On Monday, Apple released Mac OS X 10.5.4. In addition to enhancements to existing features, Apple bundled in 13 specific security updates, including one for Safari 3.1.2. The security update APPLE-SA-2008-004 and Mac OS X 10.5.4 can be downloaded and installed from Apple Downloads.
Alias Manager
This patch only affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses an alias manager vulnerability described in CVE-2008-2308. According to Apple, a "memory corruption issue exists in the handling of AFP volume mount information in an alias data structure. Resolving an alias containing maliciously crafted volume mount information may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of alias data structures. This issue only affects Intel-based systems running Mac OS X 10.5.1 or earlier."
CoreTypes
This patch affects users running Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses a potentially unsafe content types vulnerability described in CVE-2008-2309. Apple says, "This update adds .xht and .xhtm files to the system's list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a Web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious payload. This update improves the system's ability to notify users before handling .xht and .xhtm files. On Mac OS X v10.4 this functionality is provided by the Download Validation feature. On Mac OS X v10.5 this functionality is provided by the Quarantine feature." Apple credits Brian Mastenbrook for reporting this issue.
c++filt
This patch affects users of Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses a c++filt vulnerability described in CVE-2008-2310. Apple says that a "format string issue exists in c++filt, which is a debugging tool used to demangle C++ and Java symbols. Passing a maliciously crafted string to c++filt may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of format strings."
Dock
This patch only affects users of Mac OS X v10.5 through v10.5.3 and Mac OS X Server v10.5 through v10.5.3. The update addresses a screen lock bypass vulnerability described in CVE-2008-2314. "When the system is set to require a password to wake from sleep or screen saver, and Expose hot corners are set, a person with physical access may be able to access the system without entering a password. This update addresses the issue by disabling hot corners when the screen lock is active," Apple says. Apple credits Andrew Cassell of Marine Spill Response for reporting this issue.
Launch Services
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses a maliciously crafted Web site vulnerability described in CVE-2008-2311. "A race condition exists in the download validation of symbolic links, when the target of the link changes during the narrow time window of validation," Apple says. If the "Open 'safe' files" preference is enabled in Safari, visiting a maliciously crafted Web site may cause a file to be opened on the user's system, resulting in arbitrary code execution. This update addresses the issue by performing additional validation of downloaded files.
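The check-then-use gap behind this class of bug, as an added Ruby example (not Apple's code or its fix). The content check, file names and the block that stands in for the "narrow time window" are constructed for illustration.

```ruby
require "tmpdir"

# Constructed stand-in for download validation: a script header counts as unsafe.
def unsafe_content?(head)
  head.start_with?("#!")
end

# Racy pattern: validate by path, then open by path again. The optional block
# stands in for the time window between the check and the use.
def open_after_path_check(path)
  head = File.open(path, "rb") { |f| f.read(2).to_s }
  return nil if unsafe_content?(head)
  yield if block_given?
  File.binread(path) # second name resolution: may now be a different file
end

# Hardened pattern: open once, refuse a symlink at the final path component,
# then validate and read through the same handle.
def open_with_handle_check(path)
  File.open(path, File::RDONLY | File::NOFOLLOW) do |f|
    return nil unless f.stat.file?            # fstat on the opened object
    return nil if unsafe_content?(f.read(2).to_s)
    yield if block_given?
    f.rewind
    f.read                                    # same inode that was validated
  end
rescue Errno::ELOOP, Errno::EMLINK
  nil # the path was a symbolic link
end

# Runs both patterns against files built in a temporary directory.
def toctou_demo
  Dir.mktmpdir do |dir|
    benign = File.join(dir, "benign.txt")
    script = File.join(dir, "script.sh")
    link   = File.join(dir, "download")
    plain  = File.join(dir, "plain")
    File.write(benign, "hello\n")
    File.write(script, "#!/bin/sh\n")
    File.write(plain, "hello\n")
    File.symlink(benign, link)

    retarget = lambda do
      File.unlink(link)
      File.symlink(script, link)
    end
    racy = open_after_path_check(link, &retarget)

    # Reset the link, then try the same path with the hardened routine.
    File.unlink(link)
    File.symlink(benign, link)
    hardened_link = open_with_handle_check(link, &retarget)

    # A regular file replaced mid-check: the open handle still refers to
    # the content that was validated.
    replace = -> { File.rename(script, plain) }
    hardened_plain = open_with_handle_check(plain, &replace)

    { racy: racy, hardened_link: hardened_link, hardened_plain: hardened_plain }
  end
end

p toctou_demo if __FILE__ == $PROGRAM_NAME
```

The racy routine returns content it never validated, while the hardened routine either refuses the link or returns exactly the bytes it checked.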
Net-SNMP
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses a SNMPv3 packet vulnerability described in CVE-2008-0960. Apple says an "issue exists in Net-SNMP's SNMPv3 authentication, which may allow maliciously crafted packets to bypass the authentication check. This update addresses the issue by performing additional validation of SNMPv3 packets."
Ruby
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses Ruby script vulnerabilities described in CVE-2008-2662, CVE-2008-2663, CVE-2008-2664, CVE-2008-2725, and CVE-2008-2726. Apple says that "multiple memory corruption issues exist in Ruby's handling of strings and arrays, the most serious of which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of strings and arrays."
Ruby
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses the WEBrick vulnerability described in CVE-2008-1145. Apple says that "the :NondisclosureName option in the Ruby WEBrick toolkit is used to restrict access to files. Requesting a file name which uses unexpected capitalization may bypass the :NondisclosureName restriction. This update addresses the issue by additional validation of file names." The directory traversal issue associated with this vulnerability does not affect Mac OS X.
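Why capitalization matters for a name-based restriction, as an added Ruby example (not WEBrick source code or Apple's fix). It assumes the server's volume is case-insensitive, so differently cased names open the same file; the pattern list, helper names and request paths are constructed.

```ruby
# Constructed sample deny-list of glob patterns for names that must not be served.
NONDISCLOSURE_PATTERNS = [".ht*", "*~"].freeze

# Constructed sample request paths.
SAMPLE_REQUESTS = [
  "/index.html",
  "/.htaccess",
  "/.HTACCESS",
  "/admin/.HtPasswd",
  "/notes.txt~"
].freeze

# True when a single path segment matches a deny pattern.
# casefold: false models a case-sensitive comparison, casefold: true the
# comparison that matches how a case-insensitive volume resolves names.
def nondisclosed?(name, casefold:, patterns: NONDISCLOSURE_PATTERNS)
  flags = casefold ? File::FNM_CASEFOLD : 0
  patterns.any? { |pattern| File.fnmatch(pattern, name, flags) }
end

# A request is allowed only if no segment of its path is on the deny-list.
def request_allowed?(request_path, casefold:)
  request_path.split("/").reject(&:empty?).none? do |segment|
    nondisclosed?(segment, casefold: casefold)
  end
end

# Audit helper: paths the case-sensitive check would serve although the
# case-folded check denies them. These are the requests worth alerting on
# in access logs for an unpatched server.
def case_only_gaps(paths)
  paths.select do |path|
    request_allowed?(path, casefold: false) && !request_allowed?(path, casefold: true)
  end
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REQUESTS.each do |path|
    strict = request_allowed?(path, casefold: true) ? "serve" : "deny"
    loose  = request_allowed?(path, casefold: false) ? "serve" : "deny"
    puts format("%-20s case-sensitive=%-5s case-folded=%s", path, loose, strict)
  end
  puts "gaps: #{case_only_gaps(SAMPLE_REQUESTS).inspect}"
end
```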
SMB File Server
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses the heap buffer overflow vulnerability described in CVE-2008-1105. Apple says that "sending malicious SMB packets to a SMB server, or connecting to a malicious SMB server, may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking on the length of received SMB packets." Apple credits Alin Rad Pop of Secunia Research for reporting this issue.
System Configuration
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses the User Template directory vulnerability described in CVE-2008-2313. Apple says "a local user may be able to populate the User Template directory with files that will become part of the home directory when a new user is created. This could allow arbitrary code execution with the privileges of the new user. This update addresses the issue by applying more restrictive permissions on the User Template directory. This issue does not affect systems running Mac OS X 10.5 or later." Apple credits Andrew Mortensen of the University of Michigan for reporting this issue.
Tomcat
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses Tomcat 4.1.36 vulnerabilities described in CVE-2005-3164, CVE-2007-1355, CVE-2007-2449, CVE-2007-2450, CVE-2007-3382, CVE-2007-3383, CVE-2007-5333, CVE-2007-3385, and CVE-2007-5461. Apple says "Tomcat on Mac OS X v10.4.11 is updated to version 4.1.37 to address several vulnerabilities, the most serious of which may lead to a cross-site scripting attack. Tomcat version 6.x is bundled with Mac OS X v10.5 systems."
VPN
This patch affects users of Mac OS X v10.5 through v10.5.3 and Mac OS X Server v10.5 through v10.5.3. The update addresses a divide by zero vulnerability described in CVE-2007-6276. Apple says that "processing a maliciously crafted UDP packet may lead to an unexpected application termination. This issue does not lead to arbitrary code execution. This update addresses the issue by performing additional validation of load balancing information. This issue does not affect systems prior to Mac OS X 10.5."
WebKit
This patch affects users of Mac OS X v10.5 through v10.5.3 and Mac OS X Server v10.5 through v10.5.3. The update addresses the memory corruption vulnerability described in CVE-2008-2307. Apple says "visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Along with this fix, the version of Safari for Mac OS X v10.5.4 is updated to 3.1.2. For Mac OS X v10.4.11 and Windows XP/Vista, this issue is addressed in Safari v3.1.2 for those systems. Visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution." Apple credits James Urquhart for reporting this issue.
On Thursday, security vendor SecureMac reported seeing new variants of the AppleScript.THT Trojan horse in the wild affecting users of Mac OS X 10.4 and 10.5.
The new variations exploit a vulnerability within the Apple Remote Desktop Agent, and can avoid detection by opening ports in the firewall and turning off system logging. The new Trojans can log keystrokes, take screen shots, take pictures with the Apple iSight camera, and enable file sharing, according to SecureMac.
The Trojans are using an AppleScript called ASthtv05 and/or may be bundled as an application. You must download and execute the file for your Mac OS X system to become infected.
SecureMac makes MacScan, antispyware security software for Mac OS X.
Updated at 12:30 p.m. PDT on Wednesday with links to the newly debuted release candidate.
If you were planning to host a Firefox 3 launch party this week, keep that bubbly on ice a bit longer.
Mozilla on Wednesday released Firefox 3 Release Candidate 3. Windows and Linux users won't likely feel a thing; the new browser is considered stable on those platforms.
The extra release candidate addresses some lingering issues on the Mac OS X operating system. The changes are internal.
The previous test version, Firefox 3 Release Candidate 2, can also be downloaded for Windows, Portable, Mac, and Linux systems.
On Wednesday, Core Security announced three vulnerabilities within iCal, the personal calendar application that ships with the Mac operating system. The vulnerabilities affect iCal version 3.0.1 on Mac OS X 10.5.1.
ZDNet's Ryan Naraine quotes an as-yet unpublished Core Security announcement as saying: "The vulnerabilities are caused due to iCal not properly sanitizing certain fields on iCal calendar files (.ics). This can be possibly exploited to crash iCal (first two bugs) or possibly execute arbitrary code (third bug) via malicious calendar updates or by importing a specially crafted calendar file."
Apple was rumored to be releasing a large security patch later on Wednesday, but, in an update to his blog, Naraine says that will not happen. In the meantime, Leopard users should be suspicious of links and e-mails with requests to add/open calendar (.ics) files.
In a statement issued Tuesday, Macintosh security company Intego accused Symantec of infringing on its copyright. At issue is the new box copy for Norton Antivirus for Macintosh. In the upper right corner, Symantec has prominently placed the words "Dual Protection," a reference to the product's use on both the Mac OS X and Windows operating systems when using Apple Boot Camp.
The Austin, Texas-based Intego said in a press release, "Intego is the owner of a trademark registration for the mark DP DUAL PROTECTION in France (registered on January 17, 2007) and an international trademark registration for that mark (registered on July 2, 2007) in the United States, the European Community (27 countries), Switzerland, Monaco, Australia, and Japan. In the United States, Intego has applied to the Patent and Trademark Office to register the DP DUAL PROTECTION mark; Intego claims rights to this mark in the United States. Intego also owns the domain name dualprotection.com, which it registered on January 15, 2007."
A Symantec spokesperson said the company is aware of the issue and is looking into the matter, adding, "We have no further information to share at this time."
Microsoft today released its March 2008 security bulletin, which includes four bulletins, all deemed critical by Microsoft.
The most serious of these affects Microsoft Excel, which alone has six specific "Common Vulnerabilities and Exposures" vulnerabilities noted, one of which has been exploited in the wild. The next most serious affects Microsoft Outlook. In that one, a vulnerability in how the software parses "mailto" URIs could lead to remote code execution. A third bulletin affects how various Microsoft Office apps open maliciously crafted files. The final bulletin concerns how Office interfaces with the Web and includes one vulnerability that has been known but unpatched since September 2006. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
Entitled "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029)," this bulletin is critical for users of Microsoft Excel 2000 Service Pack 3, and important for users of Excel 2002 Service Pack 3, Excel 2003 Service Pack 2, Excel 2007, Microsoft Office Excel Viewer 2003, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Office 2004 for Mac, and Microsoft Office 2008 for Mac. Not affected are Microsoft Works 8, 8.5, and 9, or Works suite 2005 and Works suite 2006. The update addresses vulnerabilities detailed in CVE-2008-0111, CVE-2008-0112, CVE-2008-0114, CVE-2008-0115, CVE-2008-0116, CVE-2008-0117, and CVE-2008-0081. Microsoft says, "an attacker who successfully exploited these vulnerabilities could take complete control of an affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights."
Entitled "Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (949031)," this bulletin affects users of Microsoft Outlook 2000 Service Pack 3, Outlook 2002 Service Pack 3, Outlook 2003 Service Pack 2, Outlook 2003 Service Pack 3, and Outlook 2007. Not affected are users of Outlook 2007 Service Pack 1. The update addresses the vulnerability detailed in CVE-2008-0110. Microsoft says this vulnerability "could allow remote code execution if Outlook is passed a specially crafted mailto URI. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This vulnerability is not exploitable by simply viewing an e-mail through the Outlook preview pane."
Entitled "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030)," this bulletin affects users of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel Viewer 2003 Service Pack 3, and Microsoft Office 2004 for Mac. Not affected are users of Microsoft Office 2003 Service Pack 3, Microsoft PowerPoint Viewer 2003, Microsoft Visio 2002 Service Pack 2, Microsoft Visio 2003 Viewer, Microsoft Word Viewer 2003, Microsoft Project 2000 Service Pack 1, Microsoft Project 2002 Service Pack 2, 2007 Microsoft Office System, 2007 Microsoft Office System Service Pack 1, and Microsoft Office 2008 for Mac. The update addresses the vulnerabilities detailed in CVE-2008-0113 and CVE-2008-0118. Microsoft says, "an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Entitled "Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103)," this bulletin affects users of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Visual Studio .NET 2002 Service Pack 1, Visual Studio .NET 2003 Service Pack 1, Microsoft BizTalk Server 2000, Microsoft BizTalk Server 2002, Microsoft Commerce Server 2000, and Internet Security and Acceleration Server 2000 Service Pack 2. Not affected are users of Microsoft Works 8, Microsoft Works 9, Microsoft Works Suite 2005, Microsoft Works Suite 2006, Microsoft Office 2003 Service Pack 2, Microsoft Office 2003 Service Pack 3, 2007 Microsoft Office System, 2007 Microsoft Office System Service Pack 1, Microsoft BizTalk Server 2004, Microsoft BizTalk Server 2006, Microsoft Commerce Server 2000 Service Pack 1, Microsoft Commerce Server 2000 Service Pack 2, and Microsoft Commerce Server 2000 Service Pack 3, Microsoft Commerce Server 2002, Microsoft Commerce Server 2007, Internet Security and Acceleration Server 2004, and Internet Security and Acceleration Server 2006. This update addresses the vulnerabilities detailed in CVE-2006-4695 and CVE-2007-1201. Microsoft says, "these vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Apple today released 11 security updates for Mac OS X, with many of the updates specific to the newly-released Leopard operating system. The Security Update 2008-001 is the first from Apple for 2008. The applications affected include Time Machine, Mail, and Parental Controls. The update can be downloaded and installed via Software Update preferences, or from Apple Downloads.
Directory Services
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11 and addresses the vulnerability in CVE-2007-0355. Apple says, "A stack buffer overflow exists in the Service Location Protocol (SLP) daemon, which may allow a local user to execute arbitrary code with system privileges." Apple credits Kevin Finisterre of Netragard for reporting this vulnerability.
Foundation
This patch affects users of Mac OS X v10.5 and v10.5.1 and Mac OS X Server v10.5 and v10.5.1. The update addresses the vulnerability in CVE-2008-0035. An affected user accessing a maliciously crafted URL may experience an application termination or arbitrary code execution. A memory corruption issue exists in Safari's handling of URLs. By enticing a user to access a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. Apple notes that this issue does not affect systems prior to Mac OS X v10.5.
Launch Services
This patch affects users of Mac OS X v10.5 and v10.5.1 and Mac OS X Server v10.5 and v10.5.1. The update addresses the vulnerability in CVE-2008-0038. A removed application may still be launched via the Time Machine backup. Apple says, "Launch Services is an API to open applications or their document files or URLs in a way similar to the Finder or the Dock. Users expect that uninstalling an application from their system will prevent it from being launched. However, when an application has been uninstalled from the system, Launch Services may allow it to be launched if it is present in a Time Machine backup." Apple credits Steven Fisher of Discovery Software and Ian Coutier for reporting this vulnerability.
Mail
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11 and addresses the vulnerability in CVE-2008-0039. Affected users accessing a URL in a message may experience an arbitrary code execution. Apple says, "An implementation issue exists in Mail's handling of file:// URLs, which may allow arbitrary applications to be launched without warning when a user clicks a URL in a message. This issue does not affect systems running Mac OS X v10.5 or later."
NFS
This patch affects users of Mac OS X v10.5 and v10.5.1 and Mac OS X Server v10.5 and v10.5.1. The update addresses the vulnerability in CVE-2008-0040. A remote attacker may cause an unexpected system shutdown or arbitrary code execution if the system is being used as an NFS client or server. Apple says, "A memory corruption issue exists in NFS' handling of mbuf chains. If the system is being used as an NFS client or server, a malicious NFS server or client may be able to cause an unexpected system shutdown or arbitrary code execution." This issue does not affect systems running Mac OS X v10.5 or later. Apple credits Oleg Drokin of Sun Microsystems for reporting this issue.
Open Directory
This patch affects users of Mac OS X v10.4.11 and Mac OS X v10.4.11 Server. No CVE number is given. An affected user may find that NTLM authentication requests may always fail. Apple says, "This update addresses a non-security issue introduced in Mac OS X v10.4.11. A race condition in Open Directory's Active Directory plug-in may terminate the operation of winbindd, causing NTLM authentications to fail. This issue only affects Mac OS X v10.4.11 systems configured for use with Active Directory."
Parental Controls
This patch affects users of Mac OS X v10.5 and v10.5.1 and Mac OS X Server v10.5 and v10.5.1. The update addresses the vulnerability in CVE-2008-0041. Affected users may find that requesting to unblock a Web site leads to information disclosure. Apple says, "When set to manage Web content, Parental Controls will inadvertently contact www.apple.com when a Web site is unblocked. This allows a remote user to detect the machines running Parental Controls." Apple credits Jesse Pearson for reporting this issue.
Samba
This patch affects users of Mac OS X v10.4.11, v10.5, and v10.5.1 and Mac OS X Server v10.4.11, v10.5, and v10.5.1. The patch addresses the vulnerability in CVE-2007-6015. A remote attacker may cause an unexpected application termination or arbitrary code execution. Apple says, "A stack buffer overflow may occur in Samba when processing certain NetBIOS Name Service requests. If a system is explicitly configured to allow 'domain logons,' an unexpected application termination or arbitrary code execution could occur when processing a request. Mac OS X Server systems configured as domain controllers are also affected." Apple credits Alin Rad Pop of Secunia Research for reporting this issue.
Terminal
This patch affects users of Mac OS X v10.4.11, v10.5, and v10.5.1 and Mac OS X Server v10.4.11, v10.5, and v10.5.1. The update addresses the vulnerability in CVE-2008-0042. Affected users viewing a maliciously crafted Web page may experience arbitrary code execution. Apple says, "An input validation issue exists in the processing of URL schemes handled by Terminal.app. By enticing a user to visit a maliciously crafted Web page, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution." Apple credits Olli Leppanen of Digital Film Finland and Brian Mastenbrook for reporting this issue.
X11
This patch affects users of Mac OS X v10.5 and v10.5.1 and Mac OS X Server v10.5 and v10.5.1. The update addresses the vulnerability in CVE-2007-4568. Apple says, "Multiple vulnerabilities in X11 X Font Server (XFS), the most serious of which may lead to arbitrary code execution."
X11
This patch affects users of Mac OS X v10.5 and v10.5.1 and Mac OS X Server v10.5 and v10.5.1. The update addresses the vulnerability in CVE-2008-0037. An affected user may find that changing the settings in the Security Preferences Panel has no effect. Apple says, "The X11 server is not reading correctly its 'Allow connections from network client' preference, which can cause the X11 server to allow connections from network clients, even when the preference is turned off." This issue does not affect systems prior to Mac OS X v10.5.
On Wednesday, Apple released QuickTime 7.4.1. The update is for users of Mac OS X v10.3.9, Mac OS X v10.4.7, Mac OS X v10.5 or later, and Windows Vista and Windows XP SP2. It addresses the vulnerability described in CVE-2008-0234.
By enticing a user to visit a maliciously crafted Web page, Apple says that an attacker may use an unpatched version of QuickTime to cause an unexpected application termination or arbitrary code execution. The vulnerability is a heap buffer overflow that exists in QuickTime's handling of HTTP responses when RTSP tunneling is enabled. Apple did not credit a researcher for reporting this vulnerability.






