encoding may allow execution of arbitrary code if a user is tricked into visiting a malicious web site. 6) Errors in ClamAV when processing specially crafted email messages may allow execution of arbitrary code. For more information: SA19534 7) An error in the CoreFoundation component allows dynamic libraries to load and execute when a bundle is registered. This can be exploited to execute arbitrary code if an untrusted bundle is registered. 8) An integer underflow error within the "CFStringGetFileSystemRepresentation()" API during string conversion may allow execution of arbitrary code. 9) An error in the CoreGraphics component allows an application in the same window session to read characters entered into secure text field when "Enable access for assistive devices" is enabled. 10) An error in Finder within the handling of Internet Location items makes it possible to specify a different Internet Location type than the actual URL scheme used. This may allow execution of arbitrary code when launching an Internet Location item. 11) Boundary errors in the FTPServer component when handling path names can be exploited to malicious users to cause a buffer overflow, which may allow execution of arbitrary code. 12) Various errors in the Flash Player makes it possible to compromise a user's system via specially crafted Flash files. For more information: SA17430 SA19218 13) An integer overflow error in the ImageIO framework when processing JPEG images can be exploited to crash an application or potentially execute arbitrary code. 14) An error in the Keychain component allows an application to use Keychain items even when the Keychain is locked. This requires that the application has obtained a reference to a Keychain item before the Keychain was locked. 15) An error in the LaunchServices component when processing long filename extensions may allow bypassing of the Download Validation functionality. 16) Boundary errors in the libcurl URL handling may allow execution of arbitrary code. For more information: SA17907 17) An integer overflow error in the Mail component may allow execution of arbitrary code when viewing a specially crafted email message with MacMIME encapsulated attachments. 18) An error in the Mail component when handling invalid colour information in enriched text email messages may allow execution of arbitrary code. 19) An design error in MySQL Manager makes it possible to access the MySQL database with an empty password as the MySQL password supplying during initial setup is not used. 20) A boundary error in the Preview component may allow execution of arbitrary code via a stack-based buffer overflow when navigating a specially crafted directory hierarchy. 21) Two boundary errors in the QuickDraw component when processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. This can be exploited to crash an application and potentially execute arbitrary code. 22) A NULL pointer dereference error in QuickTime Streaming Server when processing QuickTime movies with a missing track can be exploited to crash the application. 24) An error in Ruby can be exploited to bypass safe level restrictions. For more information: SA16904 25) An error in Safari when handling archives with symbolic links may place the symbolic links on a user's desktop. This requires that the "Open 'safe' files after downloading" option is enabled. SOLUTION: Apply Security Update 2006-003. 13) The vendor credits Brent Simmons, NewsGator Technologies. 14) The vendor credits Tobias Hahn, HU Berlin. 19) The vendor credits Ben Low, University of New South Wales. 21) The vendor credits Mike Price, McAfee AVERT Labs. 23) Mu Security research team ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303737 OTHER REFERENCES: SA19686: http://secunia.com/advisories/19686/ SA19534: http://secunia.com/advisories/19534/ SA17430: http://secunia.com/advisories/17430/ SA19218: http://secunia.com/advisories/19218/ SA17907: http://secunia.com/advisories/17907/ SA16904: http://secunia.com/advisories/16904/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Impacts of other vulnerabilities include bypassing security restrictions and denial of service. I. Further details are available in the individual Vulnerability Notes. II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service. III. This and other updates are available via Apple Update. Please see the Vulnerability Notes for individual reporter acknowledgements. ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-132A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 12, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8 WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD +4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A== =cabu -----END PGP SIGNATURE-----

Multiple integer overflows in Apple QuickTime before 7.1 allow remote attackers to cause a denial of service or execute arbitrary code via a crafted QuickTime movie (.MOV). Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. These issues affect both Mac OS X and Microsoft Windows releases of the software. Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file with a vulnerable version of QuickTime. Since QuickTime configures most web browsers to handle QuickTime media files, an attacker could exploit these vulnerabilities using a web page. For more information, please refer to the Vulnerability Notes. II. For further information, please see the Vulnerability Notes. III. Disable QuickTime in your web browser An attacker may be able to exploit this vulnerability by persuading a user to access a specially crafted file with a web browser. Disabling QuickTime in your web browser will defend against this attack vector. For more information, refer to the Securing Your Web Browser document. Appendix A. Please send email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 12, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRGT7JH0pj593lg50AQI2Uwf/U3zGDrR8UkWK4ry6AYMS7HPMdbiF6Vmo 9gP9Luc6Kj8zzxCWhnNKNzEq2P0B1oD03WcPFaIPnwvQJGApeUDRimyhQj8RDjME yAUt/reWG7RZ0Z2w/qaiZP7pQ7SjyIUKkN2OCG8LMmGKqsiCdFXoss/Bu0yFMH11 uvgwibfvkOdRLAPmRTVWk+gJEAdw3xFySm9r92qmig6CxKi7GAIpi9Gf7MXcRsKg oG3y5f06Kiq8ACYszPKneHE7WNvLP1ewuaWmf7PHiNebAB+W5hfwA2yEh6e6PSV2 eBi5cpigfXBrsjXk4L7wYrD8UcRl7nN8iqzWpMwYJkSloUmcYL1BBg== =LsFu -----END PGP SIGNATURE----- . ____________________________________________________________________ McAfee, Inc. McAfee Avert\x99 Labs Security Advisory Public Release Date: 2006-05-11 Apple QuickDraw/QuickTime Multiple Vulnerabilities CVE-2006-1249, CVE-2006-1453, CVE-2006-1454, CVE-2006-1459, CVE-2006-1460, CVE-2006-1461, CVE-2006-1462, CVE-2006-1464, CVE-2006-1465 ______________________________________________________________________ * Synopsis Apple QuickTime and Apple QuickDraw are multimedia technologies used to process image, audio and video data. Two code execution vulnerabilities are present in QuickDraw PICT image format support. Twenty one code execution vulnerabilities are present in QuickTime support for various multimedia formats including: MOV, H.264, MPEG 4, AVI, FPX and SWF. In order for an attack to succeed user interaction is required and therefore the risk factor for these issues is medium. CVE-2006-1459 Seven integer overflow vulnerabilities are present in QuickTime MOV video format support. CVE-2006-1460 Five buffer overflow vulnerabilities are present in QuickTime MOV video format support. CVE-2006-1461 Two buffer overflow vulnerabilities are present in QuickTime Flash (SWF) support. CVE-2006-1462 Three integer overflow vulnerabilities are presenting QuickTime H.264 (M4V) video format support. CVE-2006-1464 One buffer overflow vulnerability is present in QuickTime MPEG4 (M4P) video format support. CVE-2006-1465 One buffer overflow vulnerability is present in QuickTime AVI video format support. ______________________________________________________________________ * Legal Notice Copyright (C) 2006 McAfee, Inc. The information contained within this advisory is provided for the convenience of McAfee\x92s customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes. McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners. ______________________________________________________________________ . TITLE: QuickTime Multiple Code Execution Vulnerabilities SECUNIA ADVISORY ID: SA20069 VERIFY ADVISORY: http://secunia.com/advisories/20069/ CRITICAL: Highly critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: Apple Quicktime 4.x http://secunia.com/product/7923/ Apple Quicktime 5.x http://secunia.com/product/215/ Apple Quicktime 6.x http://secunia.com/product/810/ Apple QuickTime 7.x http://secunia.com/product/5090/ DESCRIPTION: Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious people to compromise a user's system. 3) A boundary error within the processing of Flash movies can be exploited via a specially crafted Flash movie to crash the application and potentially execute arbitrary code. 5) A boundary error within the processing of MPEG4 movies can be exploited via a specially crafted MPEG4 movie to crash the application and potentially execute arbitrary code. 6) An integer overflow error within the processing of FlashPix images (".fpx") can be exploited via a specially crafted FlashPix image with an overly large value in the field specifying the number of data blocks in the file. 7) A boundary error within the processing of AVI movies can be exploited via a specially crafted AVI movie to crash the application and potentially execute arbitrary code. 8) Two boundary errors within the processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. This can be exploited to crash the application and potentially execute arbitrary code. 9) A boundary error within the processing of BMP images can be exploited via a specially crafted BMP image to crash the application and potentially execute arbitrary code. SOLUTION: Update to version 7.1. http://www.apple.com/support/downloads/quicktime71.html PROVIDED AND/OR DISCOVERED BY: 1) Reported by the vendor. 2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs. 3) Mike Price, McAfee AVERT Labs. 4) Mike Price of McAfee AVERT Labs and ATmaCA. 5) Mike Price, McAfee AVERT Labs. 6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT Labs. 7) Mike Price, McAfee AVERT Labs. 8) Mike Price, McAfee AVERT Labs. 9) Tom Ferris ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303752 eEye Digital Security: http://www.eeye.com/html/research/advisories/AD20060511.html Zero Day Initiative: http://www.zerodayinitiative.com/advisories/ZDI-06-015.html Sowhat: http://secway.org/advisory/AD20060512.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

LaunchServices in Apple Mac OS X 10.4.6 allows remote attackers to cause Safari to launch unsafe content via long file name extensions, which prevents Download Validation from determining which application will be used to open the file. Apple Mac OS X is reported prone to multiple security vulnerabilities. These issue affect Mac OS X in the following applications or modules: - AppKit - ImageIO - BOM - CFNetwork - ClamAV - CoreFoundation - CoreGraphics - Finder - FTPServer - Flash Player - ImageIO - Keychain - LaunchServices - libcurl - Mail - MySQL Manager - Preview - QuickDraw - QuickTime Streaming Server - Ruby - Safari A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible. Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues. 1) An error in the AppKit framework allows an application to read characters entered into secure text field in the same window session. 2) Errors in the AppKit and ImageIO framework when processing GIF and TIFF images can be exploited to crash an application or potentially execute arbitrary code. For more information: SA19686 3) A boundary error within the BOM component when expanding archives can be exploited to crash an application or potentially execute arbitrary code. For more information: SA19686 4) An input validation error in the BOM component when expanding archives can be exploited to cause files to be written to arbitrary locations outside the specified directory via directory traversal attacks. 5) An integer overflow error in the CFNetwork component when handling chunked transfer encoding may allow execution of arbitrary code if a user is tricked into visiting a malicious web site. 6) Errors in ClamAV when processing specially crafted email messages may allow execution of arbitrary code. For more information: SA19534 7) An error in the CoreFoundation component allows dynamic libraries to load and execute when a bundle is registered. This can be exploited to execute arbitrary code if an untrusted bundle is registered. 8) An integer underflow error within the "CFStringGetFileSystemRepresentation()" API during string conversion may allow execution of arbitrary code. 9) An error in the CoreGraphics component allows an application in the same window session to read characters entered into secure text field when "Enable access for assistive devices" is enabled. 10) An error in Finder within the handling of Internet Location items makes it possible to specify a different Internet Location type than the actual URL scheme used. This may allow execution of arbitrary code when launching an Internet Location item. 11) Boundary errors in the FTPServer component when handling path names can be exploited to malicious users to cause a buffer overflow, which may allow execution of arbitrary code. 12) Various errors in the Flash Player makes it possible to compromise a user's system via specially crafted Flash files. For more information: SA17430 SA19218 13) An integer overflow error in the ImageIO framework when processing JPEG images can be exploited to crash an application or potentially execute arbitrary code. 14) An error in the Keychain component allows an application to use Keychain items even when the Keychain is locked. This requires that the application has obtained a reference to a Keychain item before the Keychain was locked. 15) An error in the LaunchServices component when processing long filename extensions may allow bypassing of the Download Validation functionality. 16) Boundary errors in the libcurl URL handling may allow execution of arbitrary code. For more information: SA17907 17) An integer overflow error in the Mail component may allow execution of arbitrary code when viewing a specially crafted email message with MacMIME encapsulated attachments. 18) An error in the Mail component when handling invalid colour information in enriched text email messages may allow execution of arbitrary code. 19) An design error in MySQL Manager makes it possible to access the MySQL database with an empty password as the MySQL password supplying during initial setup is not used. 20) A boundary error in the Preview component may allow execution of arbitrary code via a stack-based buffer overflow when navigating a specially crafted directory hierarchy. 21) Two boundary errors in the QuickDraw component when processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. This can be exploited to crash an application and potentially execute arbitrary code. 22) A NULL pointer dereference error in QuickTime Streaming Server when processing QuickTime movies with a missing track can be exploited to crash the application. 23) A boundary error in QuickTime Streaming Server when processing RTSP requests can be exploited to crash the application or potentially execute arbitrary code. 24) An error in Ruby can be exploited to bypass safe level restrictions. For more information: SA16904 25) An error in Safari when handling archives with symbolic links may place the symbolic links on a user's desktop. This requires that the "Open 'safe' files after downloading" option is enabled. SOLUTION: Apply Security Update 2006-003. 13) The vendor credits Brent Simmons, NewsGator Technologies. 14) The vendor credits Tobias Hahn, HU Berlin. 19) The vendor credits Ben Low, University of New South Wales. 21) The vendor credits Mike Price, McAfee AVERT Labs. 23) Mu Security research team ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303737 OTHER REFERENCES: SA19686: http://secunia.com/advisories/19686/ SA19534: http://secunia.com/advisories/19534/ SA17430: http://secunia.com/advisories/17430/ SA19218: http://secunia.com/advisories/19218/ SA17907: http://secunia.com/advisories/17907/ SA16904: http://secunia.com/advisories/16904/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Impacts of other vulnerabilities include bypassing security restrictions and denial of service. I. Further details are available in the individual Vulnerability Notes. II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service. III. This and other updates are available via Apple Update. Please see the Vulnerability Notes for individual reporter acknowledgements. ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-132A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 12, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8 WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD +4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A== =cabu -----END PGP SIGNATURE-----

Multiple buffer overflows in Apple QuickTime before 7.1 allow remote attackers to execute arbitrary code via a crafted QuickTime movie (.MOV), as demonstrated via a large size for a udta Atom. Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. These issues affect both Mac OS X and Microsoft Windows releases of the software. Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file with a vulnerable version of QuickTime. Since QuickTime configures most web browsers to handle QuickTime media files, an attacker could exploit these vulnerabilities using a web page. For more information, please refer to the Vulnerability Notes. II. Impact The impacts of these vulnerabilities could allow an remote, unauthenticated attacker to execute arbitrary code or commands, and cause a denial-of-service condition. For further information, please see the Vulnerability Notes. III. Disable QuickTime in your web browser An attacker may be able to exploit this vulnerability by persuading a user to access a specially crafted file with a web browser. Disabling QuickTime in your web browser will defend against this attack vector. For more information, refer to the Securing Your Web Browser document. Appendix A. Please send email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 12, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRGT7JH0pj593lg50AQI2Uwf/U3zGDrR8UkWK4ry6AYMS7HPMdbiF6Vmo 9gP9Luc6Kj8zzxCWhnNKNzEq2P0B1oD03WcPFaIPnwvQJGApeUDRimyhQj8RDjME yAUt/reWG7RZ0Z2w/qaiZP7pQ7SjyIUKkN2OCG8LMmGKqsiCdFXoss/Bu0yFMH11 uvgwibfvkOdRLAPmRTVWk+gJEAdw3xFySm9r92qmig6CxKi7GAIpi9Gf7MXcRsKg oG3y5f06Kiq8ACYszPKneHE7WNvLP1ewuaWmf7PHiNebAB+W5hfwA2yEh6e6PSV2 eBi5cpigfXBrsjXk4L7wYrD8UcRl7nN8iqzWpMwYJkSloUmcYL1BBg== =LsFu -----END PGP SIGNATURE----- . ____________________________________________________________________ McAfee, Inc. McAfee Avert\x99 Labs Security Advisory Public Release Date: 2006-05-11 Apple QuickDraw/QuickTime Multiple Vulnerabilities CVE-2006-1249, CVE-2006-1453, CVE-2006-1454, CVE-2006-1459, CVE-2006-1460, CVE-2006-1461, CVE-2006-1462, CVE-2006-1464, CVE-2006-1465 ______________________________________________________________________ * Synopsis Apple QuickTime and Apple QuickDraw are multimedia technologies used to process image, audio and video data. Two code execution vulnerabilities are present in QuickDraw PICT image format support. Twenty one code execution vulnerabilities are present in QuickTime support for various multimedia formats including: MOV, H.264, MPEG 4, AVI, FPX and SWF. In order for an attack to succeed user interaction is required and therefore the risk factor for these issues is medium. CVE-2006-1459 Seven integer overflow vulnerabilities are present in QuickTime MOV video format support. CVE-2006-1460 Five buffer overflow vulnerabilities are present in QuickTime MOV video format support. CVE-2006-1461 Two buffer overflow vulnerabilities are present in QuickTime Flash (SWF) support. CVE-2006-1462 Three integer overflow vulnerabilities are presenting QuickTime H.264 (M4V) video format support. CVE-2006-1464 One buffer overflow vulnerability is present in QuickTime MPEG4 (M4P) video format support. CVE-2006-1465 One buffer overflow vulnerability is present in QuickTime AVI video format support. ______________________________________________________________________ * Legal Notice Copyright (C) 2006 McAfee, Inc. The information contained within this advisory is provided for the convenience of McAfee\x92s customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes. McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners. ______________________________________________________________________ . TITLE: QuickTime Multiple Code Execution Vulnerabilities SECUNIA ADVISORY ID: SA20069 VERIFY ADVISORY: http://secunia.com/advisories/20069/ CRITICAL: Highly critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: Apple Quicktime 4.x http://secunia.com/product/7923/ Apple Quicktime 5.x http://secunia.com/product/215/ Apple Quicktime 6.x http://secunia.com/product/810/ Apple QuickTime 7.x http://secunia.com/product/5090/ DESCRIPTION: Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious people to compromise a user's system. 1) An integer overflow error within the processing of JPEG images can be exploited via a specially crafted JPEG image to crash the application and potentially execute arbitrary code. 3) A boundary error within the processing of Flash movies can be exploited via a specially crafted Flash movie to crash the application and potentially execute arbitrary code. 5) A boundary error within the processing of MPEG4 movies can be exploited via a specially crafted MPEG4 movie to crash the application and potentially execute arbitrary code. 6) An integer overflow error within the processing of FlashPix images (".fpx") can be exploited via a specially crafted FlashPix image with an overly large value in the field specifying the number of data blocks in the file. 7) A boundary error within the processing of AVI movies can be exploited via a specially crafted AVI movie to crash the application and potentially execute arbitrary code. 8) Two boundary errors within the processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. This can be exploited to crash the application and potentially execute arbitrary code. 9) A boundary error within the processing of BMP images can be exploited via a specially crafted BMP image to crash the application and potentially execute arbitrary code. SOLUTION: Update to version 7.1. http://www.apple.com/support/downloads/quicktime71.html PROVIDED AND/OR DISCOVERED BY: 1) Reported by the vendor. 2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs. 3) Mike Price, McAfee AVERT Labs. 4) Mike Price of McAfee AVERT Labs and ATmaCA. 5) Mike Price, McAfee AVERT Labs. 6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT Labs. 7) Mike Price, McAfee AVERT Labs. 8) Mike Price, McAfee AVERT Labs. 9) Tom Ferris ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303752 eEye Digital Security: http://www.eeye.com/html/research/advisories/AD20060511.html Zero Day Initiative: http://www.zerodayinitiative.com/advisories/ZDI-06-015.html Sowhat: http://secway.org/advisory/AD20060512.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Keychain in Apple Mac OS X 10.3.9 and 10.4.6 might allow an application to bypass a locked Keychain by first obtaining a reference to the Keychain when it is unlocked, then reusing that reference after the Keychain has been locked. Apple Mac OS X is reported prone to multiple security vulnerabilities. These issue affect Mac OS X in the following applications or modules: - AppKit - ImageIO - BOM - CFNetwork - ClamAV - CoreFoundation - CoreGraphics - Finder - FTPServer - Flash Player - ImageIO - Keychain - LaunchServices - libcurl - Mail - MySQL Manager - Preview - QuickDraw - QuickTime Streaming Server - Ruby - Safari A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible. Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues. 1) An error in the AppKit framework allows an application to read characters entered into secure text field in the same window session. 2) Errors in the AppKit and ImageIO framework when processing GIF and TIFF images can be exploited to crash an application or potentially execute arbitrary code. For more information: SA19686 3) A boundary error within the BOM component when expanding archives can be exploited to crash an application or potentially execute arbitrary code. For more information: SA19686 4) An input validation error in the BOM component when expanding archives can be exploited to cause files to be written to arbitrary locations outside the specified directory via directory traversal attacks. 5) An integer overflow error in the CFNetwork component when handling chunked transfer encoding may allow execution of arbitrary code if a user is tricked into visiting a malicious web site. 6) Errors in ClamAV when processing specially crafted email messages may allow execution of arbitrary code. For more information: SA19534 7) An error in the CoreFoundation component allows dynamic libraries to load and execute when a bundle is registered. This can be exploited to execute arbitrary code if an untrusted bundle is registered. 8) An integer underflow error within the "CFStringGetFileSystemRepresentation()" API during string conversion may allow execution of arbitrary code. 9) An error in the CoreGraphics component allows an application in the same window session to read characters entered into secure text field when "Enable access for assistive devices" is enabled. 10) An error in Finder within the handling of Internet Location items makes it possible to specify a different Internet Location type than the actual URL scheme used. This may allow execution of arbitrary code when launching an Internet Location item. 11) Boundary errors in the FTPServer component when handling path names can be exploited to malicious users to cause a buffer overflow, which may allow execution of arbitrary code. 12) Various errors in the Flash Player makes it possible to compromise a user's system via specially crafted Flash files. For more information: SA17430 SA19218 13) An integer overflow error in the ImageIO framework when processing JPEG images can be exploited to crash an application or potentially execute arbitrary code. 15) An error in the LaunchServices component when processing long filename extensions may allow bypassing of the Download Validation functionality. 16) Boundary errors in the libcurl URL handling may allow execution of arbitrary code. For more information: SA17907 17) An integer overflow error in the Mail component may allow execution of arbitrary code when viewing a specially crafted email message with MacMIME encapsulated attachments. 18) An error in the Mail component when handling invalid colour information in enriched text email messages may allow execution of arbitrary code. 19) An design error in MySQL Manager makes it possible to access the MySQL database with an empty password as the MySQL password supplying during initial setup is not used. 20) A boundary error in the Preview component may allow execution of arbitrary code via a stack-based buffer overflow when navigating a specially crafted directory hierarchy. 21) Two boundary errors in the QuickDraw component when processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. This can be exploited to crash an application and potentially execute arbitrary code. 22) A NULL pointer dereference error in QuickTime Streaming Server when processing QuickTime movies with a missing track can be exploited to crash the application. 23) A boundary error in QuickTime Streaming Server when processing RTSP requests can be exploited to crash the application or potentially execute arbitrary code. 24) An error in Ruby can be exploited to bypass safe level restrictions. For more information: SA16904 25) An error in Safari when handling archives with symbolic links may place the symbolic links on a user's desktop. This requires that the "Open 'safe' files after downloading" option is enabled. SOLUTION: Apply Security Update 2006-003. 13) The vendor credits Brent Simmons, NewsGator Technologies. 14) The vendor credits Tobias Hahn, HU Berlin. 19) The vendor credits Ben Low, University of New South Wales. 21) The vendor credits Mike Price, McAfee AVERT Labs. 23) Mu Security research team ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303737 OTHER REFERENCES: SA19686: http://secunia.com/advisories/19686/ SA19534: http://secunia.com/advisories/19534/ SA17430: http://secunia.com/advisories/17430/ SA19218: http://secunia.com/advisories/19218/ SA17907: http://secunia.com/advisories/17907/ SA16904: http://secunia.com/advisories/16904/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Impacts of other vulnerabilities include bypassing security restrictions and denial of service. I. Further details are available in the individual Vulnerability Notes. II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service. III. This and other updates are available via Apple Update. Please see the Vulnerability Notes for individual reporter acknowledgements. ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-132A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 12, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8 WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD +4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A== =cabu -----END PGP SIGNATURE-----

MySQL Manager in Apple Mac OS X 10.3.9 and 10.4.6, when setting up a new MySQL database server, does not use the "New MySQL root password" that is provided, which causes the MySQL root password to be blank and allows local users to gain full privileges to that database. Apple Mac OS X is reported prone to multiple security vulnerabilities. These issue affect Mac OS X in the following applications or modules: - AppKit - ImageIO - BOM - CFNetwork - ClamAV - CoreFoundation - CoreGraphics - Finder - FTPServer - Flash Player - ImageIO - Keychain - LaunchServices - libcurl - Mail - MySQL Manager - Preview - QuickDraw - QuickTime Streaming Server - Ruby - Safari A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible. Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues. 1) An error in the AppKit framework allows an application to read characters entered into secure text field in the same window session. 2) Errors in the AppKit and ImageIO framework when processing GIF and TIFF images can be exploited to crash an application or potentially execute arbitrary code. For more information: SA19686 3) A boundary error within the BOM component when expanding archives can be exploited to crash an application or potentially execute arbitrary code. For more information: SA19686 4) An input validation error in the BOM component when expanding archives can be exploited to cause files to be written to arbitrary locations outside the specified directory via directory traversal attacks. 5) An integer overflow error in the CFNetwork component when handling chunked transfer encoding may allow execution of arbitrary code if a user is tricked into visiting a malicious web site. 6) Errors in ClamAV when processing specially crafted email messages may allow execution of arbitrary code. For more information: SA19534 7) An error in the CoreFoundation component allows dynamic libraries to load and execute when a bundle is registered. This can be exploited to execute arbitrary code if an untrusted bundle is registered. 8) An integer underflow error within the "CFStringGetFileSystemRepresentation()" API during string conversion may allow execution of arbitrary code. 9) An error in the CoreGraphics component allows an application in the same window session to read characters entered into secure text field when "Enable access for assistive devices" is enabled. 10) An error in Finder within the handling of Internet Location items makes it possible to specify a different Internet Location type than the actual URL scheme used. This may allow execution of arbitrary code when launching an Internet Location item. 11) Boundary errors in the FTPServer component when handling path names can be exploited to malicious users to cause a buffer overflow, which may allow execution of arbitrary code. 12) Various errors in the Flash Player makes it possible to compromise a user's system via specially crafted Flash files. For more information: SA17430 SA19218 13) An integer overflow error in the ImageIO framework when processing JPEG images can be exploited to crash an application or potentially execute arbitrary code. 14) An error in the Keychain component allows an application to use Keychain items even when the Keychain is locked. This requires that the application has obtained a reference to a Keychain item before the Keychain was locked. 15) An error in the LaunchServices component when processing long filename extensions may allow bypassing of the Download Validation functionality. 16) Boundary errors in the libcurl URL handling may allow execution of arbitrary code. For more information: SA17907 17) An integer overflow error in the Mail component may allow execution of arbitrary code when viewing a specially crafted email message with MacMIME encapsulated attachments. 18) An error in the Mail component when handling invalid colour information in enriched text email messages may allow execution of arbitrary code. 20) A boundary error in the Preview component may allow execution of arbitrary code via a stack-based buffer overflow when navigating a specially crafted directory hierarchy. 21) Two boundary errors in the QuickDraw component when processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. This can be exploited to crash an application and potentially execute arbitrary code. 22) A NULL pointer dereference error in QuickTime Streaming Server when processing QuickTime movies with a missing track can be exploited to crash the application. 23) A boundary error in QuickTime Streaming Server when processing RTSP requests can be exploited to crash the application or potentially execute arbitrary code. 24) An error in Ruby can be exploited to bypass safe level restrictions. For more information: SA16904 25) An error in Safari when handling archives with symbolic links may place the symbolic links on a user's desktop. This requires that the "Open 'safe' files after downloading" option is enabled. SOLUTION: Apply Security Update 2006-003. 13) The vendor credits Brent Simmons, NewsGator Technologies. 14) The vendor credits Tobias Hahn, HU Berlin. 19) The vendor credits Ben Low, University of New South Wales. 21) The vendor credits Mike Price, McAfee AVERT Labs. 23) Mu Security research team ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303737 OTHER REFERENCES: SA19686: http://secunia.com/advisories/19686/ SA19534: http://secunia.com/advisories/19534/ SA17430: http://secunia.com/advisories/17430/ SA19218: http://secunia.com/advisories/19218/ SA17907: http://secunia.com/advisories/17907/ SA16904: http://secunia.com/advisories/16904/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Impacts of other vulnerabilities include bypassing security restrictions and denial of service. I. Further details are available in the individual Vulnerability Notes. II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service. III. This and other updates are available via Apple Update. Please see the Vulnerability Notes for individual reporter acknowledgements. ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-132A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 12, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8 WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD +4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A== =cabu -----END PGP SIGNATURE-----

Buffer overflow in the FTP server (FTPServer) in Apple Mac OS X 10.3.9 and 10.4.6 allows remote authenticated users to execute arbitrary code via vectors related to "FTP server path name handling.". Apple Mac OS X is reported prone to multiple security vulnerabilities. These issue affect Mac OS X in the following applications or modules: - AppKit - ImageIO - BOM - CFNetwork - ClamAV - CoreFoundation - CoreGraphics - Finder - FTPServer - Flash Player - ImageIO - Keychain - LaunchServices - libcurl - Mail - MySQL Manager - Preview - QuickDraw - QuickTime Streaming Server - Ruby - Safari A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible. Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues. 1) An error in the AppKit framework allows an application to read characters entered into secure text field in the same window session. 2) Errors in the AppKit and ImageIO framework when processing GIF and TIFF images can be exploited to crash an application or potentially execute arbitrary code. For more information: SA19686 3) A boundary error within the BOM component when expanding archives can be exploited to crash an application or potentially execute arbitrary code. For more information: SA19686 4) An input validation error in the BOM component when expanding archives can be exploited to cause files to be written to arbitrary locations outside the specified directory via directory traversal attacks. 5) An integer overflow error in the CFNetwork component when handling chunked transfer encoding may allow execution of arbitrary code if a user is tricked into visiting a malicious web site. 6) Errors in ClamAV when processing specially crafted email messages may allow execution of arbitrary code. For more information: SA19534 7) An error in the CoreFoundation component allows dynamic libraries to load and execute when a bundle is registered. This can be exploited to execute arbitrary code if an untrusted bundle is registered. 8) An integer underflow error within the "CFStringGetFileSystemRepresentation()" API during string conversion may allow execution of arbitrary code. 9) An error in the CoreGraphics component allows an application in the same window session to read characters entered into secure text field when "Enable access for assistive devices" is enabled. 10) An error in Finder within the handling of Internet Location items makes it possible to specify a different Internet Location type than the actual URL scheme used. This may allow execution of arbitrary code when launching an Internet Location item. 12) Various errors in the Flash Player makes it possible to compromise a user's system via specially crafted Flash files. For more information: SA17430 SA19218 13) An integer overflow error in the ImageIO framework when processing JPEG images can be exploited to crash an application or potentially execute arbitrary code. 14) An error in the Keychain component allows an application to use Keychain items even when the Keychain is locked. This requires that the application has obtained a reference to a Keychain item before the Keychain was locked. 15) An error in the LaunchServices component when processing long filename extensions may allow bypassing of the Download Validation functionality. 16) Boundary errors in the libcurl URL handling may allow execution of arbitrary code. For more information: SA17907 17) An integer overflow error in the Mail component may allow execution of arbitrary code when viewing a specially crafted email message with MacMIME encapsulated attachments. 18) An error in the Mail component when handling invalid colour information in enriched text email messages may allow execution of arbitrary code. 19) An design error in MySQL Manager makes it possible to access the MySQL database with an empty password as the MySQL password supplying during initial setup is not used. 20) A boundary error in the Preview component may allow execution of arbitrary code via a stack-based buffer overflow when navigating a specially crafted directory hierarchy. 21) Two boundary errors in the QuickDraw component when processing of PICT images can be exploited to either cause a stack-based via a PICT image with specially crafted font information or a heap-based buffer overflow via a PICT image with specially crafted image data. This can be exploited to crash an application and potentially execute arbitrary code. 22) A NULL pointer dereference error in QuickTime Streaming Server when processing QuickTime movies with a missing track can be exploited to crash the application. 23) A boundary error in QuickTime Streaming Server when processing RTSP requests can be exploited to crash the application or potentially execute arbitrary code. 24) An error in Ruby can be exploited to bypass safe level restrictions. For more information: SA16904 25) An error in Safari when handling archives with symbolic links may place the symbolic links on a user's desktop. This requires that the "Open 'safe' files after downloading" option is enabled. SOLUTION: Apply Security Update 2006-003. 13) The vendor credits Brent Simmons, NewsGator Technologies. 14) The vendor credits Tobias Hahn, HU Berlin. 19) The vendor credits Ben Low, University of New South Wales. 21) The vendor credits Mike Price, McAfee AVERT Labs. 23) Mu Security research team ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303737 OTHER REFERENCES: SA19686: http://secunia.com/advisories/19686/ SA19534: http://secunia.com/advisories/19534/ SA17430: http://secunia.com/advisories/17430/ SA19218: http://secunia.com/advisories/19218/ SA17907: http://secunia.com/advisories/17907/ SA16904: http://secunia.com/advisories/16904/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Impacts of other vulnerabilities include bypassing security restrictions and denial of service. I. Further details are available in the individual Vulnerability Notes. II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service. III. This and other updates are available via Apple Update. Please see the Vulnerability Notes for individual reporter acknowledgements. ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-132A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 12, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8 WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD +4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A== =cabu -----END PGP SIGNATURE-----